It has been less than a month since the announcement of a serious flaw in a software package used by many sites to keep information secure. The so-called “Heartbleed” bug took information that was supposed to be private on Web servers and made it theoretically available to a malicious user. The flaw has existed for 2 years, so either everyone’s information has been available to certain malicious users for that amount of time, or the mistake was only discovered by the folks who fixed it and little to no information was compromised on systems that quickly patched. No one is sure which conjecture is true.
No matter what, here’s what we can learn:
- People who properly patch their user and server computers will be more protected than those who don’t. Keeping up to date with new versions of software packages doesn’t fix everything, but it makes you more secure than if you didn’t. There are lots of uninformed people who are worried about the Heartbleed issue but haven’t bothered to update past Windows XP, which no longer receives updates at all.
- Having a multi-layered approach to security is the best: Relying on any one piece of technology to secure your data isn’t effective. We all need to use many different techniques. If you were securing an important government building from physical access, you wouldn’t rely on just a door lock — no matter how secure it is. You would “layer” a fence, a camera system and other tools to help protect the building. The same is true for Internet security.
- Beware of overly simplistic news headlines: I read many pieces during the initial rollout of the Heartbleed issue that were just completely wrong. Tech bloggers (such as Krebs on Security) were more likely to get the story right.