BLOG: 5 Things We Should Learn From Heartbleed
The Heartbleed bug made headline news recently. Just as quickly as word spread about this security flaw, major financial institutions issued assurances to customers that their data was safe. But the next Heartbleed is never far away. Unicorn IT director Stuart Jones asks ‘What should we learn from this?’
As soon as news broke about the Heartbleed breach last month, we immediately sought confirmation that our systems were not vulnerable to the bug.
The ferocity of data protection demands in banking and financial services is arguably greater than in any other industry, and that is as true of the people who work within financial organisations as of their customers.
Heartbleed affected websites that used OpenSSL to encrypt traffic between a user’s computer and the site, by causing the server to expose information it should not have. Unicorn products including SkillsServe and STUDYserve were fortunately unaffected. Microsoft officially confirmed that the encryption component we use isn’t susceptible to the Heartbleed bug.
But around 500,000 sites were believed to be vulnerable to the bug, exposing the personal information and passwords of millions of people to possible exploitation.
Forbes cybersecurity columnist Joseph Steinberg described Heartbleed as “the worst vulnerability found, at least in terms of its potential impact, since commercial traffic began to flow on the Internet.”
Heartbleed has served as a timely reminder that no one who deals in data protection and online security – both server-side and client-side – can rest on their laurels.
For every Heartbleed, which it is believed was more a result of bad coding than criminal intention, there are countless cyber-criminals looking to exploit lapses in Internet security for potentially sinister purposes.
So what can we all do to make sure that when the next Heartbleed does inevitably strike, you can be confident your systems will not fall prey to it?
1) The power of robust passphrases
In the immediate aftermath of Heartbleed the advice was for people to change their passwords, and the message around choosing passwords that are as secure as possible, and changing them regularly, has been reiterated countless times.
But instead of passwords, think passphrases, using a mix of words and numbers. They are easier to remember and harder to crack, as they are longer.
2) Get ISO 27001 certification
The process you go through to get ISO 27001 certified means reviewing and often improving every aspect of how you operate. Unicorn has this internationally-recognised information security standard.
Ratified by the British Standards Institution (BSI), ISO 27001 includes identifying and mitigating potential risks and vulnerabilities, ranging from recruitment and identifying IT vulnerabilities to ensuring you have a robust business continuity plan.
Maintaining ISO 27001 certification requires monthly security audits and annual external assessments.
3) Understand your obligations
Client-side security is as important as server-side, and data protection and information security are among the key compliance obligations for any firm or organisation.
‘How to Comply with the Data Protection Act’ and ‘Information Security and your responsibilities’ are two core competency courses within ComplianceServe, Unicorn’s comprehensive compliance training solution.
The practical content is focused on learners actually applying knowledge, to encourage long-term changes in behaviour in line with FCA regulatory requirements and the desire for a wholesale shift in compliance culture.
4) Deliver securely online
When delivering online learning solutions, implement encrypted communication (HTTPS). This ensures any data transferred between the user’s web browser and the LMS is encrypted.
Remove support for old, less secure versions of SSL, which were considered vulnerable to attack even before Heartbleed.
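As an added illustration (example code, not Unicorn’s own), here is the server-side TLS setting this section recommends beside the legacy one it warns against, with a check that reports which pre-TLS-1.2 versions a configuration would still negotiate and a probe you can run against your own LMS endpoint after the change. Helper names are hypothetical; the probe needs network access and is not exercised offline.

```python
import socket
import ssl

# Versions below TLS 1.2 are the "old, less secure" ones the post says to drop.
ALL_VERSIONS = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1,
                ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2,
                ssl.TLSVersion.TLSv1_3]
FLOOR = ssl.TLSVersion.TLSv1_2


def legacy_server_context() -> ssl.SSLContext:
    """The 'before' setting: negotiate anything the OpenSSL build still offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """The corrected setting: TLS 1.2 and newer only; SSL 3.0, TLS 1.0/1.1 refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = FLOOR
    return ctx


def legacy_versions_accepted(ctx: ssl.SSLContext) -> list[str]:
    """Names of pre-TLS-1.2 versions the context would still negotiate."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ALL_VERSIONS[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ALL_VERSIONS[-1]
    return [v.name for v in ALL_VERSIONS if lo <= v <= hi and v < FLOOR]


def probe_version(host: str, port: int, version: ssl.TLSVersion,
                  timeout: float = 5.0) -> bool:
    """True if your own HOST:PORT still completes a handshake pinned to VERSION.

    Run after reconfiguring: True for TLSv1 or TLSv1_1 means the legacy version
    has not really been removed. Certificate checks are off because only
    version negotiation is being tested here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = version  # may raise ValueError
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ValueError, OSError):  # unsupported version, refused handshake, etc.
        return False
```

Heartbleed itself was an implementation bug in OpenSSL rather than a weakness of a protocol version, so this configuration complements patching the library; it does not replace it.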
5) Regular penetration testing
Get your online solutions regularly penetration tested by expert security companies to identify potential issues and help resolve them. Regular testing validates that the system remains secure and ensures that new functionality and developments continue to be examined. The results of testing over the years also provide excellent feedback to make your system even more secure as it evolves.
Still want more advice? Please don’t hesitate to contact us at firstname.lastname@example.org