Read Time: 2 Minutes
The week Heartbleed hit was an extraordinary week for many companies, services, and IT departments, even for the Internet. Heartbleed has caused tremendous amounts of work, and will continue to do so for some time. Servers and software has to be patched, cryptographic keys have to be changed, certificates renewed, and account credentials changed. And that’s the easy stuff.
Companies have had to communicate across their supply chains. “Who is affected? How? What does it mean to us? Who do we need to tell, and what should we tell them?” While this is not unusual, the scale of this may be unprecedented.
So what does it take to handle a massive vulnerability like Heartbleed?
The answer is both very simple, and very challenging: Prepare.
I could write at length about business continuity, disaster preparedness, and crisis communication. I won’t. Most traditional plans will not alone tackle a software vulnerability like Heartbleed, and smaller companies are not able to invest in heavy planning anyway.
To prepare for critical security vulnerabilities, a few “simple” things are needed:
- Set up a lightweight security vulnerability response process, and assign a responsible for it.
- Know your own services and software.
- Know what other services and software you depend upon.
- Have contacts in place for all of them.
- Make sure everyone understands their role (this includes contract clauses for subcontractors).
- Know how to communicate to your customers.
- Be ready to communicate, improvise and take initiative.
I don’t recommend centralizing everything. In a difficult case, you will be depending upon many teams working in parallel to address their own services. Explicitly delegate the responsibility and the authority, and ensure communication works.
In my experience, no two vulnerabilities are the same. Once you have your process, your contacts, and your communications channels, you are prepared and able to tackle most of what comes along. The rest is up to crisis leadership.
Camillo Särs, Information Security Manager