Running a business in the 21st Century presents complex challenges, and being a solopreneur or truly small business requires prioritization that would drive most business persons crazy. So the bad news is that nothing in today’s information-based society is simple. The good news is that we are all in this together.
When the Heartbleed vulnerability was announced 10-plus days ago, I published a quick response to the OpenSSL breach, through which data had been quietly stolen from what were thought to be secure sites and databases via servers, routers, and other communication products. I did not recommend changing all your passwords at that time.
Changing your password will not protect you if the new password travels over the internet through a vulnerable piece of equipment somewhere along the route your data takes.
At this writing, Cisco lists over 50 products that may be vulnerable. Juniper currently lists around 10 vulnerable products and around 20 that are not vulnerable. Certain phones (VoIP), video conferencing, VPN, some smartphone security clients, and router/switching equipment software have been compromised.
My impression is that some companies responded far too quickly that they were safe. Large corporations that employ many communication technologies have to audit a huge amount of equipment and channels. Small companies may not even be aware that they are vulnerable. The onus to repair breaches lies with providers, business consumers, and individual consumers.
Security is not an end product. It is a process. The mantra I heard over and over again at Smithsonian Cultural Property Protection conferences when I headed up museum security services for a State Museum was, “Security is everybody’s business.”
Internet security can overwhelm a small business. Hiring an IT specialist who actually knows IT security is expensive, and as this recent OpenSSL breach demonstrates, may not be effective. Even corporations like Cisco were blindsided by Heartbleed. But you can devote a small bit of time every week to assessing your security. Ultimately this is probably a matter of due diligence. Ignorance of the law, as they say, is no excuse.
What you can do is have security policies and procedures. This is necessary for businesses of all sizes. You need to give some thought to security whether you are a blogger who collects email addresses for mailings or a large corporation with many products and services. Policies and procedures need not be overly detailed, but they need to be developed and implemented.
I recommend checking your Host and ISP for your business as a starting point if you have a blog or website visited by your customers.
Yes, your Internet Service Provider should be able to tell you whether they use vulnerable equipment and whether it has been patched. This may not be as straightforward as it seems.
After spending an hour going through both their .net and .com site pages and calling every phone number I could find for the umbrella corporations within the mega-corporate behemoth that is Cox, my ISP, I finally found my way to a tech support number. After a half-hour conversation there, I was able to reach a supervisor who was willing to tell me that yes, they used Cisco equipment, and yes, they had updated their equipment at a national level over the past two weeks.
While this supervisor responded to my questions about Heartbleed, I could not get him to use the term, nor to say explicitly that their Cisco equipment had been among the impacted routers and switches. It was implied in his responses, though.
Most large communications providers use equipment that was compromised. They should say this on their websites. But they do not. I recommend working up the hierarchy of customer service reps and their supervisors until you get to someone who will tell you whether the routers and switches that may have been vulnerable to recent breaches have been patched or updated.
Look for something akin to this statement on your hosting provider’s website:
“If your site is a shared or reseller account with yoursitehostingservice.xyz, your server is already fully patched for Heartbleed vulnerability!”
The major hosting companies that I checked, including my provider, Hostgator, say whether they have patched their systems. But again, this is sensitive information, and no company is going to proclaim on its homepage that it has been hacked. Neither, though, should information about how they responded to the breach be impossible to find. My hosting company asked VPN, virtual, and dedicated server clients to contact them. Shared server clients, and that includes most bloggers, were told they could run a check on their site by using a provided link. On that linked page was the notification that they had patched their vulnerable servers.
OTHER APPS TO CHECK
Conferencing apps, webinar services, and VoIP services that allow “secure” video or voice conferencing can be vulnerable to Heartbleed.
Go To Meeting, a major conferencing service provider, addressed these potential vulnerabilities through their use of Citrix, explicitly listing their current products that are safe from the vulnerability, their recommendations on secure interaction, the need to run current versions of products, and their ongoing assessments related to security. I found it refreshing to see that this corporation went further than any other company to inform users about other web services as well as their own processes for dealing with this new type of security threat:
This is an oversimplification, but a safe consumer approach to this recent development in the world of data theft is to use this basic guideline:
If I log in, I check and change.
This means that if I have to sign in to a site or service, I check for statements about how they ascertained whether they were vulnerable and how they fixed it if they were. Once I am sure the service is as safe as they can make it, I then change my password.
I have several levels of passwords, and for email and banking each and every account has a distinct password. For social network sites that I use all the time I have another password. Every time one of these platforms is hacked, I change the password.
For other “give us your email” applications, for which you need to set up an account from which you will probably be spammed, I use a third level of passwords.
There are some other password and login options that I will cover in another post, including password keepers, password generators, two-step verification, and phone logins.