It was disclosed last week that a vulnerability in the OpenSSL packages used by debian systems contained a flaw where random numbers were not actually random, paving the way for another attack vector.
Plenty of specific details and analysis can be found in different places, including:
For many, this signals the fire-drill of reaction and patching — just in time for a big holiday weekend (aka the â€œstart of summerâ€) here in the United States.
Just days before this was announced, I was introduced to Venafi (as a direct result of my press pass at RSA). During the conversation, I realized they really own the niche of Systems Management for Encryption. As we shared a lively and informative conversation, I was reminded that SSL is not just something we stick on web servers; it goes deeper and wider in many enterprises today. As soon as you have to manage many of these encrypted connections, the process gains some complication â€“ and is ripe for error. Step in Venafi.
When the debian vulnerability was announced, I immediately asked if Venafi would be willing to share some insights about how organizations should be handling this issue. This is bigger than patching (remember code red?) â€“ and I wanted a discussion that provided insights into how to manage this in a way that brought immediate results but also good long-term gain.
During this program, Paul (from Venafi) and I start by exploring how to engage business users in the conversation. We progress to tactical and strategic ways to address this challenge while realizing this is an opportunity to make some improvements that bring better future results.
It comes from planning and following a process informed by experience â€“ and weâ€™ll share the insights with you in 30 minutes or less!
In the wrap-up, I suggest following the approach of plan-do-review, outlined in this podcast: http://securitycatalyst.com/blog/2008/01/31/the-security-catalyst-show-plan-do-review-your-way-to-success/
Tune in next week for the debut of the Pop Culture Security podcast â€“ your monthly â€œhow-toâ€ for Security Awareness Training.