In the last three months Heartbleed, Shellshock and Poodle have been coming up in the context of security, with big warnings around them. In this post I am going to explain, at a simple level, what they mean and which ones are a genuine concern.
WHAT DOES IT ALL MEAN?
There are hundreds of security vulnerabilities found all around the world in all kinds of software. As people (namely software engineers and administrators) discover them, they publish them in a number of high-profile security bulletins. These published entries are referred to as CVEs (Common Vulnerabilities and Exposures). Companies that manage security, infrastructure and servers (as well as hackers) monitor these on a regular basis and, as new ones come up, judge whether or not their digital assets are at risk. When a vulnerability affects a major piece of software it tends to make headlines. This does not, however, mean that it affects everyone.
In order to identify the total impact of a risk we use a simple model: probability and severity are each scored from 1 to 5 and multiplied together to give a total score out of 25. For example, if a vulnerability has a probability of 2 and a severity of 4 then it will have a score of 8/25. Generally speaking, unless a digital asset is particularly security-sensitive, anything under 9/25 is nothing to worry about.
A BIT MORE ABOUT RECENT VULNERABILITIES
The following risk assessments are based on our own infrastructure; your exposure may differ.
POODLE
This vulnerability scores 4/25 (severity is 4, probability is 1). It only affects secure connections using one particular type of SSL (Secure Sockets Layer) on very old web browsers. This is not something to worry about.
SHELLSHOCK (AKA BASHBLEED)
Total score of 12/25 (4/5 for severity and 3/5 for probability). This is a more dangerous vulnerability that could potentially give an attacker administrator control over the server.
HEARTBLEED
Total score of 9/25 (3/5 for severity and 3/5 for probability). This vulnerability potentially allows attackers to view small amounts of encrypted data, and it affects servers running specific versions of the encryption software used for encrypted website traffic (HTTPS) and encrypted email access (POP or IMAP with SSL enabled). It affected a much narrower range of potential servers, so it is not as severe as Shellshock.
SHOULD ONE WORRY?
Provided that your digital assets are maintained by a qualified infrastructure manager on a regular basis, there is nothing to worry about. It is very unlikely that a hacker will get hold of your server within the first week of a security vulnerability coming out. Having said that, attackers tend to eventually write automated tools (bots) that autonomously try servers against known vulnerabilities, so it is important that those vulnerabilities are not left much longer without patching (updates to the server software that protect it from the vulnerabilities).