Connecting to LinkedIn...



What has Heartbleed taught us?

7/05/2014 by


The impact of the Heartbleed bug – an OpenSSL vulnerability that affected more than 500,000 websites – is one of the most far-reaching security breaches in recent times.  The fact that one of the most fundamental backbones of internet security has been dealt a severe blow is undeniable.

On the heels of the Heartbleed fallout, many businesses were left scrambling for an information security solution that would work and remove the risk of future vulnerabilities.  Is hindsight really 20-20?  What have businesses learned?

Upgrade is essential

 The Heartbleed bug is actually a vulnerability in OpenSSL that allows sensitive information to be scraped from the servers; therefore, many IT security teams have been forced to upgrade to OpenSSL 1.0.1g or higher.  The true impact of the risks from the Heartbleed bug may not be fully realised for months or years, however, simply because it has actually been around for years.

The bug is not very fast – only 64 kilobytes of data can be transferred at a time – but there is a real risk that sensitive and private data has already been compromised.

Encryption mechanisms

 One of the key lessons to be learned from the Heartbleed fiasco is to implement layered encryption mechanisms to protect data.  Those IT departments that relied solely on OpenSSL as their encryption solution were at the highest risk.  Multi-layered encryption mechanisms are more complex and should be used on all digital media devices, including those in hard disk RAID environments.

Proactive security audits are also an integral part in mitigating future risk.  Keep an eye on the security mechanisms used at every level of the public and private facing network and remember that nothing is ever completely secure.  Understanding that information security is an ever-evolving phenomenon is essential.

Proper auditing procedure

 A disconcerting aspect of the Heartbleed bug is that there is no way of telling if a particular service has been exploited or attacked.  There are no logs and no signs of intrusion, which may be why it took so long for the bug to be fully publicised.  There really is no way to tell if any sensitive data has been leaked or hacked.

IT professionals taking action in response to Heartbleed should consider the level of security required for certain data; for example, does the data require one or more layers of protection?  When dealing with personal data, it may be best to err on the side of caution.

The sheer fact that businesses may never know whether their customers’ data has been leaked or stolen should foster the motivation to beef up security efforts by using multiple layers of encryption and proper auditing mechanisms whenever possible.

Written by Montash.

We are hosting a Cyber Security Breakfast Briefing with Mandiant, a FireEye Company on Thursday 15th May 2014, 8am – 10am at Grand Connaught Rooms, Holborn, London. Entries are priced at £20, with all proceeds going to Groundwork Charity.

We would like to take this opportunity to invite you to attend this event.

The briefing will be an open discussion forum for top cyber security experts to discuss the latest threats that companies face and how best to combat them. The forum will highlight the potential cyber threats that target businesses on a large scale and will examine the crossover of security risks in both the real world and cyber world.

Montash is a multi-award winning, global IT recruitment firm. Specialising in permanent and contract positions across mid-senior appointments which cover a wide range of industry sectors and IT functions, including:

ERP, BI & Data, Information Security, IT Architecture & Strategy, Scientific Technologies, Demand IT and Business Engagement, Digital and E-commerce, Infrastructure and Service Delivery, Project and Programme Delivery.

With offices based in London, Montash has completed assignments in over 30 countries and has appointed technical professionals from board level to senior and mid-management in permanent and contract roles.

For more information please visit

comments powered by Disqus

Social Stream

Latest News


Are PSLs a Blocker or an Enabler?

2017-10-02 11:00:00 +0100

The use of a Preferred Supplier List (PSL) was intended to support and strengthen relationships and performance between organisations and their third party suppliers. As the technical landscape continues to evolve at rapid rate recruitment and demand for new skills becomes more intense. Are PSLs still the solution or an obstacle to sourcing the right talent? The traditional PSL A dedicated list of partners intended to guarantee quality and availability ...


Why do we punish the victims of hacking?

2017-09-21 09:00:00 +0100

Hacks occur every 39 seconds, with 95% of them targeting governments, retailers and the tech industry. If the hackers are caught, they'll face prison time under the Computer Misuse Act. More often than not, the businesses who are victims of those attacks expose themselves to punishment of their own. The laws that determine the duty of protection owed to businesses and their customers is both vague and broad, making them question just how much protection...