Following yesterday’s news about the LogJam patch making more than 20,000 websites unreachable, I asked my colleagues at Fidelis for their thoughts on the news and what it means for the industry. Below are some of their thoughts:
Look Beyond the Headlines
The impact of LogJam goes far beyond what has been reported thus far. The technical details are available here, but in general there are a few key takeaways from the LogJam vulnerability:
- It stands to reason that standards and code where significant bugs are revealed will be subjected to greater scrutiny, likely yielding yet more findings. This is clearly playing out with the TLS standard and various implementations. While there is some level of disruption in the short term, this only makes the Internet stronger.
- Similarly, another non-intuitive benefit is that there is a more coordinated and deliberate response to such findings, clearly involving the original researchers and other stakeholders in the process.
- Enterprises should proactively monitor for the use of weak keys in their critical communications. Even in the absence of these known vulnerabilities, such communications will always be susceptible to man-in-the-middle attacks, and enterprises should ensure that critical business services and third-party connections do not use weak keys.
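As an added example of the kind of monitoring check the third point calls for (example code written for this page, not part of the original post or any Fidelis product): a Python parser that pulls the Diffie-Hellman group out of a captured DHE ServerKeyExchange record and flags groups below 2048 bits, which covers the 512-bit export-grade and 1024-bit groups that LogJam targets. The 2048-bit threshold, the helper names and the sample records are assumptions constructed here.

```python
import struct

# Assumption: anything below 2048 bits is reported as weak.
WEAK_DH_BITS = 2048


def parse_dhe_server_key_exchange(record: bytes) -> dict:
    """Extract dh_p, dh_g and dh_Ys from a TLS record carrying a DHE ServerKeyExchange.

    Layout (RFC 5246): 5-byte record header (type 0x16, version, length),
    4-byte handshake header (type 12, 3-byte length), then three length-prefixed
    fields: dh_p, dh_g, dh_Ys. The trailing signature is not needed here.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 12:
        raise ValueError("not a ServerKeyExchange message")
    msg = body[4:4 + int.from_bytes(body[1:4], "big")]
    fields, off = {}, 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(msg):
            raise ValueError(f"truncated before {name}")
        n = struct.unpack("!H", msg[off:off + 2])[0]
        value = msg[off + 2:off + 2 + n]
        if len(value) != n:
            raise ValueError(f"truncated {name}")
        fields[name] = value
        off += 2 + n
    return fields


def dh_prime_bits(fields: dict) -> int:
    """Bit length of the group prime; this is the 'key size' a monitor should track."""
    return int.from_bytes(fields["dh_p"], "big").bit_length()


def is_weak_dh_group(record: bytes, min_bits: int = WEAK_DH_BITS) -> bool:
    """True when the server offered a DH group smaller than min_bits."""
    return dh_prime_bits(parse_dhe_server_key_exchange(record)) < min_bits


def build_sample_ske(p: bytes, g: bytes = b"\x02") -> bytes:
    """Construct a test record (not captured traffic); values are stand-ins, not real primes."""
    ys = b"\x01" * len(p)
    msg = b"".join(struct.pack("!H", len(v)) + v for v in (p, g, ys))
    handshake = b"\x0c" + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a 512-bit export-grade group and a 2048-bit group (top bit set).
EXPORT_512 = build_sample_ske(b"\x80" + b"\x11" * 63)
STRONG_2048 = build_sample_ske(b"\x80" + b"\x11" * 255)
```

In a real deployment the records would come from a passive capture or from the output of an active scan of the services named in the point above.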
Organizations are only as Strong as their Weakest Link
LogJam got me thinking about a recent breach case we worked last year, about the time Heartbleed emerged. The organization had a seemingly robust patch management system where critical vulnerabilities were patched within hours and weaknesses found from assessments were addressed in short-term roadmaps. However, the organization had test and development systems vulnerable to weaknesses exactly like those outlined in the LogJam news in their test and development networks. These systems were not centrally managed.