OUR THOUGHTS ON:

Help Prevent Future "Heartbleeds"

Risk Advisory/Internal Audit

By Troy Fine

Recently, a Finnish security firm, Codenomicon, discovered the Heartbleed vulnerability in OpenSSL, a widely used implementation of the SSL (Secure Sockets Layer) protocol. Web servers and browsers use SSL to help protect data in transit by creating an encrypted channel for private communications over the Internet. OpenSSL is the most commonly used data-transmission encryption library on the internet, and the Heartbleed vulnerability allows intruders to circumvent its trusted communication channel and obtain access to sensitive information. In essence, Heartbleed creates an opening in SSL's encryption technology that allows a hacker to steal the private keys used for deciphering internet traffic, thus enabling a hacker to steal sensitive data that was once thought to be secure. The vulnerability has existed for two years, and its exploitation is undetectable.

The discovery of the Heartbleed vulnerability emphasizes the importance of a diligent information security vulnerability and incident management program. Organizations should ensure that they actively monitor all available resources for alerts about newly discovered security vulnerabilities and take the recommended steps to help mitigate critical threats such as Heartbleed. It is critical that organizations are diligent in their monitoring of security alerts and timely in their implementation of the recommended patches, upgrades or security fixes provided by vendors or security resources. Subscribing to available resources, such as the United States Computer Emergency Readiness Team (US-CERT) or FBI InfraGard security bulletins, and employing external assessors to perform regular vulnerability scans of systems and infrastructure are critical to the early identification of security exposures and vulnerabilities. Additionally, an effective incident response plan ensures that organizations are well-equipped to respond to high-risk security incidents through early detection, containment and swift, efficient resolution.

The vulnerable versions of OpenSSL are 1.0.0 through 1.0.1f. The most recent version of OpenSSL, 1.0.1g, patches the flaw. Companies that operate web applications containing sensitive information, or that transmit sensitive data over the internet, should investigate which version of SSL encryption they are running and determine whether it is a vulnerable version of OpenSSL. Vendors such as Cisco Systems Inc. and Juniper Networks Inc. have announced that some of their products use OpenSSL versions that are vulnerable to Heartbleed attacks. In a customer bulletin, Cisco listed all of the devices known to be vulnerable to Heartbleed and all of the devices it was still investigating. Many vendors, Cisco among them, informed customers that they will release free patches for all of their affected products. It is highly recommended that you contact your device manufacturers as soon as possible to determine whether your devices contain the Heartbleed vulnerability.
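As an added example (not part of the original article), the following Python script turns the version check described above into a repeatable inventory step: it parses `openssl version` banners collected from hosts, classifies each against the range the article gives as vulnerable (1.0.0 through 1.0.1f, fixed in 1.0.1g), and can also query the local `openssl` binary. The sample banners are constructed, not gathered from real systems. Note that Linux distributions frequently backport security fixes without changing the reported version string, so a match here is a prompt to confirm against the vendor's advisory, not proof of exposure.

```python
import re
import subprocess

# Range the article gives as vulnerable: 1.0.0 through 1.0.1f (1.0.1g carries the fix).
# Versions are compared as (major, minor, fix, letter) tuples, so 1.0.1e sorts below 1.0.1g.
FIRST_VULNERABLE = (1, 0, 0, "")
FIRST_FIXED = (1, 0, 1, "g")

# Matches the leading part of an 'openssl version' banner such as 'OpenSSL 1.0.1e 11 Feb 2013'.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(banner):
    """Return (major, minor, fix, letter) from a banner, or None if it is not an OpenSSL banner."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    major, minor, fix, letter = match.groups()
    return (int(major), int(minor), int(fix), letter)

def is_vulnerable(banner):
    """True inside the article's vulnerable range, False outside it, None if the banner is unparseable."""
    version = parse_version(banner)
    if version is None:
        return None
    return FIRST_VULNERABLE <= version < FIRST_FIXED

def triage(banners):
    """Bucket banners from an inventory into 'vulnerable', 'patched' and 'unknown' for follow-up."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for banner in banners:
        verdict = is_vulnerable(banner)
        bucket = "unknown" if verdict is None else ("vulnerable" if verdict else "patched")
        report[bucket].append(banner)
    return report

def local_openssl_banner():
    """Banner of the openssl binary on this host, or None if it cannot be run."""
    try:
        result = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return result.stdout.strip()

if __name__ == "__main__":
    # Constructed sample banners (not collected from real hosts), plus this machine's own openssl.
    samples = ["OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
               "OpenSSL 0.9.8y 5 Feb 2013", "LibreSSL 2.8.3"]
    local = local_openssl_banner()
    for bucket, items in triage(samples + ([local] if local else [])).items():
        print(f"{bucket}: {items}")
```

Banners that do not parse (such as a LibreSSL build or an appliance that hides its library) land in the "unknown" bucket, which is the list to take to the device manufacturer.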

In addition to the adverse effect on companies, many consumers were also potentially affected by Heartbleed. Consumers, who use the internet for online banking, paying bills, social media and a myriad of other services, should continually check their service providers' websites for press releases or updates on whether the sites they use were affected. To help consumers determine whether a website is vulnerable to the Heartbleed bug, Google released a plug-in for its Chrome browser called Chromebleed, which notifies users when the website they are currently visiting is vulnerable. There are also sites that allow consumers to test URLs for the Heartbleed bug. Many security experts are advising consumers to change their passwords on all sites that have been affected by the bug; however, they also suggest waiting until the affected websites have resolved the issue. This is because hackers could still capture a user's new credentials if the password were changed on a website still running an unpatched version of OpenSSL.

For more information on how Schneider Downs can assist you or your company with securing your network, contact Eric Wright.

© 2014 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
