Heartbleed: A Real Clot for Security Management

In the security world Heartbleed is a big deal.  Web traffic on the topic has skyrocketed of late – below are a few tips on infrastructure management and staff web services usage.

Heartbleed is a new vulnerability in the widely used OpenSSL library and Web servers running version 1.0.1 to 1.0.1f, which includes most  Linux servers and embedded devices like smart phones.  Even major cloud service providers (e.g. Google, Amazon) were vulnerable to this.   We also know that many proxy clients (web spiders, application proxies) are vulnerable to malicious web sites exploiting this bug, in what is now being called Reverse Heartbleed.

This is a serious vulnerability for two reasons: OpenSSL is widely used, the attack was simple, the data that can be stolen is valuable   (SSL Certificate private key, user session tokens and passwords), the attack leaves no trace, and the vulnerability has been there for some time. 

There is a great unknown here – as the attack leaves no fingerprint, we don’t know if this has been exploited in the wild.  To date there is no evidence one way or the other that has been made public on this question.

What should you do?

For infrastructure you manage:

  1. Review all web servers, application proxies, outbound web proxies, security appliances, and embedded devices for this vulnerability – if you have been running “perfect forward secrecy” you should not be vulnerable to this weakness.
  2. If vulnerable
    1. update the OpenSSL library to the latest version OR turn off the service OR disable SSL
    2. Consider replacing SSL certificates used on these  servers – the private key may be compromised
    3. Reset your admin passwords
    4. Inform users of the need to reset their password

For services your staff are using:

  1. Review outbound proxy site lists for use of SSL
  2. For specific business related services, ensure all sites being accessed have patched this vulnerability
  3. Educate staff of the need to ensure SSL sites they access have patched the Heartbleed vulnerability and the potential need to change their password

April 2014

About Business Aspect
Business Aspect assists customers with the execution of their business strategy through either large-scale business transformation or by addressing smaller challenges in specific areas of the business. It focuses on the business first, and then identifies technology needs as an enabler of required business outcomes.
It has skills, experience and expertise in; business and technology strategy, architecture, risk, control, planning, design and governance. Through its services, Business Aspect addresses all layers of the business, including people, organisational change, process change, information management, information and communications technology applications and technology infrastructure.
Business Aspect solves complex business problems through the collaborative efforts of its team of highly experienced personnel, and the application of proven intellectual property. A key strength is the diversity of the background and skills its senior consultants bring to planning initiatives involving people, process and systems.