Heartbleed: What Should Your Business Do?

Heartbleed isn’t a new song from your favorite pop star. It’s actually an Open SSL bug that has exposed at least half a million websites to hackers — the “ultimate web nightmare,” according to Mashable.

Why is Heartbleed so devastating? Because it has exposed what almost everyone once thought was unexposable. For years, security experts have advised users to double check that sites that handle sensitive personal information (such as social security numbers and bank information) are using SSL technology, which typically means the communication protocol in the URL switches from HTTP to HTTPS.

Codenomicon, an IT security testing company, has set up an information portal on Heartbleed.com that provides an overview of the Heartbleed bug and its impact. The company explains the threat like this:

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Worried yet? You should be.

Now That We’ve Found Heartbleed, What's Next?

So Heartbleed is here, and it’s a big threat to enterprise IT systems all over the world. But what can businesses do to protect their intellectual property, and how effective will those solutions be?

Sadik Al-Abdulla, director of security solutions at CDW, highlights on the CDW Blog four things every IT worker should do in a post-Heartbleed world:

1. Identify Vulnerable Systems

Your asset management and software inventory will give you the first sign post. Internet-facing services are certainly the most critical to check first. In the long run, once you’re past the immediately critical issues, you will need to include this in your annual vulnerability assessment. Top priority is Internet-facing SSL/TLS; including web servers, SSL VPNs, and some VPN tunnels.

So which systems are vulnerable? This isn’t an easy answer. The technically precise answer is: The affected versions of OpenSSL are OpenSSL 1.0.1 through 1.0.1f. Later versions (1.0.1g and newer) and previous versions (1.0.0 and older) are not vulnerable.

Still, this is challenging to answer comprehensively as OpenSSL is built into many other products, software, and appliances. Effectively, anything with a web interface is likely to include an SSL implementation, possibly OpenSSL, and possibly a vulnerable version of OpenSSL.

2. Patch

Affected services should be updated to remove the vulnerability. In many cases this will be applying a vendor supplied patch or software/firmware release, though for directly managed OpenSSL instances it will mean selecting a more recent version and upgrading/migrating.

3. Revoke Certificates, Then Reissue to Rekey.

Any certificate present on an affected system was vulnerable to the loss of its private key. You will need to reissue the certificate. You need to change the locks and issue new keys.

4. Change Passwords That Could Have Been Exposed

This applies to your personal life as well. This is a good opportunity to change your own Internet passwords, and recommend friends and families do the same.

Of course, each company will need to evaluate their unique environments to put together a solid game plan on what they should do to address Heartbleed, but it’s important to get started with those assessments right away.

Also, be aware that implementing fixes might break other things in your IT environment. Bloomberg reported recently on Team Snap, which implemented a Heartbleed fix and disrupted customer access to their sites when the fix was deployed by the company’s web host. This shows that disaster recovery and backup processes must be in place before any security fixes for Heartbleed are deployed.