A newly discovered bug in widely used web encryption technology was uncovered by researchers, prompting Homeland Security and other regulatory agencies to announce that organizations should review their technology environments to determine whether the bug posed any potential risk to their customers or data. The bug, named the Heartbleed bug, affected the security technology OpenSSL, which is used by millions of websites.
The internet and social media are abuzz over the Heartbleed bug. If you are on Facebook, Twitter, or any other social media channel, it’s impossible to miss the posts and comments. You have to be careful whose advice you take, though, as there is a lot of bad advice out there.
I am not surprised to see such a reaction, since we’ve been through so much with the recent data breaches, but the reality is that much of the initial response is creating confusion.
What is the Heartbleed bug?
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. There are known and published fixes to this vulnerability, which is not a design flaw in SSL/TLS, but a vulnerability that can be exploited based on how the encryption technology is implemented or deployed.
To learn more about the basics of the bug, visit heartbleed.org.
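The first thing any site operator has to establish is whether its OpenSSL build falls in the affected range. As an added illustration that is not part of the original post, the POSIX shell helper below classifies an `openssl version` string: upstream 1.0.1 through 1.0.1f and 1.0.2-beta1 carried the bug, 1.0.1g and later fixed it, and the 0.9.8 and 1.0.0 branches never had the heartbeat code. Distributions often backported the fix without bumping the upstream version string, so "vulnerable" here means "check the package changelog", not a final verdict.

```shell
#!/bin/sh
# Added example (not from the original post): classify an OpenSSL version
# string against the Heartbleed-affected range.
#   vulnerable  : 1.0.1 .. 1.0.1f, 1.0.2-beta1
#   fixed       : 1.0.1g and later, 1.0.2 (non-beta1), 1.1.x, 3.x
#   unaffected  : 0.9.x and 1.0.0 (no TLS heartbeat extension)
# Caveat: vendors backported the fix under the old version string, so a
# "vulnerable" result must be confirmed against the package changelog.

heartbleed_status() {
    # $1 may be "1.0.1e" or the full "OpenSSL 1.0.1g 7 Apr 2014" banner.
    v=$(printf '%s\n' "$1" | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*[a-z]\{0,1\}\(-beta[0-9]*\)\{0,1\}\).*/\2/p')
    case "$v" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*) echo fixed ;;
        0.9.*|1.0.0*)                 echo unaffected ;;
        *)                            echo unknown ;;   # LibreSSL, empty input, etc.
    esac
}

# Classify the OpenSSL binary on this host (prints "unknown" if none is installed).
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    heartbleed_status "$(openssl version 2>/dev/null)"
}
```

Run `check_local_openssl` on each host in scope, then cross-check any "vulnerable" result against the distribution's advisory before concluding a patch is missing.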
What should you do?
A quick Google search for “Heartbleed bug” already produces over 51,000 results, so there is a plethora of information about what it is and what to do. One of the better consumer-facing responses I’ve seen is from USA Today. I wanted to take a few moments to share some tips on addressing concerns about the risks:
1. Don’t change all your passwords immediately. Yes, eventually you’ll want to change passwords at affected sites as a precaution, but there is an order and protocol all companies need to follow. Changing your password before the technology provider has completed its assessment process or deployed a fix could leave you more vulnerable. Mark Schloesser, a security researcher with Rapid7, based in Amsterdam, Netherlands, added that doing so “could even increase the chance of somebody getting the new password through the vulnerability,” because logging in to an insecure server to change a password could reveal both the old and new passwords to an attacker. Never share passwords across applications; it creates more risk for you when one site is affected. You should only change your password in response to the Heartbleed bug after a website or internet company has:
- Checked to see if it is vulnerable
- Patched its systems
- Grabbed a new SSL certificate
- Told you it is fixed
2. Don’t force companies to respond before they know an accurate answer. This type of vulnerability requires technology organizations’ IT and security teams to conduct a thorough review of operating system vendors and distributions, and software vendors, including appliance vendors, to assess and determine the need to install a fix. Service providers will need to identify how the technology is used or configured. Nothing is more dangerous in a situation like this than getting incorrect information. Your partners are all working diligently to assess their level of vulnerability, but until they know 100%, wait patiently to hear from them.
3. Partner with your service providers to understand the risk potential. Assessing vulnerability potential is a standard process for threat and vulnerability management. Systems that are not safe will need a patch, and then they will need to apply a new SSL certificate. Once their risk mitigation steps are complete, they will provide a notification to their clients.
The FFIEC has also released an OpenSSL “Heartbleed” Vulnerability Alert setting expectations for financial institutions. In the guidance, the following key steps were identified:
- Ensure that third-party vendors that use OpenSSL are aware of the vulnerability, and are taking appropriate action steps;
- Monitor the status of their vendors’ efforts;
- Identify and upgrade vulnerable internal systems and services; and
- Follow appropriate patch management practices and test to ensure a secure configuration.
Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.
Reposted with permission from Forward Banker