By now most of you have seen and heard stories about the recent Heartbleed bug, and you're probably trying to make sense of the information and determine exactly what it means to you, your firm, your vendors and your clients. LBMC Security & Risk Services explains the issue and provides five key takeaways to minimize its impact, protect your firm, and give your clients actionable advice and peace of mind.
What’s all the fuss about?
At the center of the issue is a security bug in OpenSSL, an open-source cryptographic library that implements SSL/TLS and is used to secure much of the Internet's encrypted web traffic (estimates of the share of web servers relying on it run as high as two-thirds). From a practical standpoint, OpenSSL is one of the programs used to create secure web connections, the ones that show the padlock icon in your browser when you bank online or shop at e-commerce sites.
The bug's name is a play on words: the flaw sits in the library's heartbeat feature, a keep-alive message added in OpenSSL 1.0.1 in March 2012, roughly two years before the bug was disclosed in April 2014. It is tracked as CVE-2014-0160 and affects OpenSSL 1.0.1 through 1.0.1f; version 1.0.1g contains the fix. So, while we only learned about it last week, this issue has been around for a while.
The good news is that this is an isolated programming bug (a missing length check) in certain versions of this particular library, not a design flaw in the underlying SSL/TLS protocol. This means the fix is relatively simple: install your vendor's patch or upgrade to a version that isn't vulnerable. It also means that if your organization doesn't use OpenSSL, your servers are not impacted. Be careful with that conclusion, though: network appliances, VPN gateways, load balancers and client programs frequently bundle their own copy of OpenSSL, so "we don't use OpenSSL" needs to be confirmed with each vendor rather than assumed.
Why should I care?
What makes this bug such a big deal, aside from how widespread it is, is the kind of data that can be disclosed to attackers. Each malformed heartbeat request can return up to 64 KB of the server's memory, and the request can be repeated indefinitely without leaving a trace in ordinary application logs. What comes back often includes usernames and passwords, session cookies, and the private keys a server uses to protect its encrypted sessions with clients. Disclosure of this type of information can completely undermine a site's security model and result in massive data breaches: with a stolen private key, an attacker can impersonate the site or decrypt recorded traffic from connections that did not use forward secrecy.
What actions should I take to protect my firm?
The first thing to do is determine whether your firm is using OpenSSL, and where. Your IT staff or IT contractor should be able to provide this information; on a Linux server, "openssl version" and the installed package list are the quickest starting points. Internet-facing services should be addressed first, but make sure to also look at internal communication links. It's fairly common for databases, mail servers and other applications to use OpenSSL to secure internal server-to-server communications, and for client software and appliances to bundle their own copy.
Once you have identified which systems are affected, upgrade them to a version of OpenSSL that is not vulnerable (1.0.1g or later, or your distribution's patched package). After the upgrade, restart every service that uses OpenSSL, or simply reboot the host: a running process keeps the old, vulnerable library loaded in memory until it is restarted, so the upgrade is not effective until that happens.
After your systems have been upgraded, you should strongly consider rotating your SSL certificates: generate new private keys, obtain new certificates for those keys, install them, and then revoke the old certificates. The order matters, and so does the new key; having your certificate authority reissue a certificate for the same key accomplishes nothing, because it is the key that may have leaked. This is a prudent course of action because the bug has been around for so long, and exploitation leaves so little evidence, that it can be extremely difficult (sometimes impossible) to determine whether the keys have already been compromised.
When repairs are complete, you should consider expiring active user sessions and notifying the site's users, recommending that they change their passwords.
If you use IT service providers (e.g., cloud services), you should also contact them to determine whether their services were impacted and, if so, whether they have completed their remediation. Once they have a fix in place, change all passwords used to access their services.
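The business steps above (check the installed version, verify that nothing is still running the old library after the upgrade, then generate a fresh key and certificate request) as a set of shell helpers for a Linux/Unix host. This is an added example, not code from the original advisory or from LBMC. It assumes a POSIX shell with the openssl and lsof tools installed; the function names, the script name heartbleed_check.sh, the hostname argument and the output file names are placeholders chosen for the example.

```shell
#!/bin/sh
# Heartbleed (CVE-2014-0160) remediation helpers for a Linux/Unix server.
# Added example; not code from the original advisory or from LBMC.
# Assumes a POSIX shell with openssl and lsof on PATH. Hostname and output
# file names are placeholders.

# Step 1: is the installed OpenSSL in the affected range?
# Upstream releases 1.0.1 through 1.0.1f (and 1.0.2-beta1) are vulnerable;
# 1.0.1g and later, and the 1.0.0 / 0.9.8 branches, are not.
# Takes the output line of "openssl version", e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# Caveat: Linux distributions often backport the fix without changing this
# version string, so "vulnerable" here means "check the vendor advisory and
# package changelog", not "confirmed hole".
openssl_version_vulnerable() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2 follow-up: after the package upgrade, list processes that still have
# the old (now deleted) libssl/libcrypto mapped; they run vulnerable code until
# restarted. lsof marks such mappings with FD "DEL" or a "(deleted)" suffix,
# depending on the lsof version (assumed formats). Prints "PID COMMAND" lines;
# empty output means every process is on the new library.
stale_ssl_processes() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not installed" >&2; return 2; }
    lsof -n 2>/dev/null |
        awk '/lib(ssl|crypto)/ && ($4 == "DEL" || /\(deleted\)/) { print $2, $1 }' |
        sort -u
}

# Steps 3-4: generate a fresh private key and certificate signing request for
# the host. Submit the CSR to your certificate authority, install the new
# certificate, then ask the CA to revoke the old one. Reissuing a certificate
# for the OLD key would leave the leak unaddressed, so the key must be new.
rekey() {
    host="$1"
    openssl genrsa -out "$host.key" 2048 &&
        chmod 600 "$host.key" &&
        openssl req -new -key "$host.key" -out "$host.csr" -subj "/CN=$host" &&
        echo "new key: $host.key  CSR: $host.csr"
}

# Report for this host. Run as:  sh heartbleed_check.sh check
if [ "${1:-}" = "check" ]; then
    v=$(openssl version 2>/dev/null) || v=""
    if [ -z "$v" ]; then
        echo "openssl not found on PATH; check the package list (e.g. dpkg -l | grep libssl)"
    elif openssl_version_vulnerable "$v"; then
        echo "$v: in the affected range; confirm with the vendor advisory and upgrade"
    else
        echo "$v: not in the affected range"
    fi
    echo "processes still holding the old library:"
    stale_ssl_processes
fi
```

Run the check before and after the upgrade; the second run should report a fixed version and print no stale processes. The version test is deliberately conservative: because distributions backport fixes, a flagged version is a prompt to read the package changelog, and the only truly reliable signal is the vendor's own advisory. Call rekey once per certificate (for example, rekey www.example.com) only after the upgrade and restart are done, since a key generated on a still-vulnerable server can leak just like the old one.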
How can I protect my personal info?
Individuals should take a risk-based approach and focus on the most sensitive websites they use first. These include online banking, brokerage and investment sites, and frequently used e-commerce sites. First, determine whether the site was impacted by the Heartbleed bug; most sites are either prominently posting messages or proactively sending communications to their user base. If the site wasn't impacted, no action is necessary. If it was, determine the status of their remediation. Once repairs are complete, change your password; if you reused that password on any other site, change it there as well. Changing a password before the website has fixed the issue simply exposes the new password to the same leak.
Key takeaways: 5 steps
For businesses, the key steps include:
1. Identify which systems under your control have been impacted (make sure to evaluate both server and client software)
2. Upgrade those systems to a version of OpenSSL that is not vulnerable
3. Create/obtain new encryption keys and SSL certificates
4. Revoke the old certificates
5. Notify your clients/customers, once the fix is in place, that they should change their passwords.
For individuals, if sites you use were impacted, make sure they have fixed their systems, and then change your passwords afterward.
Jason Riddle is Practice Leader for LBMC Managed Security Services, where he helps clients defend their networks. For more information on keeping your network safe visit www.lbmcsecurity.com or call Jason at 615-690-1984.