Sunday, May 18, 2014

Take These Steps to Stomp out the Heartbleed Bug

by Stephen Smith
Originally posted April 17th 2014 @ http://bit.ly/1mITCZu

The so-called “Heartbleed” bug has caused quite an uproar since its presence came to light on April 7. Uncovered within OpenSSL, a widely used implementation of the Secure Sockets Layer (SSL) network security protocol, this Internet security flaw allows attackers unauthorized access to sensitive server data, including private encryption keys.
Though just discovered, the vulnerability has existed for more than two years. Further, the Transport Layer Security (TLS) network security protocol may be vulnerable as well.
If an attacker gains access to cryptographic keys located in the memory of vulnerable servers and applications, those keys can be used to impersonate the site and to collect additional information such as passwords.
The Heartbleed bug should be taken seriously, and financial institutions must complete the following steps in order to detect and remediate possible vulnerabilities:
Stage 1: Discovery
  • Scan all devices and network systems that might utilize SSL/TLS protocols. The vulnerability affects versions 1.0.1a through 1.0.1f of OpenSSL. Keep in mind that OpenSSL version 1.0.1g, the newest version, directly addresses this vulnerability. Further, versions older than the 1.0.1 line are not vulnerable.
  • Scan all possible common ports for SSL/TLS.
  • While public-facing services—those with a public IP address—are the most at risk and warrant top priority, scan private assets for this vulnerability as well.
Stage 2: Remediation
  • Update all versions of OpenSSL to 1.0.1g, and contact your vendors for all services that you do not directly control. Alternatively, you can have OpenSSL recompiled on compromised devices with the -DOPENSSL_NO_HEARTBEATS flag enabled.
  • If you locate any vulnerable devices or services, consider your private key compromised. Contact your certificate vendor to generate a new certificate as soon as possible.
  • Ensure you are using a unique certificate for each device or service you manage. If your organization has multiple websites and uses a single certificate for all of them, a compromise of one website means all of them should be considered compromised. Avoid using a single “wildcard” certificate going forward.
  • After applying a new certificate to a service, consider having all users change their passwords.
Stage 3: Moving Forward
  • SSL/TLS best practices are well-documented. Qualys SSL Labs, for example, provides a full overview of best practices.
CSI is available to help our customers determine the presence of this vulnerability on servers and in services through such tools as vulnerability assessments. We also are on hand to guide you through the remediation steps, which will vary greatly depending on individual circumstances.
Also, for those looking to learn more about the vulnerability and what steps should be taken to mitigate risk, we invite you to join us for a complimentary webinar on Tuesday, April 29, at 3:00PM CT. We’ll share insight into what financial institutions should do to safeguard their systems. You may register here.
Together, we will ensure the Heartbleed bug is stomped out of your systems for good.