Has an entire year actually passed since the Heartbleed vulnerability was discovered? It seems like only yesterday that my social media news feeds were in pure panic mode. Chicken Little, the sky is falling! Or, in this case, the Internet is broken and our privacy is gone and everything we ever posted is going to be stolen!
The mass hysteria was unlike anything I’ve witnessed before or since in regards to IT security, and I’d be willing to bet if I asked 10 people about Heartbleed today, at least eight of them would have no memory of it. They’ve moved along to the next crisis, real or imagined.
So Heartbleed might be out of mind, but it isn’t out of our networks. And that’s the problem. A year later, 74 percent of Global 2000 companies are still vulnerable, according to a new study by Venafi. In August, a similar survey found that 76 percent of Global 2000 companies hadn’t fully addressed Heartbleed. I’m not a math whiz, but a 2 percent improvement over an eight-month period doesn’t sound positive. Plus, this just includes the 2,000 biggest companies in the world. I have my doubts that if large corporations are still struggling with Heartbleed, smaller companies are doing any better.
Why haven’t companies done more to fix the Heartbleed vulnerability? The Venafi research explained it:
Organizations have either given up on properly replacing keys and certificates, most likely not grasping the full risk exposure this creates, or do not have the knowledge to understand how to complete remediation. As detailed by Gartner and industry experts such as Bruce Schneier, security teams must go beyond simply patching and also replace the private key, re-issue a new certificate, and revoke the old one.
Also, as CSO Online pointed out:
There were four steps to eliminating Heartbleed, and most organizations only completed one or two of them, the most common being updating OpenSSL.
Not completely fixing Heartbleed could end up being very expensive. According to the Ponemon Institute’s 2015 Cost of Failed Trust report, by not fixing the vulnerability, companies could be paying up to $53 million over the next two years as a result of attacks on keys and certificates.
As I said first thing in this post, Heartbleed caused panic like I’ve never witnessed before. Yet, is this report also playing Chicken Little about the dangers of an unchecked Heartbleed? CSO Online referred to Robert Graham with Errata Security, who said that because only a small number of networks were actually affected by Heartbleed, the concerns of “3 out of 4 companies” not having fixed the problem “slants” the study.
Maybe so. However, I think that a year after the fact, the numbers should be better than this. It would be good to know, too, just how many users are still at risk.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba