How Heartbleed Is Changing Security

Email     |     Share  
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10
Next How Heartbleed Is Changing Security-2 Next

Most devastating vulnerability ever

While the media have sounded the alarm about the dangers of Heartbleed, the security community has mixed reactions over just how devastating the bug really is to enterprise security.

Steve Pate, chief architect at HyTrust, said we should be very concerned because of how much information was compromised:

The fact that information could have been taken from hundreds of thousands if not millions of servers on the Internet is of great concern. Since the bug has been out there, undetected by the open source community and thousands of companies using OpenSSL for two years, it has left many scratching their heads and wondering how this could have happened and for so long.

Chris Fedde, president of Hexis Cyber Solutions, sees Heartbleed as a way to reshape the way we consider enterprise security. First and foremost, we have to re-evaluate the way we look at open source code. But, he added, we will see long-term consequences for companies that use OpenSSL:

For enterprises, the devastation is going to come in the hours of remediation and mitigation of this vulnerability as well as assuring customers of their mitigations given all the media coverage. OpenSSL use is fairly ubiquitous and often under the hood of network appliances and software designed and performing security-reliant but not necessarily security-related tasks. To be sure they’re fully remediated from this vulnerability, they are going to need to take stock of their assets, the libraries used in those assets, and the business practices around those assets. At that point, they'll have a prioritized list of what needs to be upgraded or mitigated. This is not a trivial task in any enterprise environment.

Few cybersecurity issues have people talking, and worried, like the Heartbleed bug.

As Chester Wisniewski explained in a CNN article:

The bug itself is a simple, honest mistake in the computer code that was intended to reduce the computing resources encryption consumes. The problem is that this bug made it past the quality assurance tests and has been deployed across the Internet for nearly two years.

Heartbleed hit in ways that we once naturally assumed were secure. It affected OpenSSL, an open source code, and the open source community has long prided itself on its high levels of security. And it affected encryption, which every security expert recommends when asked how to best transmit data. Mike Gross, director of professional services and risk management at 41st Parameter, stated:

Heartbleed exposed a major gap in security that will have significant downstream effects on consumers for years. While the Heartbleed flaw itself had a relatively simple fix on the surface and consumer-facing sites and Web portals, the big unknown is whether all known servers and mobile apps affected by the flaw have been patched across large and complex enterprises. That's a very difficult undertaking and a single gap could expose consumers to the same data compromise risk and organizations to a repeat of the recent scramble.

What is most worrisome to many computer users is the widespread reach of Heartbleed. This isn’t a simple breach of one company or a vulnerability that has touched one software application. It affects the financial industry, small businesses, firewalls, printers, machinery in power plants. The list is seemingly endless.

How will enterprise security react to Heartbleed? Is this the push needed to finally re-evaluate passwords and other ineffective methods of network security?


Related Topics : Unisys, Stimulus Package, Security Breaches, Symantec, Electronic Surveillance

More Slideshows

Privacy rollback Security Pros Give Their Opinions on ISP Data Privacy Rollback

IT staff, organization leaders, and the average citizen have all expressed levels of concern over the FCC about-face in regard to ISP privacy. Here’s what the security experts say. ...  More >>

IT security skills 7 Top Skills for Security Pros

Executives at several top tech firms outline the skills they need now and in the near future, including IaaS and IoT security expertise. Other skills listed may surprise you. ...  More >>

IT security careers The Most In-Demand Security Jobs and How to Get Them

Security professionals are in demand right now, and entry-level security jobs generally fall into either an engineer or analyst role. Find out more about required skills and career paths. ...  More >>

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.