Few cybersecurity issues have people talking, and worried, like the Heartbleed bug.
As Chester Wisniewski explained in a CNN article:
The bug itself is a simple, honest mistake in the computer code that was intended to reduce the computing resources encryption consumes. The problem is that this bug made it past the quality assurance tests and has been deployed across the Internet for nearly two years.
Heartbleed hit in ways that we once naturally assumed were secure. It affected OpenSSL, an open source code, and the open source community has long prided itself on its high levels of security. And it affected encryption, which every security expert recommends when asked how to best transmit data. Mike Gross, director of professional services and risk management at 41st Parameter, stated:
Heartbleed exposed a major gap in security that will have significant downstream effects on consumers for years. While the Heartbleed flaw itself had a relatively simple fix on the surface and consumer-facing sites and Web portals, the big unknown is whether all known servers and mobile apps affected by the flaw have been patched across large and complex enterprises. That’s a very difficult undertaking and a single gap could expose consumers to the same data compromise risk and organizations to a repeat of the recent scramble.
What is most worrisome to many computer users is the widespread reach of Heartbleed. This isn’t a simple breach of one company or a vulnerability that has touched one software application. It affects the financial industry, small businesses, firewalls, printers, machinery in power plants. The list is seemingly endless.
How will enterprise security react to Heartbleed? Is this the push needed to finally re-evaluate passwords and other ineffective methods of network security?
Click through as Sue Marquette Poremba takes a closer look at Heartbleed and the effect it is having on network security strategies.
Most devastating vulnerability ever
While the media have sounded the alarm about the dangers of Heartbleed, the security community has mixed reactions over just how devastating the bug really is to enterprise security.
Steve Pate, chief architect at HyTrust, said we should be very concerned because of how much information was compromised:
The fact that information could have been taken from hundreds of thousands if not millions of servers on the Internet is of great concern. Since the bug has been out there, undetected by the open source community and thousands of companies using OpenSSL for two years, it has left many scratching their heads and wondering how this could have happened and for so long.
Chris Fedde, president of Hexis Cyber Solutions, sees Heartbleed as a way to reshape the way we consider enterprise security. First and foremost, we have to re-evaluate the way we look at open source code. But, he added, we will see long-term consequences for companies that use OpenSSL:
For enterprises, the devastation is going to come in the hours of remediation and mitigation of this vulnerability as well as assuring customers of their mitigations given all the media coverage. OpenSSL use is fairly ubiquitous and often under the hood of network appliances and software designed and performing security-reliant but not necessarily security-related tasks. To be sure they’re fully remediated from this vulnerability, they are going to need to take stock of their assets, the libraries used in those assets, and the business practices around those assets. At that point, they’ll have a prioritized list of what needs to be upgraded or mitigated. This is not a trivial task in any enterprise environment.
Or it might be all hype
Mike Davis, CTO of CounterTack, is one of several security experts who think Heartbleed is overhyped, stating:
While it is a risk to many UNIX operating systems as they use OpenSSL, the real at-risk devices in the enterprise are endpoints as that is where most attacks now occur. In this case, luckily, most enterprises use Microsoft Windows as the OS, which is not affected by Heartbleed or the reverse Heartbleed attack since Microsoft does not use OpenSSL. This limits the risk for most enterprises to their servers, network equipment and appliances.
Kurt Baumgartner, principal security researcher, Kaspersky Lab, said that the Heartbleed vulnerability hasn’t yet proven to be as destructive as many other security challenges. However, he added that we are still in the early stages of Heartbleed. It is too soon to know the true effects of the vulnerability.
There is a benefit to all of the hype. Baumgartner said Heartbleed was a very intense exercise in security response, and the disclosure process might have minimized destruction. Davis said it is a wake-up call for those companies that use OpenSSL to demand a more structured incident response and for better communication regarding critical security issues.
Or, as Morey Haber, senior director of Program Management, BeyondTrust, simply put it:
I think this will be another security blip on the radar overall but this hopefully will help educate people on the need for better password management and two-factor authentication.
Information at risk
According to Baumgartner, several types of data are really at risk because of the vulnerability:
- Private keys maintained by OpenSSL secured online services.
- In turn, the content of most encrypted communications secured by those keys.
- Any and all content maintained in memory on the vulnerable servers (webmail, PII, etc.) that should be encrypted and handled securely.
- In-memory characteristics of the online service, whether it’s application characteristics, etc. This data may further other attacks on the service.
The immediate risk with Heartbleed was that attackers could continue to expose the vulnerability and access any data being submitted via OpenSSL. The long-term risk, said Gross, is that consumers entering a username and password into a high-traffic, low-security site that has not been fully patched will expose that data to attackers who can exploit it anywhere the same username and password are used across the Web:
Most consumers have dozens (if not hundreds) of online profiles and likely share just a handful of passwords across those sites, so the risk remains that one “lowest common denominator” gap could expose every other organization in the user’s laundry list of online accounts.
Is this the end of the password as we know it?
When the Heartbleed bug was first announced, the rallying cry of computer users everywhere was “I must change every single password!” The chance that usernames and passwords could be compromised was the issue that resonated with computer users. But as we tried to figure out which passwords to change, the general question arose: Will Heartbleed finally make us rethink passwords as we know them?
But the big story with Heartbleed isn’t that it’s just a tedious password issue — it’s that for a significant portion of the Internet, there has been a long-term and foundational failure in the privacy of communication, said Geoff Webb, senior director of Solution Strategy at NetIQ:
It’s very, very ugly. Yes — we need to worry about passwords, but we really need to worry about what part of our private communications for the past couple of years have been exposed.
Still, Webb and other experts don’t believe that Heartbleed will be the end of passwords. Yes, it showed why passwords aren’t the best tool for authentication, but this is the method almost every company relies on. Will there eventually be a push to get rid of passwords? Yes, but Heartbleed does not appear to be that push.
Will two-factor authentication become more accepted due to Heartbleed?
Two-factor authentication is always better than just a username and a password, said Greg Foss, senior security research engineer at LogRhythm Labs, explaining:
I have seen many popular services moving towards this approach, especially now that multifactor authentication is much easier and more cost-effective to implement than it was a few years ago. My guess would be that the most prominent multifactor authentication mechanism will rely on the users’ smartphone. It’s fairly simple, they log in using a username and a password, then the application sends them a text message with a random pin or passcode; once they enter this, they are granted access.
But this isn’t a foolproof method either, according to Tom Cross, Lancope’s director of security research. It’s important for people to understand that Heartbleed can also be used to steal Session IDs. Cross pointed out that there have been real-world reports of sophisticated attackers bypassing two-factor authentication in OpenSSL-based VPNs in order to gain access to corporate networks by stealing Session IDs using the Heartbleed vulnerability.
Changes to enterprise security
Even if passwords are here to stay and two-factor authentication is seen as a small step above passwords and usernames, experts believe that Heartbleed will force enterprises to evaluate security methods already in place.
According to Steve Hultquist, CIO and VP of Customer Success at RedSeal Networks, we’re likely to see wider implementation of systems that offer complete, network-wide visibility and that allow companies to see which paths are potentially open and which servers are vulnerable, prioritizing the most important issues first and helping the enterprise to apply patches accordingly. Hultquist added that in most organizations today, there are still cracks in the security architecture, gaps in visibility, and a resulting inability to actually see what could happen across the network. We’re likely to see redoubled efforts to bridge the gaps between security groups, security products, logs data and analytics, and network infrastructure systems.
Expect to see more scrutiny on open source applications and a push for larger companies using these applications to provide financial assistance for better testing and security reviews, added Dodi Glenn, ThreatTrack‘s senior director of Security Intelligence and Research Labs. Glenn also pointed out that we may see more creative approaches to passwords and authentication, such as graphical passwords and more widespread use of tokens for authentication.
Heartbleed, open source and security
Has Heartbleed changed attitudes toward open source protocols and security? Those within the open source community are still strong supporters, and there are those who believe that, more often than not, the larger the number of people looking at and improving code, the better the chance a vulnerability will be caught before it does damage. There are a lot of positives to open source – rapid development of new applications and thousands of people testing code.
And bugs happen. They certainly happen in closed sources, so it is not surprising that they will happen in open source.
However, there will likely be a greater push for more vigilance. New code should be better scrutinized, especially in critical security areas like OpenSSL. As Steve Pate said:
Better penetration testing tools will be developed and larger organizations are likely to hire more security experts to ensure that the software they develop and the third-party products they integrate are thoroughly tested and reviewed.
Steps enterprise can take to relieve customer concerns
To the average consumer who doesn’t understand the difference between open source and closed source, or has no idea what OpenSSL was designed to do, stories about Heartbleed and its potential dangers are frightening. Greg Foss said absolute best measures businesses can take right now are as follows:
- Assure that their servers have been patched to remediate against the Heartbleed vulnerability.
- If they were vulnerable, admit this and take steps to recover, which includes patching and replacing any SSL certificates that may have been exposed.
- Once patched, notify users of the affected service that they should change their account credentials at next logon.
- Review firewall and server logs as far back as available and search for evidence of Heartbleed exploitation.
- Implement checks using their vulnerability scanning software to search for the Heartbleed vulnerability within the network and remediate and open holes.
- Review patching and change management policies/procedures and verify that emergency patching is covered adequately.
- Communicate these measures to all affected parties (management, users, customers, etc.).