How Heartbleed Is Changing Security

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10
Next How Heartbleed Is Changing Security-2 Next

Most devastating vulnerability ever

While the media have sounded the alarm about the dangers of Heartbleed, the security community has mixed reactions over just how devastating the bug really is to enterprise security.

Steve Pate, chief architect at HyTrust, said we should be very concerned because of how much information was compromised:

The fact that information could have been taken from hundreds of thousands if not millions of servers on the Internet is of great concern. Since the bug has been out there, undetected by the open source community and thousands of companies using OpenSSL for two years, it has left many scratching their heads and wondering how this could have happened and for so long.

Chris Fedde, president of Hexis Cyber Solutions, sees Heartbleed as a way to reshape the way we consider enterprise security. First and foremost, we have to re-evaluate the way we look at open source code. But, he added, we will see long-term consequences for companies that use OpenSSL:

For enterprises, the devastation is going to come in the hours of remediation and mitigation of this vulnerability as well as assuring customers of their mitigations given all the media coverage. OpenSSL use is fairly ubiquitous and often under the hood of network appliances and software designed and performing security-reliant but not necessarily security-related tasks. To be sure they’re fully remediated from this vulnerability, they are going to need to take stock of their assets, the libraries used in those assets, and the business practices around those assets. At that point, they'll have a prioritized list of what needs to be upgraded or mitigated. This is not a trivial task in any enterprise environment.

Few cybersecurity issues have people talking, and worried, like the Heartbleed bug.

As Chester Wisniewski explained in a CNN article:

The bug itself is a simple, honest mistake in the computer code that was intended to reduce the computing resources encryption consumes. The problem is that this bug made it past the quality assurance tests and has been deployed across the Internet for nearly two years.

Heartbleed hit in ways that we once naturally assumed were secure. It affected OpenSSL, an open source code, and the open source community has long prided itself on its high levels of security. And it affected encryption, which every security expert recommends when asked how to best transmit data. Mike Gross, director of professional services and risk management at 41st Parameter, stated:

Heartbleed exposed a major gap in security that will have significant downstream effects on consumers for years. While the Heartbleed flaw itself had a relatively simple fix on the surface and consumer-facing sites and Web portals, the big unknown is whether all known servers and mobile apps affected by the flaw have been patched across large and complex enterprises. That's a very difficult undertaking and a single gap could expose consumers to the same data compromise risk and organizations to a repeat of the recent scramble.

What is most worrisome to many computer users is the widespread reach of Heartbleed. This isn’t a simple breach of one company or a vulnerability that has touched one software application. It affects the financial industry, small businesses, firewalls, printers, machinery in power plants. The list is seemingly endless.

How will enterprise security react to Heartbleed? Is this the push needed to finally re-evaluate passwords and other ineffective methods of network security?


Related Topics : Unisys, Stimulus Package, Security Breaches, Symantec, Electronic Surveillance

More Slideshows

PAM PAM Solutions: Critical to Securing Privileged Access

To protect the company from those insiders who abuse their privileged access and from hackers with stolen credentials, many companies are turning to a privileged access management (PAM) solution. ...  More >>

Fake news How Can We Fix the Fake News Problem?

Is fake news a security issue? Some say yes, as it can be used as a social engineering tool to spread disinformation and conceivably to get unsuspecting users to click on malicious links. ...  More >>

blockchain The World According to Blockchain

Blockchain comes with many costs and is surrounded by confusion. Here, we examine realistic use cases, drawbacks and the potential of blockchain. ...  More >>

Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.