Best practices to prevent and mitigate incidents like Heartbleed
By Steven Rosen April 16, 2014
- Consumers have received alerts, but securing corporate information is much more complex
- Important to deploy adequate tools to help keep track of patches and bugs across systems
Recently, Malaysians were made aware of Heartbleed, a major encryption flaw that affects web servers running OpenSSL.
Known as one of the biggest security threats online, the flaw allows cybercriminals to read crucial personal and corporate information held in memory by cloud-hosted websites such as Facebook, Google and Twitter.
As such, patrons of these open platforms may have been exposing their crucial and private data for the past two years.
Since its inception in 2012, OpenSSL has been a popular choice amongst companies as it is a free platform. In fact, according to a recent Netcraft Web Server survey across 959 million websites globally, around 66% are powered by technology built around OpenSSL.
However, some of the technology used to secure communication was jeopardised for over two years by the Heartbleed bug.
While consumers have received alerts from several websites to update their passwords to protect their information, securing corporate information is much more complex.
Companies need to track and assess their systems for exposures and may not be aware of what to do, or may even procrastinate. This delay creates an opportunity for hackers to seize the moment and exploit the data at hand.
What businesses can do
If businesses have been using OpenSSL, a quick reactive process should be in place to analyse and identify the risks they are exposed to, and they should then take steps to immediately address them.
After this, they should run an audit to ensure no other information has been compromised on the system.
However, the challenge businesses face is that the exploit looks like an ordinary TLS heartbeat message and leaves no trace in logs, which makes it near impossible to tell whether any information has been read from memory through this flaw.
To mitigate this issue, it is important for businesses to deploy adequate tools to help keep track of patches and bugs across systems.
Here are some crucial moves businesses can take into consideration:
- Implement a standard operating environment (SOE), which standardises all applications and tools in use;
- Use a configuration management database (CMDB), which assesses all servers and network elements, collects configuration-specific information and brings it together in a single database.
  - If an issue comes up, the CMDB can run a report so that the business is immediately aware of which areas are affected and can address them appropriately;
- Adopt the IT Infrastructure Library (ITIL), the enterprise standard across the world for how IT should be structured.
  - Part of ITIL is a patch management process, which ensures the SOE stays healthy, functionally capable and secure. It also keeps track of functional and security patches, so that the right patch can be identified and deployed quickly if a compromise is found.
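The CMDB report described above can be as simple as comparing each host's recorded library build against the affected range published in a vendor advisory. The script below is an added example, not code from the article or from Xchanging: it parses OpenSSL-style version strings (where a trailing letter is the patch level), flags every host in a constructed inventory that falls inside the advisory range, and reports hosts whose version cannot be read separately rather than silently treating them as safe. All hostnames, versions and the advisory range are constructed placeholders; the real affected range must be taken from the OpenSSL security advisory.

```python
"""CMDB-driven exposure report for a vulnerable library version range.

Added example (not from the article or from Xchanging). All hostnames,
versions and the advisory range below are constructed placeholders.
"""
import re
from dataclasses import dataclass

# OpenSSL-style versions: "1.0.1f" -> (1, 0, 1, "f"). The trailing letter is
# the patch level and sorts after the bare release ("1.0.1" < "1.0.1a").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(text: str) -> tuple:
    """Turn an OpenSSL-style version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, fix, patch = m.groups()
    return (int(major), int(minor), int(fix), patch)


@dataclass(frozen=True)
class Advisory:
    """Affected range as a vendor advisory states it: [first_affected, first_fixed)."""
    name: str
    first_affected: str   # inclusive: first build carrying the flaw
    first_fixed: str      # exclusive: this build and later carry the fix

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.first_affected) <= v < parse_version(self.first_fixed)


def exposure_report(inventory: list, advisory: Advisory) -> dict:
    """Split a CMDB inventory into hosts needing action, hosts already clear,
    and hosts whose recorded version is missing or unparseable.

    Each inventory record is {"host": ..., "openssl": ...}. An unreadable
    version is reported as "unknown" instead of being counted as safe, which
    is the failure mode a patch audit must avoid.
    """
    report = {"affected": [], "clear": [], "unknown": []}
    for item in inventory:
        try:
            bucket = "affected" if advisory.affects(item["openssl"]) else "clear"
        except (ValueError, KeyError):
            bucket = "unknown"
        report[bucket].append(item["host"])
    return report


# Constructed sample CMDB export (placeholder hostnames and versions).
SAMPLE_INVENTORY = [
    {"host": "web-01.example.test", "openssl": "1.0.1e"},
    {"host": "web-02.example.test", "openssl": "1.0.1g"},
    {"host": "api-01.example.test", "openssl": "1.0.1"},
    {"host": "lb-01.example.test", "openssl": "0.9.8y"},
    {"host": "old-01.example.test", "openssl": "n/a"},
]

# Constructed placeholder range; take the real one from the vendor advisory.
SAMPLE_ADVISORY = Advisory(name="placeholder-advisory",
                           first_affected="1.0.1", first_fixed="1.0.1g")

if __name__ == "__main__":
    for bucket, hosts in exposure_report(SAMPLE_INVENTORY, SAMPLE_ADVISORY).items():
        print(f"{bucket:9s} {', '.join(hosts) or '-'}")
```

In practice the inventory would come from the CMDB export and the advisory record from the vendor feed; the point of keeping the "unknown" bucket is that hosts the CMDB cannot describe are exactly the ones that fall through a patch process.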
Many people may not be aware that Windows or iOS updates are in fact patches for functional or security issues. They are either mandatory or optional for certain software, and a robust management system can be designed to automate such updates on a weekly or monthly basis whenever they become available.
To continue using OpenSSL
If companies want to continue using OpenSSL, they can choose between a wildcard certificate, which uses a single encryption key across all subdomains, and a separate certificate and key for each subdomain.
Security best practices recommend a separate key for each subdomain, but depending on the criticality of the systems and data, it may be more cost-effective to use a wildcard certificate.
While organisations can still choose to use OpenSSL, it is also the company's responsibility to ensure that all security gaps associated with OpenSSL and other free tools or platforms are actively monitored and addressed.
Steven Rosen is CIO at Xchanging Malaysia; Xchanging provides business processing, technology and procurement services internationally for customers across multiple industries.