Earlier this year, CivSource reported on the discovery of ‘Heartbleed’, a flaw in the OpenSSL library that left the door open to sensitive information on servers run by governments, corporations and financial institutions alike. For affected servers, remediation involves more than a simple patch. A number of public sector entities that were affected worked through those changes; much of the broader economy, however, lags behind. New research from Venafi shows that, 10 weeks into the response, 97% of Global 2000 public-facing servers remain vulnerable to Heartbleed.
Heartbleed (CVE-2014-0160) is a bug in OpenSSL’s TLS heartbeat extension that lets an attacker read up to 64 KB of the server process’s memory per request, simply by sending a malformed heartbeat message to the host. Proof-of-concept exploits showed that sensitive data, including passwords, session cookies, SSL/TLS private keys and X.509 digital certificates, could be extracted. Leaving the flaw unattended leaves the door open for attackers to impersonate legitimate websites, decrypt private communications and steal sensitive data sent over SSL/TLS. Applying the OpenSSL patch stops the leak, but it does not undo one that has already happened: the bug was exploitable for roughly two years before disclosure and an attack leaves no trace in ordinary server logs, so organizations must assume that every private key and certificate on an affected host was compromised, generate new keys (not merely reissue certificates for the old ones), deploy new certificates and revoke the old ones.
“I think what we’re seeing with this research is what happens when you have a culture inside security response teams that fixes vulnerabilities by patching and moving on. That’s not something that really works with Heartbleed,” says Kevin Bocek, Vice President, Security Strategy and Threat Intelligence at Venafi, in an interview with CivSource. “Adversaries are getting more brazen using SSL against organizations; that’s only going to continue, and security teams are going to have to be more adaptive.”
The report looks at the Global 2000, a group of companies that spans most sectors of the economy, including discount retailers, hotels, major banks and computing. Within that cohort, discount retailers lead the pack in response, which suggests that being hit by the Target breach and then Heartbleed in quick succession has had a real effect on how that sector treats vulnerabilities.
However, telecommunications services lag far behind, which is notable given how widely individuals and organizations depend on them. Telecommunications services account for 41% of the confirmed Heartbleed-vulnerable systems in the Global 2000 scan. Set that number beside the high-profile fight telecommunications companies are waging to end net neutrality for profit, and the now-viral Comcast customer service call starts to look like the tip of the iceberg in terms of the problems you’ll be dealing with from these providers.
Following Heartbleed’s discovery, experts from Bruce Schneier to Gartner warned that fully remediating Heartbleed requires replacing all SSL keys and certificates. Gartner analyst Erik Heidt warned that past “lazy” security and patch management was insufficient and that all keys and certificates should be replaced. That process takes time, and some certificates will expire on their own, but expiry fixes nothing if the renewal is issued for the same private key that may already have leaked; it is troubling that so many of the world’s public-facing systems must still be treated as compromised. Other OpenSSL-related vulnerabilities, such as Cupid (Heartbleed exploited over EAP-based wireless authentication rather than over a TCP connection) and the CCS injection flaw (CVE-2014-0224), only add to the ways adversaries can get in where remediation is inadequate.
“If someone walks into your house through an open door and steals your house keys, you don’t then rely on the same locks once you’ve closed the door. Organizations must find and replace all of their keys and certificates—all of them. Otherwise massive security gaps and open doors remain,” Bocek says. “The attacks are only going to get more sophisticated over time. We’ve seen exploits already where malicious activity was hidden fully inside trusted, new certificates and made it into secure systems. Security teams can’t just assume that these systems are secure anymore, or rely on patches and signatures. It’s going to require training and a culture shift toward becoming an adaptive response team.”