Have You Budgeted for the Next Heartbleed?
Blog Article Published: 05/15/2014
By Gavin Hill, Director/Product Marketing and Threat Intelligence, Venafi

Last month the Heartbleed vulnerability took the world by storm. IT groups across the globe scrambled to patch systems that were susceptible to the OpenSSL vulnerability known as Heartbleed. Y2K—the millennium bug—is dwarfed by the impact the Heartbleed vulnerability has had on the world. Let’s face it, software has vulnerabilities and cybercriminals will take advantage of them. We can expect another “Heartbleed-like” vulnerability and should prepare—now. The question is, have you budgeted for it? Have you considered the costs associated with responding to the Heartbleed vulnerability? I’m not talking about the financial impact from the theft of intellectual property or brand damage, but the man-hours and salary costs of the response itself. Before looking at those costs, here’s a quick recap of the severity of the Heartbleed vulnerability:
- An attacker can steal keys and certificates without a trace.
- The stolen keys and certificates can then be used in trust-based attacks like phishing, man-in-the-middle (MITM), and replay attacks.
- The only way to remediate is to patch susceptible OpenSSL systems and replace all keys and certificates.
- Replacement of all keys and certificates is recommended, because you don’t know which systems—even non-OpenSSL ones—may have had keys and certificates stolen via stepping-stone attacks. You must assume all keys and certificates have been stolen!
- Generate a new key
- Issue a certificate signing request (CSR)
- Install the new key and certificate on the respective system
- Revoke the old certificate
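The key and certificate replacement steps above, as an added shell example that is not from the original post: it generates a replacement key and CSR with the openssl CLI and then checks that the new key really differs from the old one and that the CSR is bound to the new key, which catches the common mistake of reissuing a certificate on the compromised key. It assumes the openssl CLI is on PATH; file names and the hostname are placeholders.

```shell
#!/bin/sh
# Added example (not Venafi's code): rotate a key, build its CSR, and verify
# that the replacement material really differs from the old, exposed key.
# Assumes the openssl CLI is on PATH; file names below are placeholders.
set -eu

# Minimal req config so the script does not depend on a system openssl.cnf.
REQ_CFG="$(mktemp)"
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$REQ_CFG"

# Step 1: generate a brand-new private key. Never reuse the old key:
# after Heartbleed the old key must be assumed stolen.
gen_key() {  # gen_key <out.key>
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# Step 2: issue a CSR from that key for the given hostname.
gen_csr() {  # gen_csr <in.key> <hostname> <out.csr>
    openssl req -new -config "$REQ_CFG" -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null
}

# SHA-256 fingerprint of the public key (DER SubjectPublicKeyInfo) in a private key.
key_fpr() {  # key_fpr <key>
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Same fingerprint for the public key carried inside a CSR.
csr_fpr() {  # csr_fpr <csr>
    openssl req -in "$1" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Check A: the replacement key is not the compromised key (returns 0 when they differ).
key_rotated() {  # key_rotated <old.key> <new.key>
    [ "$(key_fpr "$1")" != "$(key_fpr "$2")" ]
}

# Check B: the CSR was built from the new key, not regenerated from the old one.
csr_matches_key() {  # csr_matches_key <csr> <key>
    [ "$(csr_fpr "$1")" = "$(key_fpr "$2")" ]
}

# Demo run in a scratch directory; old.key stands in for the key that was exposed.
WORK="$(mktemp -d)"
gen_key "$WORK/old.key"
gen_key "$WORK/new.key"
gen_csr "$WORK/new.key" "www.example.com" "$WORK/new.csr"
key_rotated "$WORK/old.key" "$WORK/new.key" && echo "new key differs from old key"
csr_matches_key "$WORK/new.csr" "$WORK/new.key" && echo "CSR is bound to the new key"
echo "next: install new.key with the issued certificate, then revoke the old certificate"
```

Steps 3 and 4 (installing the new material and revoking the old certificate) are system- and CA-specific, so the script only prints a reminder for them.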