Patching up Heartbleed isn't enough to fix the problem

Jul 29, 2014 07:29 GMT

It’s been months since Heartbleed was discovered, and yet, the world’s servers are largely unprotected against the vulnerability.

According to research from security solutions developer Venafi, 97 percent of the Global 2000 organizations’ externally facing servers remain vulnerable to cyber attacks because of incomplete Heartbleed remediation.

That’s a staggering number that should make us all think twice about what companies we deal with because our very own personal data may be on the line.

The fact that all these servers are still not properly remediated leaves the door open for attackers to spoof legitimate websites, decrypt private communications and steal sensitive data sent over SSL.

As a reminder, Heartbleed is an OpenSSL vulnerability that went undiscovered for more than two years. The problem is compounded by the fact that attacks exploiting Heartbleed leave no traces behind, which makes it almost impossible to know when data was picked up by the hackers and what type of data it was.

Successful exploits show that plenty of sensitive data can be picked up by attackers, including passwords and SSL/TLS private keys, as well as X.509 digital certificates.

Venafi points out that on top of applying the OpenSSL patch, organizations must assume that all keys and certificates were compromised, given the extent and duration of the vulnerability. They should not only issue new certificates, but also revoke the old ones.

For the Threat Research Analysis, Venafi Labs looked at 1,639 Global 2000 organizations across more than 550,000 public-facing servers and found critical security flaws. Only 387 Global 2000 organizations have fully remediated Heartbleed, which accounts for 3 percent of the total public-facing servers scanned.

The remaining 97 percent continue to be exposed to ongoing cyber attacks and malicious activity. “Enterprises must also assume, just as many did with user IDs and passwords, that all keys and certificates were compromised—not just the keys and certificates that secured the systems hosting the Heartbleed vulnerability—and must be revoked and replaced. Thousands of applications behind the firewall, including those of Cisco, Juniper, HP, IBM, Oracle, McAfee, Symantec and many others, remain exposed,” the report reads.
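The remediation Venafi describes, and the scan that measured it, come down to two questions per host: does the served certificate still carry the pre-patch public key, and was it issued after the disclosure? The following Go program is an added example, not code from the article or from Venafi; it assumes 7 April 2014 as the disclosure date, and the keys, dates and certificates it works on are constructed test data rather than anything fetched from a real organization.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// Heartbleed was disclosed on 7 April 2014; a certificate valid from before then cannot be a post-patch reissue.
var heartbleedDisclosure = time.Date(2014, time.April, 7, 0, 0, 0, 0, time.UTC)

// SPKIFingerprint hashes the SubjectPublicKeyInfo: a match between the old and
// new certificate means the key that may have leaked is still in service.
func SPKIFingerprint(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

// AssessRemediation parses the DER certificate a host serves today and compares
// it with the SPKI fingerprint recorded for that host before patching. Only
// rekeyed && reissued counts as full remediation in the report's sense.
func AssessRemediation(certDER []byte, prePatchSPKI [32]byte) (rekeyed, reissued bool, err error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false, false, err
	}
	return SPKIFingerprint(cert) != prePatchSPKI, cert.NotBefore.After(heartbleedDisclosure), nil
}

// MakeCert builds a constructed, self-signed DER certificate standing in for
// what a scan would fetch over TLS; keyID picks a deterministic Ed25519 key so
// "renewed with the old key" and "rekeyed" can both be simulated.
func MakeCert(keyID byte, notBefore time.Time) []byte {
	seed := make([]byte, ed25519.SeedSize)
	seed[0] = keyID
	key := ed25519.NewKeyFromSeed(seed)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return der
}
```

A host that merely renewed its certificate with the unchanged key after patching reports rekeyed=false, reissued=true, which is exactly the "patched but still exposed" state the report counts as unremediated.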

Kevin Bocek, vice president for security strategy and threat intelligence at Venafi, says that IT security teams are under the false impression that they’ve remediated Heartbleed by just applying the available patch. “But if someone walks into your house through an open door and steals your house keys, you don’t then rely on the same locks once you’ve closed the door,” he points out, urging organizations to find and replace all of their keys and certificates.

As for the future, Venafi’s experts believe it is difficult to predict. The company told Softpedia that it hopes this report will make more organizations aware of the continued security exposure and prompt them to remediate the situation with technology capabilities already available on the market.

“The more sophisticated attacks become, the more extensive the remediation process will have to be. CISOs should not and cannot tolerate this situation. Some IT security leaders may be told by incident response teams that a full-scale rekey, reissue, and revoke is not necessary. Others may be told that it’s too complicated or time consuming. And there has been a false assumption that patching is all that’s required. Some may be misinformed, possibly by websites that show remediation is complete, but have no awareness of changes to keys and certificates, only to basic patching,” Venafi told Softpedia.