You’ve probably heard all about the Heartbleed vulnerability by now. Although it might not mean the total collapse of the Internet, as initial wild reports suggested, it’s also not something you can simply ignore. There are definitely some steps business IT departments should take to ensure their networks are secure.
The first step is to educate yourself and your team about the Heartbleed vulnerability—what it is, how it works, and where you might be at risk. I won’t go into detail here; since this problem was announced a couple weeks ago, ideally you’ve already taken this step. If not, you can find a bounty of information on the web, but here are a few good places to start:
- The Heartbleed Bug
- Heartbleed – Reports from the Field
- Heartbleed: Security experts reality-check the 3 most hysterical fears
Once you understand the problem, you need to evaluate your environment and determine where OpenSSL has to be updated. Only the 1.0.1 branch (1.0.1 through 1.0.1f) and the 1.0.2-beta1 pre-release carry the bug; 1.0.1g closed it, and the 0.9.8 and 1.0.0 branches never contained the heartbeat code. Are your servers up to date? Do you run any in-house developed applications that link OpenSSL statically or bundle their own copy, so that patching the system package does not reach them? Do you have any networked appliances (load balancers, firewalls, VPN concentrators) that terminate TLS with a vulnerable build? Keep in mind that some VPN clients and some mobile devices also rely on this open source cryptographic library, so be thorough in your evaluation. Be aware, too, that Linux distributions often backport security fixes without changing the version letter, so the output of openssl version alone is not conclusive; check the package changelog or the build date as well.
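As an added example that is not part of the original article, the following Python script classifies the version strings collected from each host during the inventory step above. It encodes the affected ranges for CVE-2014-0160 (1.0.1 through 1.0.1f, plus 1.0.2-beta1), treats a build compiled with -DOPENSSL_NO_HEARTBEATS as safe, and flags an affected version string with a post-fix build date as a likely distribution backport that still needs confirming. The host names, inventory tuples and the audit() helper are constructed for illustration; the version lines mimic what openssl version, openssl version -b and openssl version -f print.

```python
import re
from datetime import date

# 1.0.1g and 1.0.2-beta2, both released 7 April 2014, closed CVE-2014-0160.
HEARTBLEED_FIX_DATE = date(2014, 4, 7)

# Matches the first line of `openssl version`, e.g.
#   "OpenSSL 1.0.1e 11 Feb 2013"       -> base "1.0.1", letter "e", pre None
#   "OpenSSL 1.0.2-beta1 24 Feb 2014"  -> base "1.0.2", letter "",  pre "beta1"
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+\.\d+\.\d+)([a-z]?)(?:-(beta\d+))?\b",
                        re.IGNORECASE)


def classify(version_line, build_date=None, compile_flags=""):
    """Classify one host's OpenSSL build for CVE-2014-0160 (Heartbleed).

    version_line  -- first line of `openssl version`
    build_date    -- optional datetime.date parsed from `openssl version -b`
    compile_flags -- optional string from `openssl version -f`

    Returns (verdict, reason); verdict is one of 'vulnerable', 'patched',
    'unaffected', 'check-backport' or 'unknown'.
    """
    m = VERSION_RE.match(version_line.strip())
    if not m:
        return ("unknown", "could not parse an OpenSSL version string")
    base, letter, pre = m.group(1), m.group(2).lower(), m.group(3)
    label = base + letter + ("-" + pre if pre else "")

    if base == "1.0.1":
        exposed = letter < "g"          # 1.0.1 (no letter) through 1.0.1f
    elif base == "1.0.2":
        exposed = pre == "beta1"        # the only 1.0.2 pre-release with the bug
    else:
        return ("unaffected", f"{label}: 0.9.8 and 1.0.0 never had the heartbeat "
                              "code; later branches postdate the fix")

    if not exposed:
        return ("patched", f"{label} is at or after the fixed release")
    if "OPENSSL_NO_HEARTBEATS" in compile_flags:
        return ("patched", f"{label} was built with -DOPENSSL_NO_HEARTBEATS, "
                           "so the heartbeat handler is compiled out")
    if build_date is not None and build_date >= HEARTBLEED_FIX_DATE:
        # Debian, Ubuntu, RHEL and others backported the fix without bumping the
        # version letter; a build date after the fix is the hint that this happened.
        return ("check-backport", f"{label} string is affected but the binary was "
                                  f"built on {build_date}; confirm via the package "
                                  "changelog or a probe before closing the ticket")
    return ("vulnerable", f"{label} ships the unchecked heartbeat handler; "
                          "upgrade to 1.0.1g or later")


def audit(inventory):
    """inventory: iterable of (host, version_line, build_date, compile_flags).
    Returns {host: verdict} so the result can be handed to a ticketing system."""
    return {host: classify(ver, built, flags)[0]
            for host, ver, built, flags in inventory}


# Constructed sample inventory (hypothetical hosts, not a real environment).
SAMPLE_INVENTORY = [
    ("web01",  "OpenSSL 1.0.1e 11 Feb 2013",      date(2013, 2, 11), ""),
    ("web02",  "OpenSSL 1.0.1g 7 Apr 2014",       date(2014, 4, 7),  ""),
    ("deb01",  "OpenSSL 1.0.1e 11 Feb 2013",      date(2014, 4, 8),  ""),
    ("lb01",   "OpenSSL 1.0.1c 10 May 2012",      date(2012, 5, 10), "-DOPENSSL_NO_HEARTBEATS"),
    ("legacy", "OpenSSL 0.9.8y 5 Feb 2013",       date(2013, 2, 5),  ""),
    ("beta",   "OpenSSL 1.0.2-beta1 24 Feb 2014", date(2014, 2, 24), ""),
    ("vendor", "SSL library 3.1 (vendor build)",  None,              ""),
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{host:8} {verdict}")
```

The 'check-backport' verdict is the one that needs a human: a patched Debian or Red Hat package still reports 1.0.1e, so either read the package changelog or confirm with a heartbeat probe against a test instance rather than trusting the version letter in either direction.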
A common recommendation is to replace your certificates through your Certificate Authority (CA). Because a vulnerable server can leak its private key from memory, and there is no reliable way to tell whether that already happened, treat every key that lived on an affected system as compromised. Do this in the right order: patch OpenSSL first, generate a brand-new private key (re-issuing a certificate for the old key gains nothing), have the CA sign a certificate for the new key, deploy it, and only then revoke the old certificate. Check with your CA for the procedures if there’s any doubt.
Although detection of a Heartbleed compromise might be difficult, it isn’t necessarily impossible. An exploit attempt leaves nothing in the server’s own logs, because the heartbeat is answered inside the TLS layer before any application code runs, but it is visible on the wire: heartbeat records are rare in normal TLS traffic, and a malicious request claims a payload far larger than the record that carries it, which network monitoring or an IDS rule can flag. If nothing else, this is a good reminder that careful monitoring should always be part of your overall security plan. Remember, the vulnerable code shipped in released OpenSSL for roughly two years before it was reported; if someone had exploited this hole to pull data from your servers during that time, would your network monitoring have raised the red flag?
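As an added example that is not part of the original article, here is the detection logic in Python: it splits one direction of a TLS stream into records and, for every heartbeat record, applies the same bounds check that OpenSSL 1.0.1g added to its heartbeat handler (header plus claimed payload plus minimum padding must fit in the bytes actually received). The sample stream is constructed inline, not a real capture; the tls_record() helper and the verdict names are my own.

```python
import struct

TLS_HEARTBEAT = 0x18     # record-layer ContentType for the heartbeat extension (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16         # RFC 6520: at least 16 bytes of random padding follow the payload
MAX_PAYLOAD = 2 ** 14    # RFC 6520: payload_length must not exceed 2^14


def parse_tls_records(data):
    """Split one direction of a TCP stream into (content_type, version, body)
    TLS records; a truncated trailing record is left for the next segment."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, version, body))
        off += 5 + length
    return records


def inspect_heartbeat(body):
    """Apply the bounds check that 1.0.1g added to tls1_process_heartbeat.

    The vulnerable code trusted the 16-bit payload_length field and copied that
    many bytes out of its record buffer into the reply, so a 3-byte request
    claiming 0x4000 bytes of payload gets up to 16 KiB of process memory back.
    The fix rejects any message whose header + payload + minimum padding exceeds
    the bytes received; that same arithmetic is the detection rule here.
    """
    if len(body) < 3:
        return ("malformed", "heartbeat message shorter than its 3-byte header")
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return ("malformed", f"unknown heartbeat type {hb_type}")
    if 1 + 2 + payload_len + MIN_PADDING > len(body):
        return ("heartbleed-probe",
                f"claims {payload_len}-byte payload but record body is {len(body)} bytes")
    if payload_len > MAX_PAYLOAD:
        return ("malformed", f"payload_length {payload_len} exceeds the RFC 6520 maximum")
    kind = "request" if hb_type == HB_REQUEST else "response"
    return ("benign", f"{kind} with {payload_len}-byte payload")


def scan(stream):
    """Return (record_index, verdict, detail) for every heartbeat record in a
    plaintext TLS stream; other record types are ignored."""
    alerts = []
    for idx, (ctype, _version, body) in enumerate(parse_tls_records(stream)):
        if ctype == TLS_HEARTBEAT:
            verdict, detail = inspect_heartbeat(body)
            alerts.append((idx, verdict, detail))
    return alerts


def tls_record(content_type, body, version=0x0302):
    """Wrap a message body in a TLS 1.1 record header (helper for the samples)."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


# Constructed sample traffic: a handshake record (contents irrelevant here), a
# well-formed heartbeat request, then the classic 3-byte probe claiming 0x4000
# bytes of payload.
BENIGN_HEARTBEAT = tls_record(
    TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 4) + b"ping" + bytes(MIN_PADDING))
PROBE_HEARTBEAT = tls_record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 0x4000))
SAMPLE_STREAM = (tls_record(0x16, b"\x01\x00\x00\x04\x03\x02\x00\x00")
                 + BENIGN_HEARTBEAT + PROBE_HEARTBEAT)

if __name__ == "__main__":
    for idx, verdict, detail in scan(SAMPLE_STREAM):
        print(f"record {idx}: {verdict} ({detail})")
```

This only works on heartbeats sent in the clear, which is exactly what the public proof-of-concept does: it sends the probe after ServerHello, before the session is encrypted. Once ChangeCipherSpec has passed, only the content type byte and record length are visible, so the remaining signal is size asymmetry, a tiny heartbeat record in one direction answered by a near-16 KiB heartbeat record in the other.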
Finally, this is also a good time to revisit your network password policies. As part of Heartbleed clean-up, you probably need to have end users reset their passwords, particularly if there’s any chance your systems were open to attack, since passwords and session cookies pass through the same server memory the bug exposes. Do the reset only after the affected systems have been patched and their certificates replaced; a new password entered on a still-vulnerable server can be leaked just as easily as the old one. Of course, you’re always safer if you use passwords that expire after a set period and prompt users to change passwords at that time, and this includes administrator passwords. Also, as Orin Thomas at Windows IT Pro points out, this is a good opportunity to consider two-factor authentication. If nothing else, it would be worth your while to educate your users about two-factor authentication for personal sites such as Facebook and Gmail, particularly if they access those sites from the business network (and let’s face it, we know they do).
With a little common sense and action, you can ensure your network is protected against the Heartbleed vulnerability. Good network monitoring and safe password policies established now will also help you when similar problems are disclosed in the future.
Interested in this topic? Visit our special webinar on the Heartbleed bug! All the information about it will soon be available here.