Recommendations for the Heartbleed SSL security vulnerability
Global Velocity, in collaboration with Josh More from Eyra Security, wants to keep you informed about a relatively new Internet security vulnerability. We feel that security works best when everyone functions as a team, be they consultants, vendors or clients. Collaborations such as this allow us to get the word out about ways to help you improve security and compliance, and reduce the risk of a data breach.
By now, you’ve almost certainly heard of the recent Heartbleed SSL security issue. When such critical concerns arise, we like to do our best to cut through the hype. In our experience, the root cause of most security issues is not under-investment but misplaced investment: a knee-jerk reaction that seldom provides tangible benefits.
So without getting into the technical details, what does this SSL security issue mean to you? The first thing is that, while a patch fixes the flaw, it does not address the core concern. Because the weakness is two years old, we must assume there is a high likelihood that some sensitive data was lost. Thus, we must determine both which data is at risk and what to do about it.
At the time of this email, the likely concerns fall into four categories: keys, certificates, passwords and vendors. Due to how the attack works, this information is vulnerable to theft, and it (along with other related sensitive data) might already have been stolen. This means:
- If you are running a Linux-based web server, or a Windows server with a proxy or load balancer, anyone who has stolen the key can pretend to be you. Thus, if they trick your customers into connecting to them, they win.
- If you use an SSL-based VPN, anyone who has stolen either a key or a certificate may connect to your network as anyone else.
- Any passwords you use to connect to frequently-used secured sites (such as Yahoo, Google, Amazon, etc.) may be known to attackers.
- Vendors may have provided you with vulnerable software.
The problem is that, unless you had robust security monitoring in place, you can’t know whether you’ve been attacked. While it’s likely that you weren’t, the uncertainty, and the risk that comes with it, will only increase as time goes by. Luckily, fixing these problems is free. Here are the steps that industry experts are recommending you take:
- Apply all your SSL patches. Remember that this applies to any system that uses HTTPS, not just web servers. Firewalls running VPN services are also at risk.
- Once you’ve patched and restarted the services, re-generate your private keys and re-issue your certificates. If attackers have stolen your keys, they can still attack you after you’ve patched.
- Revisit your accounts and change your passwords. There are some good lists of sites to review, but really, if you’ve not changed all your passwords recently, just do it. It’s time. Consider a password wallet like KeePass to create and track custom passwords for each site.
- Run through a list of all your vendors and, if they provide software or a web application, ask them how they’re addressing the Heartbleed security issue. If they don’t have an answer for you, consider whether you trust them with your data.
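As an added example (not code from the original email, Eyra Security or Global Velocity), the following POSIX shell script walks through the second step above: it mints a new private key and CSR, then checks that the replacement certificate actually carries a different public key from the old one, since a certificate "re-issued" for the same key leaves a leaked key fully usable. It assumes the openssl command-line tool; the file names and the self-signed "old" certificate are constructed for the demo.

```shell
#!/bin/sh
# Added example: rotate a possibly-leaked key and verify the new certificate
# really uses the new key. Assumes the openssl CLI; file names and the "old"
# self-signed certificate are constructed placeholders for the demo.
set -eu

# SHA-256 of the DER-encoded public key held inside a PEM private key.
pubkey_fp_of_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key held inside a PEM certificate.
pubkey_fp_of_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# A fresh 2048-bit RSA key (never reuse the old one) plus a CSR to send to the CA.
# $1 = common name, $2 = key output path, $3 = CSR output path.
generate_new_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$2" 2>/dev/null
    chmod 600 "$2"
    openssl req -new -key "$2" -subj "/CN=$1" -out "$3" 2>/dev/null
}

# Succeeds only if the certificate ($2) was issued for a key other than the old key ($1).
cert_uses_new_key() {
    [ "$(pubkey_fp_of_key "$1")" != "$(pubkey_fp_of_cert "$2")" ]
}

# Demo on constructed files. The self-signed "old" certificate stands in for the
# pre-patch deployment; in practice the new certificate comes back from your CA
# and the old certificate should also be revoked.
demo_rekey() {
    d=$(mktemp -d)
    generate_new_key_and_csr www.example.test "$d/old.key" "$d/old.csr"
    openssl x509 -req -in "$d/old.csr" -signkey "$d/old.key" -days 1 -out "$d/old.crt" 2>/dev/null
    generate_new_key_and_csr www.example.test "$d/new.key" "$d/new.csr"
    openssl x509 -req -in "$d/new.csr" -signkey "$d/new.key" -days 1 -out "$d/new.crt" 2>/dev/null
    if cert_uses_new_key "$d/old.key" "$d/old.crt"; then
        echo "BUG: old certificate reported as re-keyed"; rm -rf "$d"; return 1
    fi
    cert_uses_new_key "$d/old.key" "$d/new.crt" && echo "rekey verified: new certificate uses a new key"
    rm -rf "$d"
}
```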
We wanted to send this email to prevent yet another round of fear and doubt from stealing the resources you need to protect yourself and run your business. As you can see, despite what’s being reported far and wide, the sky is not falling, although the situation is serious and we’ll be dealing with this issue for a long, long time. If you have further concerns about this, or similar data security issues, please reach out to us.
Eyra Security is here to help you learn how to make the most powerful security improvements with the least investment. More information: https://www.eyrasecurity.com/
Global Velocity specializes in providing enterprise and cloud sensitive data control that is both cost-effective and flexible for businesses of all sizes. More information: http://www.globalvelocity.com/
We sincerely hope this email was worth the time you took to read it. Since we all only ever improve with feedback, please let us know what we could do better.
- Josh More, President, Eyra Security
- Sponsored by Global Velocity