With impacts on an estimated 60-70% of websites, Heartbleed is easily the security vulnerability with the highest degree of potential impact ever. There’s lots of good guidance out there at this point as to what end users can try to do to insulate themselves from any negative consequences.
Large organizations obviously need to determine where they have websites and network equipment that is vulnerable, in order to rapidly remediate this. Scanning your IP address range (both for internal addresses, and for IP addresses exposed to the Internet) should be done ASAP, to allow you to identify all sites, servers, and other equipment using Open SSL, and needing immediate patching.
In the last few days, it has become clear that we’re not just talking about websites/web servers. Numerous network equipment vendors have used OpenSSL in their networking products. Look closely at your routers, switches, firewalls, and make sure that you understand in which of these OpenSSL is also an issue. The impact of OpenSSL and Heartbleed on these infrastructure components is likely to be a bigger problem for organizations, as the top router manufacturers all have products affected by this vulnerability.
Taking a step back from the immediate frenzy of finding OpenSSL, and patching websites and network infrastructure to mitigate this security risk, it’s pretty clear that we have a lot of work to do as a security community on numerous fronts:
- Open source security components that gain widespread use need much more serious attention, in terms of finding/fixing software vulnerabilities.
- For IT hardware and software vendors, and for the organizations that consume their products, OpenSSL and Heartbleed will become the poster child for why we need more rigorous supply chain security mechanisms generally, and specifically for commonly used open source software.
- The widespread impacts from Heartbleed should also focus attention on the need for radically improved security for the emerging Internet of Things. As bad as Heartbleed is, try to imagine a similar situation when there’s billions of IP devices connected to the internet. This is precisely where we are headed absent big changes in software assurance/supply chain security for IoT devices.
Finally, there is a deeper issue here: CIOs and IT people should realize that the fundamental security barriers, such as SSL are under constant attack – and these security walls won’t hold forever. So, take this as a warning not to simply patch your SSL and re-issue your certificates, but to re-think your strategies for security defense in depth, such as increased protection of critical data and multiple independent levels of security.
You also need to ensure that your suppliers are implementing security practices that are at least as good as yours – how many web sites got caught out by Heartbleed because of something their upstream supplier did?