The Heartbleed security bug has left vendors scrambling to patch vulnerable products, websites and services, but enterprises shouldn't sit idly by and wait for new patches and reissued certificates. Companies must do their own due diligence to determine how much the exploit affected their own environments. They may find they need to re-evaluate their entire approach to security.
Heartbleed is a security vulnerability within certain versions of OpenSSL, an open source implementation of Secure Sockets Layer (SSL). OpenSSL is supposed to send out a "heartbeat extension" to verify the connection between two servers or devices is live and is encrypting sensitive information on Web servers, but researchers discovered OpenSSL is flawed. Attackers can access encrypted content, usernames, passwords and private keys for X.509 certificates by sending malformed heartbeat requests. The security bug is bringing up new questions for the industry around the viability of OpenSSL -- which is used by approximately 66% of all active websites.
"This needs to be a 'trust but verify' conversation," said John Pironti, president of Rowley, Mass.-based consultancy IP Architects LLC. "Blindly trusting open source code to be bug-free and viable is probably not a good idea at this point."
What vendors are doing about the Heartbleed security bug
Many enterprises have been relatively helpless, waiting for vendors to patch their products and services. The most important thing companies should be doing is implementing the patches where they can, and updating the OpenSSL software," said Joseph Schumacher, senior security consultant for Chicago-based security and risk management consulting company Neohapsis.
Many large networking vendors use OpenSSL code within their offerings. Products or services using any version of OpenSSL released between March 2012 and April 2014 were affected.
Several offerings from Juniper Networks -- including its network and cloud access control platform, Unified Access Control (UAC) -- were affected by the OpenSSL vulnerability, but the company patched all its affected products. The last patch for UAC was issued late last week. "Every Juniper product affected by the Heartbleed vulnerability now has a fix," according to a Juniper spokesperson. "We continue to work closely with customers to help them update their systems."
Multiple Cisco products and platforms incorporate a version of the OpenSSL package affected by the Heartbleed security bug, including its Nexus 1000V Switch for Microsoft Hyper-V, and several telepresence offerings and IP phones. Cisco has issued several software updates, and is still working on more patches and workarounds. The company is still investigating some products to determine if -- and how much -- they have been impacted, according to a Cisco security advisory.
While Cisco has been slow and deliberative with its patches, some vendors have rushed out patches that were not complete. Akamai Technologies Inc. attempted to get ahead of Heartbleed and immediately introduced a patch to block any potential exploits. The Cambridge, Mass.-based content delivery network provider later determined the patch was only partially effective, and has since replaced it with a new patch, which allows end users to keep the same OpenSSL version, but alters the code so access to sensitive data is blocked, Neohapsis' Schumacher said.
The Heartbleed security bug: What immediate action should enterprises take?
Some vendors are rallying to help enterprises get a better understanding of Heartbleed's impact within their environments. Seattle-based ExtraHop Networks has been showing its customers how to use its wire data analytics to detect vulnerabilities and exploits from Heartbleed. ExtraHop has even announced a new Heartbleed security bundle -- a free offering that expands on ExtraHop's compliance and security capabilities, said Tanya Bragin, principal product manager at ExtraHop.
Prior to the Heartbleed security bug, ExtraHop's security tools already analyzed audit and compliance information -- including SSL. "By the virtue of looking at wire data for application performance management, our platform allowed us to … detect certain exploits," she said. "Our platform was already counting heartbeats, but it was kind of buried in our reporting."
Hackers can exploit the Heartbleed vulnerability by sending malformed heartbeat requests to servers to trick them into revealing data from previous transactions. ExtraHop's new Heartbleed security bundle highlights the volume of these heartbeats, which servers are targeted, and which parties are sourcing the attacks on a geomap.
"We can tell customers who have us deployed whether or not the [Heartbleed] vulnerability was being, or had even been, targeted and exploited," Bragin said.
Along with taking advantage of updated patches and performance monitoring tools, intrusion protection tools can also help identify and block rogue access to sensitive data. If patches aren't available yet, enterprises should be exploring how they can mitigate vulnerabilities -- like putting an unaffected server in front of a service to make that initial connection to the public Internet, or even shutting down a service until it can be remediated, Neohapsis' Schumacher said.
To some extent, enterprises' hands are tied, but that doesn't mean businesses can't reach out to their vendors, he said. "You don't have to sit back. If you think you have a system or are using a product that is vulnerable to Heartbleed, you need to investigate that further, reach out to your vendors, or look at different security alternatives, depending on the sensitivity of the data," he said. "If you're trying to protect things like banking information, you should not be just waiting on vendors to update their security."
While there may not be many ways for enterprises to truly evaluate whether a vendor patched their systems, enterprises can demand proof that changes were made by asking for evidence, such as records of change tickets and updates made to their systems, he added.
"The industry also needs to keep an eye out for any similar vulnerabilities that might be out there, and then be able to react quickly," Schumacher said.
Should open source be trusted?
Despite the Heartbleed security bug, enterprises shouldn't avoid open source technology. The publicity around the OpenSSL flaw will likely have a reverse effect, attracting more resources for securing open source projects, IP Architects' Pironti said.
Cisco, along with companies like Google, Facebook, IBM and Microsoft, are joining forces to boost support for open source projects, and OpenSSL will be the first priority, according to Nigel Glennie, a spokesperson from Cisco's Product Security Incident Response Team.
And the more eyes, the better, Pironti said. "It's great to use open source because it's free, readily available code, but enterprises and vendors still have to do assurance testing themselves, and not just trust the open source community will handle it."
Attackers, researchers exploit Heartbleed security vulnerability
Heartbleed OpenSSL vulnerability may pose risk to Android users
Revoked certificates cause issues after Heartbleed