Risks of Not Fixing the Heartbleed Flaw

Posted on by Fahmida Y. Rashid

By now you’ve seen reports about the data breach at Community Health Systems where attackers stole non-medical records for 4.5 million patients, and how attackers targeted the Heartbleed flaw to get on the network. This should be a warning to IT admins: Did you fully address the bug in your own networks?

"Unless fully remediated, Heartbleed leaves open doors for attackers to extract data, including credentials like passwords and encryption keys, which provide long-term visibility and access to the kind of data stolen from Community Health Systems," says Kevin Bocek, vice-president of security strategy and threat intelligence at Venafi.

The Heartbleed vulnerability in OpenSSL (CVE-2014-0160) meant sensitive data, such as encryption keys, bits of network traffic, credentials, and session keys could be extracted from the memory of unpatched systems. A trusted and anonymous source close to the CHS investigation told TrustedSec that attackers grabbed user credentials from a Juniper device’s memory, and used the information to log in to the VPN at CHS. The attack is believed to have occurred in April, shortly after the flaw was disclosed publicly.

If you have identified all your Heartbleed-vulnerable hardware and software systems and patched them with the OpenSSL fix, then you may feel confident that you got ahead of the problem quickly. However, in reality, you are only partially done, and have plenty left to do.

After Heartbleed was publicly disclosed in early April, vendors rushed out patches to update OpenSSL on affected systems. The fact that OpenSSL is widely used to secure online communications, from Web servers to various pieces of networking gear, meant IT staff worked overtime to patch their systems. However, the intense focus on patching meant the other steps—regenerating keys, revoking old certificates and issuing new ones signed with the new keys, and deploying new certificates—didn’t get as much attention and were ignored by many companies.

"Organizations have been operating under a false sense of security that an OpenSSL patch would solve the problem," Bocek says. Recent Venafi research found that a staggering 97 percent of the public-facing servers at Global 2000 companies were vulnerable to attack because they had not been completely remediated.

The first step after patching is to find and replace all of the SSL keys and certificates—all of them, not just those on Heartbleed-affected systems, Bocek says. Go ahead and assume the worst: that attackers have already been inside, poking around the network. That assumption makes the task harder, especially if you aren’t sure where all your keys are.

The next step is to get new certificates signed by the new keys, deploy them, and revoke all the old ones. This is important, because without new keys and certificates, attackers can continue to use the previously stolen keys.
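One way to audit whether those steps were actually carried out, as an added example that is not from the original post or from Venafi: a certificate whose notBefore date predates your key rotation cannot have been issued for a freshly generated key, so every such certificate still in service is a remediation gap. The host names and dates below are constructed, and the live-check helper assumes the `openssl` CLI is installed.

```python
"""Flag TLS certificates that were never reissued after Heartbleed remediation."""
import subprocess
from datetime import datetime, timezone

# CVE-2014-0160 was disclosed on 7 April 2014. In practice set the cut-off to the
# date you finished patching and regenerating keys: a certificate issued between
# disclosure and your patch date may still be bound to a key that was exposed.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def parse_openssl_date(line):
    """Parse a line such as 'notBefore=Apr  2 10:00:00 2014 GMT', the format
    printed by `openssl x509 -noout -dates` (run-length whitespace is fine)."""
    _, _, value = line.strip().partition("=")
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def classify(notbefore_line, rotated_after=HEARTBLEED_DISCLOSED):
    """'stale' if the certificate was issued before the rotation cut-off,
    otherwise 'rotated'. Issuance after the cut-off is necessary, not sufficient:
    a certificate reissued for the OLD key passes this check but is still unsafe."""
    return "stale" if parse_openssl_date(notbefore_line) < rotated_after else "rotated"


def fetch_notbefore(host, port=443):
    """Live check (needs network and the openssl CLI): fetch the server's leaf
    certificate and return its notBefore line."""
    handshake = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=15)
    dates = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                           input=handshake.stdout, capture_output=True, check=True)
    return next(l for l in dates.stdout.decode().splitlines() if l.startswith("notBefore="))


def audit(inventory, rotated_after=HEARTBLEED_DISCLOSED):
    """inventory maps host -> notBefore line (e.g. gathered with fetch_notbefore)."""
    return {host: classify(line, rotated_after) for host, line in inventory.items()}


# Constructed sample inventory (hypothetical hosts): two certificates issued
# before disclosure and one reissued afterwards.
SAMPLE_INVENTORY = {
    "vpn.example.internal": "notBefore=Jan 15 00:00:00 2014 GMT",
    "www.example.internal": "notBefore=Apr  2 10:00:00 2014 GMT",
    "mail.example.internal": "notBefore=Apr 20 08:30:00 2014 GMT",
}

if __name__ == "__main__":
    for host, state in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
```

To close the gap the comment in `classify` describes, also compare each server's public-key fingerprint (`openssl x509 -noout -pubkey`) against the pre-incident inventory; an unchanged key means the certificate was reissued without regenerating it.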

"If someone walks into your house through an open door and steals your house keys, you don’t then rely on the same locks once you’ve closed the door," Bocek says.

Even after researchers discovered how the bug could be exploited, there was some question whether there would be actual attacks targeting the flaw. That question may have caused some organizations to deprioritize the flaw and delay remediation. It makes sense—when there are so many security crises demanding attention, there are some tough decisions on what should be considered a likely threat and what the risks are.

For IT staff who have struggled over the last few months to explain why Heartbleed required immediate attention, the 4.5 million records stolen from CHS is a clear illustration of the risks.

If you haven’t taken care of the keys and certificates yet, make this a priority. We now have the worst-case scenario—attackers can use Heartbleed to steal customer records—so let’s not repeat it.

Of course, regardless of how attackers manage to get access, it’s just as important for organizations to watch what is leaving their environment. No matter how you look at it, 4.5 million records is a lot of data to leave the network without being detected, over days or even weeks or months. Let’s fix what’s broken, but don’t forget to pay attention to what is coming out of the network.

Fahmida Y. Rashid

Managing Editor, Features, Dark Reading

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
