Many organizations responded to the Heartbleed Bug by conducting the appropriate risk assessments and vulnerability scanning to determine whether they were running vulnerable versions of Linux containing the affected OpenSSL versions (1.0.1 through 1.0.1f). If the vulnerability was found, they quickly moved to close it, but many organizations determined that the servers or systems they were running weren’t at risk.
The simple fact is that for hundreds of thousands of sites that ran the vulnerable OpenSSL code – which was in distribution for a year – we will probably never know whether the vulnerability was exploited, or exactly what data may have been compromised as a result of Heartbleed’s memory scraping.
Regardless of whether an organization ran servers with the Heartbleed vulnerability, it doesn’t mean that they weren’t affected or open to other cybersecurity risks. Companies interact with other company websites. Banks, financial services providers, even social networking sites where the company maintains or manages interactions may have been affected by Heartbleed. The passwords used to access these sites may have been compromised, as well as the encryption keys used to make interactions with them secure. To ensure that all the potential risks of information stored on these service providers’ sites are assessed and dealt with, take the following plan and modify as needed:
Even if a server was never vulnerable to Heartbleed, organizations may well be affected by it and affected seriously. Use this plan as an outline for making sure that responsible steps are being taken to protect companies from avoidable problems related to this programming bug.
Sign up for our free weekly e-newsletter for more GRC articles, job postings, GRC events, white papers & more…..click here
Alan Brill is a senior managing director at Kroll’s cyber security practice. He has worked on many of Kroll’s major international projects including large-scale reviews of information security and cyber-incidents for multi-billion dollar corporations and criminal investigations of computer intrusions working closely with Kroll computer forensics experts. With more than 33 years of consulting experience, Alan has assisted firms with a wide range of technology security issues working extensively on developing methodologies for collecting evidence from corporate information systems. He can be contacted at ABrill@kroll.com