On Heartbleed’s anniversary, 3 of 4 big companies are still vulnerable
A year ago today, researchers disclosed a virulent computer bug that rocked the foundations of the web. The vulnerability made it possible for anyone to steal and read encrypted information off supposedly secure servers, thus undetectably compromising secret keys, usernames and passwords, and the content of Internet traffic.
Far from just a theoretical concern, Heartbleed has been blamed for the breach of 4.5 million patient records at the hospital group Community Health Systems by the alleged Chinese hacker group “APT18.” And the bug may have been exploited by others, including intelligence agencies, for years prior.
Now on the one year anniversary of Heartbleed’s announcement, a new report shows that most large companies have not fully addressed the issue. According to a scan of Forbes Global 2000 companies by the Salt Lake City, Utah-based security firm Venafi, 74% of these organizations with public-facing systems vulnerable to Heartbleed (that’s 1,642 companies) have not taken every step to remediate the problem across all servers. “That’s 1,223 of the world’s largest and most valuable businesses still exposed to attacks,” the report says.
Venafi’s vice president for security strategy Kevin Bocek likens the situation to not changing the lock on one’s home when others may have the key. “It’s disappointing,” he says, “because the steps to perform remediation were really clear.”
What are the steps? It takes roughly three to remediate the Heartbleed bug. First, patching: Updating to the latest versions of OpenSSL, the software initially found vulnerable to Heartbleed, prevents the bug from continuing to be exploited. (Every organization—thank goodness—accomplished this step, according to the report.) Second, creation of new private keys: This prevents an attacker—someone who exploited the bug prior to patching—from being able to spy on encrypted traffic between an affected host and a user. And third, reissuance of security certificates (including the revocation of old, potentially compromised certificates): This last step eliminates attackers’ ability to spoof organizations and to fool or phish their customers.
In order to steel one’s systems against Heartbleed’s hemorrhaging effects, all three steps ought to be followed. A couple of days after Heartbleed was revealed, Gartner research director Erik Heidt outlined that guidance in a blog post. He highlighted the final steps, the subject of Venafi’s findings, in particular:
Step 3: Reissue Certificates, BUT FIRST regenerate your key pairs!
The existence of this fault on a server undermines any confidence in the confidentially of keys that have been used on that server. Issuing a new certificate is necessary, but not sufficient. Many organizations perform “lazy” certificate rotations, and do not create new keys! This is a bad practice. Because this attack enables the recovery of the private key itself, certificate rotation alone will not protect you! New private keys must be generated.
The message is loud and clear: Don’t be “lazy.” Assume your crypto has been compromised, and start from scratch. Despite the counsel, Venafi’s survey found that only 15% of the more than 600,000 hosts belonging to Global 2000 companies it scanned had completed all three steps. The rest remain susceptible to Heartbleed-derived attacks.
On a call with Fortune, Heidt seems to assume a more measured stance. “It’s difficult to make a condemning statement,” he says, mentioning that for big businesses, the ones that have to invest time and money in new certificates and keys, it’s a matter of managing priorities—that means, determining which data on which servers are most worth protecting, and which ongoing attacks are most important for organizations to focus on mitigating. (Patching, on the other, is relatively easy and low-cost.)
“This gets into the kinds of risk calculus questions that actuaries love but business people hate,” Heidt says. “You can’t simply leap from ‘they didn’t do this very simple concrete behavior’ to ‘they didn’t make the right decision.'”
For Venafi, however, the matter is more black and white. The firm, which secures and protects keys and certificates, has an obvious interest in harping on the final steps of Heartbleed remediation. That’s how it makes money.
But it’s not alone in calling out organizations for not going the whole nine yards. A November study out of the University of Maryland found that “while approximately 93 percent of the websites analyzed had patched their software correctly within three weeks of Heartbleed being announced, only 13 percent followed up with other security measures needed to make the systems completely secure.” Those other security measures involve the revoking and reissuing of keys and certificates, primarily. So, Venafi’s portrait of large corporation’s public key infrastructure has been corroborated in the academic sphere.
Bocek agrees that step one—patching—should be every company’s highest priority, and he says he was “encouraged” to see the quick and immediate reaction to Heartbleed. “IT is pretty good at patching,” Bocek says. “But they’re still failing when comes to the complex incident response remediation.”
Heidt, on the other hand, places even more emphasis the importance of that critical first step. Heartbleed, he notes, is not the only vulnerability lurking in the digital wilds. He tells Fortune:
Unpatched systems continue to be the superhighway for attackers to gain access to systems. Heartbleed has an exceptionally good patch rate, but organizations need to not just be focused on vulnerabilities that get lots of media attention. Having addressed Heartbleed but having dozens of other unpatched vulnerabilities on the same machine isn’t exactly winning.
Let today’s anniversary remind you that—whether it’s step one, two, or three—when it comes to security, you shouldn’t skip a beat.