Cybersecurity Alert: Heartbleed Security Vulnerability Related to OpenSSL Encryption

Does your organization use e-mail…instant messaging…what about VPN? If so, this Cybersecurity Alert contains important information for your organization to consider.

What is Heartbleed?

Heartbleed is a material security vulnerability that may put computer systems and protected information at risk; specifically, those systems that utilize OpenSSL encryption. OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols commonly used to protect (encrypt) data in transit. OpenSSL is a popular open-source code library for implementing encryption in websites, e-mail servers and applications, which is used in common network services such as web servers, e-mail servers, virtual private networks (VPN), instant messaging and other applications to protect passwords and other sensitive data from eavesdropping.

On April 7, 2014, security researchers reported the existence of a coding error in OpenSSL versions 1.0.1 through 1.0.1f. The vulnerability has been nicknamed Heartbleed and has existed since December 31, 2011.

What is the Potential Risk?

The Heartbleed vulnerability could allow an attacker to potentially access a server’s private cryptographic keys compromising the security of the server and its users.  If compromised, an attacker may be able to decrypt and/or attack network communications that would otherwise be protected by encryption. With this access, attackers could potentially steal login credentials, access sensitive e-mail or gain access to internal networks.

Common websites and apps that you and/or many of your employees visit on a daily basis could be at risk. For example, Gmail, Yahoo Mail, Facebook, Dropbox and many others have been vulnerable to Heartbleed. Often times employees use the same passwords for personal and business purposes, which increases the risks of exposure of your organization’s sensitive data associated with employees’ use of many of these sites.

What are Some Potential Steps in Response to this Risk?

Key steps in response to the Heartbleed vulnerability risk should include the following: (1) determine the level of exposure for your organization (if any) and (2) if your organization does have exposure to this vulnerability, implement actions commensurate with the assessed level of risk to address this risk and monitor the status of those actions until the risk is mitigated.

Example:

    (1)      Determine the level of exposure for your organization

Consider asking the following questions:

  • Are our systems utilizing OpenSSL versions 1.0.1 through 1.0.1f or 1.0.2?
  • Do we have vendors that are using OpenSSL, and what version are they using?
  • Do we have a process to monitor and assess the impact of these vulnerabilities?

    (2)      Implement actions commensurate with the assessed level of risk

  • Ensure that third party vendors who use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps
  • Monitor the remediation efforts of their vendors
  • Identify and upgrade vulnerable internal systems and services
  • Follow appropriate patch management practices and test to ensure a secure configuration
  • Consider replacing private keys and X.509 encryption certificates after applying the patch for each service that uses the OpenSSL library
  • Operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the OpenSSL patch
  • Emphasize to employees the necessity to maintain different passwords for business and personal use

Printable Version