The impact of the Heartbleed bug – an OpenSSL vulnerability that affected more than 500,000 websites – is one of the most far-reaching security breaches in recent times. The fact that one of the most fundamental backbones of internet security has been dealt a severe blow is undeniable.
On the heels of the Heartbleed fallout, many businesses were left scrambling for an information security solution that would work and remove the risk of future vulnerabilities. Is hindsight really 20-20? What have businesses learned?
Upgrade is essential
The Heartbleed bug is actually a vulnerability in OpenSSL that allows sensitive information to be scraped from the servers; therefore, many IT security teams have been forced to upgrade to OpenSSL 1.0.1g or higher. The true impact of the risks from the Heartbleed bug may not be fully realised for months or years, however, simply because it has actually been around for years.
The bug is not very fast – only 64 kilobytes of data can be transferred at a time – but there is a real risk that sensitive and private data has already been compromised.
One of the key lessons to be learned from the Heartbleed fiasco is to implement layered encryption mechanisms to protect data. Those IT departments that relied solely on OpenSSL as their encryption solution were at the highest risk. Multi-layered encryption mechanisms are more complex and should be used on all digital media devices, including those in hard disk RAID environments.
Proactive security audits are also an integral part in mitigating future risk. Keep an eye on the security mechanisms used at every level of the public and private facing network and remember that nothing is ever completely secure. Understanding that information security is an ever-evolving phenomenon is essential.
Proper auditing procedure
A disconcerting aspect of the Heartbleed bug is that there is no way of telling if a particular service has been exploited or attacked. There are no logs and no signs of intrusion, which may be why it took so long for the bug to be fully publicised. There really is no way to tell if any sensitive data has been leaked or hacked.
IT professionals taking action in response to Heartbleed should consider the level of security required for certain data; for example, does the data require one or more layers of protection? When dealing with personal data, it may be best to err on the side of caution.
The sheer fact that businesses may never know whether their customers’ data has been leaked or stolen should foster the motivation to beef up security efforts by using multiple layers of encryption and proper auditing mechanisms whenever possible.
Written by Montash.
We are hosting a Cyber Security Breakfast Briefing with Mandiant, a FireEye Company on Thursday 15th May 2014, 8am – 10am at Grand Connaught Rooms, Holborn, London. Entries are priced at £20, with all proceeds going to Groundwork Charity.
We would like to take this opportunity to invite you to attend this event.
The briefing will be an open discussion forum for top cyber security experts to discuss the latest threats that companies face and how best to combat them. The forum will highlight the potential cyber threats that target businesses on a large scale and will examine the crossover of security risks in both the real world and cyber world.
Montash is a multi-award winning, global IT recruitment firm. Specialising in permanent and contract positions across mid-senior appointments which cover a wide range of industry sectors and IT functions, including:
ERP, BI & Data, Information Security, IT Architecture & Strategy, Scientific Technologies, Demand IT and Business Engagement, Digital and E-commerce, Infrastructure and Service Delivery, Project and Programme Delivery.
With offices based in London, Montash has completed assignments in over 30 countries and has appointed technical professionals from board level to senior and mid-management in permanent and contract roles.
For more information please visit www.montash.com