Moss Adams Article on Heartbleed

The article below was published by Moss Adams.

Protecting Yourself and Your Organization from Heartbleed

by Francis Tam, Partner, and Kevin Villanueva, Senior Manager, IT Auditing & Consulting Practice
The Heartbleed bug is a vulnerability found in the OpenSSL cryptographic software library that could allow the theft of normally encrypted information, such as user names and passwords. OpenSSL is an open-source implementation of the secure socket layer and transport layer security protocols used to secure connections to a Web site or device.
A very popular encryption algorithm, OpenSSL is used by two-thirds of the sites on the Internet for their SSL connections, such as HTTPS. A number of desktop applications as well as networking equipment also use OpenSSL to secure connections. So the vulnerability affects many applications and systems, which makes it a high-risk issue for just about every organization.
The bug affects an OpenSSL extension known as the “heartbeat,” which makes it possible to keep a secure communication channel open without renegotiating security protocols over and over again. When the heartbeat is exploited, it leads to the leak of memory contents from the server to the client and vice versa.
Heartbleed affects connections not only to social media, news, banking, and other sites but also to firewalls, routers, and VPNs. In fact, Cisco Systems reported that 65 of its products were under investigation and another 16 had been confirmed vulnerable as of April 10. And while the majority of top Web sites such as Amazon, Facebook, and PayPal have already fixed the vulnerability, customers that use networking equipment affected by Heartbleed will wait a lot longer for a fix, since a new patch will need to be developed and installed on the devices.
Heartbleed is found only in OpenSSL versions 1.0.1 through 1.0.1f. Earlier versions and version 1.0.1g aren’t vulnerable. The bug has been around for several years but was found only earlier this month by white hat security researchers. Now that it’s out in the open, the black hat community of hackers will try to take advantage of it to steal sensitive information.
Officially known as CVE-2014-0160, the Heartbleed bug allows a malicious user to request data or eavesdrop on communications that could include the site’s SSL encryption keys, user passwords, credit card information, and other sensitive data passed between the client and the device using normal encryption technologies. The difficulty with the bug is that there’s no way to tell whether the site or device has been exploited via Heartbleed since all communications occur over an encrypted channel and no abnormal traffic patterns or traces are left behind in logs.
So what can you do to protect your organization? The first thing to understand is that if you’ve implemented Web servers for remote e-mail, e-commerce activities, or other applications; provide network or system access to customers and clients; or use open source technologies, you’re likely vulnerable to Heartbleed. Here are some good practices for addressing the threat Heartbleed poses to your data security posture:

  • Communicate to your customers that your Web site was vulnerable and that they’ll need to change their passwords once the issue has been addressed through system patching.
  • Revoke compromised certificates and issue new SSL certificates. For all impacted Web servers, you should assume encryption key information was leaked and issue new certificates.
  • Work with vendors to obtain security patches and fixes to address the vulnerability.
  • After patching the affected systems, have a penetration test performed to validate that the vulnerability has been fixed.
  • Instruct customers to change their passwords as soon as the vulnerability has been patched and the fix has been verified.

If your organization is subject to any data security or privacy regulations, it’s imperative that you address the Heartbleed vulnerability as soon as possible to avoid heavy fines and penalties as a result of a breach as well as reputation loss. There are many regulations as well as state and federal laws, such as the Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act, and the Federal Information Security Management Act, that require organizations to have processes, policies, and technologies in place to secure payment card, health, financial, and other personally identifiable information or sensitive information. If the Heartbleed vulnerability is found on systems that acquire, process, store, or transmit these types of data, your organization will be considered out of compliance and possibly in violation of applicable laws.
For individual users, you simply have to change the passwords you used on the affected Web sites. However, you should do so only after the site owner has indicated that its systems have been patched with updated versions of OpenSSL. In addition, it’s a good idea to check to see if a site that you use is vulnerable to Heartbleed via one of the free online Heartbleed vulnerability-checking sites. Consider running this type of tool on sites you visit frequently and on which you maintain confidential or financial information such as banking and health-related data.
We’re Here to Help
For more information on the Heartbleed bug’s immediate impact on your organization’s systems, check with your software and device vendors. And for questions about how to better protect your systems from vulnerabilities in the future, contact your Moss Adams IT auditing and consulting professional.
http://www.mossadams.com/articles/2014/april/protecting-yourself-from-heartbleed

The Heartbleed bug is a vulnerability found in the OpenSSL cryptographic software library that could allow the theft of normally encrypted information, such as user names and passwords. OpenSSL is an open-source implementation of the secure socket layer and transport layer security protocols used to secure connections to a Web site or device.
A very popular encryption algorithm, OpenSSL is used by two-thirds of the sites on the Internet for their SSL connections, such as HTTPS. A number of desktop applications as well as networking equipment also use OpenSSL to secure connections. So the vulnerability affects many applications and systems, which makes it a high-risk issue for just about every organization.
The bug affects an OpenSSL extension known as the “heartbeat,” which makes it possible to keep a secure communication channel open without renegotiating security protocols over and over again. When the heartbeat is exploited, it leads to the leak of memory contents from the server to the client and vice versa.
Heartbleed affects connections not only to social media, news, banking, and other sites but also to firewalls, routers, and VPNs. In fact, Cisco Systems reported that 65 of its products were under investigation and another 16 had been confirmed vulnerable as of April 10. And while the majority of top Web sites such as Amazon, Facebook, and PayPal have already fixed the vulnerability, customers that use networking equipment affected by Heartbleed will wait a lot longer for a fix, since a new patch will need to be developed and installed on the devices.
Heartbleed is found only in OpenSSL versions 1.0.1 through 1.0.1f. Earlier versions and version 1.0.1g aren’t vulnerable. The bug has been around for several years but was found only earlier this month by white hat security researchers. Now that it’s out in the open, the black hat community of hackers will try to take advantage of it to steal sensitive information.
Officially known as CVE-2014-0160, the Heartbleed bug allows a malicious user to request data or eavesdrop on communications that could include the site’s SSL encryption keys, user passwords, credit card information, and other sensitive data passed between the client and the device using normal encryption technologies. The difficulty with the bug is that there’s no way to tell whether the site or device has been exploited via Heartbleed since all communications occur over an encrypted channel and no abnormal traffic patterns or traces are left behind in logs.
So what can you do to protect your organization? The first thing to understand is that if you’ve implemented Web servers for remote e-mail, e-commerce activities, or other applications; provide network or system access to customers and clients; or use open source technologies, you’re likely vulnerable to Heartbleed. Here are some good practices for addressing the threat Heartbleed poses to your data security posture:

  • Communicate to your customers that your Web site was vulnerable and that they’ll need to change their passwords once the issue has been addressed through system patching.
  • Revoke compromised certificates and issue new SSL certificates. For all impacted Web servers, you should assume encryption key information was leaked and issue new certificates.
  • Work with vendors to obtain security patches and fixes to address the vulnerability.
  • After patching the affected systems, have a penetration test performed to validate that the vulnerability has been fixed.
  • Instruct customers to change their passwords as soon as the vulnerability has been patched and the fix has been verified.

If your organization is subject to any data security or privacy regulations, it’s imperative that you address the Heartbleed vulnerability as soon as possible to avoid heavy fines and penalties as a result of a breach as well as reputation loss. There are many regulations as well as state and federal laws, such as the Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act, and the Federal Information Security Management Act, that require organizations to have processes, policies, and technologies in place to secure payment card, health, financial, and other personally identifiable information or sensitive information. If the Heartbleed vulnerability is found on systems that acquire, process, store, or transmit these types of data, your organization will be considered out of compliance and possibly in violation of applicable laws.
For individual users, you simply have to change the passwords you used on the affected Web sites. However, you should do so only after the site owner has indicated that its systems have been patched with updated versions of OpenSSL. In addition, it’s a good idea to check to see if a site that you use is vulnerable to Heartbleed via one of the free online Heartbleed vulnerability-checking sites. Consider running this type of tool on sites you visit frequently and on which you maintain confidential or financial information such as banking and health-related data.

We’re Here to Help

For more information on the Heartbleed bug’s immediate impact on your organization’s systems, check with your software and device vendors. And for questions about how to better protect your systems from vulnerabilities in the future, contact your Moss Adams IT auditing and consulting professional.
– See more at: http://www.mossadams.com/articles/2014/april/protecting-yourself-from-heartbleed?cm_mid=3385162&cm_crmid=680110a3-2a0a-e011-8837-0050569b0032&cm_medium=email#sthash.v0CcCV8u.dpuf

The Heartbleed bug is a vulnerability found in the OpenSSL cryptographic software library that could allow the theft of normally encrypted information, such as user names and passwords. OpenSSL is an open-source implementation of the secure socket layer and transport layer security protocols used to secure connections to a Web site or device.
A very popular encryption algorithm, OpenSSL is used by two-thirds of the sites on the Internet for their SSL connections, such as HTTPS. A number of desktop applications as well as networking equipment also use OpenSSL to secure connections. So the vulnerability affects many applications and systems, which makes it a high-risk issue for just about every organization.
The bug affects an OpenSSL extension known as the “heartbeat,” which makes it possible to keep a secure communication channel open without renegotiating security protocols over and over again. When the heartbeat is exploited, it leads to the leak of memory contents from the server to the client and vice versa.
Heartbleed affects connections not only to social media, news, banking, and other sites but also to firewalls, routers, and VPNs. In fact, Cisco Systems reported that 65 of its products were under investigation and another 16 had been confirmed vulnerable as of April 10. And while the majority of top Web sites such as Amazon, Facebook, and PayPal have already fixed the vulnerability, customers that use networking equipment affected by Heartbleed will wait a lot longer for a fix, since a new patch will need to be developed and installed on the devices.
Heartbleed is found only in OpenSSL versions 1.0.1 through 1.0.1f. Earlier versions and version 1.0.1g aren’t vulnerable. The bug has been around for several years but was found only earlier this month by white hat security researchers. Now that it’s out in the open, the black hat community of hackers will try to take advantage of it to steal sensitive information.
Officially known as CVE-2014-0160, the Heartbleed bug allows a malicious user to request data or eavesdrop on communications that could include the site’s SSL encryption keys, user passwords, credit card information, and other sensitive data passed between the client and the device using normal encryption technologies. The difficulty with the bug is that there’s no way to tell whether the site or device has been exploited via Heartbleed since all communications occur over an encrypted channel and no abnormal traffic patterns or traces are left behind in logs.
So what can you do to protect your organization? The first thing to understand is that if you’ve implemented Web servers for remote e-mail, e-commerce activities, or other applications; provide network or system access to customers and clients; or use open source technologies, you’re likely vulnerable to Heartbleed. Here are some good practices for addressing the threat Heartbleed poses to your data security posture:

  • Communicate to your customers that your Web site was vulnerable and that they’ll need to change their passwords once the issue has been addressed through system patching.
  • Revoke compromised certificates and issue new SSL certificates. For all impacted Web servers, you should assume encryption key information was leaked and issue new certificates.
  • Work with vendors to obtain security patches and fixes to address the vulnerability.
  • After patching the affected systems, have a penetration test performed to validate that the vulnerability has been fixed.
  • Instruct customers to change their passwords as soon as the vulnerability has been patched and the fix has been verified.

If your organization is subject to any data security or privacy regulations, it’s imperative that you address the Heartbleed vulnerability as soon as possible to avoid heavy fines and penalties as a result of a breach as well as reputation loss. There are many regulations as well as state and federal laws, such as the Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act, and the Federal Information Security Management Act, that require organizations to have processes, policies, and technologies in place to secure payment card, health, financial, and other personally identifiable information or sensitive information. If the Heartbleed vulnerability is found on systems that acquire, process, store, or transmit these types of data, your organization will be considered out of compliance and possibly in violation of applicable laws.
For individual users, you simply have to change the passwords you used on the affected Web sites. However, you should do so only after the site owner has indicated that its systems have been patched with updated versions of OpenSSL. In addition, it’s a good idea to check to see if a site that you use is vulnerable to Heartbleed via one of the free online Heartbleed vulnerability-checking sites. Consider running this type of tool on sites you visit frequently and on which you maintain confidential or financial information such as banking and health-related data.

We’re Here to Help

For more information on the Heartbleed bug’s immediate impact on your organization’s systems, check with your software and device vendors. And for questions about how to better protect your systems from vulnerabilities in the future, contact your Moss Adams IT auditing and consulting professional.
– See more at: http://www.mossadams.com/articles/2014/april/protecting-yourself-from-heartbleed?cm_mid=3385162&cm_crmid=680110a3-2a0a-e011-8837-0050569b0032&cm_medium=email#sthash.v0CcCV8u.dpuf

The Heartbleed bug is a vulnerability found in the OpenSSL cryptographic software library that could allow the theft of normally encrypted information, such as user names and passwords. OpenSSL is an open-source implementation of the secure socket layer and transport layer security protocols used to secure connections to a Web site or device.
A very popular encryption algorithm, OpenSSL is used by two-thirds of the sites on the Internet for their SSL connections, such as HTTPS. A number of desktop applications as well as networking equipment also use OpenSSL to secure connections. So the vulnerability affects many applications and systems, which makes it a high-risk issue for just about every organization.
The bug affects an OpenSSL extension known as the “heartbeat,” which makes it possible to keep a secure communication channel open without renegotiating security protocols over and over again. When the heartbeat is exploited, it leads to the leak of memory contents from the server to the client and vice versa.
Heartbleed affects connections not only to social media, news, banking, and other sites but also to firewalls, routers, and VPNs. In fact, Cisco Systems reported that 65 of its products were under investigation and another 16 had been confirmed vulnerable as of April 10. And while the majority of top Web sites such as Amazon, Facebook, and PayPal have already fixed the vulnerability, customers that use networking equipment affected by Heartbleed will wait a lot longer for a fix, since a new patch will need to be developed and installed on the devices.
Heartbleed is found only in OpenSSL versions 1.0.1 through 1.0.1f. Earlier versions and version 1.0.1g aren’t vulnerable. The bug has been around for several years but was found only earlier this month by white hat security researchers. Now that it’s out in the open, the black hat community of hackers will try to take advantage of it to steal sensitive information.
Officially known as CVE-2014-0160, the Heartbleed bug allows a malicious user to request data or eavesdrop on communications that could include the site’s SSL encryption keys, user passwords, credit card information, and other sensitive data passed between the client and the device using normal encryption technologies. The difficulty with the bug is that there’s no way to tell whether the site or device has been exploited via Heartbleed since all communications occur over an encrypted channel and no abnormal traffic patterns or traces are left behind in logs.
So what can you do to protect your organization? The first thing to understand is that if you’ve implemented Web servers for remote e-mail, e-commerce activities, or other applications; provide network or system access to customers and clients; or use open source technologies, you’re likely vulnerable to Heartbleed. Here are some good practices for addressing the threat Heartbleed poses to your data security posture:

  • Communicate to your customers that your Web site was vulnerable and that they’ll need to change their passwords once the issue has been addressed through system patching.
  • Revoke compromised certificates and issue new SSL certificates. For all impacted Web servers, you should assume encryption key information was leaked and issue new certificates.
  • Work with vendors to obtain security patches and fixes to address the vulnerability.
  • After patching the affected systems, have a penetration test performed to validate that the vulnerability has been fixed.
  • Instruct customers to change their passwords as soon as the vulnerability has been patched and the fix has been verified.

If your organization is subject to any data security or privacy regulations, it’s imperative that you address the Heartbleed vulnerability as soon as possible to avoid heavy fines and penalties as a result of a breach as well as reputation loss. There are many regulations as well as state and federal laws, such as the Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act, and the Federal Information Security Management Act, that require organizations to have processes, policies, and technologies in place to secure payment card, health, financial, and other personally identifiable information or sensitive information. If the Heartbleed vulnerability is found on systems that acquire, process, store, or transmit these types of data, your organization will be considered out of compliance and possibly in violation of applicable laws.
For individual users, you simply have to change the passwords you used on the affected Web sites. However, you should do so only after the site owner has indicated that its systems have been patched with updated versions of OpenSSL. In addition, it’s a good idea to check to see if a site that you use is vulnerable to Heartbleed via one of the free online Heartbleed vulnerability-checking sites. Consider running this type of tool on sites you visit frequently and on which you maintain confidential or financial information such as banking and health-related data.

We’re Here to Help

For more information on the Heartbleed bug’s immediate impact on your organization’s systems, check with your software and device vendors. And for questions about how to better protect your systems from vulnerabilities in the future, contact your Moss Adams IT auditing and consulting professional.
– See more at: http://www.mossadams.com/articles/2014/april/protecting-yourself-from-heartbleed?cm_mid=3385162&cm_crmid=680110a3-2a0a-e011-8837-0050569b0032&cm_medium=email#sthash.v0CcCV8u.dpuf