You can’t have failed to notice the media storm in the IT and security press around the recent vulnerability in the bedrock of the internet – SSL. The service designed to protect our data when it is sent over the big bad public wire has been wide open since early 2012 within many OpenSSL deployments (unpatched OpenSSL 1.0.1 or 1.0.2-beta).
This affects both web servers and any other network-based services running these versions of OpenSSL.
But what should you do? How should you respond to this vulnerability responsibly?
Step 1: Find out where your problem exists
Run a vulnerability scan on your networks and systems to find out where you have the problem. This can be done with a range of tools (vulnerability scanners).
You can also check your service for the existence of this vulnerability at:
Step 2: Patch
Many vendors, including all the major players, now have a patch out. See the list at ISC:
https://isc.sans.edu/forums/diary/Heartbleed+vendor+notifications/17929
You need to patch your web servers, and any other services which use the vulnerable versions of OpenSSL, so that they are no longer susceptible to this issue.
Step 3: Replace any existing SSL Certificates
Patching alone does not remove the risk that any compromised keys can still be used to decrypt the data being sent to or from your service. You need to revoke your existing SSL certificate and request a new one to be created and installed.
Step 4: Password Resets
Any passwords that have been sent to your systems/applications may have been compromised. You should request that your users change their passwords. Not to another one used elsewhere, but to a new, complex, unique one following good password practice.
However, please don't ask your users to change their passwords until you have patched your services and replaced any SSL certificates. In other words, follow these steps in order and only complete the next one when the previous has been completed.
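The ordering above can be checked mechanically across an inventory. The following is an added example, not part of the original article: it classifies `openssl version` banners against the affected upstream releases and reports the earliest step still open for each host. The inventory field names, hosts and dates are constructed for illustration.

```python
import re
from datetime import datetime as D

# Upstream releases affected per the OpenSSL advisory linked on this page:
# 1.0.1 through 1.0.1f and 1.0.2-beta/-beta1 (fixed in 1.0.1g and 1.0.2-beta2).
_BANNER = re.compile(r"OpenSSL (\d+\.\d+\.\d+)([a-z]?)(-beta\d*)?")

def is_vulnerable(banner):
    """Classify an `openssl version` banner by upstream version number alone.
    Distribution packages can carry a backported fix under an old version
    string, so confirm a True result against the package changelog."""
    m = _BANNER.search(banner)
    if not m:
        raise ValueError("unrecognised banner: %r" % banner)
    base, letter, beta = m.groups()
    if base == "1.0.1":
        return letter <= "f"            # "" (plain 1.0.1) sorts before "a"
    if base == "1.0.2":
        return beta in ("-beta", "-beta1")
    return False

def next_step(host):
    """Return the earliest of the four steps that is still open for a host."""
    if is_vulnerable(host["banner"]):
        return "patch"
    # A certificate issued before the patch may have an exposed private key.
    if host["cert_issued_at"] < host["patched_at"] or not host["old_cert_revoked"]:
        return "replace-certificate"
    # Passwords changed before the new certificate went in must be changed again.
    reset = host["passwords_reset_at"]
    if reset is None or reset < host["cert_issued_at"]:
        return "reset-passwords"
    return "done"

# Constructed inventory records (hypothetical hosts and dates).
INVENTORY = {
    "web1": dict(banner="OpenSSL 1.0.1e 11 Feb 2013", patched_at=None,
                 cert_issued_at=D(2013, 6, 1), old_cert_revoked=False,
                 passwords_reset_at=D(2014, 4, 8)),
    "mail1": dict(banner="OpenSSL 1.0.1g 7 Apr 2014", patched_at=D(2014, 4, 8),
                  cert_issued_at=D(2013, 6, 1), old_cert_revoked=False,
                  passwords_reset_at=None),
    "vpn1": dict(banner="OpenSSL 1.0.1g 7 Apr 2014", patched_at=D(2014, 4, 8),
                 cert_issued_at=D(2014, 4, 10), old_cert_revoked=True,
                 passwords_reset_at=D(2014, 4, 9)),
}

if __name__ == "__main__":
    for name, host in sorted(INVENTORY.items()):
        print(name, next_step(host))
```

Note that `vpn1` is sent back to the password reset step because its users changed passwords before the replacement certificate was issued.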
For reference, the original vulnerability advisory can be found at:
https://www.openssl.org/news/secadv_20140407.txt
To contact Nettitude's editor, please contact media@nettitude.com.