Internet Vulnerability

What is Heartbleed?

The Heartbleed vulnerability is a bug in OpenSSL, a popular open-source implementation of the SSL/TLS protocols used extensively on the Internet, which allows anyone who knows how to exploit the vulnerability to read the memory of systems thought to be protected.

Vulnerable versions of OpenSSL allow compromise of secret keys, user names, passwords, and even actual content. Many security experts believe that this vulnerability has actually existed for at least two years and might have been exploited for just as long. Although many companies have issued statements claiming that they have now remedied the vulnerability in their environment, there is truly no way of knowing how much data has fallen into the wrong hands through the exploitation of this vulnerability.
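The memory disclosure described above comes down to a single missing bounds check in the handling of TLS heartbeat messages (RFC 6520). The following Python simulation is an added illustration, not code from this page or from OpenSSL: it builds a heartbeat record, shows how a handler that trusts the length field from the wire returns bytes that were never part of the record, and shows the length check that the fix added. The "adjacent memory" is a constructed placeholder string appended to the record; no real key material is involved.

```python
import struct
from typing import Optional

# Constructed placeholder for data that happens to sit next to the record in
# process memory; it stands in for session data or key material.
ADJACENT_MEMORY = b"session_cookie=PLACEHOLDER;key=PLACEHOLDER"
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of random padding


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """HeartbeatMessage: type(1) | payload_length(2) | payload | padding(16).
    claimed_length is what goes on the wire; an honest peer sets it to len(payload)."""
    return struct.pack("!BH", 1, claimed_length) + payload + b"\x00" * PADDING_LEN


def vulnerable_respond(record: bytes) -> bytes:
    """Pre-fix logic: trust payload_length and echo that many bytes starting at
    the payload. If the claimed length exceeds the record, the copy runs on into
    whatever follows it in memory (simulated here by concatenation)."""
    memory = record + ADJACENT_MEMORY
    _, claimed = struct.unpack("!BH", memory[:3])
    return memory[3:3 + claimed]


def fixed_respond(record: bytes) -> Optional[bytes]:
    """Post-fix logic: the record must actually contain the claimed payload plus
    padding; otherwise the message is silently discarded and no reply is sent."""
    if len(record) < 3:
        return None
    _, claimed = struct.unpack("!BH", record[:3])
    if 3 + claimed + PADDING_LEN > len(record):
        return None  # bogus length: drop it, never read past the record
    return record[3:3 + claimed]


def leaked_bytes(record: bytes) -> bytes:
    """Bytes in the vulnerable handler's reply that were not in the record."""
    response = vulnerable_respond(record)
    return response[len(record) - 3:]


if __name__ == "__main__":
    honest = build_heartbeat(b"hello", 5)
    malformed = build_heartbeat(b"hello", 41)  # claims 36 bytes more than sent
    print("honest  :", vulnerable_respond(honest), fixed_respond(honest))
    print("malformed:", leaked_bytes(malformed), fixed_respond(malformed))
```

The fixed handler's check is the whole patch in miniature: every length taken from the network is validated against the bytes actually received before it is used to index memory.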

Lessons Learned

According to a recent IBM report from their X-Force research and development team, there were many lessons learned from the Heartbleed attacks. For example, having an incident response plan and maintaining an asset database were both absolutely critical to reducing exposure to the attacks. Organizations that had struggled to maintain a current asset database were left blind to which systems were vulnerable and which systems were critical. Even if they had an incident response plan, they needed an up-to-date asset database in order to deploy it.

On the other hand, companies that had maintained their asset database and incident response plan were able to rapidly deploy patches on critical systems vulnerable to attack, thereby reducing their exposure to Heartbleed. They also face significantly less risk from future threats.
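What "an up-to-date asset database" buys you in practice is the ability to answer, in minutes, which hosts run an affected OpenSSL build and in what order to patch them. The triage below is an added example, not from the IBM report: it takes a constructed inventory (host, role, criticality, recorded OpenSSL version) and splits it into a patch queue ordered by criticality, hosts whose exposure cannot be determined because the inventory is stale, and hosts already on a fixed version. The affected version set (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g) is from the OpenSSL advisory; the hostnames and roles are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Versions that shipped the bug: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g fixed it; the 0.9.8 and 1.0.0 branches never contained the heartbeat code.
VULNERABLE = re.compile(r"^(1\.0\.1[a-f]?|1\.0\.2-beta1)$")

# Constructed inventory rows: (host, role, criticality, OpenSSL version).
# The last row has no recorded version, modelling a stale inventory entry.
INVENTORY: List[Tuple[str, str, str, Optional[str]]] = [
    ("web-01", "public web", "high", "1.0.1e"),
    ("vpn-01", "remote access", "high", "1.0.1g"),
    ("mail-01", "smtp", "medium", "1.0.1f"),
    ("build-02", "ci", "low", "1.0.0k"),
    ("legacy-07", "unknown", "medium", None),
]

CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


def is_vulnerable(version: Optional[str]) -> Optional[bool]:
    """True/False for a recorded version; None when the inventory has no version."""
    if version is None:
        return None
    return VULNERABLE.match(version.strip()) is not None


def triage(inventory: List[Tuple[str, str, str, Optional[str]]]) -> Dict[str, List[str]]:
    """Bucket hosts into patch_now (ordered by criticality, then name),
    unknown (inventory gap: must be checked by hand) and ok (fixed version)."""
    result: Dict[str, List[str]] = {"patch_now": [], "unknown": [], "ok": []}
    ordered = sorted(inventory, key=lambda row: (CRITICALITY_RANK[row[2]], row[0]))
    for host, _role, _criticality, version in ordered:
        status = is_vulnerable(version)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["patch_now"].append(host)
        else:
            result["ok"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

The "unknown" bucket is the point of the exercise: a host with no version on record is exactly the blind spot the report describes, and it has to be treated as potentially exposed until someone looks.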

It’s also important to understand the detection and defense strategies for attacks such as Heartbleed. In certain scenarios, organizations can utilize firewalls to block out the bulk of the attacks toward their networks. IBM applies this methodology when large global attacks happen and the majority of the attacks stem from a small subset of hosts. This blocking technique can provide short, temporary reprieve from attack activity, providing valuable time for critical systems to be patched.

Firewalls are an excellent defense when a small subset of hosts is generating the attacks. In addition, intrusion detection and prevention devices can provide even greater protection by blocking attacks at the offending packet level. This alleviates the need for maintaining an active list of attackers and reduces the risk involved while systems are patched.
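The "block the bulk of the attacks from a small subset of hosts" approach is, mechanically, an aggregation over detection alerts: count alerts per source, take the smallest set of sources that accounts for most of the volume, and turn that set into temporary firewall rules. The script below is an added example, not IBM's tooling: the alert lines are constructed in a simple "timestamp signature src= dst=" layout with addresses from the RFC 5737 documentation ranges, the 80% coverage threshold is an assumption, and the generated iptables rule format is just one possible output.

```python
from collections import Counter
from typing import List, Tuple

# Constructed IDS alert lines; addresses are from the documentation ranges.
ALERTS = """\
2014-04-09T10:00:01Z TLS_HEARTBEAT_OVERREAD src=203.0.113.5 dst=10.0.0.21
2014-04-09T10:00:02Z TLS_HEARTBEAT_OVERREAD src=203.0.113.5 dst=10.0.0.22
2014-04-09T10:00:03Z TLS_HEARTBEAT_OVERREAD src=198.51.100.7 dst=10.0.0.21
2014-04-09T10:00:04Z TLS_HEARTBEAT_OVERREAD src=203.0.113.5 dst=10.0.0.23
2014-04-09T10:00:05Z TLS_HEARTBEAT_OVERREAD src=192.0.2.9 dst=10.0.0.21
2014-04-09T10:00:06Z TLS_HEARTBEAT_OVERREAD src=198.51.100.7 dst=10.0.0.22
2014-04-09T10:00:07Z TLS_HEARTBEAT_OVERREAD src=203.0.113.5 dst=10.0.0.21
2014-04-09T10:00:08Z TLS_HEARTBEAT_OVERREAD src=198.51.100.7 dst=10.0.0.23
2014-04-09T10:00:09Z TLS_HEARTBEAT_OVERREAD src=203.0.113.5 dst=10.0.0.22
2014-04-09T10:00:10Z TLS_HEARTBEAT_OVERREAD src=198.51.100.8 dst=10.0.0.21
"""


def count_sources(log: str) -> Counter:
    """Alerts per source address, read from the src= field of each line."""
    counts: Counter = Counter()
    for line in log.splitlines():
        for field in line.split():
            if field.startswith("src="):
                counts[field[4:]] += 1
    return counts


def sources_covering(log: str, fraction: float = 0.8) -> List[Tuple[str, int]]:
    """Smallest set of top sources whose alerts reach `fraction` of the total."""
    counts = count_sources(log)
    total = sum(counts.values())
    chosen: List[Tuple[str, int]] = []
    covered = 0
    for ip, n in counts.most_common():
        if covered >= fraction * total:
            break
        chosen.append((ip, n))
        covered += n
    return chosen


def blocked_share(log: str, fraction: float = 0.8) -> float:
    """Fraction of alert volume the chosen block list would have stopped."""
    total = sum(count_sources(log).values())
    return sum(n for _, n in sources_covering(log, fraction)) / total


def block_rules(log: str, fraction: float = 0.8) -> List[str]:
    """Temporary per-host drop rules (iptables syntax used as the example format)."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip, _ in sources_covering(log, fraction)]


if __name__ == "__main__":
    for rule in block_rules(ALERTS):
        print(rule)
    print(f"would block {blocked_share(ALERTS):.0%} of alert volume")
```

Run against the sample, two of the four sources account for 80% of the alerts, which is the situation the text describes: a short block list that buys patching time. When the sources are spread evenly the same function returns almost every address, a signal that per-host blocking is the wrong tool and packet-level IDS/IPS signatures are the better defense.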

Common Vulnerability Scoring System

IBM uses version 2 of the Common Vulnerability Scoring System (CVSS) to communicate the severity of vulnerabilities. They score vulnerabilities from three different perspectives: as a vulnerability database that tracks third-party vulnerability disclosures, as a security research organization that discovers new vulnerabilities, and as a large software vendor that needs to help customers accurately assess the severity of vulnerabilities within its products.

The most obvious example of how some CVSS scores do not always represent true risk and impact to an organization is the Heartbleed vulnerability. Heartbleed was disclosed earlier this year, but it had actually existed for two years. This vulnerability received a CVSS base score of 5.0, which falls into the medium-risk level. However, with the number of products impacted, the time and attention IT teams spent patching systems and responding to customer inquiries, as well as the potential sensitivity of data exposed, the true impact of the Heartbleed vulnerability was greater than the CVSS base score would indicate.

IBM is working with other organizations on developing a new CVSS, version 3. Its release and adoption are expected to help foster more consistency in risk assessment across organizations and more confidence in the use of CVSS as one of the primary components within an organization’s overall incident response plan. This way, when disclosures such as Heartbleed occur in the future, the industry as a whole will be better prepared for potential threats.

To view the IBM report, go to this web page.

If you are interested in attending our ISO 27001 Information Security Lead Auditor course, go to this web page to view the course description and class schedule.