By now, you’ve likely heard about the recently discovered Heartbleed bug. At its simplest, this bug allows cyber criminals to exploit a flaw in technology that encrypts sensitive information, making all types of communications sent over an “HTTPS” connection, including emails and online credit card payments, as easy for them to read as this sentence. But that’s not all – once that sensitive personal and/or company data is obtained, cyber criminals can then use the stolen online personas to gain access to other password-protected areas, such as online banking accounts, social media channels and corporate networks. Security expert Bruce Schneier said that “on the scale of 1 to 10, this is an 11.” Understandably, there’s a lot of media attention being given to this topic. But before hitting the panic button, read on to see how exactly your enterprise, or even you personally, might be affected.
What’s the Heartbleed bug again?
Secure sockets layer (SSL) and transport layer security (TLS) are widely used protocols that secure a wide range of communications across the Internet, from IMs to remote access, and Heartbleed is a vulnerability specific to an open-source implementation of these protocols aptly called OpenSSL. The bug gets its name from the nature of its attack, which involves piggybacking on an OpenSSL feature known as heartbeat. By exploiting this susceptibility, cyber criminals can compromise users’ cryptographic SSL keys, making what should be encrypted communications appear in plain text.
According to Neil Rubenking of PC Mag’s SecurityWatch, the website “that was created to report on Heartbleed states the combined market share of the two biggest open source Web servers using OpenSSL is more than 66 percent.” And, as Douglas Crawford of Best VPN notes, “[Heartbleed] particularly affects websites that are powered by the Apache web server, but as this is over 50 percent of all websites on the Internet, this is of little comfort.” The threat to the average end user is apparent – cyber criminals exploiting this encryption flaw can easily intercept credit card information and other types of sensitive personal data. But enterprises are at risk, too, especially given the large number of organizations that have coped with BYOD by implementing SSL VPNs.
We often discuss how the mobile security industry as a whole tends to be more reactive than proactive when it comes to identifying and mitigating threats. However, in a strange twist of irony, older versions of SSL are immune to Heartbleed. But that doesn’t mean that you shouldn’t take action. Rather, it’s a good idea to leverage ephemeral keys (a cryptographic key that is generated for each execution of a key establishment process) to further solidify an enterprises defense against the bug. If you are operating with a VPN that uses the compromised OpenSSL, ZDNet’s Steven J. Vaughn-Nichols hits the nail on the head – you need to revoke your old SSL digital certificate from your certificate authority (CA) and get a new one. If you don’t, “It would be like you replaced your old lock with a brand new one… that takes the same old key.”
Once the certificate has been renewed, the next step is to contact your VPN provider to find out how they’re handling the situation. If your VPN has central management capabilities, compromised certificates can be automatically revoked and replaced with new ones for all users by network administrators. A centrally managed VPN that can interoperate with other network and security technologies is a crucial component of a broader defense in depth strategy. If a user is compromised, technologies such as dynamic personal firewalls, a robust anti-virus solution, anti-malware software, etc. can work together to mitigate further risk and keep other users and the network safe. Despite its effectiveness, unfortunately it often takes a major revelation such as the Heartbleed bug to help enterprises recognize the importance of shoring up their network security.
If your provider is not hurrying to patch the hole in their OpenSSL implementation and/or taking steps to better implement a defense in depth framework, you may be justified in hitting the panic button. In these instances, it’s imperative to make your customers aware of the threat and what you’ve done to address it, in addition to outlining the proactive steps they can take to protect themselves. For more information, please reach out to NCP engineering via emailing firstname.lastname@example.org or LinkedIn.