When news of Heartbleed broke, Internet users were advised to change all their online passwords as a precaution (advice that only helps once the affected server has actually been patched; a new password sent to an unpatched server can be read out just like the old one), and enterprise IT security teams scrambled to neutralize the immediate threat by applying a patch. But like many serious conditions, the real danger posed by the Heartbleed bug is longer term and much quieter than the initial hoopla at its discovery. What makes it particularly difficult to combat is that we only know data could have been exposed; it is not yet known how much of it was actually taken, because exploitation leaves no trace in ordinary server logs. It is like the proverbial "snake in the grass": we know it is there, we just don't know when it is going to strike. Eventually, we will hear about real-world consequences worthy of front-page news.
While security-sensitive developers and users apply the limited quick fixes, patching the flaw and changing passwords, the larger issue is that most companies have not properly cataloged the technology they use to terminate and manage encrypted traffic for both in-house applications and purchased software. Knowing where to start requires an organization to thoroughly document the technologies it has deployed, where they are implemented, and for what purpose they are used. After the short-term remedies are applied, the long-term rehabilitation, a meticulous cataloging of technology deployments, must get underway to lessen the impact of future vulnerabilities in a company's systems.
Because the Heartbleed bug (CVE-2014-0160) sits in the open source OpenSSL cryptography library used by a sizeable share of the Web's secure servers, in releases 1.0.1 through 1.0.1f, millions of people have potentially been affected; the same library is also built into appliances, VPN endpoints and client software that are far less visible than a web server. Even on closed, proprietary platforms, serious breaches will occur, often because people are lax about applying patches to known security vulnerabilities. But the bug is a major challenge for financial institutions in particular. A server powering a customer portal for leaving feedback on customer service might not hold highly sensitive information, whereas a compromised online banking application that handles the usernames, passwords and session cookies used to access accounts poses a huge risk: each exploitation returns up to 64 KB of the server process's memory, which may also contain the server's private key. A catalog detailing what open source code was used to build every application, at which version, and where it is deployed would give an IT team what it needs to prioritize the cleanup.
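As an added example (not code from the original article), here is a small Python triage that turns such a catalog into a prioritized patch list. The inventory, the data-sensitivity tier and the `vendor_patched` flag are all constructed assumptions; the affected-version range is OpenSSL's own (1.0.1 through 1.0.1f, plus 1.0.2-beta1). The `vendor_patched` flag exists because a version string alone is not enough: Debian, Ubuntu and Red Hat all shipped fixed packages that still report 1.0.1e or 1.0.1, so a bare version match produces false positives on those hosts.

```python
"""Turning a deployment catalog into a Heartbleed triage list.

Added example, not part of the original article. The inventory below is
constructed; a real catalog would be exported from a CMDB or asset database.
"""
import re

# Constructed sample catalog. "openssl" holds the string that `openssl version`
# prints on the host; "tier" is an assumed data-sensitivity ranking (3 = account
# credentials, 0 = public content); "vendor_patched" is an assumed flag recording
# that the distribution backported the fix without bumping the version letter.
INVENTORY = [
    {"host": "bank-web-01",   "app": "online-banking",    "openssl": "OpenSSL 1.0.1e 11 Feb 2013",      "tier": 3, "vendor_patched": False},
    {"host": "bank-web-02",   "app": "online-banking",    "openssl": "OpenSSL 1.0.1e 11 Feb 2013",      "tier": 3, "vendor_patched": True},
    {"host": "feedback-01",   "app": "customer-feedback", "openssl": "OpenSSL 1.0.1f 6 Jan 2014",       "tier": 1, "vendor_patched": False},
    {"host": "legacy-api-01", "app": "partner-api",       "openssl": "OpenSSL 1.0.0k 5 Feb 2013",       "tier": 2, "vendor_patched": False},
    {"host": "cdn-edge-01",   "app": "static-site",       "openssl": "OpenSSL 1.0.1g 7 Apr 2014",       "tier": 0, "vendor_patched": False},
    {"host": "build-01",      "app": "ci",                "openssl": "OpenSSL 1.0.2-beta1 24 Feb 2014", "tier": 1, "vendor_patched": False},
]

VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def parse_version(version_str):
    """Split 'OpenSSL 1.0.1e 11 Feb 2013' into (1, 0, 1, 'e', '')."""
    m = VERSION_RE.search(version_str)
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version string: {version_str!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4], m[5] or ""


def heartbleed_affected(version_str):
    """True when the upstream release is in the Heartbleed range:
    1.0.1 through 1.0.1f, plus 1.0.2-beta1. 1.0.1g, the 1.0.0 line and
    0.9.8 never carried the bug."""
    major, minor, patch, letter, beta = parse_version(version_str)
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"          # '' is the unlettered 1.0.1 release
    if (major, minor, patch) == (1, 0, 2):
        return beta == "-beta1"
    return False


def triage(inventory):
    """Return (must_patch, verify) lists, each ordered most sensitive first.

    Hosts whose version string is in range but whose vendor backported the fix
    are not silently dropped: they go to `verify`, because the flag in the
    catalog is only as good as whoever last updated it."""
    must_patch, verify = [], []
    for entry in inventory:
        if not heartbleed_affected(entry["openssl"]):
            continue
        (verify if entry["vendor_patched"] else must_patch).append(entry)
    order = lambda e: (-e["tier"], e["host"])
    return sorted(must_patch, key=order), sorted(verify, key=order)


if __name__ == "__main__":
    must_patch, verify = triage(INVENTORY)
    for e in must_patch:
        print(f"PATCH   tier={e['tier']} {e['host']:14} {e['app']:18} {e['openssl']}")
    for e in verify:
        print(f"VERIFY  tier={e['tier']} {e['host']:14} {e['app']:18} {e['openssl']}")
```

Run against the constructed catalog, the online-banking host comes out first, the 1.0.0 partner API drops out entirely, and the host marked as vendor-patched is listed for verification rather than trusted outright. The same structure extends to any library the catalog tracks; only the affected-range function changes.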
Now that the discovery phase of the Heartbleed bug is past, a longer period of investigating exposed systems and applying mitigations lies ahead. Fixing Heartbleed will not be cheap; some experts say the cleanup costs, including patching systems and reissuing digital certificates, could run to hundreds or even thousands of dollars per server. Reissuing a certificate only helps if it is issued for a newly generated private key and the old certificate is revoked; re-certifying the same key leaves an attacker who extracted it holding a valid credential. Implementing effective solutions will require leadership and ongoing commitment from the very top of the organization.