May 1, 2014
by David Burg
Not all companies will feel the hemorrhage of data loss as a result of the Heartbleed bug, but many will—and a number around the world already have. Determining the potential impact to your business and taking the right steps to manage short-term and downstream legal, financial, regulatory, and reputational risks is critical. The impact of these risks is potentially severe and may include loss of revenue, loss of confidence and brand value, diminished market share through customer drift, and potential competitive marginalization.
As you have read by now, Heartbleed is a security defect in the OpenSSL encryption technology used by almost two-thirds of web servers in vertical industries around the world. Exploitation of the Heartbleed vulnerability is hard to detect after the fact. As a result, over the past two years it may have compromised millions of websites, online shopping destinations, and security applications, as well as software like instant messaging, remote access tools, and networking devices.
Some of the most popular destinations on the web—including search engines, e-mail services, and social networking sites—were reportedly affected by the bug, although most high-traffic sites moved quickly to update software to close the vulnerability. In fact, information security firm Sucuri scanned the 1 million most popular websites (as ranked by traffic) and found that 98% had patched their servers—and that all of the top 1,000 sites had done so.
As with many newly identified flaws, the full extent of the damage and the chances of continuing contamination are not immediately known. Even certain aspects of the technical patching may prove to be uncommonly complex. That’s because, in addition to information systems and websites, many tablets and smartphones may have been compromised by Heartbleed.
The types of data made vulnerable by Heartbleed include sensitive information that was supposed to be protected by encryption, such as user names, passwords, and payment card information, as well as electronic communications, IP and trade secrets, and postings of information to various social media sites.
The vulnerability may introduce a variety of risk events. For example, the US Federal Trade Commission has warned that criminals may leverage Heartbleed to “…create a fake version of a website that would fool browsers and users alike.” Transnational criminal enterprises could then add damaging information to the fraudulent websites as a means to capture the authentication credentials to exploit legitimate customers, which would likely result in brand devaluation.
Furthermore, for those engaged in information theft—whether individually, behind the flag of a nation-state, or under the veil of organized crime—Heartbleed may be the gift that continues to give long after the technology vulnerability has been closed.
Already, the defect has spawned a fresh round of social-engineering scams that target individual users. Accordingly, end user awareness and education are important, and as such, businesses should immediately inform employees and end users about Heartbleed-related phishing scams. Advise employees to ignore e-mail messages related to remediation of the bug—unless the e-mails very clearly come from your company’s IT team—and to avoid clicking links or providing credentials in response to any e-mail. Also instruct employees and customers to disregard services that claim to check for the presence of Heartbleed or remove the defect from personal computers and other devices.
One thing is clear: The fix of the defect itself will not eliminate the risk implications. A failure to consider both immediate and long-term risks may prove to be a critical differentiator, one that determines if a future business deal is signed or derailed.
Given the potential impact of Heartbleed, every company’s board of directors should consider convening a special risk session, whether or not the business uses OpenSSL. The familiar phrase “trust but verify” is especially significant in Heartbleed investigations. A verbal assertion from the IT organization that OpenSSL poses no threat will not be sufficient to understand potential risks for now and the future. The board also should understand how the defect may influence the organization’s acceptable risk profile and risk tolerance.
What you can do to protect your business
It’s important to understand that your business and your customers (members of your business ecosystem) may be at risk, even if you do not use OpenSSL technology.
The first step will be to determine if any entity in your internal and external ecosystem employs OpenSSL. Cybersecurity teams should look for trace elements of the defect and evidence of compromise across the enterprise. It is critical to note that simply determining that OpenSSL is not used by your business does not eliminate the possibility of exposure to Heartbleed.
Conducting in-depth analysis on systems to identify unauthorized exfiltration of restricted data may prove difficult. Evidence of intrusion linked to Heartbleed may exist, but the nature of the defect makes it very difficult to detect exploitation. What’s more, sophisticated threat actors such as nation-states and transnational criminal enterprises have become very skilled at concealing exfiltration of data.
Compounding the risks is the common practice of using one password for multiple sites. A recent survey found that 73% of people use the same password for multiple websites and 33% do so for every online account. As a result, websites that were not directly impacted by Heartbleed may be indirectly compromised through use of these user credentials. Hackers who exfiltrate a password for an e-mail account, for instance, may use that password in an attempt to gain access to online banking sites, which offer lucrative criminal opportunities.
Indeed, Heartbleed underscores the inherent vulnerability of passwords: They simply cannot be trusted. Asking or requiring customers and employees to change passwords will not be a sustained solution. For some businesses, the Heartbleed vulnerability may present an opportunity to make a business case for multi-factor authentication.
Businesses that are compromised by Heartbleed may find mitigation of the bug difficult because there is no single quick or easy fix. At the most basic level, cryptographic software of compromised websites should be immediately patched, new private keys should be generated and new digital certificates issued, and employees and customers should be strongly encouraged to change their passwords. In some cases, businesses may need to take systems offline for testing and remediation; it also may be necessary to implement and initiate new investigative and fraud-monitoring processes.
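The patch-and-reissue step above is one that can be verified rather than taken on assertion, in the spirit of the "trust but verify" point earlier. As an added example that is not part of the original article, the following Python checks whether a server's presented certificate was issued after your patch-and-rotation date and whether its serial number differs from the one recorded before the patch; the host name, serial numbers, certificate dates and cutoff date are all constructed placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed placeholder: the date your organization patched OpenSSL and
# generated new private keys. Any certificate issued before it still binds
# a key that may have been exposed while the server was vulnerable.
ROTATION_CUTOFF = datetime(2014, 4, 10, tzinfo=timezone.utc)

# Constructed sample certificates in the dict shape that
# ssl.SSLSocket.getpeercert() returns for a verified peer.
OLD_CERT = {"notBefore": "Mar 10 12:00:00 2013 GMT", "serialNumber": "0A1B2C3D"}
NEW_CERT = {"notBefore": "Apr 12 09:30:00 2014 GMT", "serialNumber": "7E8F9A0B"}


def cert_not_before(cert):
    """Parse the certificate's notBefore field into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def verify_rotation(cert, pre_patch_serial, cutoff=ROTATION_CUTOFF):
    """Return findings for one server: was the cert reissued after the cutoff,
    and does its serial differ from the one seen before the patch?
    Both must be True before the key rotation can be considered done."""
    reissued = cert_not_before(cert) >= cutoff
    serial_changed = cert["serialNumber"].upper() != pre_patch_serial.upper()
    return {
        "reissued_after_cutoff": reissued,
        "serial_changed": serial_changed,
        "rotation_complete": reissued and serial_changed,
    }


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the live certificate of a host you operate (network access needed)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed certificates.
    print("old cert:", verify_rotation(OLD_CERT, OLD_CERT["serialNumber"]))
    print("new cert:", verify_rotation(NEW_CERT, OLD_CERT["serialNumber"]))
    # Live use on your own host would be:
    # print(verify_rotation(fetch_peer_cert("www.example-placeholder.test"), "0A1B2C3D"))
```

Record the pre-patch serial for every externally facing host before rotating keys; a certificate that was merely renewed onto the old key will pass the date check but not the serial check only if the CA reused the serial, so keep the key-generation step in your own change records as well.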
The scope of investigating and managing the Heartbleed vulnerability may stretch the capabilities of some businesses’ internal security departments. For these companies, it may be advantageous to work with an external third-party firm with the cybersecurity and forensic experience and resources to assist them to develop and implement a response plan and mitigate potentially serious business risks. An effective, rapid response to Heartbleed will be an important test of the resilience and capability of your security team—and ultimately could be essential to ongoing business success and preservation of reputation.