When the news of Heartbleed broke a few weeks ago, business owners understandably started to panic. The OpenSSL vulnerability was seen by many as a significant blow for both web security and the concept of open source development.
While the scare has since died down a little, some businesses still have some work to do to ensure safety. So what is it all about and what needs to be done to mitigate the risks?
You cannot ‘catch’ Heartbleed as such. Despite reports of this threat being a ‘virus’ or a ‘hack’, it was basically a security cock-up at internet level which left lots of private internet data vulnerable.
Digital Spy described it as follows: “Imagine the internet is a castle and SSL/TLS encryption is a part of the wall and moat around it used to keep out invaders. A mistake by a German software programmer basically left a small door open in the wall for invaders to get in.”
When the vulnerability was first highlighted, very few people knew it existed, meaning the risks were relatively low. Now it’s been spread across the world’s news outlets, however, more hackers will be looking to capitalise.
Companies first need to check whether their OpenSSL versions have been affected. Firms using OpenSSL 0.9.8 and 1.0.0 won’t have been impacted by the discovery and are safe to continue without taking any action. Those utilising all versions between OpenSSL 1.0.1 and 1.0.1f can’t afford to sit around.
Upon finding out that they’ve been affected, companies must update to the most recent version of OpenSSL, before revoking any compromised cryptographic keys and reissuing X.509 certificates with new ones.
By now, most IT firms will have released bug fixes for their products, so CIOs should make sure their software, operating systems and devices are patched accordingly. Once all of this has been done, companies need to advise all users – internal and external – to create new passwords; only then can safety be assumed.