In the latest of what seems to be a never-ending series of serious security concerns, IT professionals were notified recently of the newest threat, Heartbleed, which affects the most popular security platform, OpenSSL. Heartbleed, caused by a minor omission of code, affects roughly two-thirds of internet servers and poses a considerable threat to millions of internet users. Business owners need to reevaluate their web security protocols to ensure they are protected.
OpenSSL is an encryption library used for online security by the vast majority of websites (indicated by the padlock seen in your URL bar). It takes information and converts it to a code that can only be deciphered by the recipient (i.e. the website server). By doing this, it prevents third-parties from intercepting and stealing sensitive information. The previous version of OpenSSL included an extension, called Heartbeat, which maintains a secure connection for an extended period of time. The security threat comes from a bug in the extension's code.
This bug is particularly concerning because it allows third-parties to potentially obtain past session information and impersonate the server for future attacks. To make matters worse, there is no trace left behind by the attacker. It is nearly impossible to know if a site has been compromised or if any information has been stolen; it is not apparent by simply examining the code or logs.
Addressing the Problem
Addressing the Heartbleed bug is not easy. Your IT personnel should assess any internet facing SSL secured services (VPN servers, portals, webmail, etc.) used by your organization, including any that are internally developed and those that use vendor solutions. Your IT organization should also assess the vulnerability of any critical customer and vendor sites used by your organization, banking websites, etc. This can be accomplished by using a tool such as SSLLabs and by contacting customers and vendors to ask them if they're affected by and/or addressing the issue. Once you know the extent of the impact of the Heartbleed bug on your organization, you and your IT professionals can determine the proper resolutions. The fix for the issue was published on April 7th, but it will likely take several days before most affected servers are properly patched.
To Clients of Weaver
Weaver has taken the same steps prescribed above for its own internal systems and third-party solutions. We have confirmed that none of our software vendors that house our client’s data are affected by the Heartbleed bug at this time. Read Weaver's full statement.
This issue serves as a reminder that organizations need to be proactive in evaluating security threats and determining that adequate processes exist to deal with emerging threats. If you need assistance determining whether your organization has taken appropriate action on this issue, Weaver stands by ready to help.
© Copyright 2014 Weaver and Tidwell, L.L.P.