According to Venafi, 97% of Global 2000 organisations’ public-facing servers remain vulnerable to cyber attacks due to incomplete Heartbleed remediation. This leaves the door open for attackers to spoof legitimate websites, decrypt private communications, and steal sensitive data sent over SSL.
Undiscovered for over two years, Heartbleed is an OpenSSL vulnerability that allows attackers to extract data in memory simply by communicating with a host server.
Successful exploits show that sensitive data, including passwords, SSL/TLS keys, and X.509 digital certificates, could be extracted. In addition to applying the OpenSSL patch, organisations must assume that all keys and certificates were compromised, given the extent and duration of the vulnerability.
Following Heartbleed’s discovery, experts from Bruce Schneier to Gartner warned that, to fully remediate Heartbleed, all SSL keys and certificates must be replaced.
Gartner analyst Erik Heidt warned that past “lazy” security and patch management was insufficient and that all keys and certificates should be replaced. Venafi Labs research from July 2014 found that critical security flaws remain due to a systemic failure to replace vulnerable keys and revoke and replace digital certificates.
For its Threat Research Analysis, Venafi Labs evaluated 1,639 Global 2000 organizations across more than 550,000 public-facing servers and found critical security flaws using the Venafi Labs Vulnerability Report.
The report reveals that only 387 Global 2000 organizations have fully remediated Heartbleed, accounting for an astonishingly small three percent of the total public-facing servers scanned. The remaining ninety-seven percent have significant exposure to ongoing cyber attacks and malicious activity.
Enterprises must also assume, just as many did with user IDs and passwords, that all keys and certificates were compromised – not just the keys and certificates that secured the systems hosting the Heartbleed vulnerability – and that all of them must be revoked and replaced. Thousands of applications behind the firewall, including those of Cisco, Juniper, HP, IBM, Oracle, McAfee, Symantec and many others, remain exposed.
Kevin Bocek, vice president, security strategy and threat intelligence, Venafi, said:
“IT Security teams are under the false notion that they have remediated Heartbleed by applying a software patch. But if someone walks into your house through an open door and steals your house keys, you don’t then rely on the same locks once you’ve closed the door. Organizations must find and replace all of their keys and certificates — all of them. Otherwise massive security gaps and open doors remain. Enterprises need to equip themselves with systems to detect keys and certificates across their networks and in the cloud, and rapidly respond and remediate by replacing them.”
Recommended response and remediation:
- Know where all of an organisation’s keys and certificates are located
- Generate new cryptographic keys, request new certificates
- Apply new keys and certificates, revoke old ones
- Validate remediation to ensure new keys and certificates are in place and operational
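
The validation step can be run as a check over a certificate inventory. The sketch below is an added example, not Venafi's tooling or method: it flags hosts that were patched but still serve a key that sat on a vulnerable server, including hosts that were never vulnerable themselves but share such a key. The record layout, finding names, hosts, dates and key ids are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    host: str
    serial: str
    key_id: str        # SHA-256 of the public key; same value means same key pair
    not_before: date
    revoked: bool = False

def assess(before, after, patched_on):
    """Return {host: [findings]}; an empty list means the host is fully remediated.

    before/after: certificates seen before and after remediation.
    patched_on:   {host: date OpenSSL was patched}, vulnerable hosts only.
    """
    # Any key that ever sat on a vulnerable host is exposed, wherever else it is used.
    exposed = {c.key_id for c in before if c.host in patched_on}
    report = {}
    for cert in after:
        findings = []
        if cert.key_id in exposed:
            findings.append("key-reused")
        # A certificate issued while the host was still unpatched protects nothing.
        if cert.host in patched_on and cert.not_before < patched_on[cert.host]:
            findings.append("issued-before-patch")
        if any(o.host == cert.host and o.key_id in exposed and not o.revoked
               for o in before):
            findings.append("old-cert-not-revoked")
        report[cert.host] = findings
    return report

# Constructed sample inventory (hosts, serials, dates and key ids are made up).
PATCHED = {"www.example.test": date(2014, 4, 9), "mail.example.test": date(2014, 4, 9)}
BEFORE = [
    Cert("www.example.test", "01", "key-A", date(2013, 6, 1), revoked=True),
    Cert("mail.example.test", "02", "key-C", date(2013, 9, 1)),
    Cert("vpn.example.test", "03", "key-A", date(2013, 7, 1)),    # shares www's key
]
AFTER = [
    Cert("www.example.test", "11", "key-B", date(2014, 4, 10)),   # new key, old cert revoked
    Cert("mail.example.test", "12", "key-C", date(2014, 4, 10)),  # reissued around the old key
    Cert("vpn.example.test", "03", "key-A", date(2013, 7, 1)),    # never vulnerable itself
]

if __name__ == "__main__":
    for host, findings in assess(BEFORE, AFTER, PATCHED).items():
        print(host, "OK" if not findings else ", ".join(findings))
```

Only `www.example.test` passes: `mail` was reissued a certificate around its old key, and `vpn` was never vulnerable but still serves a key that was exposed on `www`.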