Security Risk Management

Hearts Bleed Over Latest SSL Vulnerability

Sonali Shah | April 9, 2014

openssl-logoOn April 7, the open-source OpenSSL project issued an advisory regarding a critical vulnerability identified as CVE-2014-0160 and called “Heartbleed.” This flaw, which takes advantage of OpenSSL’s heartbeat feature, has been present in OpenSSL for over two years, but was only recently discovered. It allows an attacker to trick systems running any version of OpenSSL 1.0.1. from the past two years into revealing 64 KB of data sitting in its system memory per request. There is no limit to the number of requests an attacker can make. Attackers can gain access to private keys, user names, passwords, credit card data, and other sensitive information. They can spoof a website by launching a more effective man-in-the-middle attack. What is both scary and brilliant about attacks exploiting this vulnerability is that they leave no trace in the server logs.

BitSight is pleased to announce a new feature on the Customer Portal launched yesterday that shows if a company is vulnerable to the Heartbleed bug. Companies are classified into one of the following three categories:

  • Vulnerable: The domain for this company uses an unpatched version of OpenSSL and is vulnerable to this attack.

  • Secure: The domain for this company either uses a patched version of OpenSSL or a different SSL library.

  • Unknown: The domain for this company either does not use SSL or the SSL library was unable to be determined.

As a way to measure the ability of companies to quickly respond to these types of vulnerabilities, we looked at how the companies in the S&P 500 index have performed. As of 10 pm ET on April 8, 2014, most companies in the S&P 500 index are secure. The fact that OpenSSL released a patch at the same time they announced the vulnerability and that the nation’s largest public companies were mostly quick to patch their systems is certainly good news.

The questions that remain now are how many organizations were exploited before the patch was applied,  how many organizations will revoke their certificates and get a new one, and how long this process will take. This is certainly an issue we will watch in the days and weeks to come.

Suggested Posts

3 Ways to Ensure Best-in-Class Third Party Cyber Risk Management

An effective third party cyber risk management program both identifies potential threats and finds ways to mitigate them. Organizations should aspire to the highest possible standards when it comes to their security posture. To do so, they...

READ MORE »

Cyber Risk Should Be A Growing Concern to the Municipal Bond Market

Following an increase in ransomware cyber attacks, most notably May 2017’s WannaCry attack, U.S. public sector entities are starting to see the effects of these attacks on the almost $4 trillion municipal debt market. As a result, issuers...

READ MORE »

Takeaways from the 2017 Gartner Security & Risk Management Summit

This year marked another great Gartner Security & Risk Management Summit with over 3,000 attendees, bringing together CEOs, CIOs, CISOs, IT Directors, Risk Managers, and other risk and security professionals to National Harbor, MD from...

READ MORE »

Subscribe to get security news and updates in your inbox.