How you need to respond to Heartbleed, and how you can explain it to others

Michael Santarcangelo | April 14, 2014
Your executive action plan to respond to Heartbleed: what you need to know, steps to take, and how to explain it to others.

Introduced into the code over two years ago and, in many circumstances, difficult to detect, this bug means we need to assume in most cases that any system or device running a vulnerable version of OpenSSL might have been compromised.

The latest reports confirm this bug impacts hardware and software in a whole range of commercial and open source solutions, including routers, virtual servers, and popular software packages like Tor (https://blog.torproject.org/).

Anticipate more reports covering more devices, with purpose-built solutions and industrial control systems likely to be next.

Consider the elements on your network, in your systems, and within your solutions. Recognize that it is not always evident which elements rely on OpenSSL. When in doubt (and it's good to be a bit doubtful), test. When testing, check interconnected systems as well.

2. Patch where possible.
Most Internet-facing servers are designed to be patched, and most already have patches available. However, given the growing list of affected systems and devices, it may take a few days before patches are ready for some devices and solutions. That requires a combination of diligence and patience.

After patching, test again.

Often patches are applied without the need to restart machines and services. With this bug, however, some reports have surfaced where people needed to restart before the fix took effect. The key is to test and verify the success of applied patches.

In the rare circumstance where patching isn't possible, gather the team to assess and plan. If you run into one of these situations, reach out for help.
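As an added example (not part of the article), one way to perform the "test again" step on a Linux host: after the OpenSSL packages are updated, a long-running service keeps the old, vulnerable library in memory until it is restarted, and the kernel marks such a mapping with "(deleted)" in /proc/<pid>/maps. The script below lists those processes; the first argument is an assumed fixture directory laid out like /proc so it can be exercised offline, and defaults to the live /proc.

```shell
#!/bin/sh
# Added example, not code from the article. Finds processes that still map
# a libssl/libcrypto file that was replaced on disk (shown as "(deleted)" in
# /proc/<pid>/maps on Linux); those services are still running the old code.
# Assumption: the optional argument points at a directory with the same
# layout as /proc (used here only for offline testing); default is /proc.

stale_openssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid="${maps%/maps}"
        pid="${pid##*/}"
        # libssl.so* or libcrypto.so* whose backing file has been replaced
        if grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            echo "$pid"
        fi
    done
}

# One-line verdict for a post-patch verification runbook.
# Returns 0 when clean, 1 when at least one process needs a restart.
report_stale_openssl() {
    proc_root="${1:-/proc}"
    pids=$(stale_openssl_pids "$proc_root")
    if [ -z "$pids" ]; then
        echo "OK: no process still maps a replaced libssl/libcrypto"
        return 0
    fi
    echo "RESTART NEEDED: processes still using the old OpenSSL library:"
    for p in $pids; do
        cmd=$(tr '\000' ' ' < "$proc_root/$p/cmdline" 2>/dev/null)
        echo "  pid $p ${cmd:-(cmdline unavailable)}"
    done
    return 1
}

# Runbook use: patch, run "report_stale_openssl", restart whatever it lists,
# then run it again and expect the OK line.
```

Run it as root so every process's maps file is readable; a process that does not appear here but was started before the update may still be worth restarting if the host uses a different library path than the pattern expects.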

3. Revoke, re-issue and re-install the SSL certificate(s)
This is key (no pun intended). This is also an area a lot of people are likely to overlook or, worse, skip because they think they weren't affected.

"If you're not going to get a new cert, you're missing the point of this bug," explained Jason Soroko, Head of Malware Research, Entrust - A Datacard Company.

The fix isn't complete until the cert is revoked and re-issued.

4. Assess the situation
In the event you captured and kept TLS logs, take time to review the logs and look for signs of compromise. If the logs aren't available, minimally assess if/how/why people need to change their passwords. Determine what, if any, other information could have been compromised or impacted.

5. Communicate clearly, and transparently, to employees, partners and consumers
Clear and transparent communication is key to trust. When explaining the situation, outline the steps you took and confirm you revoked and replaced the certificates. Explain any potential impacts. Ars Technica's announcement is an example of an excellent one (read it here).

We're already seeing signs of "yup, we patched" surface. The problem is those messages fail to inspire the confidence that they revoked the old certs and issued and installed new certs.
