Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Here are the options with Heartbleed-flawed networking gear (Hint: there aren't many)

Antone Gonsalves | April 14, 2014
Companies faced with the threat posed by networking equipment that contains the notorious Heartbleed bug have few security options beyond working closely with affected vendors, most notably Cisco Systems and Juniper Networks.

However, the same solution cannot be easily applied to employees using a vulnerable SSL VPN connection between their smartphones and tablets and the corporate network, Williams said. Companies could switch all traffic to a non-standard port, but that would entail changes to the end-user device, as well as the networking gear, which might not be practical.

In those cases, CSOs will likely have to weigh the risk of continuing to allow employees to use the VPNs versus taking them down until a patch can be applied.

"This is going to come down to risk tolerance for each individual company," Williams said.

"Basically, they're going to have to take a look and say, 'We assess the risk to be so low, or the cost to be so high, that we'll accept the risk based on the lost revenue if we didn't allow them (employees) to connect.'"

Cybersecurity firm Codenomicon discovered and published information about the Heartbleed bug Monday night. On Thursday, U.S. Department of Homeland Security warned companies that cybercriminals could exploit the vulnerability.

"At this time there have not been any reported attacks or malicious incidents involving this particular vulnerability, but because it is a highly visible media topic, it is possible that cybercriminals could exploit it in the future," the advisory said.

 

Previous Page  1  2 

Sign up for Computerworld eNewsletters.