It has been reported that although almost six months have passed since the Heartbleed security flaw, hundreds of thousands of devices worldwide still remain vulnerable. Below are comments from several experts in the IT security industry:
Richard Cassidy, senior security architect, Alert Logic writes:
"Why Heartbleed – amongst a plethora of other threats – is still prevalent almost 6 months post its discovery is not surprising at all. We know from our own research at Alert Logic that many threats exist across customer networks long before they are detected or, more importantly, remediated. Heartbleed technically has been exploitable since OpenSSL 1.0.1 was widely adopted back in March of 2012, and if we look at many other threats, including the recent theory that BlockPOS malware that’s wreaked havoc across ePOS networks, we know that these exploits were long “exploitable” before the industry was even made aware of them!
Recent security reports trend that over 17% of customers take many months to remediate/contain known threats, with 4% reported to take a year or more. Compare this to the fact that attacks are on average taking ‘minutes’ to compromise 75% of targeted customer networks and it’s no surprise therefore that the challenge is almost an insurmountable one for organisations today.
The race in closing the “threat-window” – that is, the time it takes to identify the threat (through whatsoever means) and then put in place the remediation actions to mitigate that threat – becomes a marathon for many organisations, not least because the larger the organisation is, the more complex the structure – in terms of networks, systems, applications and security teams – tends to be. Administrators are working hard to maintain existing processes and critical business systems, fighting against stringent change-control processes; couple this with limited resources and a fast-changing threat landscape, and there is only so much that can be achieved.
All in all it’s about improving security processes and practices to tackle serious security flaws head-on and implementing technologies that allow organisations to achieve the outcome they require, as opposed to having yet more systems that report yet more data, which requires deeper analysis by the organisation itself. Security teams need to be given the time and resources required to ensure compromises are remediated fully. The other challenge is that security technologies are becoming more complex in nature (largely due to the fact that threats are becoming just as complex) and businesses are being left to manage the content of these complex technologies often with limited training and expertise. If we don’t understand how to effectively use the tools we are being left to work with, then the outcome will always be less than desired. It is for this reason that we are seeing a greater propensity for security management to be delivered as a service. Organisations need to be able to identify threats faster across their complex platforms, so that the process of mitigation/remediation can begin far sooner and customer confidence is maintained. Businesses are already realising that sacrificing mission-critical application and service uptime to remediate a security flaw (such as Heartbleed) bodes far greater with their customers and partners, who would much rather suffer a short outage in the service they are accessing than see their data compromised."
TK Keanini, CTO, Lancope says:
“All vulnerabilities present opportunities for threat actors to exploit, but what makes Heartbleed particularly difficult is that it is hard to identify and maybe even harder to fix due to the fact that it is in a specific version of the OpenSSL library.
The vulnerable version of the OpenSSL library has been widely used in all types of applications – some of which may be embedded systems (like the Internet of Things) – and the discovery and remediation can only take place by the vendor, as the end user has no access to source code or the means to replace the library themselves. These vendors are not performing security-related testing, and thus it will take a long time before they are made aware of the flaw, and it will be at the expense of many exploited systems.
If it is so hard to discover, then why are attackers still finding them? Attackers are simply more motivated, have more time and sadly more tools and techniques to go about the discovery and exploitation process of Heartbleed. Defenders need to up their game and start to play at the same level as the attackers. There is no reason why the attacker should have the upper hand here, and yet year after year they do.
As a defender, what evidence do you have that your infrastructure is not vulnerable to Heartbleed on a daily basis? What evidence do you have that attackers are not actively trying to discover the Heartbleed vulnerability on your network? If you cannot produce this level of evidence, stop what you are doing and find a way to get it. People think security is hard; it really is quite simple, and it begins with information that can back up claims and assertions about the state of your security.”
Michael Sutton, VP of security research, Zscaler writes:
“Heartbleed represented an unprecedented challenge for the security community both in terms of impact and reach. The vulnerability is trivially easy to exploit, leaks critical information and impacted a huge portion of the Internet due to the ubiquity of OpenSSL usage. While a significant portion of affected machines were patched in the days following Heartbleed's initial disclosure, the rallying cry has since faded. With an impact the size of Heartbleed, we can be sure that vulnerable machines will be discovered for years to come. Further complicating the challenge is the fact that the heartbeat packets that trigger the flaw are unlikely to be detected by monitoring systems. Therefore, it is unlikely that a company would even know that it was being probed, and it would therefore not take action. The likely first indication of attack, as was the case with Community Health, comes when the impact of the attack is observed in the form of compromised accounts or machines, and by then the damage has already been done.”
Amichai Shulman, CTO, Imperva observes:
"While I do not necessarily want to belittle the importance of the “Heartbleed” vulnerability, it does seem odd to me that the only incident directly related to this vulnerability is the recent Community Health breach. This is especially intriguing given the claim by Venafi (below) that so many “Internet devices” remain vulnerable. It just does not add up. I’ve said it in the past with respect to Heartbleed and I’ll say it again now – we have seen vulnerabilities that received far less media attention than Heartbleed being successfully and massively exploited in the wild. What is it that we are missing here?"
Toyin Adelakun, VP, Sestus says:
"There is likely to be a "Heartbleed overhang" for quite some time into the future. There are two aspects to the Heartbleed bug: firstly, the bug itself, which can allow the contents — keys, passwords and other credentials and data — of SSL servers’ memory to be extracted by unauthorised parties; and secondly, the contents, i.e. credentials and data, thus stolen.
In instances of high-profile vulnerabilities such as this, the rate of remediation spikes early on, and then decays over time. In essence, the remediation rate — across geographies and across industries — will follow a positively skewed distribution with an extremely long tail.
The issue here is that there are two such curves: the rate of remediation of the Heartbleed bug itself, which would be effected by websites upgrading their OpenSSL software servers; and the rate of remediation of the credential/data loss, which would be effected by websites, service providers and end-users re-issuing cryptographic keys, changing passwords and/or re-generating data that might have been stolen.
There is a high likelihood that the credential-loss remediation rate has tracked lower than the bug remediation rate. And there is a high likelihood that that situation will prevail for quite some time. On that basis, the headline “hack” may indeed still be a risk, but focus should also increase on making sure that secondary breaches — i.e. those exploiting the gains of Heartbleed bug breaches — are remediated as quickly as possible, by all and sundry. Otherwise, what I’ve called the “Heartbleed overhang” may stretch into the future and morph into the means for advanced persistent threats (APTs)."