The recently exposed Heartbleed bug has sent the internet into a panic not seen since Y2K. Dave Howell reports on how the latest security scare should be handled.

IT security has always been a major concern for organisations, which spend a high proportion of their time and resources combating the latest threats to their IT infrastructures and, increasingly, to the cloud-based services some enterprises are adopting.

The latest security threat is serious, as it affects more than 60% of the active servers on the internet, and was described by a leading security expert as a “catastrophic flaw”. The Heartbleed bug is a vulnerability in OpenSSL, the cryptographic library favoured by many of the commercial websites consumers use every day to make purchases. Only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. However, the bug also affects cloud-based services, most notably social media sites, which is the main concern.

You can see which sites were the most vulnerable on Mashable. Organisations should check whether any of their services use servers other than those supported by the HBP Group, which are not vulnerable to Heartbleed. Also, because Windows Server uses a different TLS implementation rather than OpenSSL, these platforms are not affected.

Twitter stated: “We were able to determine that twitter.com and api.twitter.com servers were not affected by this vulnerability”, with Facebook commenting: “We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed, and we’re continuing to monitor the situation closely.” Google also announced: “We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, App Engine, AdWords, DoubleClick, Maps, Maps Engine, Earth, Analytics and Tag Manager. Google Chrome and Chrome OS are not affected.”

Taking action

The practical steps that organisations can take now revolve around a holistic approach to digital security. The key is multiple layers of resilience that begin at the desktop and end with the cloud service vendor. Businesses need to consider the journey that sensitive data takes in and out of their systems, and ensure adequate security protocols are in place at key strategic points.

All of the major services affected by the Heartbleed bug are updating their servers. If any server in use is identified as vulnerable, check with the vendor that the security patch is in place before passwords are changed; only then are the new credentials protected from the same attack.

Organisations can also use a number of tools to check any web services in use across their enterprises for the Heartbleed bug. These testing services can also be used after a security patch has been applied, to confirm that the fix is working as expected before new passwords are issued. Two of the leading testing services are LastPass and the Qualys SSL Server Test.
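As an added illustration (not part of the article or of any tool it names), a Python helper that applies the version rule the article gives (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 affected) to the output of `openssl version`. That 1.0.1g and later, and 1.0.2 betas after beta1, carry the fix is assumed here rather than stated above; the sample version lines are constructed.

```python
import re
import subprocess

# Matches lines such as "OpenSSL 1.0.1f 6 Jan 2014" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, letter, beta) from an `openssl version` line, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter, int(beta) if beta else None)


def heartbleed_status(version_line):
    """Classify an `openssl version` line as 'vulnerable', 'not_vulnerable' or 'unknown'.

    Caveat for defenders: distribution builds often backport the fix without
    changing the upstream version string, so 'vulnerable' here means
    'investigate with a live test', not 'confirmed'.
    """
    v = parse_version(version_line)
    if v is None:
        return "unknown"
    major, minor, patch, letter, beta = v
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed (assumed).
        return "vulnerable" if letter <= "f" else "not_vulnerable"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped before the fix (assumed); later betas and the release did not.
        return "vulnerable" if beta == 1 else "not_vulnerable"
    # 1.0.0, 0.9.8 and other branches never contained the heartbeat code in question.
    return "not_vulnerable"


def local_openssl_status():
    """Run the local `openssl version` and classify it; 'unknown' if the binary is missing."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False)
    except OSError:
        return "unknown"
    return heartbleed_status(out.stdout)


if __name__ == "__main__":
    print("local OpenSSL:", local_openssl_status())
```

A "vulnerable" verdict should be followed by one of the live checks the article names before any password rotation is scheduled.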

Ongoing security

The Heartbleed bug is yet another example of a security flaw that went unnoticed for several years. Organisations can easily feel defenceless in the face of such events, which are outside their control. However, we are not powerless to act. Where use of the cloud may begin with social media and with the storage and access of data, the future will inevitably see an expansion of cloud use — with security playing an increasingly important role.

However, there is a wider issue revealed by the Heartbleed bug: the trust that businesses place in the services they use, and, for those managing platforms with a consumer-facing aspect, how that trust and customers' privacy can be protected.

PwC state in their report into data privacy: “The way your business thinks about data privacy — and the extent that is recognized outside of the organization — is important today. Privacy can be seen as a differentiator, with organizations calling out companies they see as putting customers first when it comes to privacy. The Electronic Frontier Foundation and Online Trust Alliance, for example, annually recognizes the top companies for consumer privacy and data protection.”

TRUSTe reveals, regarding its research: “The potential impact of the concern over business privacy practices is significant as consumer trust is falling. Just over half of US Internet users (55%, down from 57% in 2013) say they trust businesses with their personal information online. Furthermore, 89% say they avoid companies they do not trust to protect their privacy. Also, 70% said they felt more confident that they knew how to manage their privacy than one year ago, but this can cause consumers to take actions which negatively impact businesses.”

Organisations can create a secure environment for their employees and customers. Updating security policies in light of Heartbleed is vital. There will undoubtedly be more incidents like this in the future, but considering the security protocols in use across your organisation can do much to mitigate future weaknesses.

Last reviewed 18 April 2014