Six months ago one of the scariest and potentially most damaging vulnerabilities ever found impacted millions of systems using OpenSSL. Heartbleed opened the door for hackers to easily gain access to any system running OpenSSL and get at critical and private information. This set the IT security world on fire and sent businesses scrambling to plug the holes. For the first time, IT security was brought into mainstream headlines and given attention from a broad audience that hadn’t been seen before. This could have been a turning point for individuals and businesses to realize that IT security needs to be on the front burner rather than an afterthought that’s too expensive to deal with right now.
Unfortunately, the short attention span of today’s society pushed Heartbleed out of the minds of leaders, but it has slipped back into the conversations of security experts. Security groups that originally estimated over 600,000 vulnerable systems have recently reported that there are still over 300,000 systems that have not been fixed, more than 6 months after Heartbleed was announced. Just under half of the systems detected are still open to attack and exploitation.
One of the more recent public breaches, at Community Health Systems, which exposed 4.5 million accounts to hackers, has been attributed to Heartbleed. It is a well-known exploit with a fairly simple resolution. It only takes a focused and disciplined IT security department with managerial support to get it done. Regardless of the size of the organization, when a threat like this is announced at the level it was, with a very public announcement of a fix, it should have been priority number one. I know in my organization we triple-checked our environment both internally and externally and slammed the brakes on anything not related to patching Heartbleed. We demanded it for IT security, the business demanded it and our customers demanded it. It was done. Through that exercise we discovered that we didn’t know everything about our environment that we thought we did. I hope we weren’t a rarity when it comes to our thoroughness for issues like this. When you look at the reports of the number of Heartbleed-vulnerable systems still out there unpatched, the lack of focus on this is unsettling.
If there’s a lack of movement on a national-headline security risk, what else is being overlooked among the smaller weekly threats? Who in IT cares, or do they at all? It’s hard to defend the majority of the people out there when 50% or more of systems are still not patched; it’s a scary thought what else is wide open, getting exploited daily without anyone knowing about it or caring.
Most of the mainstream companies took action immediately and publicly, assuring their customers that this was being dealt with if they were impacted. However, we don’t all conduct business involving our financial information, usernames and passwords only with ‘mainstream’ companies.
End of Line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.