Tuesday, April 15, 2014

Best practices can prevent and mitigate future incidences like the Heartbleed OpenSSL bug

By Steven Rosen, Chief Information Officer, Xchanging Malaysia

Recently, Malaysians were made aware of ‘Heartbleed’, a major encryption flaw that affects OpenSSL web servers. Known as one of the biggest security threats online, the flaw allows cybercriminals access to crucial corporate information stored in the cloud across various websites such as Facebook, Google and Twitter. As such, users of these platforms may have been exposing their crucial and private data for the past two years.

Since its inception in 2012, OpenSSL has been a popular choice amongst companies as it is a free platform. In fact, according to a recent Netcraft Web Server survey across 959 million websites globally, around 66% are powered by technology built around OpenSSL. Yet some of the technology used to secure communication was jeopardised for over two years by the ‘Heartbleed’ bug.

While consumers have received alerts from several websites to update their passwords to protect their information, securing corporate information is much more complex. Companies need to track and assess their systems for exposures, and many may not know what to do, or may delay acting. This delay creates an opportunity for hackers to seize the moment and exploit the data at hand.

What businesses can do to mitigate the risk
If businesses have been using OpenSSL, a quick reactive process should be in place to analyse and identify the risks they are exposed to, and to take steps to address them immediately. Organisations should then run an audit to ensure no other information on the system has been compromised.

However, the challenge businesses face is that the exploit disguises itself as an ordinary heartbeat message and leaves no visible trace, which makes it near impossible to tell whether any information held in memory has been compromised through this flaw.

To mitigate this issue, it is important for businesses to deploy adequate tools to help keep track of patches and bugs across systems. Here are some crucial tools businesses can take into consideration:

- A standard operating environment (SOE), which helps to standardise all applications and tools that are in use.
- A configuration management database (CMDB), which assesses all servers and network elements, collects configuration-specific information and records it in a single database. If an issue comes up, the CMDB can run a report so that businesses are immediately aware of which areas have been compromised and can address them appropriately.
- The IT Infrastructure Library (ITIL), which is the enterprise standard across the world for how IT should be structured. Part of ITIL is a patch management process, which ensures the SOE is healthy, functionally capable and secure. An added benefit is its ability to keep track of functional and security patches, so that patches can be identified and quickly deployed to the system if there is a compromise.
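The CMDB report described above can be illustrated with a small script. This is an added example, not code from the article or from any CMDB product: the inventory records are constructed stand-ins for a CMDB export (the hostnames are placeholders), and the affected version range it checks, OpenSSL 1.0.1 up to and including 1.0.1f plus the 1.0.2-beta1 pre-release, is the range published in the OpenSSL project's Heartbleed advisory. The caveat it handles is the one that trips up version-string checks in practice: some operating system vendors shipped the fix without changing the upstream version number, so a host reporting 1.0.1e may already be patched, and the CMDB needs a separate field for that.

```python
"""Flag inventory hosts whose OpenSSL build falls in the Heartbleed-affected range."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed CMDB export; hostnames are placeholders, not real systems.
# "backported_fix" records whether the OS vendor shipped the Heartbleed fix
# without bumping the upstream version string (common on Debian/RHEL builds).
INVENTORY = [
    {"host": "web-01.example.test", "openssl": "1.0.1e", "backported_fix": False},
    {"host": "web-02.example.test", "openssl": "1.0.1g", "backported_fix": False},
    {"host": "api-01.example.test", "openssl": "1.0.1e", "backported_fix": True},
    {"host": "legacy-01.example.test", "openssl": "0.9.8y", "backported_fix": False},
    {"host": "lb-01.example.test", "openssl": "1.0.2-beta1", "backported_fix": False},
    {"host": "vpn-01.example.test", "openssl": "unknown", "backported_fix": False},
]

# OpenSSL releases of that era are numbered major.minor.patch plus an optional
# letter suffix (1.0.1, 1.0.1a, ... 1.0.1f) and, for pre-releases, "-betaN".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*))?$")

Version = Tuple[int, int, int, str]

# Affected range from the OpenSSL project's Heartbleed advisory: 1.0.1 through
# 1.0.1f (fixed in 1.0.1g). Letter suffixes compare correctly as strings
# ("" < "a" < ... < "f" < "g"), so tuple comparison gives the right order.
AFFECTED_LOW: Version = (1, 0, 1, "")
AFFECTED_HIGH: Version = (1, 0, 1, "f")


def parse_version(text: str) -> Optional[Tuple[Version, str]]:
    """Return ((major, minor, patch, letters), prerelease) or None if unparseable."""
    match = VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch, letters, pre = match.groups()
    return (int(major), int(minor), int(patch), letters), (pre or "")


def is_affected_version(text: str) -> Optional[bool]:
    """True/False for a recognised version string, None when it cannot be parsed."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    version, pre = parsed
    if pre:
        # Among pre-releases only 1.0.2-beta1 shipped the bug; beta2 carried the fix.
        return version[:3] == (1, 0, 2) and pre == "beta1"
    return AFFECTED_LOW <= version <= AFFECTED_HIGH


def classify(record: Dict) -> str:
    """Sort one CMDB record into a remediation bucket."""
    affected = is_affected_version(record["openssl"])
    if affected is None:
        return "unknown"          # needs a manual check; the CMDB data is incomplete
    if not affected:
        return "not affected"
    if record.get("backported_fix"):
        return "patched-backport"  # vulnerable version string, but vendor fix applied
    return "affected"


def report(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Group hostnames by remediation bucket, preserving inventory order."""
    result: Dict[str, List[str]] = {
        "affected": [], "patched-backport": [], "not affected": [], "unknown": []
    }
    for record in inventory:
        result[classify(record)].append(record["host"])
    return result


if __name__ == "__main__":
    for bucket, hosts in report(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "affected" bucket need the patch (and, because the flaw could expose private keys, new keys and certificates); "patched-backport" hosts should be confirmed against the vendor's changelog rather than trusted on the version string alone; "unknown" hosts show where the CMDB data itself needs fixing before the report can be relied on.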

Many Malaysians may not be aware that Windows or iOS updates are in fact patches for functional or security issues. They are either mandatory or optional for certain software, and a robust management system can be designed to automate such updates on a weekly or monthly basis whenever they become available.

What companies can do if they want to continue using OpenSSL
Companies can choose between a separate certificate and encryption key for each subdomain, or a single wildcard certificate whose one key covers all subdomains. Security best practice would recommend a separate key for each subdomain, but depending on the criticality of the systems and data, it may be more cost beneficial to use a wildcard certificate.
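The trade-off in the paragraph above becomes concrete when a key has to be treated as compromised, as it must on any host that ran a vulnerable OpenSSL. The following is an added example, not code from the article: given constructed records of which private key is installed on which hosts and which names each certificate covers (key ids, hostnames and the example.test names are all placeholders), it works out which keys must be rotated and which public hostnames those keys could be used to impersonate until the certificates are revoked and reissued. The wildcard matching follows the rule browsers apply, where `*` stands for exactly one leftmost label, so a wildcard for `*.example.test` does not cover `example.test` itself or `deep.sub.example.test`.

```python
"""Work out key rotation scope after a host is believed to have exposed its private key."""
from typing import Dict, List

# Constructed deployment records; key ids, hostnames and DNS names are placeholders.
DEPLOYMENTS = [
    {"key_id": "key-wildcard", "names": ["*.example.test"], "hosts": ["web-01", "api-01", "mail-01"]},
    {"key_id": "key-shop", "names": ["shop.example.test"], "hosts": ["shop-01"]},
    {"key_id": "key-admin", "names": ["admin.example.test"], "hosts": ["admin-01"]},
]

# Constructed list of the organisation's public service names.
SERVICE_NAMES = [
    "www.example.test", "api.example.test", "mail.example.test",
    "shop.example.test", "admin.example.test", "deep.sub.example.test", "example.test",
]


def name_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against a hostname the way browsers do.

    A wildcard is only honoured as the whole leftmost label and matches exactly
    one label: '*.example.test' covers 'api.example.test' but neither
    'example.test' nor 'deep.sub.example.test'.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.test"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def keys_to_rotate(deployments: List[Dict], exposed_hosts: List[str]) -> List[str]:
    """Any key installed on an exposed host must be assumed to have leaked."""
    exposed = set(exposed_hosts)
    return sorted(d["key_id"] for d in deployments if exposed & set(d["hosts"]))


def names_at_risk(deployments: List[Dict], key_ids: List[str], service_names: List[str]) -> List[str]:
    """Hostnames the leaked keys' certificates would let an attacker impersonate."""
    wanted = set(key_ids)
    patterns = [n for d in deployments if d["key_id"] in wanted for n in d["names"]]
    return sorted(h for h in service_names if any(name_matches(p, h) for p in patterns))


def rotation_plan(deployments: List[Dict], exposed_hosts: List[str], service_names: List[str]) -> Dict[str, List[str]]:
    """Keys to regenerate, hosts that must receive new material, and names to reissue for."""
    keys = keys_to_rotate(deployments, exposed_hosts)
    hosts = sorted({h for d in deployments if d["key_id"] in keys for h in d["hosts"]})
    return {
        "rotate_keys": keys,
        "hosts_to_redeploy": hosts,
        "names_at_risk": names_at_risk(deployments, keys, service_names),
    }


if __name__ == "__main__":
    # Constructed scenario: the public web server and the shop server ran vulnerable OpenSSL.
    for item, values in rotation_plan(DEPLOYMENTS, ["web-01", "shop-01"], SERVICE_NAMES).items():
        print(f"{item}: {', '.join(values) or '-'}")
```

In the constructed scenario only two hosts were exposed, yet the wildcard key pulls the untouched mail server into the redeployment and puts every single-label subdomain at risk, including admin.example.test even though it has its own certificate. With one key per subdomain, the same exposure would have been contained to the shop and web names, which is the cost the per-key approach buys down.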

While organisations can still choose to use OpenSSL, it is also the company's responsibility to ensure that all security gaps associated with OpenSSL and other free tools or platforms are actively monitored and addressed.
