Friday, April 11, 2014

Don’t Have Heartburn Over the Heartbleed Vulnerability

The Heartbleed bug has been at the epicentre of the Internet security storm recently and has been termed the worst security vulnerability to date. Trend Micro Inc. (TYO: 4704;TSE: 4704), the global leading internet security vendor, has moved swiftly to assess its products and services for the vulnerability and, where appropriate, has taken action to address the issue. Trend Micro has also provided answers in a simple FAQ below to address the confusion and concerns of organisations and consumers.

What is the Heartbleed bug?

The Heartbleed bug is a problem that affects SSL, the technology that helps protect your information on the Internet. You’re likely most familiar with SSL when you shop online or enter sensitive information on a site and see the “lock” that tells you your information is protected.

What does this mean?

This means that information that you thought was being protected by SSL may not be as safe as anyone thought. Sensitive information like passwords, credit card information, or other personal information could have been exposed to others without your knowing.

What should ORGANISATIONS do?

Countless organisations have spent the last few days testing and patching their systems in response to the Heartbleed bug. As with the current issue, it is inevitable that new vulnerabilities will be found in the future. The following are steps that organisations can implement to ensure faster detection and remedial action:

·         Continuous vulnerability scanning: The first step in remediating a bug like Heartbleed is to detect it. Organisations should be continuously testing their deployed web applications for the latest vulnerabilities. Security solutions like Trend Micro for Web Apps provide continuous application scanning along with security expert testing to ensure the time to detect vulnerabilities is minimised.

·         Immediate SSL certificate reissue: In response to Heartbleed, many organisations are now faced with reissuing their SSL certificates with new keys, which is a time-consuming process. Organisations can explore security solutions such as Trend Micro Deep Security for Web Apps, which allows them to easily rekey their SSL certificates and issue the new key in a matter of minutes. This helps to minimise the time critical systems are exposed to the vulnerability.

·         Instant virtual patching: Upgrading libraries like OpenSSL needs to be done with care, usually through regression testing, to ensure other functionality is not impacted. This takes time, which prolongs exposure to the vulnerability. Solutions like Trend Micro Deep Security provide advanced intrusion detection and prevention, which allows virtual patching. Attacks exploiting vulnerabilities can then be blocked immediately without requiring an update to the server configuration.

What can CONSUMERS do?

·         How do I fix this?

You don’t. In this case, this isn’t a problem with your computer or devices. It’s a problem that websites have to take care of by fixing SSL on their site.

·         Can I tell if a site has this problem?

Unfortunately, not really. This is something that only the people running the site can know for sure.

·         Is there anything I can do to protect myself?

While you can’t protect yourself from this specific issue, you can take some steps to protect yourself from effects that this issue might have. Specifically, you can do the following:

o    Make sure you’re running up-to-date security software on all your systems.

o    Watch for suspicious activity of any kind on your online accounts and your financial accounts.

o    Change passwords promptly for sites that recommend you do so.

·         Is there anything else that I should know about this?

This is a new situation and there’s always a lot of confusion and conflicting information in these situations. The important thing is to not panic, follow the steps that we’ve outlined, let the people who can fix this do so, and follow any additional instructions they give.

For the latest updates on the Heartbleed bug and any other security issues, kindly follow the Trend Micro TrendLabs Security Intelligence Blog at
