Last year, the infamous Heartbleed bug attacked like a hurricane, leaving destruction in its path. Talked about in news sources all over the world, the vulnerability was definitely one we thought we would never forget. Unfortunately, we are experiencing déjà vu, and many organizations are still in danger.
In order to eradicate Heartbleed, SSL certificates need to be swapped out and replaced, new keys generated, and patched applied. Recent report findings from Venafi indicate that approximately three out of four (74%) Global 2000 organizations failed to do that, leaving them susceptible to compromise. Dark Reading’s Sara Peters summarizes the Venafi report in her latest article:
Venafi has identified 580,000 hosts belonging to Global 2000 organizations that have not been completely remediated. Why have these organizations done such an inadequate job eradicating Heartbleed threats?
“It’s a combination of one, not knowing the correct steps to follow, two, not knowing where to find all keys and certificates, three, not having the knowledge or systems to be able to replace keys and certificates quickly and in large quantities,” says Kevin Bocek, Vice President Of Security Strategy And Threat Intelligence at Venafi.
“We also know that most organizations don’t know where keys and certificates are located and how they’re used,” says Bocek. “Recently, we released Ponemon Institute research that shows that 54% of organizations don’t know how many keys and certificates they have and where they are used.”
The United States and Germany are still only 41 and 42 percent remediated, respectively.
“Overall, organizations need to do a better job of being able to change out keys and certificates,” says Bocek. “Google has moved to three-month certificate lifetimes — basically assuming that keys and certificates will be compromised at some point. Being proactive as well as being able to respond to incidents or vulnerabilities like Heartbleed faster is needed for the future. One thing is certain: we’ll only be using more encryption, more keys and certificates in the future.”
For more report findings from the Venafi Heartbleed report, see the full article.
IT SECURITY SUPPORT: Blue Mountain Data Systems provides IT Security Support Services for Federal Civilian Agencies. Looking to find Vulnerability Scanning and Testing, Penetration Testing, Risk Assessment & FISMA Reporting for your Federal Agency? Call Paul Vesely at 703-502-3416.