Heart Stopping News of Compliance Threat Requires Your Attention
In the course of the last week, a critical vulnerability was discovered in the widely used OpenSSL encryption software. It has been dubbed Heartbleed because the flaw lies in OpenSSL's handling of TLS heartbeat requests, which can leak data from the affected system's memory. The bug has been present in OpenSSL versions 1.0.1 through 1.0.1f (and the 1.0.2 beta), which have been in use since March 2012.
Early this week, experts began to assess the extent of the exposure from this dangerous bug. Coverage from mainstream media to technical blogs and forums has hearts racing around the world.
OpenSSL 1.0.1g was released yesterday (April 8, 2014) to correct the Heartbleed bug. It is imperative that this patch is installed immediately on every server and site that uses an affected version. Once OpenSSL is updated, follow-up steps will need to be taken, including obtaining new encryption keys and requiring users to change their passwords.
Updates and Patch Releases are Critical to Regulatory Compliance and Security
When software or systems that your organization uses become out of date or reach end of life, those systems are no longer in compliance. With one missing update or patch, you could find yourself out of compliance overnight. It is critical that you have a process in place to manage updates and patches as they become available. For example, your own policy can follow the lead of Microsoft's "Patch Tuesday". For over a decade, Microsoft has made patch releases a regular, scheduled event that IT professionals can plan for and respond to with minimal disruption to day-to-day activities.
If your organization's regular operations do not include a designated effort to keep systems updated, secure, and compliant, you will inevitably find yourself distracted or interrupted while vital updates slip by. The risks from missed or delayed maintenance are too great to be overlooked. You may even find yourself the victim of a zero-day attack if there is even a slight delay in responding. Now that the Heartbleed bug is public, affected systems that remain unpatched are at greater risk than before. A slow response to Heartbleed may be very dangerous to the confidentiality, integrity, and availability of your data.
If you have a process in place, you have likely already taken note of the OpenSSL 1.0.1g patch and have made the update or made plans to do so. If you do not have a consistent process in place, the Heartbleed bug should make you take notice. Be sure to make the time to take the necessary steps without delay to protect your systems, your information, and your compliance.
The OpenSSL Patch and Steps to Take in Response to Heartbleed
If your systems use OpenSSL, it is imperative that you take the necessary steps to update and remain compliant.
If you are an executive or compliance officer:
- Begin a thorough investigation immediately to identify any servers, systems, apps, or sites that may be using an affected version of OpenSSL.
- Work with your team or take the steps outlined below for administrators to ensure that you have installed the patch and that your sites are again secure.
- Consider following up with a new risk assessment, including vulnerability scans to identify any other gaps in your security or your processes.
If you are a system administrator and your system has been running an affected version of OpenSSL:
- Download the OpenSSL 1.0.1g patch and upgrade all affected systems and servers right away. Go to OpenSSL.org for updates.
- Generate new private keys, obtain reissued certificates from your Certificate Authority, and revoke the old certificates. All session keys and session cookies must be invalidated as well.
- Change passwords once the patch is in place. Require all users within your organization to update their passwords. This is also an excellent opportunity to remind everyone in your organization to follow password management best practices.
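As an added illustration of the first administrator step (finding hosts that run an affected release), and not code from the original post: a Python check that classifies an `openssl version` banner against the range named above (1.0.1 through 1.0.1f and the 1.0.2 beta). The function and constant names are mine, and the sample banners in the comments are constructed for illustration.

```python
import re
import subprocess

# Affected releases as stated in the post: 1.0.1 through 1.0.1f and the 1.0.2 beta.
# 1.0.1g and later, and the 0.9.8 / 1.0.0 branches, do not carry the bug.
_VULNERABLE_101_LETTERS = {"", "a", "b", "c", "d", "e", "f"}

# Matches banners such as "OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.1e-fips 11 Feb 2013"
# or "OpenSSL 1.0.2-beta1 24 Feb 2014" (constructed examples).
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-[a-z]+\d*)?", re.IGNORECASE)


def is_heartbleed_version(banner: str) -> bool:
    """Return True if an 'openssl version' banner falls in the affected range."""
    m = _BANNER_RE.search(banner)
    if m is None:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter = m.group(4).lower()            # "" for 1.0.1, "f" for 1.0.1f, ...
    suffix = (m.group(5) or "").lower()    # "-fips", "-beta1", or ""
    if (major, minor, patch) == (1, 0, 1):
        return letter in _VULNERABLE_101_LETTERS   # 1.0.1 .. 1.0.1f; 1.0.1g is the fix
    if (major, minor, patch) == (1, 0, 2):
        return suffix.startswith("-beta")          # only the 1.0.2 beta was affected
    return False


def local_openssl_banner() -> str:
    """Run the local 'openssl version' command and return its banner line."""
    return subprocess.run(["openssl", "version"], capture_output=True,
                          text=True, check=True).stdout.strip()


if __name__ == "__main__":
    banner = local_openssl_banner()
    state = "AFFECTED - upgrade to 1.0.1g" if is_heartbleed_version(banner) else "not in affected range"
    print(f"{banner}: {state}")
```

Distribution packages such as Debian's and Red Hat's backported the fix while keeping the 1.0.1e banner, so treat an AFFECTED result as a prompt to check the package changelog rather than as proof. After upgrading, restart every service that links OpenSSL, since a running process keeps the old library in memory.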
If you are a user of any system that may be affected:
- If you are employed by a HIPAA Covered Entity or Business Associate, any other organization subject to regulatory compliance, or any business with sensitive data, check with your system administrator to see if your systems may have been affected and what steps they are taking to update the OpenSSL software. Changing your passwords before this update is made may be futile.
- If you are concerned about your personal computing activities and the security of your own data, watch for notification from the companies that you have accounts with and change your passwords promptly when instructed to do so.
Investigations into how and why this flaw found its way into code used by such a massive number of sites will go on for quite some time. But immediate steps have been taken to correct the error in the code, and the faster you act to take the necessary steps for your own security, the better.
You can use this Heartbleed test to find out whether a server is affected. (Please do not rely solely on one simple tool, however.) You may also refer to this alert from the Department of Homeland Security for more information. Experts are calling the Heartbleed bug "catastrophic", so your immediate and diligent attention is required.
If Loricca can help you with any of your Information Security or Compliance needs, please contact us.