Symantec Report: Heartbleed
July 2014

Symantec Report: HEARTBLEED

The Heartbleed bug has become one of the most serious network security problems of the year. This e-book will discuss what the Heartbleed bug is and how your business should respond to it.
The Origins of Heartbleed

OpenSSL, the program that gave birth to Heartbleed, is one of the most popular open-source utility protocols on the market. It's a digital toolkit available for operating systems, enabling the construction of nearly any type of Web server.

OpenSSL operates cryptographic protocols for Internet security functions in order to authenticate the parties on either side of an exchange, while also encrypting data on both sides for extra security purposes. Heartbleed exploits these protocols to impact server security. About half the world's Web servers run OpenSSL, leading to an enormous potential for the Heartbleed bug to cause damage.
A Fault Uncovered and Exploited

The first discovery of a bug within the OpenSSL protocol that could affect a server's memory occurred on April 7, 2014. Researchers named the bug Heartbeat since it acted as a data pulse between two locations, passing information back and forth, expanding the size of data packages as requested on either end.

Analysts quickly determined that data such as encrypted files, session keys, private keys, passwords and other sensitive information could be viewed or exploited through this new bug.
Though this bug was announced to the public only recently, the SSL vulnerability extends back as far as the beginning of 2012, a massive window of opportunity for security breaches. The name changed from Heartbeat to Heartbleed since the bug targets a ping that a server uses to ensure that the encryption information goes back and forth, much as our circulatory system does. An attacker need only exploit this bug by sending a ping; the server complies by sending data from its memory. A large ping with a large data request will be matched by the server with an equally large data handshake, relaying any and all of the data that it can dredge up, including extremely sensitive information like server passwords.
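The mechanism described above comes down to a single missing length check, shown here as an added example that is not part of Symantec's report: a Go model of a heartbeat record in which the payload_length field (the layout follows RFC 6520) claims more bytes than were actually sent. The unpatched handler copies as many bytes as the field claims, so its reply carries whatever sits in memory after the record; the patched handler compares the claim against the length of the record actually received and drops the message. The arena, the record-building helper and the placeholder secret are all constructed for the example; nothing is sent over a network.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Layout of a TLS heartbeat message (RFC 6520): one type byte, a two-byte
// payload_length, the payload, then at least 16 bytes of padding.
const (
	heartbeatRequest = 1
	headerLen        = 3
	minPadding       = 16
)

// buildArena constructs a record whose payload_length field claims
// claimedLen bytes although only len(actualPayload) bytes were sent. The
// bytes appended after the record stand in for unrelated process memory
// (a constructed placeholder, not a real key). It returns the whole arena
// and the true length of the record as received.
func buildArena(claimedLen uint16, actualPayload, neighbouringMemory []byte) (arena []byte, recordLen int) {
	rec := []byte{heartbeatRequest, 0, 0}
	binary.BigEndian.PutUint16(rec[1:], claimedLen)
	rec = append(rec, actualPayload...)
	rec = append(rec, make([]byte, minPadding)...)
	return append(rec, neighbouringMemory...), len(rec)
}

// vulnerableEcho mirrors the defect: it trusts payload_length and copies that
// many bytes from the start of the payload without comparing it to recordLen.
// A real process would read on into its heap; the arena bounds the simulation.
func vulnerableEcho(arena []byte, recordLen int) []byte {
	_ = recordLen // never consulted: this is the bug
	n := int(binary.BigEndian.Uint16(arena[1:headerLen]))
	end := headerLen + n
	if end > len(arena) {
		end = len(arena)
	}
	return append([]byte(nil), arena[headerLen:end]...)
}

// checkedEcho adds the bounds check from the fix: the claimed payload plus
// the minimum padding must fit inside the record actually received;
// otherwise the message is discarded without a response.
func checkedEcho(arena []byte, recordLen int) ([]byte, error) {
	if recordLen < headerLen+minPadding {
		return nil, errors.New("record too short to be a heartbeat")
	}
	n := int(binary.BigEndian.Uint16(arena[1:headerLen]))
	if headerLen+n+minPadding > recordLen {
		return nil, errors.New("payload_length exceeds record length: dropped")
	}
	return append([]byte(nil), arena[headerLen:headerLen+n]...), nil
}

func main() {
	secret := []byte("PLACEHOLDER-PRIVATE-KEY-MATERIAL") // constructed stand-in
	arena, recLen := buildArena(40, []byte("hi"), secret) // 2 bytes sent, 40 claimed

	leaked := vulnerableEcho(arena, recLen)
	fmt.Printf("unpatched: echoed %d bytes, neighbouring memory leaked: %v\n",
		len(leaked), bytes.Contains(leaked, []byte("PLACEHOLDER")))

	if _, err := checkedEcho(arena, recLen); err != nil {
		fmt.Println("patched:", err)
	}
	honest, _ := checkedEcho(buildArena(2, []byte("hi"), secret))
	fmt.Printf("patched, honest request echoed: %q\n", honest)
}
```

The check is the whole fix: once the claimed length is compared with the record length, an oversized claim yields no reply at all, which is also why a patched server cannot be distinguished from an unpatched one by the size of its answer.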
Upon discovery of the bug, Web analytics teams informed OpenSSL and the public; security experts and hackers alike began to take action immediately afterward.
It's difficult and maybe impossible to know how many users have been affected by the Heartbleed bug. A British parenting site reported that user data had been stolen as a result of Heartbleed hackers, yet the founder stated that there could be no way of knowing the exact number of users who had been affected. It's difficult to account for since the Heartbleed bug may leave no signature or evidence.
Fallout from Heartbleed

When exploiting the Heartbleed vulnerability, hackers look for servers with the greatest potential. Consumers who log on to a Web page with passwords or sensitive information aren't the only target; the administrators who run the server itself are targets too. The only way to eliminate the problem requires that the website revoke its OpenSSL certificate and bring in a new certificate. With so many affected servers, and certificates that need to be revoked and then renewed, SSL providers need to keep track of individual sites, servers and databases.
SSL certification agencies track, report and update the millions of sites through master documents called certificate revocation lists (CRLs). They use these lists to go through a staggering number of servers to inspect, tally and then repair problems. As the number of revocations has grown, more time has been needed to determine whether or not a server represents a security risk due to the Heartbleed bug. The sheer scale of the lists and the time needed to address every SSL node has caused some certification agencies to be overwhelmed by the new workload.
The first publication to pick up on news of Heartbleed noted that the real impact would not be felt in gigabytes of data but rather in dollars lost as the number of CRLs shot up, accompanied by the increased cost of maintaining certification processes. Analysis of the financial impact suggests that the rise of Heartbleed will cost some $400,000 in monthly bandwidth alone as servers need to be torn down and rebuilt, dumping and then re-loading their data as they become de- and then re-certified. Those who bought OpenSSL servers at cut-throat rates, moreover, have found that they need to pay through the nose to a certification agency in order to fix their problems.
Good News: You Can Take Action to Protect Your Business

If an organization believes that its server may have been compromised by the Heartbleed bug, it's possible to take steps to minimize the harm of lost or compromised data regardless of the size of the company. Any person, team or corporation finding itself at risk of the Heartbleed bug should take three particular steps: discover, remediate and protect.
Discover

One of the first steps in the discovery phase involves determining which servers running OpenSSL are at the highest risk. Administrators should scan their networks and any assets.

An end-to-end vulnerability assessment will focus on everything from servers to apps, analyzing an entire IT infrastructure in order to monitor threats big and small. With these modules in place, a company can address Heartbleed by checking platforms, testing defenses, measuring risk and configuring security setups. These tools should identify areas needing improvement in easily understandable terms. With a vendor risk manager, furthermore, it's possible to determine your own risks as well as those of third-party partners in your IT environment. It's not just your own assets that must be protected.

Some SSL certificates, including Symantec's, come with a free vulnerability assessment. This gauges risks to your site from an exterior source, taking the position of a hacker in order to see your system through the eyes of an external threat.

A third method of Heartbleed discovery is detection of the actual OpenSSL certificates. Companies should be able to scan all aspects of their IT environment in order to seek out active or inactive SSL certificates in use that could potentially give Heartbleed access to their database.

Following these steps in the discovery phase provides a focused view of the Heartbleed bug threat, with a model of where to look and what areas to address.
Remediate

Upon locating the at-risk components of your servers and platforms, you must resolve and recover from any Heartbleed vulnerability by patching and recompiling the code to lock out external threats. Once vulnerabilities in servers and domains are identified, there are three potential paths to take in the remediation process: rolling back, updating and recompiling. Each has its own potential benefits for specific servers and platforms.

The roll-back process does exactly what it sounds like: an individual or organization with a compromised server need only return to the previous version of SSL, version 1.0.1. This older version may lack a few features, but it has no vulnerability to the Heartbleed bug and cannot be used for illicit data transfers.
On the other hand, if a server owner wants to keep the advanced features of the most recent version of SSL, she can update to the newest 1.0.1g version of SSL, which has patched the Heartbleed loophole.

Finally, it's possible to entirely sidestep the threat of the Heartbleed bug by recompiling the server without the heartbeat feature that Heartbleed exploits. Upon choosing and running one of these three remediation options, administrators should ensure that the fix has been successful and that no threat of Heartbleed remains.
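To confirm that one of the three remediation paths actually took effect on a host, the quickest evidence is the build string reported by `openssl version` and, for a recompiled build, the compiler flags reported by `openssl version -f`. The Go function below is an added example, not Symantec's tooling, that classifies those two strings according to the OpenSSL advisory of April 2014: releases 1.0.1 through 1.0.1f are vulnerable, 1.0.1g and later carry the fix, the older 1.0.0 and 0.9.8 lines never contained the heartbeat code, and a build compiled with OPENSSL_NO_HEARTBEATS has it removed entirely. The sample strings in main are constructed. The caveat written into the Vulnerable verdict is that many distributions backported the fix into packages that kept their old version letter, so a Vulnerable result on a packaged build must be confirmed against the package changelog rather than taken at face value.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Verdict for a given OpenSSL build.
type Verdict int

const (
	NotAffected Verdict = iota // never had the bug, fixed release, or heartbeats compiled out
	Vulnerable                 // 1.0.1 through 1.0.1f with heartbeats enabled
	Unknown                    // string not recognised; consult the vendor advisory
)

func (v Verdict) String() string {
	return [...]string{"not affected", "VULNERABLE", "unknown"}[v]
}

// Matches the first line of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
var versionRe = regexp.MustCompile(`^OpenSSL (\d+\.\d+\.\d+)([a-z]*)`)

// assessOpenSSL classifies a build from the output of `openssl version` and
// `openssl version -f` (the "compiler:" line). A build compiled with
// OPENSSL_NO_HEARTBEATS contains no heartbeat code at all, whatever its version.
func assessOpenSSL(versionLine, buildFlags string) (Verdict, string) {
	if strings.Contains(buildFlags, "OPENSSL_NO_HEARTBEATS") {
		return NotAffected, "heartbeat extension compiled out"
	}
	m := versionRe.FindStringSubmatch(strings.TrimSpace(versionLine))
	if m == nil {
		return Unknown, "unrecognised version string"
	}
	series, letter := m[1], m[2]
	switch {
	case series == "0.9.8" || series == "1.0.0":
		return NotAffected, series + " line never shipped the heartbeat code"
	case series == "1.0.1" && letter < "g":
		return Vulnerable, "1.0.1" + letter + " predates the 1.0.1g fix; confirm the distribution did not backport it"
	case series == "1.0.1":
		return NotAffected, "1.0.1" + letter + " includes the fix"
	}
	return Unknown, series + letter + " is outside the 2014 release lines; check the vendor advisory"
}

func main() {
	// Constructed sample outputs of `openssl version` and `openssl version -f`.
	samples := []struct{ version, flags string }{
		{"OpenSSL 1.0.1e 11 Feb 2013", "compiler: gcc -fPIC -O3"},
		{"OpenSSL 1.0.1e 11 Feb 2013", "compiler: gcc -fPIC -O3 -DOPENSSL_NO_HEARTBEATS"},
		{"OpenSSL 1.0.1g 7 Apr 2014", "compiler: gcc -fPIC -O3"},
		{"OpenSSL 1.0.0l 6 Jan 2014", "compiler: gcc -fPIC -O3"},
	}
	for _, s := range samples {
		v, why := assessOpenSSL(s.version, s.flags)
		fmt.Printf("%-28s %-13s %s\n", s.version, v, why)
	}
}
```

The version check is only the first half of verifying a fix: a long-running server keeps the old library loaded until it is restarted, so the process must be restarted (or the host rebooted) after the package changes, and the certificate and key replacement described below remains necessary regardless of which path was taken.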
Whether your company chooses rolling back, updating or reconfiguration, remediation still requires a server owner to replace the SSL certificates. Moreover, the owner needs to generate a new key pair for the certificate because private keys can be exposed in the course of the data dump.

Once customers have created a new key pair, they should destroy their old pair prior to creating their new SSL certificate signing request (CSR). A new CSR from an old key pair has not solved the Heartbleed problem, but has simply shifted it to a new source. The good news is that an owner can effectively solve two problems by creating a new key and generating a new certificate, because doing so allows them to upgrade their server.

After completing these steps, a final test will be necessary to ensure that the process went smoothly and no complications have left any cracks in your server's armor.

The last step involves revoking any old certificates. Sometimes the certification agency will automatically revoke the old certificates; Symantec does so as a matter of policy. If they are not automatically revoked, however, your company will need to nuke them so that they cannot be used to piggyback into the server again.
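The certificate replacement sequence above (new key pair first, then the CSR, then the replacement certificate and the revocation of the old one) hinges on one check that is easy to get wrong under time pressure: the new CSR must not be built on the old, possibly exposed key. The Go program below is an added example, not Symantec's or OpenSSL's code, that generates a fresh RSA key, builds the CSR from it and verifies that the CSR's public key differs from the public key of the certificate being replaced; the old key and the host name www.example.com are constructed stand-ins.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// buildCSR produces a DER-encoded certificate signing request for host,
// signed with key, so the CA can verify that the requester holds the key.
func buildCSR(key *rsa.PrivateKey, host string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: host},
		DNSNames: []string{host},
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// csrReusesKey reports whether the CSR was built on the same public key as
// the certificate being replaced. A CSR on the old key would carry the
// possibly exposed private key straight into the new certificate.
func csrReusesKey(csrDER []byte, oldPub *rsa.PublicKey) (bool, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return false, err
	}
	if err := csr.CheckSignature(); err != nil {
		return false, err // the CSR is not even signed by the key it names
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false, errors.New("CSR public key is not RSA")
	}
	return pub.Equal(oldPub), nil
}

// rotate performs the key-first sequence: generate a fresh key pair, build
// the CSR from it, and refuse to hand back a CSR that still uses the old key.
func rotate(oldPub *rsa.PublicKey, host string) (*rsa.PrivateKey, []byte, error) {
	newKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	csr, err := buildCSR(newKey, host)
	if err != nil {
		return nil, nil, err
	}
	reused, err := csrReusesKey(csr, oldPub)
	if err != nil {
		return nil, nil, err
	}
	if reused {
		return nil, nil, errors.New("CSR still uses the old key pair: do not submit it")
	}
	return newKey, csr, nil
}

func main() {
	// Constructed stand-in for the key behind the certificate being replaced.
	oldKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	host := "www.example.com" // placeholder host name

	_, csr, err := rotate(&oldKey.PublicKey, host)
	fmt.Println("rotation ok:", err == nil, "CSR bytes:", len(csr))

	// The failure mode the text warns about: a CSR generated from the old key.
	badCSR, _ := buildCSR(oldKey, host)
	reused, _ := csrReusesKey(badCSR, &oldKey.PublicKey)
	fmt.Println("old-key CSR detected:", reused)
}
```

The same comparison on the OpenSSL command line is `openssl x509 -in old.crt -noout -pubkey` against `openssl req -in new.csr -noout -pubkey`: identical output means the CSR reuses the old key and must not be submitted. Only after the new certificate is installed should the old private key file be deleted and the old certificate revoked.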
Protect

The Heartbleed bug can reveal a treasure trove of passwords and user names, in addition to private keys. Fifty percent of organizations rely solely on user names and passwords for their security, while the average user has five separate passwords that they use across two dozen or so different accounts.

Your company must not only provide security against the Heartbleed bug, but it also must move beyond the password to two-factor identification methods. With a two-factor identification protocol, the attacker must not only get through a firewall but also provide additional authentication, so that an account is protected even if the user name and password are compromised.
Connecting a password to a mobile device with two-factor authentication stops unauthorized access cold by locking out the attacker from authentication and from the accounts within the device. With a simple second step in the authentication process, some 80 percent of data breaches could be eliminated. Protecting your server from the risks of the Heartbleed bug or another digital vulnerability isn't just about shutting down the weak points. Rather, it's about taking a proactive stance against all aspects of digital piracy and theft. Creating layers of defense and adopting a standpoint of readiness will enable your company to address any and all threats.

Whether a company wants to batten down the hatches or simply adopt a new prioritization for security, it should look beyond Heartbleed in order to be prepared for whatever comes next.

When the weakest point in the security chain comes at the hands of the human operators, a business needs to protect its environment by addressing the human factor at the endpoint of its operations and interface. Simple antivirus software and firewalls, though they both remain necessary, must be partnered with multiple layers of defenses all the way down to the endpoint.

Symantec's philosophy has always been that it is better to stop a threat than to respond to one, and the first layer of the defense is the network. Intrusion prevention creates a firewall that detects and blocks any incoming efforts to exploit the Heartbleed bug. This aspect of endpoint protection turns aside the majority of Heartbleed queries or attempts simply by understanding and combating the weakest point of entry.

On its own, antivirus software cannot always stop targeted or persistent threats, both of which constitute the fastest-growing malware trends on the Internet today. For that, you need a third layer of protection.
Any protection solution must include a contextual awareness to ascertain the reputation of incoming files from their source. It must know how a program performs over the Web, know its size, scope and scale, and be aware of exactly what to expect when it comes onto your mainframe. Doing so protects against mutated or camouflaged threats by seeing through their exterior.

Symantec provides solutions at every stage of Heartbleed defense: discover, remediate and protect.

Symantec's discovery solutions locate the specific vulnerabilities that the Heartbleed bug can prey on.

With remediation, Symantec closes the gap by filling holes in the SSL protocol that allow Heartbleed hackers to tap into the node and send off information-gobbling pings.

At the protection stage, Symantec's solutions take proactive measures to ensure that future attempts to steal data cannot compromise an organization.

Resources Available

Certificate Intelligence Center: go.symantec.com/cic
Symantec SSL Knowledgebase: symantec.com/heartbleed
SSL Tool Box: ssltools.websecurity.symantec.com/checker
Website Vulnerability Checker: safeweb.norton.com/heartbleed
Symantec 2014 Internet Security Threat Report: go.symantec.com/istr
News & Resources: symantec.com/outbreak/?id=heartbleed

Need Help Now?

Symantec offers a comprehensive portfolio that provides layered protection based around endpoint, gateways and data center assets. To learn how Symantec's offerings can prevent a targeted attack from impacting your organization, visit us at http://www.symantec.com/security-intelligence or talk to Symantec security experts by calling 855-210-1103.