CISOs Respond to Heartbleed BugOutline Steps Taken to Mitigate Risks in Wake of Vulnerability
Christopher Paidhrin, security administration manager at PeaceHealth, a healthcare provider in the Pacific Northwest, says the entire security community has been "laser focused" on the Heartbleed bug.
"The scope and potential depth of compromise should remind all of us how interdependent we are on trust controls," he says.
Paidhrin says PeaceHealth was not exposed to the vulnerability because it does not use any of the vulnerable platforms. "Still, we checked to be sure. We have a checklist for this vulnerability. We do partner with many others, so we have been cautious to validate the exposure of our peers, partners, vendors and customers," he says.
"PeaceHealth is reaching out to our strategic partners to confirm our shared remediation status. Most of our partners share our concern and have taken steps to address this event."
Elayne Starkey, chief security officer for the State of Delaware, says her department responded in three steps. "Step one was to learn everything we could about it," she says. "Step two was to test our public-facing websites and identify what needed attention."
Step three, Starkey says, "was to alert our customer state agencies and begin the process of applying patches and replacing certificates."
Starkey says some of the state's systems and servers were exposed to the Heartbleed vulnerability, so security specialists are continuing to apply patches and replace certificates.
Organizations should remain vigilant regarding the OpenSSL vulnerability, Starkey says. "Monitor advisories closely [and] promptly assess the situation before taking action," she advises.
A Top Concern
The Heartbleed issue is a top concern at the University of Pittsburgh Medical Center, says CISO John Houston.
"It is an OpenSSL issue that is very broad in scope," he says. "We have been actively assessing the issue and have determined that many of our systems are not affected. For those systems that are affected, we are developing plans to remediate the issue."
Houston says his organization is also implementing a signature on its network traffic scanner to actively watch for malicious traffic.
A security leader at a major southeastern bank, who asked not to be identified, says the institution's first action upon learning about Heartbleed was to examine its Internet-facing services to determine if there was exposure. "Fortunately, there was not," he says. "We then began scanning our internal network for systems which were potentially vulnerable."
Based on its investigation, the institution found internal servers that were susceptible to the exploit, as well as additional low-level systems, such as printers. "We continue to work with the vendors to receive patches and replace the OpenSSL certificates which could potentially be compromised."
Kennet Westby, president at the risk management consulting firm Coalfire, says that a number of its internal platforms were affected by the bug. Additionally, two service providers and a remote access client were affected. "All of these have been addressed, patched and validated secure," he says.
Coalfire immediately initiated an internal alert as soon as information about the vulnerability was released. "Initial steps were to inventory any systems, applications or service providers where we could identify the use/integration of the vulnerable version of OpenSSL," Westby says. "We incorporated discovery and scanning tools to assist with this process as these checks were released."
Westby says the company will continue to focus on reducing the risk of any compromise by changing all account passwords in its internal systems, updating all SSL keys and certificates that could have been compromised and encouraging all users to change passwords with external service providers' services.
Technology companies Cisco and Juniper Networks, along with several other vendors, issued alerts about which of their products are vulnerable to the Heartbleed bug (see: Cisco, Juniper Issue Heartbleed Alerts).
Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as Web, e-mail, instant messaging and some virtual private networks (see: Heartbleed Bug: What You Need to Know).
"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software," says Codenomicon, the Finland-based security vendor that discovered the bug, along with a researcher at Google Security.
Codenomicon says Fixed OpenSSL has been released and needs to be deployed now across websites vulnerable to the bug. Additionally, organizations can use an online tool to see if their website is vulnerable.
The Federal Financial Institutions Examination Council issued a statement April 10 stating that it expects financial institutions to incorporate patches on systems and services, applications and appliances using OpenSSL and upgrade systems as soon as possible to address the Heartbleed vulnerability (see: Heartbleed: Gov. Agencies Respond).
(Managing Editor Marianne Kolbasuk McGee contributed to this story).