Around this time last year the media was awash with commentary about the Heartbleed bug with many news outlets popping up with advice, some of it good, some of it not so.
We wrote at the time how the mad rush to change passwords may have been counterproductive in the absence of all available information, and we hope you listened.
Fast forward to yesterday, and the furore had all but subsided, Heartbleed but a distant memory to most security managers and businesses.
Things change though, and so along came a report from Venafi, entitled “Hearts Continue to Bleed. Heartbleed One Year Later.”
The company’s findings make interesting reading, suggesting that around 76% of the top 2000 global organisations are still exposed to the bug via public-facing systems.
That doesn’t sound good at all, does it?
If the biggest and greatest organisations in the world are still susceptible to a bug that could see attackers snaffle up passwords, login cookies and crypto keys – one year on from its discovery – then we have a problem.
But do we?
Like a big ring fight, we have two giants going head to head to determine just where we stand with Heartbleed.
In the red corner, Gavin Hill, Director of product marketing and threat intelligence for Venafi who says,
In last year’s Venafi Labs report, a staggering 76% of Global 2000 organizations with public-facing, Heartbleed-vulnerable systems were still vulnerable. We would have expected to see a significant improvement this year. Unfortunately that’s not the case. There is only a 2% improvement in the number of Global 2000 organizations that have remediated Heartbleed.
Hill goes on to explain how the majority of the remediation work since last year was carried out purely to address certificates that were expiring anyway, citing comments from Gartner that imply corporate laziness.
Suggesting that organisations have also failed to act because they are yet to see any impact from the bug, Hill added that:
It would seem based on the trend of replacing keys only for impending certificate expirations that organizations have either given up on trying to fully remediate this massive vulnerability or simply don’t grasp the gravity of the situation.
Of course there are often two sides to every story and that is very much the case here.
In the blue corner stands infosec heavyweight Robert Graham of Errata Security who has an entirely different point of view.
Noting how Venafi sells the cure, Graham says:
The issue isn’t patches but certificates. Systems are patched, but while they were still vulnerable to Heartbleed, hackers may have stolen the certificates. Therefore, the certificates need to be replaced. Not everyone has replaced their certificates, and those that have may have done so incorrectly (using the same keys, not revoking previous).
Thus, what the report is saying is that 75% haven’t properly updated their certificates correctly. Naturally, they sell a solution for that problem.
Graham then goes on to query the numbers, pointing out how only a small number of systems were susceptible to Heartbleed in the first place and noting the difficulty in identifying which certificates needed replacing anyway.
Graham goes on to suggest that security managers should not be losing too much sleep over Heartbleed, saying:
Most companies patched their systems before their certificates were stolen. For those who did get certificates stolen, it’s unlikely that their servers can be breached with that information. Sure, some user accounts may get compromised by hackers doing man-in-the-middle at Starbucks, but the servers themselves are safe. Even if you did everything wrong updating your certificates, you probably aren’t in danger. Sure, some of you are, but most of you aren’t.
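Graham’s first point, that a certificate reissued on the same key pair is no remediation at all, is something you can check for yourself: compare the SubjectPublicKeyInfo (SPKI) fingerprint of the pre-Heartbleed certificate with the replacement. The code below is an added example, not from this post, Venafi or Errata Security; it uses only the standard library, so it walks the DER itself, and the `sample_cert` skeletons are constructed test data rather than real certificates.

```python
import hashlib
import ssl
def _tlv(buf, pos):
    """Parse the DER element at pos into (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length (value > 127 bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER certificate. Layout:
    Certificate ::= SEQ { tbsCertificate SEQ { [0] version OPTIONAL, serial,
    sigAlg, issuer, validity, subject, subjectPublicKeyInfo, ... }, ... }"""
    _, pos, tbs_end = _tlv(cert_der, _tlv(cert_der, 0)[1])
    fields = []                           # (start, end) of each tbsCertificate field
    while pos < tbs_end:
        tag, _, end = _tlv(cert_der, pos)
        if tag != 0xA0:                   # drop the explicit [0] version if present
            fields.append((pos, end))
        pos = end
    start, end = fields[5]                # 6th mandatory field is the SPKI
    return cert_der[start:end]

def spki_fingerprint(cert):
    """SHA-256 of the SPKI; accepts DER bytes or a PEM string (e.g. from openssl s_client)."""
    der_bytes = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return hashlib.sha256(spki_der(der_bytes)).hexdigest()

def key_was_rotated(old_cert, new_cert):
    """True only if the replacement certificate carries a different key pair."""
    return spki_fingerprint(old_cert) != spki_fingerprint(new_cert)

# --- constructed sample data (not real certificates, just valid DER skeletons)
def der(tag, payload):                    # encode one DER TLV
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload
def sample_cert(spki, with_version=True):
    """Minimal X.509 skeleton with dummy serial, names, validity and signature."""
    fields = [der(0x02, b"\x01")] + [der(0x30, b"")] * 4 + [spki]
    if with_version:
        fields.insert(0, der(0xA0, der(0x02, b"\x02")))
    tbs = der(0x30, b"".join(fields))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
SPKI_OLD = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + b"\xaa" * 200))
SPKI_NEW = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + b"\xbb" * 200))
```

A matching fingerprint across the rotation means the old key is still in service; a changed key still needs the old certificate revoked, which this check cannot see.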
The Truth Is Out There
So, who is right and who is wrong and do we have a winner?
I’m going to cop out and say… you decide.
But one thing is certain: Heartbleed may still pose a threat to some organisations – and now is as good a time as any to make sure that you have indeed patched your systems and correctly replaced your certificates.
You know it makes sense.