Just when you thought it was time to lay the mighty Heartbleed bug to rest, news of a victim surfaced. Community Health Systems (CHS), America’s second largest profit-making hospital chain, which manages more than 200 hospitals, was breached, and personal data belonging to 4.5 million healthcare patients was stolen.
Security experts have blamed the infamous Heartbleed bug for the theft.
The Heartbleed bug was discovered over four months ago, on 7th April, and instantly made headlines. Google and Codenomicon were responsible for finding this bug, which had remained hidden for more than two years. Heartbleed affected OpenSSL, the most prevalent software used for encrypting sensitive data on the internet. Websites that use encryption, payment gateways, VPNs, and apps, including mobile apps, all use SSL, and a large majority of them use OpenSSL.
Soon after the discovery, a fix was made available, and it was widely believed that a flaw so dangerous would be fixed promptly by everyone affected. Unfortunately, that did not happen.
A security researcher reported in late June that a whopping 300,000 servers were still exposed to Heartbleed. Many more reported that people had actually stopped fixing Heartbleed, citing reasons such as complex IT systems and too many servers to fix. Various organizations, instead of employing the help of security professionals, decided to rely on their own IT teams and misjudged the enormity of the Heartbleed bug. OpenSSL is used by a very large section of the world’s internet, so remedial action also had to be taken on a massive scale. And when six more bugs were found in June, the burden on IT teams grew: more remedial actions were required and more patches had to be applied. It is not difficult to understand why many servers remain unfixed.
In our Mid-year security threats review e-book, we had mentioned that the thought process that a few broken servers are not going to affect anyone can be dangerous, and the effects of that are there today for all to see.
Is Community Health Systems the biggest victim of Heartbleed?
The initial victims of Heartbleed were the UK’s parenting social network Mumsnet and the Canadian tax authority. Many more cases were, and still are, believed to have gone unnoticed, as a Heartbleed exploit does not leave traces of the crime.
The breach of Community Health Systems data is believed to be the biggest identified breach related to the notorious bug. The stolen data comprised patients’ names, phone numbers, addresses, and social security numbers. CHS has stated that no financial information has been stolen.
Heartbleed had a simple fix, so how could the hackers cash in on it to such a huge extent?
This breach is a classic example of a third-party network serving as a passage for stealing the targeted victim’s data. CHS was using products made by a network equipment manufacturer. It was several weeks before the manufacturer was able to patch all its affected code after Heartbleed surfaced. And in the time that elapsed, hackers had begun their work.
A virtual patch could have protected its servers for the period between the zero-day and patch day. A web application firewall is an appropriate device for detecting attacks on an application and protecting it during this crucial, vulnerable period between when a vulnerability is publicly announced and when it is finally fixed. Even if you have all the patches in place, you need a web application firewall that detects malicious elements trying to penetrate your applications and blocks their attempts. Recent attacks have proven that hackers are employing sophisticated, targeted and persistent attacks against target organizations. They do not give up if they find one door blocked; they sniff and lurk around looking for any opening, and then attack again. Organizations need to be ready for such attacks and have robust security solutions in place.
Fixing all vulnerabilities as soon as they are found is not easy, but that will not deter the hackers from exploiting them. Our security researchers have time and again emphasized that security issues should be addressed before they are found by the wrong elements. You need to scan your applications for any weakness, continuously, and fix it or apply a stop-gap measure as soon as you find it. Once a vulnerability is out in the open, hackers do not miss any chance to cash in on it before the patches are applied. Interestingly, the first breach at CHS is being traced back to April, the same month as Heartbleed’s announcement to the world.
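The check at the heart of a Heartbleed virtual patch, as an added example that is not from the original article or from any vendor's product: a heartbeat request whose declared payload length does not fit inside its TLS record is dropped before it reaches the unpatched server. The function names and sample bytes are constructed for illustration, and the sketch assumes the inspecting device sees the heartbeat in cleartext (for example, sent before the handshake completes).

```python
import struct

HEARTBEAT = 24      # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1      # heartbeat message type: request
MIN_PADDING = 16    # RFC 6520: at least 16 bytes of padding


def record(ctype: int, fragment: bytes) -> bytes:
    """Build a TLS 1.1 record (helper for the constructed samples below)."""
    return struct.pack("!BHH", ctype, 0x0302, len(fragment)) + fragment


def parse_records(stream: bytes):
    """Yield (content_type, fragment) for each complete TLS record."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        fragment = stream[pos + 5:pos + 5 + length]
        if len(fragment) < length:   # truncated capture: stop, do not guess
            return
        yield ctype, fragment
        pos += 5 + length


def heartbeat_verdict(fragment: bytes) -> str:
    """Classify one cleartext heartbeat fragment."""
    if len(fragment) < 3:
        return "malformed"
    hb_type, claimed = struct.unpack_from("!BH", fragment, 0)
    if hb_type != HB_REQUEST:
        return "ignore"
    # type(1) + length(2) + payload + padding must fit inside the record;
    # RFC 6520 says a request that claims more must be silently discarded.
    if 3 + claimed + MIN_PADDING > len(fragment):
        return "block"
    return "allow"


def inspect(stream: bytes) -> list:
    """Verdicts for every heartbeat record found in a byte stream."""
    return [heartbeat_verdict(f) for t, f in parse_records(stream) if t == HEARTBEAT]


# Constructed sample traffic: a handshake record, an honest heartbeat, and a
# heartbeat whose declared payload length (64) exceeds what it carries (4).
HANDSHAKE = record(22, b"\x01\x00\x00\x00")
HONEST = record(24, struct.pack("!BH", 1, 4) + b"ping" + bytes(16))
OVERCLAIM = record(24, struct.pack("!BH", 1, 64) + b"ping" + bytes(16))

if __name__ == "__main__":
    print(inspect(HANDSHAKE + HONEST + OVERCLAIM))
```

A rule like this only buys time until the vendor patch is installed; it does nothing for heartbeats exchanged inside an encrypted session that the inspecting device cannot read.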
We offer you an opportunity to get a website vulnerability scanner for free to check for the Heartbleed vulnerability and ensure that no hackers use your precious customer data for their personal gain.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and had held various management/leadership roles in Product Development, Professional Services, and Sales @Entrust.