Post Heartbleed, now what?
It’s been over two weeks since the world got to know that websites online were vulnerable due to the OpenSSL Heartbleed vulnerability. By now, most website owners would have mitigated this risk by implementing the right security fixes in place and users would have updated their passwords across these websites. So, can we say all is well? No. Not so soon.
Firstly, it is still too early to say how much of a negative impact the Heartbleed vulnerability has caused to organizations. The first confirmed victims are reportedly Canada’s tax agency and a UK parenting site.
Secondly, our analysis has proved that some websites have been slower to implement the latest internet technologies, hence as a result was saved from this exposure. However, organizations cannot stay backward in technology for too long, else the vulnerabilities will catch up to them and they will get exploited, if not today, then sometime in the future.
Organizations will need to take stock of the versions of internet technologies in use. If they do not have the latest versions in place, then check which of the latest versions are the most stable and work with their IT departments/partners to implement them over the next few months. While this is happening, it will be good to have the right security tools in place and perform continuous website security checks that will share regular security updates to the business owners. Here are some recommendations which will help in achieving this:
- Place a Web Application Firewall to block vulnerabilities, thus instantly protecting websites from attacks
- Perform application security tests for web and mobile applications which will check for vulnerabilities and malware on a continuous basis
- Have a strong encryption program using SSL
- Conduct Vulnerability Assessments at least every quarter to understand the strength of your network to withstand attacks
- Get regular application security and compliance audits done to check the overall security posture of the organization‘s internet-facing assets