Heartbleed Still a Risk in 74% of Global 2000 – Report

Three-quarters of Global 2000 organizations with public-facing systems vulnerable to the infamous Heartbleed flaw have still not fully remediated, according to new research from Venafi.

The security firm scanned the organizations over a year after Heartbleed was disclosed, using its certificate reputation service Venafi TrustNet.

It found 1223 of the world’s richest firms are still exposed to a dangerous flaw which has already led to a massive data breach at Community Health Systems, where millions of patients had their personal information stolen.

Some 67% of UK Global 2000 firms and 59% of their US counterparts still hadn’t remediated all public-facing servers, with the figure rising to 84% in Australia.

Security teams must go beyond patching and actually replace private keys, reissue new certificates and revoke old ones to be fully safe from Heartbleed, according to the Venafi report Hearts Continue to Bleed.
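Patching OpenSSL alone leaves the old key in service, and reissuing a certificate over the same key is just as exposed. The following Go program is an added example, not code from Venafi or the report, that compares the certificate seen while a host was vulnerable with the one it serves now and flags both failure modes; the 7 April 2014 disclosure date is real, while the sample certificates, the `example.test` name and the function names are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Heartbleed was disclosed on 7 April 2014; a key that lived on a vulnerable host before then is presumed exposed.
var heartbleedDisclosure = time.Date(2014, 4, 7, 0, 0, 0, 0, time.UTC)

// keyFingerprint hashes the SubjectPublicKeyInfo, identifying the key pair regardless of which certificate wraps it.
func keyFingerprint(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// remediationStatus compares the certificate seen while the host was vulnerable (old) with the one served now (cur).
func remediationStatus(old, cur *x509.Certificate) string {
	switch {
	case cur.NotBefore.Before(heartbleedDisclosure):
		return "certificate predates disclosure: never reissued"
	case keyFingerprint(old) == keyFingerprint(cur):
		return "certificate reissued but private key reused: still exposed"
	default:
		return "new key and certificate: remediated (confirm the old serial is revoked)"
	}
}

// selfSigned builds a constructed sample certificate for key, valid from notBefore (test data, not a real site cert).
func selfSigned(key *ecdsa.PrivateKey, notBefore time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(notBefore.Unix()),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

func main() {
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	old := selfSigned(oldKey, time.Date(2013, 6, 1, 0, 0, 0, 0, time.UTC))
	after := time.Date(2014, 5, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println(remediationStatus(old, old), "|", remediationStatus(old, selfSigned(oldKey, after)), "|", remediationStatus(old, selfSigned(newKey, after)))
}
```

In practice the "old" certificate comes from an inventory snapshot or certificate-transparency log and the "current" one from a live TLS handshake; revocation of the old serial still has to be checked against the issuing CA.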

The problem comes down to IT teams not knowing the correct steps to follow; where to find all keys and certificates; and not having “the knowledge or systems to be able to replace keys and certificates quickly and in large quantities,” according to Venafi vice president of security strategy and threat intelligence, Kevin Bocek.

“Overall, organizations need to do a better job of being able to change out keys and certificates. Google has moved to three-month certificate lifetimes – basically assuming that keys and certificates will be compromised at some point,” he told Infosecurity.

“Being proactive, as well as being able to respond to incidents or vulnerabilities like Heartbleed faster is needed for the future. One thing is certain: we’ll only be using more encryption, more keys and certificates in the future.”

Bocek described Heartbleed as a “silent killer.”

“With compromised data like keys and certificates, encrypted data could be decrypted or websites spoofed,” he added. “In countries, such as China, with networks built for surveillance and man-in-the-middle attacks, these keys could be easily used.”

Phil Lieberman, CEO of Lieberman Software, argued that any IT leader who buys open source should have a clear idea of how it will be updated when the time comes.

“Many organizations don’t even know what devices or software they purchased that has open source with flaws. Given the lack of understanding of what is owned coupled with a lack of labor and expertise to patch them, most of the defective goods go un-remediated,” he added.

“There is also the issue of corporate career suicide as you explain why you bought open source-based products and why you are loath to patch them as it may send the organization off the air permanently.”
