1Symantec Report: Heartbleed

July 2014

Symantec Report:

HEARTBLEEDThe Heartbleed bug has become one of the most serious network

security problems of the year. This e-book will discuss what the Heartbleed bug is and how your business should respond to it.

2Symantec Report: Heartbleed

The Origins of HeartbleedOpenSSL, the program that gave birth to Heartbleed, is one of the most popular open-source utility protocols on the market. Its a digital toolkit available for operating systems, enabling the construction of nearly any type of Web server.

OpenSSL operates cryptographic protocols for Internet security functions in order to authenticate the parties on either side of an exchange, while also encrypting data on both sides for extra security purposes. Heartbleed exploits these protocols to impact server security. About half the worlds Web servers OpenSSL, leading to an enormous potential for the Heartbleed bug to cause damage.

A Fault Uncovered and ExploitedThe first discovery of a bug within the OpenSSL protocol that could affect a servers memory occurred on April 7, 2014. Researchers named the bug Heartbeat since it acted as a data pulse between two locations, passing information back and forth, expanding the size of data packages as requested on either end.

Quickly, analysts determined that data such as encrypted files, session keys, private keys, passwords and other sensitive information could be viewed or exploited by this new bug.

Though this bug was announced to the public only recently, the SSL vulnerability extends back as far as the beginning of 2012 a massive window of opportunity for security breaches. The name changed from Heartbeat to Heartbleed since the bug targets a ping that a server uses to ensure that the encryption information goes back and forth much as our circulatory system does. An attacker need only exploit this bug by sending a ping; the server complies by sending data from its memory. A large ping with a large data request will be matched by the server with an equally large data handshake relaying any and all of the data that it can dredge up, including extremely sensitive information like server passwords.

Upon discovery of the bug, Web analytics teams informed OpenSSL and the public: security experts and hackers alike began to take action immediately after.

Its difficult and maybe impossible to know how many users have been affected by the Heartbleed bug. A British parenting site reported that user data had been stolen as a result of Heartbleed hackers, yet the founder stated that there could be no way of knowing the exact number of users who had been affected. Its difficult to account for since the Heartbleed bug may leave no signature or evidence.

3Symantec Report: Heartbleed

Fallout from HeartbleedWhen exploiting the Heartbleed vulnerability, hackers look for servers with the greatest potential. Consumers who log on to a Web page with passwords or sensitive information arent the only target, so are the administrators who run the server itself. The only way to eliminate the problem requires that the website revoke its OpenSSL certificate and bring in a new certification. With so many affected servers, and certificates that need to be revoked and then renewed, SSL providers need to keep track of individual sites, servers and databases.

SSL certification agencies track, report and update the millions of sites through master documents called certificate revocation lists (CRLs). They use these lists to go through a staggering number of servers to inspect, tally and then repair problems. With increasing numbers of revocations, the more time has been needed to determine whether or not a server represents a security risk due to the Heartbleed bug. The sheer scale of lists and the time needed to address every SSL node has caused some certification agencies to be overwhelmed by the new workload.

The first publication to pick up on news of Heartbleed noted that the real impact would not be felt in gigabytes of data but rather in dollars lost as the number of CRLs shot up, accompanied by increased cost of maintaining certification processes.

Analysis of the financial impact suggests that the rise of Heartbleed will cost some $400,000 in monthly bandwidth alone as servers need to be torn down and rebuilt, dumping and then re-loading their data as they become de- and then re-certified. Those who bought OpenSSL servers at cut-throat rates, moreover, have found that they need to pay out the nose to a certification agency in order to fix their problems.

Good News: You Can Take Action to Protect Your BusinessIf an organization believes that their server may have been compromised by the Heartbleed bug, its possible to take steps to minimize the harm of lost or compromised data regardless of the size of the company. Any person, team or corporation finding itself at risk of the Heartbleed bug should take three particular steps: discover, remediate and protect.

4Symantec Report: Heartbleed

DiscoverOne of the first steps in the discovery phase involves determining which servers with OpenSSL protocols are at the highest risk. Administrators should scan their networks and any assets.

An end-to-end vulnerability assessment will focus on everything from servers to apps, analyzing an entire IT infrastructure in order to monitor threats big and small. With these modules in place, a company can address Heartbleed by checking platforms, testing defenses, measuring risk and configuring security setups. These tools should identify areas needing improvement in easily understandable terms. With a vendor risk manager, furthermore, its possible to determine your own risks as well as those of third-party partners in your IT environment. Its not just your own assets that must be protected.

Some SSL certificates including Symantecs come with free vulnerability assessment. This gauges risks to your site from an exterior source, taking the position of a hacker in order to see your system through the eyes of an external threat.

A third method of Heartbleed discovery is detection of the actual OpenSSL certification. Companies should be able to scan all aspects of their IT environment in order to seek out active or inactive SSL certifications in use that could potentially give Heartbleed access to their database.

Following these steps in the discovery phase provides a focused view on the Heartbleed bug threat, with a model of where to look and what areas to address.

RemediateUpon locating the at-risk components of your servers and platforms, you must resolve and recover from any Heartbleed vulnerability by patching the code and recompiling data to lock out external threats. With vulnerabilities in server and domains are identified, there are three potential paths to take in the remediation process: rolling back, updating and recompiling. Each has its own potential benefits to specific servers and platforms.

The roll-back process does exactly what it sounds like: an individual or organization with a compromised server need only return to the previous version of SSL, version 1.0.1. This older version may lack a few features, but it has no vulnerability to the Heartbleed bug and cannot be used for illicit data transfers.

5Symantec Report: Heartbleed

On the other hand, if a server owner wants to keep the advanced features of the most recent version of SSL, she can update to the newest 1.0.1g version of SSL, which has patched the Heartbleed loophole.

Finally, its possible to entirely sidestep the threat of the Heartbleed bug by recompiling the server without Heartbleed compatibility. Upon choosing and running one of these three remediation options, administrators should ensure that the fix has been successful and that no threat of Heartbleed remains.

Whether your company chooses rolling back, updating or reconfiguration, remediation still requires a server owner to replace the SSL certificates. Moreover, the owner needs to generate a new key pair for the certification because private keys can be exposed in the course of the data dump.

Once customers have created a new private key pair, they should destroy their old pair prior to creating their new SSL certificate signing request (CSR). A new CSR from an old key pair has not solved the Heartbleed problem, but has simply shifted it to a new source. The good news is that an owner can effectively solve two problems by creating a new key and generating a new certificate because doing so allows them to upgrade their server.

After completing these steps, a final test will be necessary to ensure that the process went smoothly and no complications have left any cracks in your servers armor.

The last step involves revoking any old certificates. Sometimes the certification agency will automatically revoke the old certificates Symantec does so as a matter of policy. But if they are not automatically revoked, however, your company will need to nuke them so that they cannot be used to piggyback into the server again.

ProtectThe Heartbleed bug can reveal a treasure trove of passwords and user names, in addition to private keys. Fifty percent of organizations rely solely on user names and passwords for their security, while the average user has five separate passwords that they use across two dozen or so different accounts.

Your company must not only provide security against the Heartbleed bug, but it also must move beyond the password to two-factor identification methods. With a two-factor identification protocol, the attacker must not only get through a firewall but also provide additional authentication, so that an account is protected even if the user name and password are compromised.

6Symantec Report: Heartbleed

Connecting a password to a mobile device with two-factor authentication stops unauthorized access cold by locking out the attacker from authentication and from the accounts within the device. With a simple second step in the authentication process, some 80 percent of data breaches could be eliminated. Protecting your server from the risks of the Heartbleed bug or another digital vulnerability isnt just about shutting down the weak points. Rather, its about taking a proactive stance against all aspects of digital piracy and theft. Creating layers of defense and adopting a standpoint of readiness will enable your company to address any and all threats.

Whether a company wants to batten down the hatches or simply adopt a new prioritization for security, your company should look beyond Heartbleed in order to be prepared for whatever comes next.

When the weakest point in the security chain comes at the hands of the human operators, a business needs to protect its environment by addressing the human factor at the endpoint of their operations and interface. Simple antivirus software and firewalls though they both remain necessary must be partnered with multiple layers of defenses all the way down to the endpoint.

Symantecs philosophy has always been that it is better to stop a threat than to respond to one, and the first layer of the defense is the network. Intrusion prevention creates a firewall that detects and blocks any incoming efforts to exploit the Heartbleed bug. This aspect of endpoint protection turns aside the majority of Heartbleed queries or attempts simply by understanding and combating the weakest point of entry.

On its own, antivirus software cannot always stop targeted or persistent threats, both of which constitute the fastest-growing malware trends on the Internet today. For that, you need a third layer of protection.

7Symantec Report: Heartbleed

Resources Available Certificate Intelligence Center: go.symantec.com/cic

Symantec SSL Knowledgebase: symantec.com/heartbleed

SSL Tool Box: ssltools.websecurity.symantec.com/checker

Website Vulnerability Checker: safeweb.norton.com/heartbleed

Symantec 2014 Internet Security Threat Report: go.symantec.com/istr

News & Resources: symantec.com/outbreak/?id=heartbleed

Need Help Now?Symantec offers a comprehensive portfolio

that provides layered protection based around endpoint, gateways and data center assets. To learn how Symantecs offers can

prevent a targeted attack from impacting your organization, visit us at http://www.symantec.

com/security-intelligence or talk to Symantec security experts by calling 855-210-1103.

Any protection solution must include a contextual awareness to ascertain the reputation of incoming files from their source. It must know how a program performs over the Web, know its size and scope and scale, and be aware of exactly what to expect when it come onto your mainframe. Doing so protects against mutated or camouflaged threats by seeing through their exterior.

Symantec provides solutions at every state of Heartbleed defense: discover, remediate and protect.

Symantecs discovery solutions locate the specific vulnerabilities that the Heartbleed bug can prey on.

With remediation, Symantec closes the gap by filling holes in the SSL protocol that allow Heartbleed hackers to tap into the node and send off information-gobbling pings.

At the protection states, Symantecs solutions take proactive measures to ensure that future attempts to steal data cannot compromise an organization.