Announced on April 7, 2014, the “Heartbleed” bug represents one of the most significant threats to data security to date. It is estimated that as many as a half million sites, including banking, social media, and e-mail sites, are affected. The “Heartbleed” bug is a flaw in OpenSSL, cryptographic software used since March 2012 to protect information transmitted over the Internet, including e-mail, instant messaging, and even virtual private networks. OpenSSL is used to secure as many as two-thirds of all encrypted Internet connections.
The “Heartbleed” bug has lurked within the OpenSSL code since its inception, allowing attackers to slowly, but effectively, draw out information stored in an affected system’s memory. Consequently, an attacker can gain access to private information such as login names, passwords, security questions and answers, access tokens, and other data that was supposed to be protected by encryption. The unsettling reality is that the full extent of the damage caused by the bug is currently unknown, and may not be ascertainable for some time. This is because the OpenSSL updates currently available close the flaw going forward but cannot protect a system user whose credentials (e.g., passwords) were already obtained by attackers and remain in use.
ADDRESSING THE “HEARTBLEED” BUG
While the time and resources needed to address the data security threat posed by the “Heartbleed” bug will depend on the configuration and complexity of your computer systems, a conceptual approach for assessing and addressing the task is illustrated below.
BE PREPARED TO RESPOND TO A DATA SECURITY BREACH
From the moment you first learn of the breach:
- Obtain as much information as you can about the breach in order to identify the source(s) and cause(s) of the breach, effectively marshal resources to resolve the problem, and understand your business and legal responsibilities and remedies.
- Put your Data Security Response Team to work, including information technology, legal, risk management, human resources, corporate compliance, and public relations personnel.
- Provide timely, and just as important, accurate information to members of the leadership team, key stakeholders, insurers, key customers, vendors, and partners. Also give timely notifications as required by state and federal law.
- Act quickly to identify and fix the problem, restore company and consumer confidence, and meet legal obligations. The company’s Data Security Response Team must be a well-rehearsed rapid response team, trained to act accurately and efficiently.
- Document everything. From the moment you first learn about a breach, it is imperative that you create a record of all steps taken to address and remedy the situation.
UNDERSTANDING THE RISK
The “Heartbleed” bug is an extraordinary data security threat. If affected sites and their users fail to proactively respond to this and other data security threats, they risk adverse consequences, such as civil penalties, loss of customer confidence, and increased litigation costs and insurance premiums.