With the widespread use of OpenSSL across enterprise applications and servers, the newly announced OpenSSL Heartbleed Vulnerability has introduced a level of risk that organizations need to take seriously.
What is the Heartbleed bug and are you vulnerable?
The Heartbleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library. OpenSSL is an implementation of the SSL/TLS encryption protocols used to protect the privacy of Internet communications. OpenSSL is used by many web sites and by other applications such as email, instant messaging, and VPN servers.
The Heartbleed vulnerability allows an attacker to read up to 64 KB of the process memory of a system running an affected version of OpenSSL per request, without authenticating and without leaving a trace in the server's logs, and the request can be repeated as often as the attacker likes. That memory can contain user names, passwords, session cookies, or even the server's private SSL/TLS key. An attacker who obtains the private key can impersonate the server and decrypt captured traffic that was not protected by a forward-secret key exchange, which opens the door to further exploitation.
Who is affected by Heartbleed?
According to Netcraft data as of April 8th, 2014, although 66% of sites use OpenSSL, only 17% were susceptible to the Heartbleed bug.
Given that this vulnerability has existed since OpenSSL 1.0.1 was released in March 2012 (roughly two years), an organization that has deployed servers running OpenSSL versions 1.0.1 through 1.0.1f (or 1.0.2-beta1) during this timeframe is likely vulnerable to the Heartbleed bug and should take immediate steps to remediate.
Although there have been no successful Heartbleed attacks documented to date, that does not mean they have not happened, and because exploitation leaves nothing in the logs there is no reliable way to rule it out. Accordingly, even if your organization is not currently vulnerable, it may have been so in the past, and it should be assumed that remediation is required if you have deployed the vulnerable OpenSSL versions. Remediation means more than upgrading the library: after moving to OpenSSL 1.0.1g or later (or your distribution's patched package), restart every service that had the old library loaded, generate new private keys and reissue certificates, revoke the old ones, invalidate existing sessions, and have users change passwords that may have been exposed.
While the use of OpenSSL is widespread, the impact of Heartbleed depends on how the systems using it were built and configured.
You are not vulnerable if you are:
- not using OpenSSL at all (other TLS implementations exist; note that keeping the private key in a Hardware Security Module protects the key itself, but it does not stop an OpenSSL process in front of the HSM from leaking the rest of its memory)
- using OpenSSL built with the heartbeat extension disabled (the -DOPENSSL_NO_HEARTBEATS compile-time option), which removes the code path this attack uses
- using the OpenSSL 1.0.0 or 0.9.8 branches (the bug was introduced in 1.0.1), or 1.0.1g or later, where it is fixed. Note that several Linux distributions shipped the fix as a patch to their existing 1.0.1e package without changing the upstream version string, so the output of "openssl version" alone does not tell you whether you are patched; check your distribution's package changelog for the CVE-2014-0160 fix.
How to check for the Heartbleed vulnerability
If you use OpenSSL and are unsure whether you are affected, a public test tool is available to quickly confirm whether you have the vulnerability. Customers of Lord & Griffin IT Solutions and Trend Micro* customers with Deep Security for Web Apps can run a full vulnerability scan on their web applications to check for the Heartbleed bug.
Wondering if you are vulnerable? Not sure what to do next? Go to www.trendmicro.com/heartbleed to find out what you need to know now and learn how Trend Micro’s proven security capabilities can help to secure your modern data center and cloud deployments. This includes application vulnerability scanning, SSL certificates, targeted attack detection, and comprehensive server security with critical capabilities like virtual patching to help you quickly address this and other potential issues.
As an IT Solutions and IT Systems leader in security, Lord & Griffin IT Solutions is here to help your business or organization better understand the threat of OpenSSL Heartbleed and address the possibility of vulnerability, including:
- Facts about the OpenSSL vulnerability
- How to find out if you’re affected
- And what to do if you are impacted
Lord & Griffin IT Solutions is an all-inclusive IT and Web Solutions Company. We offer services in the following areas: IT Systems Management, IT Systems/Network Service, the utmost in Customer Service, Rural Outsourcing and Web Support in Jackson, MS and the Greater Jackson Metro Area (Philadelphia & Choctaw, MS, Meridian, MS and East Mississippi and West Alabama) as well as New Orleans, LA and the Greater New Orleans-Metairie-Kenner Metro Area (including Baton Rouge, LA).
*Trend Micro -Trusted Lord & Griffin IT Solutions Vendor.
Contact Us –
- P.O. Box 6445, Choctaw, MS 39350
- 232 Market Street, Flowood, MS 39232 – 3339
- 201 St. Charles Avenue, Suite 2500, New Orleans , LA 70170