Lazy Remediation Leaves Most Global 2000 Firms Vulnerable After Heartbleed Flaw: Report

Wednesday, April 08, 2015

Mike Lennon

306708aaf995cf6a77d3083885b60907

As we mark the one-year anniversary of disclosure of the now famous OpenSSL vulnerability (CVE-2014-0160) known as Heartbleed, security firm Venafi has released new research that shows how vulnerable Global 2000 organizations still are as a result of the flaw.

According to Venafi’s research, as of April 2015, 74% of organizations have failed to completely remediate the risks around Heartlbeed despite ongoing warnings and guidance from software makers and security industry experts. That number remains nearly unchanged from the 76 percent reported by Venafi as being vulnerable as of August 2014.

To compile its report, Venafi Labs used its cloud-based digital certificate reputation service to evaluate 1,642 Global 2000 organizations with public-facing systems vulnerable to Heartbleed.

While many Global 2000 organizations have taken basic steps to remediate Heartbleed, most have not entirely remediated the vulnerability, Venafi says. In fact, the security firm found that 85 percent these organizations' external servers remain vulnerable due to the flaw.

“From the start, it was clear that Heartbleed was not just another ‘patch-it’ event,” the report said. “It struck at the core of what creates online trust: SSL keys and certificates. If SSL keys and certificates could be compromised, websites could be spoofed for phishing attacks and encrypted communications decrypted via man-in-the-middle (MITM) tactics resulting in customer data loss and intellectual property theft.”

Venafi has discovered 580,000 hosts belonging to Global 2000 organizations that have not been completely remediated. These partially remediated hosts have been patched against Heartbleed, but the oganizations have either performed, as described by Gartner, “lazy” remediation, failing to replace the private key, or failed to revoke the old certificate, Venafi said.

Read the rest of this story on SecurityWeek.com. 

10023
Firewalls IDS/IDP Network Access Control Network->General SCADA
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.