According to new research from Venafi, some 74 percent of 'Forbes Global 2000 organizations' (or the big boys of business, if you prefer) have yet to properly secure their public-facing servers against the Heartbleed OpenSSL threat. That's a year after the thing broke, for goodness' sake! Venafi found that at least 580,000 hosts belonging to this elite group of enterprises were still vulnerable because full and proper threat remediation had not been applied. They were patched, yes, but the equally important steps of replacing private keys and revoking the old certificates were not taken. Looking at the market in general, it would seem that more than half of organizations simply have no idea how many keys or certificates they have, or even where they are being used. If you are in the US you can be happiest, if that's the right word, as your big business boys sit just behind Germany at the top of the remediation tree with a 41 percent total. That's still pretty poor, of course, but way better than Australia on 16 percent.

Patrick Wheeler, director at Proofpoint, says “the fact that so many systems remain vulnerable to Heartbleed highlights the difficulty of basing security on patching production systems. Organizations have to balance the needs of business-critical applications with the duty to take all reasonable, industry-standard measures to protect employee and customer data. Incorporating security fixes can be all the more difficult in the case of an issue like Heartbleed, where verification of the fix is much more difficult than simply testing for a patch or a server response. The best way to address this challenge is to complement patching and effective system management with a layered approach to protect sensitive data in motion and at rest. This includes monitoring and blocking both exploits and content at the network, gateway, server and user levels, tightly integrated with threat intelligence and automated threat response capabilities.”
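The "patched but not remediated" gap described above, and Wheeler's point that verifying the fix is harder than testing for a patch, can be checked from the certificate a server actually serves. The following is an added example, not code from Venafi, Proofpoint or the article; it assumes the public Heartbleed disclosure date (7 April 2014) as the cut-off and uses constructed certificate dicts and a constructed revoked-serial list in place of a live server and CRL.

```python
import ssl
import socket
from datetime import datetime, timezone

# Heartbleed (CVE-2014-0160) was publicly disclosed on 2014-04-07. A
# certificate whose notBefore predates that day was issued for a key that
# may have been exposed while the bug was live, so patching alone is not
# remediation: the key must be replaced and the old certificate revoked.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

def cert_dict_from_host(host, port=443, timeout=5):
    """Fetch a live server's leaf certificate as the dict that
    ssl.SSLSocket.getpeercert() returns. Not used by the offline checks."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def remediation_findings(cert, revoked_serials=frozenset()):
    """Classify a getpeercert()-style dict. Returns a list of finding codes;
    an empty list means the certificate shows no sign of incomplete cleanup."""
    findings = []
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if not_before < HEARTBLEED_DISCLOSURE:
        # Issued before disclosure: same key the vulnerable build could leak.
        findings.append("cert-predates-heartbleed-key-not-rotated")
    if cert.get("serialNumber", "").upper() in revoked_serials:
        # Still serving a certificate the CA has already revoked.
        findings.append("revoked-cert-still-in-use")
    return findings

# Constructed sample data for an offline run (not real hosts, CAs or serials).
OLD_CERT = {"subject": ((("commonName", "www.example.test"),),),
            "notBefore": "Jan 10 00:00:00 2014 GMT",
            "notAfter": "Jan 10 23:59:59 2016 GMT",
            "serialNumber": "0A1B2C3D"}
NEW_CERT = {"subject": ((("commonName", "www.example.test"),),),
            "notBefore": "Apr 12 08:30:00 2014 GMT",
            "notAfter": "Apr 12 08:30:00 2016 GMT",
            "serialNumber": "0F0E0D0C"}
# Serials the CA's CRL lists as revoked (constructed).
REVOKED = frozenset({"0A1B2C3D"})

if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(label, remediation_findings(cert, REVOKED) or ["ok"])
```

Pointing `cert_dict_from_host` at your own servers and feeding the result to `remediation_findings`, together with your CA's CRL serials, gives a key-rotation check that a plain patch-level test cannot.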

Meanwhile, Phil Lieberman, CEO of Lieberman Software Corporation, adds "The lack of complete or near complete remediation comes as no surprise. Because open-source based software has no standardized (and even more important) automated method of pushing repairs of defective software en masse, the lack of remediation is expected since most upgrades must be initiated by the end-customer assuming that the developer has a working update. By personal experience, we tried to update a pair of S----wall VPN/Firewalls to patch the Heartbleed vulnerability and were left with 2 bricked devices and the opportunity to spend hours arguing with an off-shore support department uninterested in resolving our problem. Given this bad experience, we are now loath to patch any embedded system ourselves because of the risk of losing availability permanently. We replaced the bricked devices with another manufacturer that is responsible for patching their own devices by themselves. Every time I walk into our server room I see the dead S----wall devices and cringe at our stupidity buying them and in buying devices that embed open source. The other element to consider is that many organizations don't even know what devices or software they purchased that has open source with flaws (many companies don't disclose it until too late or never). Given the lack of understanding of what is owned coupled with a lack of labour and expertise to patch them, most of the defective goods go un-remediated. There is also the issue of corporate career suicide as you explain why you bought open source (and potentially unsupported) based products and why you are loath to patch them as it may send the organization off the air permanently."

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really Are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the 'Enigma Award' for a 'lifetime contribution to information security journalism' in 2011 despite my life being far from over...

They either don't understand the risks or they just don't care about protecting sensitive data. I think Heartbleed is ranked the #1 critical flaw for 2014, followed by Shellshock.

A lot of the ignoring of these issues is due to management not wanting to deal with the costs involved. They seem to take the stance that "we aren't being hacked, so why pay the price?". The old adage of "penny wise, but pound foolish" comes to mind...

Talking to a number of consultants specialising in IT security, it seems that the 'big boys' are leading the way with those remediation stats. Look to the medium sized enterprises sector and remediation falls to around 10%. Their future could be, erm, interesting to say the least.

I agree with rubben, it could be a cost issue and they'd rather not deal with it until it's too late; that's why #DFIR is becoming so popular (Hey, I got hacked, come and fix everything as if it didn't happen).

Although it's understandable not to spend money on top of what has already been spent, I guess it's better to spend some rather than be left out of business; some of those organisations' web servers are quite popular and are visited tens of thousands of times daily. That really exposes a lot of customers and the company as well. I mean, even a simple XSS can be catastrophic, such as redirecting users to a similar-looking page with big red text saying "please download our new product's update, it has awesome features" .. well, you could imagine what those features are :D