According to new research from Venafi, some 74 percent of 'Forbes Global 2000 organizations' (or the big boys of business if you prefer) have yet to properly secure their public-facing servers against the Heartbleed OpenSSL threat. That's a year after the thing broke, for goodness sake! Venafi found that at least 580,000 hosts belonging to this elite group of enterprises were still vulnerable because full and proper threat remediation had not been applied. They were patched, yes, but did not bother with the equally important steps of replacing private keys and revoking the old certificates. Looking at the market in general, it would seem that more than half of organizations simply have no idea how many keys or how many certificates they have, or even where they are being used. If you are in the US you can be happiest, if that's the right word, as your big business boys sit just behind Germany at the top of the remediation tree with a 41 percent total. That's still pretty poor, of course, but way better than Australia on 16 percent.
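The distinction the research draws, between hosts that were merely patched and hosts where the exposed keys were replaced and the old certificates revoked, is easy to lose in an inventory of thousands of endpoints. The script below is an added example (not Venafi's tool or code from the article) that classifies each host in a constructed inventory into one of those remediation states; the host names, fingerprints and the field layout are assumptions for the illustration, and the affected OpenSSL version range is the publicly documented one (1.0.1 through 1.0.1f, plus 1.0.2-beta1).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Heartbleed (CVE-2014-0160) was disclosed on 2014-04-07; any private key that
# was in use on a vulnerable host before it was patched is treated as exposed.
UTC = timezone.utc
DISCLOSURE = datetime(2014, 4, 7, tzinfo=UTC)
# OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 carry the bug; 1.0.1g fixed it.
VULNERABLE_VERSION = re.compile(r"^1\.0\.1[a-f]?$|^1\.0\.2-beta1$")

@dataclass
class HostRecord:
    host: str
    openssl_version: str        # version string reported by the host or scanner
    old_key_fpr: str            # fingerprint of the key served before patching
    current_key_fpr: str        # fingerprint of the key served now
    cert_not_before: datetime   # notBefore of the certificate served now
    old_cert_revoked: bool      # old serial appears on the CA's CRL / OCSP

def heartbleed_vulnerable(version: str) -> bool:
    """True when the OpenSSL version string is one of the affected releases."""
    return VULNERABLE_VERSION.match(version.strip()) is not None

def remediation_state(rec: HostRecord) -> str:
    """Classify how far a host has got through full Heartbleed remediation."""
    if heartbleed_vulnerable(rec.openssl_version):
        return "unpatched"
    # An unchanged fingerprint, or a cert issued before disclosure, means the
    # possibly-leaked key is still in service: patching alone is not enough.
    if rec.current_key_fpr == rec.old_key_fpr or rec.cert_not_before < DISCLOSURE:
        return "patched-key-not-rotated"
    if not rec.old_cert_revoked:
        return "patched-old-cert-not-revoked"
    return "remediated"

def audit(records):
    """Map each host to its remediation state."""
    return {r.host: remediation_state(r) for r in records}

# Constructed inventory for the example; fingerprints are placeholder values.
SAMPLE_INVENTORY = [
    HostRecord("vpn.example.test", "1.0.1e", "aa11", "aa11", datetime(2013, 9, 1, tzinfo=UTC), False),
    HostRecord("www.example.test", "1.0.1g", "bb22", "bb22", datetime(2013, 9, 1, tzinfo=UTC), False),
    HostRecord("mail.example.test", "1.0.1g", "cc33", "cc44", datetime(2014, 4, 9, tzinfo=UTC), False),
    HostRecord("api.example.test", "1.0.1h", "dd55", "dd66", datetime(2014, 4, 10, tzinfo=UTC), True),
]
```

Only the last host counts as remediated; the second is exactly the "patched but not fixed" case the research describes.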
Patrick Wheeler, director at Proofpoint, says “the fact that so many systems remain vulnerable to Heartbleed highlights the difficulty of basing security on patching production systems. Organizations have to balance the needs of business-critical applications with the duty to take all reasonable, industry-standard measures to protect employee and customer data. Incorporating security fixes can be all the more difficult in the case of an issue like Heartbleed, where verification of the fix is much more difficult than simply testing for a patch or a server response. The best way to address this challenge is to complement patching and effective system management with a layered approach to protect sensitive data in motion and at rest. This includes monitoring and blocking both exploits and content at the network, gateway, server and user levels, tightly integrated with threat intelligence and automated threat response capabilities.”
Meanwhile, Phil Lieberman, CEO of Lieberman Software Corporation, adds "The lack of complete or near complete remediation comes as no surprise. Because open-source-based software has no standardized (and even more important) automated method of pushing repairs of defective software en masse, the lack of remediation is expected, since most upgrades must be initiated by the end-customer, assuming that the developer has a working update. By personal experience, we tried to update a pair of S----wall VPN/Firewalls to patch the Heartbleed vulnerability and were left with two bricked devices and the opportunity to spend hours arguing with an off-shore support department uninterested in resolving our problem. Given this bad experience, we are now loath to patch any embedded system ourselves because of the risk of losing availability permanently. We replaced the bricked devices with another manufacturer that is responsible for patching their own devices by themselves. Every time I walk into our server room I see the dead S----wall devices and cringe at our stupidity in buying them and in buying devices that embed open source. The other element to consider is that many organizations don’t even know what devices or software they purchased that has open source with flaws (many companies don’t disclose it until too late or never). Given the lack of understanding of what is owned, coupled with a lack of labour and expertise to patch them, most of the defective goods go unremediated. There is also the issue of corporate career suicide as you explain why you bought open source (and potentially unsupported) based products and why you are loath to patch them, as it may send the organization off the air permanently."