Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

What do business continuity managers need to know about Heartbleed?

Andrew Waite gives an overview of the Heartbleed vulnerability.

This week has been an interesting and busy one for those on both sides of the information security fence: a critical vulnerability, dubbed Heartbleed, was publicly disclosed in the widely used library OpenSSL, which forms the core of many SSL/HTTPS provisions.

What is it?

Without getting too technical, the Heartbleed flaw allows a malicious and unauthorised third party to access protected data in memory. The exact data access is random, but there have been corroborated reports that it can expose clear-text passwords, private SSL keys and other sensitive data which would negatively impact the security of your systems, users and clients.

How to determine if you’re vulnerable

The vulnerability effects any service utilising OpenSSL version 1.0.1 through to OpenSSL version 1.0.1f. If you (or your in-house sysadmin) can confirm that your SSL implementation isn’t running any of the affected versions, you’re safe from this particular weakness. Unfortunately, OpenSSL is widely used and embedded into many other appliances and application stacks.

Since the notification announcement, a number of websites have been released to enable you to enter your system name/IP address and the site will check for you. However, what a third party may do with the information once determining your system is vulnerable could be a risk in its own right…

What to do if your systems are vulnerable

Upgrade OpenSSL: a fix has already been developed and released, so implement it. Depending on your operating system and configuration this may be as simple as issuing a single command, or it could be a much more complex operation. If you are unsure, get expert advice before proceeding.

It has been suggested that you re-issue your SSL certificates on affected services. You should contact your certificate provider for further information on this area before progressing.

What to do if you’ve used a vulnerable system

There have been reports of some Internet systems, including the likes of Yahoo!, leaking user passwords as a result of the vulnerability. It is recommended that you change your passwords (and any other system where the password has been re-used, against best advice); however this will only help AFTER the flaw in the affected system is fixed.

Where possible, upgrading your authentication to utilise two factor authentication (2FA) will remove this aspect of the risk.

The author

Andrew Waite is an IT security consultant with Onyx Group.

Onyx Group is offering a dedicated vulnerability management services package covering the Heartbleed issue. Existing clients should contact their account manager, otherwise contact sales@onyx.net

•Date: 10th April 2014 • UK/World •Type: Article • Topic: ISM

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here