The vulnerability in OpenSSL from version 1.0.1 up to and including 1.0.1f allows an attacker to extract data that includes cryptographic keys for digital certificates used to secure online transactions without being detected.
A year after the vulnerability was discovered, 74% of Forbes Global 2000 organisations’ external servers remain vulnerable to attacks that exploit Heartbleed, according to a report by security firm Venafi.
That is just a 2% improvement in the eight months since the last scan of the same set of companies.
In the UK, 67% of these organisations are still vulnerable, leaving them defenceless against reputational damage and widespread intellectual property loss.
According to Venafi researchers, most big companies have failed to take the necessary steps to remediate their servers and networks fully.
Only 23% of UK companies in the Forbes Global 2000 have taken appropriate actions for complete remediation.
According to the report, organisations have given up on properly replacing keys and certificates either because they fail to grasp the full risk exposure this creates or they do not have the knowledge to understand how to complete remediation.
Security teams need to go beyond simply patching and must also replace the private key, re-issue a new certificate and revoke the old one, the report said.
Venafi has identified 580,000 hosts belonging to Global 2000 organisations that have not been completely remediated.
These partially remediated hosts have been patched against Heartbleed, but the organisations have either failed to replace the private key or failed to revoke the old certificate.
Failure to replace the private key allows an attacker to decrypt any SSL traffic for the affected host, and failure to revoke the old certificate enables the attacker to use the old certificate in phishing campaigns against the organisation and its customers, the report said.
“A major alarm needs to be sounded for this huge percentage of the world’s largest and most valuable businesses which are still exposed to attacks like those executed against Community Health Systems,” said Jeff Hudson, chief executive of Venafi.
The August 2014 cyber breach at the US hospital group, which exposed 4.5 million patient names, social security numbers and addresses, was the first time Heartbleed was linked to a cyber attack of that size.
The attackers reportedly used the cryptographic keys captured by exploiting the Heartbleed vulnerability to bypass security systems.
Prior to that, attacks on the UK's parenting website Mumsnet and the Canada Revenue Agency were the biggest reported intrusions linked to exploitation of the Heartbleed bug, exposing 1.5 million user accounts and 900 social security numbers respectively.
“Given the danger that these vulnerabilities pose to their business, remediating risks and securing and protecting keys and certificates needs to be a top priority not only for the IT team alone, but for the chief executive, chief information security officer and the board of directors,” said Hudson.
Among more than 2,300 IT security professionals surveyed in the Venafi-commissioned 2015 Cost of Failed Trust report by the Ponemon Institute, 100% of UK companies polled admitted they had been targeted by at least one attack on their cryptographic keys and digital certificates in the past two years.
Overall, 60% of respondents said their organisations must do a better job responding to vulnerabilities such as Heartbleed involving keys and certificates.
According to the report, potential risk facing UK firms from attacks on keys and certificates is expected to reach at least £33m in the next two years.
The report said the research findings highlight that security professionals most fear a crypto apocalypse-like event.
Four basic steps to completing Heartbleed remediation
- Know where all keys and certificates are located.
- Generate new keys and certificates.
- Install the new keys and certificates in place of the old ones, and revoke the old certificates.
- Validate remediation to ensure new keys and certificates are in place and working.
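The report's distinction between patched and fully remediated hosts, and the validation step above, can be expressed as a small inventory check. The following is an added example, not Venafi's scanner or any OpenSSL tooling: it classifies each host as unpatched, partially remediated (patched but the key was not replaced or the old certificate was not revoked) or fully remediated. The hostnames, version strings and the byte strings standing in for DER-encoded public keys are constructed sample data; the `HostRecord` fields and function names are this example's own.

```python
"""Heartbleed remediation-state checker (added example, not Venafi's tool).

A host counts as fully remediated only when all three hold:
  1. OpenSSL is patched (no longer in the 1.0.1 .. 1.0.1f range the article names),
  2. the private key has been replaced (the key served now differs from the key
     served while the host was vulnerable),
  3. the certificate bound to the exposed key has been revoked.
Anything else is "partially remediated" in the sense of the report.
"""
import hashlib
from dataclasses import dataclass


def openssl_is_vulnerable(version: str) -> bool:
    """True for OpenSSL 1.0.1 through 1.0.1f, the range named in the article."""
    v = version.strip().lower()
    if v.startswith("openssl "):
        v = v[len("openssl "):]
    if not v.startswith("1.0.1"):
        return False
    # Letter suffix after "1.0.1"; drop build tags such as "-fips".
    suffix = v[len("1.0.1"):].split("-")[0]
    return suffix in {"", "a", "b", "c", "d", "e", "f"}


def key_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo. The same key always yields the
    same fingerprint, so a certificate reissued on the exposed key is caught."""
    return hashlib.sha256(spki_der).hexdigest()


@dataclass
class HostRecord:
    hostname: str
    openssl_version: str      # version running now, after any patching
    exposed_key_fp: str       # fingerprint of the key served while vulnerable
    current_key_fp: str       # fingerprint of the key served now
    old_cert_revoked: bool    # has the certificate for the exposed key been revoked?


def remediation_state(host: HostRecord) -> str:
    """Classify one host using the report's three conditions."""
    if openssl_is_vulnerable(host.openssl_version):
        return "unpatched"
    gaps = []
    if host.current_key_fp == host.exposed_key_fp:
        gaps.append("private key not replaced")
    if not host.old_cert_revoked:
        gaps.append("old certificate not revoked")
    if not gaps:
        return "fully remediated"
    return "partially remediated: " + "; ".join(gaps)


def summarise(hosts):
    """Count hosts per state, collapsing the partial variants into one bucket."""
    counts = {"unpatched": 0, "partially remediated": 0, "fully remediated": 0}
    for h in hosts:
        counts[remediation_state(h).split(":")[0]] += 1
    return counts


# Constructed inventory: these byte strings stand in for DER-encoded public keys.
OLD_KEY = b"constructed-spki-exposed-while-vulnerable"
NEW_KEY = b"constructed-spki-generated-after-patching"

SAMPLE_HOSTS = [
    # still running a vulnerable build
    HostRecord("web1.example.test", "1.0.1f", key_fingerprint(OLD_KEY), key_fingerprint(OLD_KEY), False),
    # patched, but the same key is still in service and nothing was revoked
    HostRecord("web2.example.test", "1.0.1g", key_fingerprint(OLD_KEY), key_fingerprint(OLD_KEY), False),
    # new key installed, old certificate never revoked
    HostRecord("web3.example.test", "1.0.1g", key_fingerprint(OLD_KEY), key_fingerprint(NEW_KEY), False),
    # all three steps done
    HostRecord("web4.example.test", "1.0.1g", key_fingerprint(OLD_KEY), key_fingerprint(NEW_KEY), True),
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h.hostname:20} {remediation_state(h)}")
    print(summarise(SAMPLE_HOSTS))
```

In practice the `exposed_key_fp` column comes from the certificate inventory gathered in step one, and `current_key_fp` from the public key the host actually serves after the change; comparing public-key fingerprints rather than certificate serial numbers is what exposes a certificate that was reissued without generating a new key.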