Protect Your Assets

Heartbleed still causing heartburn

markpainter ‎05-22-2014 07:34 AM - edited ‎07-06-2015 01:13 PM

I recently estimated that within three weeks of the release of the Heartbleed security vulnerability, roughly 70 percent of organizations would have it resolved. It’s a good thing I wasn’t in Vegas when I made that prediction because I’d have lost that bet. Roughly six weeks later, over half still haven’t corrected the problem. Some organizations simply might not need to implement the fix (or at least think they don’t) because the data does not require protection. Some might not be aware they are vulnerable. Some might no longer support that implementation. But I suspect for most of the laggards, the complexity of their implementations is slowing down the fix rate, and that it’s not a lack of desire. Here are a couple of examples that show the true scope of implementing the fix. And of course, they just happen to reflect critical infrastructure.


This is a very perilous time for organizations that are vulnerable, as knowledge of the attack is widespread and affected sites are actively being hunted. It’s a dangerous time for users, too. A recent survey found that 47 percent of people who heard of Heartbleed and knew of the danger still haven’t changed passwords. It’s counterintuitive, but this is actually an instance when laziness is not necessarily a bad thing. If the fix hasn’t been implemented, then changing your password does no good. In fact, it could do harm by revealing your new password.


There is no doubt users are eventually going to be tasked with having to protect themselves to a much larger extent than they do now. That job becomes exceedingly hard, though, when timing needs to be part of the decision. The waiting really is the hardest part. And when corporations and security experts can’t agree about what users should do, it becomes that much more confusing. For my part, I changed all my passwords upon release of the vulnerability, and have been doing so again as each impacted site releases its fix information. Put simply, we’ve got a long way to go before we are out of the woods on this one. Stay tuned.
