Protect Your Assets

Heartbleed still causing heartburn

markpainter ‎05-22-2014 07:34 AM - edited ‎07-06-2015 01:13 PM

I recently estimated that within three weeks of the release of the Heartbleed security vulnerability, roughly 70 percent of organizations would have it resolved. It’s a good thing I wasn’t in Vegas when I made that prediction because I’d have lost that bet. Roughly six weeks later, over half still haven’t corrected the problem. Some organizations simply might not need to implement the fix (or at least think they don’t) because the data does not require protection. Some might not be aware they are vulnerable. Some might no longer support that implementation. But I suspect for most of the laggards, the complexity of their implementations is slowing down the fix rate, and that it’s not a lack of desire. Here are a couple of examples that show the true scope of implementing the fix. And of course, they just happen to reflect critical infrastructure.

This is a very perilous time for organizations that are vulnerable, as knowledge of the attack is widespread and affected sites are actively being hunted. It’s a dangerous time for users, too. A recent survey found that 47 percent of people who heard of Heartbleed and knew of the danger still haven’t changed passwords. It’s counterintuitive, but this is actually an instance when laziness is not necessarily a bad thing. If the fix hasn’t been implemented, then changing your password does no good. In fact, it could do harm by revealing your new password.

There is no doubt users are eventually going to be tasked with having to protect themselves to a much larger extent than they do now. That job becomes much harder, though, when timing needs to be part of the decision. The waiting really is the hardest part. And when corporations and security experts can’t agree about what users should do, it becomes that much more confusing. For my part, I changed all my passwords upon release of the vulnerability, and have been doing so again as each impacted site releases its fix information. Put simply, we’ve got a long way to go before we are out of the woods on this one. Stay tuned.
