Nayer said it is vital that the company’s technical team knows all the websites and web services the organisation has so they can check all the necessary sites. He recommends asking the IT department the following questions in addressing the issue:
- How have you determined whether each of our websites and web services has OpenSSL enabled?
- What type of sensitive information do we have that is accessible from the internet? What type of information would have been at risk?
- Have we looked at our logs to determine if there have been any successful or unsuccessful attempts to exploit this issue? What did we find? Are we monitoring our network to look for indications of attacks?
- What steps have we taken to mitigate the issue?
- How have you confirmed that the fixes have been applied successfully?
- Have you gotten assurances from our vendors, external hosting providers and application cloud services that they have fixed any vulnerable systems?
Nayer said that if the company’s website is internally hosted, the organisation can run the command ‘openssl version’ on the server to find out whether an affected version is being used. However, if it is hosted externally, it is necessary to contact the hosting provider for more information.
“If your system uses a vulnerable version of OpenSSL (1.0.1 through 1.0.1f) you should immediately upgrade to OpenSSL 1.0.1g. If you are unable to immediately upgrade you can recompile the version of OpenSSL you have with ‘-DOPENSSL_NO_HEARTBEATS’ set,” he advised.
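The following is an added example, not code from the article or from Nayer, that turns the ‘openssl version’ check and the ‘-DOPENSSL_NO_HEARTBEATS’ workaround described above into a script for an internally hosted server. The function names are my own, and the version strings it is exercised with are constructed sample input; the only real commands it relies on are ‘openssl version’, ‘openssl version -f’ (compiler flags) and ‘openssl version -b’ (build date), all of which exist in the 1.0.1 series.

```shell
#!/bin/sh
# Added example (not from the article): classify an OpenSSL build against the
# affected range the article gives (1.0.1 through 1.0.1f; 1.0.1g is fixed) and
# detect the -DOPENSSL_NO_HEARTBEATS workaround it mentions. Function names are
# the author's own; version strings in the checks are constructed sample input.

# Extract the bare version token from a line like "OpenSSL 1.0.1e 11 Feb 2013".
openssl_version_token() {
    tok=${1#OpenSSL }
    printf '%s\n' "${tok%% *}"
}

# Return 0 (true) when the upstream version is in the affected range.
# Suffixes such as "-fips" are tolerated after the patch letter.
heartbleed_affected() {
    case "$(openssl_version_token "$1")" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the compiler flags reported by `openssl version -f` show that
# the heartbeat extension was compiled out, the stop-gap the article describes.
heartbeats_disabled() {
    case "$1" in
        *OPENSSL_NO_HEARTBEATS*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine both checks. $1: `openssl version` output, $2: `openssl version -f`
# output. Prints one of: not-affected, mitigated, affected.
heartbleed_status() {
    if ! heartbleed_affected "$1"; then
        echo not-affected
    elif heartbeats_disabled "$2"; then
        echo mitigated
    else
        echo affected
    fi
}

# Run the checks against the local openssl binary. Distributions that
# backported the fix keep the old version string, so an "affected" verdict
# must be confirmed against the vendor advisory using the build date printed
# by `openssl version -b`; the version string alone can be a false positive.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found on PATH"
        return 2
    fi
    v=$(openssl version)
    f=$(openssl version -f)
    printf '%s\n%s\nverdict: %s\n' "$v" "$(openssl version -b)" \
        "$(heartbleed_status "$v" "$f")"
}

# Linux only: the CLI binary is not necessarily the library the web server
# loaded. List each process that has a libssl shared object mapped and which
# file it is, so that library can be checked too (statically linked servers
# will not appear here).
libssl_in_use() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}
        pid=${pid%/maps}
        libs=$(grep -o '/[^ ]*libssl\.so[^ ]*' "$m" 2>/dev/null | sort -u | tr '\n' ' ')
        if [ -n "$libs" ]; then
            printf '%s %s\n' "$pid" "$libs"
        fi
    done
    return 0
}

if [ "${1:-}" = "--run" ]; then
    check_local_openssl
    libssl_in_use
fi
```

Two caveats a practitioner should keep in mind when reading its output. First, some distributions shipped the fix as a patch to an existing package, so the reported version (for example a 1.0.1e string) stays the same after patching; compare the build date against the vendor’s advisory rather than trusting the string. Second, a server only picks up an upgraded library after it is restarted, so a process listed by libssl_in_use that started before the upgrade is still running the old code even when the check on the binary says not-affected.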
It would also pay to consider whether it is appropriate to revoke, and reissue with newly generated private keys, any certificates that were in use while the organisation ran exposed versions of OpenSSL; revoking a certificate without replacing its key does not address a key that may already have been read out of memory.
“Even after a fix is applied, the private cryptographic keys your systems are relying on to protect their communications could already have been compromised and this fix won’t address that compromise,” he said.
Nayer recommends increasing monitoring for unexpected activity in your systems, and training call centre and client-facing staff on how to respond to inquiries on the topic.
Additionally, Milbourne recommends changing passwords, although this is not a foolproof solution, as it only helps if the website in question has already put the required security patches in place.
“To be on the safe side, I recommend changing passwords at least every three months and to make sure your personal email password is different from every other password,” he said.
For more information on how the Heartbleed software flaw works, see the infographic courtesy of BAE Systems Applied Intelligence.