OpenSSL vulnerabilities could enable a remote hacker to gain access to sensitive data, including secret keys and authentication credentials, through incorrect memory handling. Some of these vulnerabilities could also leak unencrypted information or allow DTLS (Datagram Transport Layer Security) traffic to be decrypted.
More than 50% of the web servers on the internet use OpenSSL to safeguard user accounts and data. These servers take many forms: chat servers, email servers, network applications, social media servers, virtual private networks (VPNs) and open source web servers such as nginx and Apache.
The problem arises when OpenSSL trusts the length field supplied by a cyber criminal while it builds a response packet. The recent Heartbleed bug is a case in point: it was found in OpenSSL implementations using OpenSSL's TLS/DTLS Heartbeat extension. An attacker can exploit it against a server to read a portion of the server's memory, up to 64 KB at a time, without leaving any trace.
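As an added illustration of the length-field problem described above (example code written for this explanation, not OpenSSL's own source), here is a hardened heartbeat-response builder that refuses to echo more bytes than the record actually carries. The message layout follows RFC 6520 (type, two-byte length, payload, 16 bytes of padding); the two sample requests are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): 1-byte type, 2-byte payload length,
 * the payload itself, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build a heartbeat response into out (capacity out_cap) from a received
 * record of rec_len bytes. Returns bytes written, or 0 if the record is
 * rejected. The check marked "fix" is what the vulnerable code lacked: it
 * copied `payload` bytes on the peer's say-so, however short the record was. */
size_t build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;   /* cannot hold a heartbeat */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* fix: declared payload plus header and padding must fit inside the
     * bytes that were actually received, otherwise refuse to answer. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);        /* echo only what the peer sent */
    memset(out + 3 + payload, 0, HB_PADDING); /* real TLS uses random padding */
    return resp_len;
}

/* Constructed sample records: a well-formed 4-byte "ping" request, and the
 * same bytes with the length field raised to 65535 (the Heartbleed shape). */
const uint8_t GOOD_REQ[] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
                            0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
const uint8_t BAD_REQ[]  = {HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
                            0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
uint8_t g_out[64];  /* response buffer used by the stand-alone main */

int main(void)
{
    size_t n = build_heartbeat_response(GOOD_REQ, sizeof GOOD_REQ, g_out, sizeof g_out);
    printf("well-formed request: %zu-byte response\n", n);       /* 23 */
    n = build_heartbeat_response(BAD_REQ, sizeof BAD_REQ, g_out, sizeof g_out);
    printf("oversized length field: %zu (rejected)\n", n);       /* 0 */
    return 0;
}
```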
If SSL certificates are installed on a host running an affected version of OpenSSL, their private keys could have been compromised. Since there is no way to tell which certificates were compromised, server hosts must generate new SSL certificates.
For end users, the biggest problem is that they have to wait for website operators to patch these vulnerabilities. So even when a security breakdown like the Heartbleed bug exposes sensitive data on your computers and company devices, you can only take measures to reduce the risk, because the root issue must be fixed by the server operators.
While enterprises should always perform a comprehensive assessment of their digital identity, incorporating these measures can significantly mitigate the risks of OpenSSL vulnerabilities:
Network monitoring can be the difference maker for your cyber security, as it can detect an adversary's intentions before any harm is done to your systems. More specifically, advanced monitoring systems give enterprises proactive insight into network activity, allowing appropriate action to be taken to neutralize OpenSSL vulnerabilities and other threats.
Monitoring services can also protect your organization's reputation by intercepting threats to your digital identity before the public becomes aware of them. Reputable services are also backed by a proactive staff following a strict process for quickly communicating up-to-date information to clients.
The most recommended measure for enterprise users is to change passwords for all major web-connected services. Taking this action also updates the authorization tokens that usually get compromised in an OpenSSL breach. Password management apps like LastPass work well for generating strong passwords, and you can even generate passwords in OS X on Mac computers.
Administrators should also ensure employees are not sharing passwords with people outside the company. Additionally, previously used passwords should not be reused, because if attackers gain access to one system, they can exploit other components running the same code.
Many frequently used web services let users enable two-step authentication, which adds an additional layer of verification by asking for a code delivered through a smartphone application or a text message.
Requiring a second credential from a device other than the main system in order to gain access may not eliminate every risk, but it makes the job much harder for people looking to grab your credentials. Two-factor authentication also works with enterprise social media tools such as Buffer and HootSuite.