April 24, 2014 | Leave a Comment
The Heartbleed vulnerability unequivocally demonstrates the impact a single vulnerability has on all organizations when keys and certificates are exposed. Cyber-criminals have unfettered access to the keys and certificates on vulnerable systems, without any trace. Researchers that identified the vulnerability sum up the impact simply, “any protection given by the encryption and the signatures in the X.509 certificates can be bypassed” (Heartbleed) You must assume all keys and certificates are compromised and immediately replace them to remediate. Unfortunately, most organizations cannot!
The vulnerability is not limited to webservers, it impacts any system running OpenSSL 1.0.1 – 1.0.1f. This includes mail servers, chat servers, VPN’s, network appliance, client software, VOIP phones and more. Hundreds of software applications from security vendors have already confirmed their software as being susceptible to the Heartbleed vulnerability.
Next-Generation Trust Protection for Next-Generation Threats
Venafi Trust Protection Platform provides holistic remediation from the Heartbleed vulnerability. Via TrustAuthority and TrustForce, organizations are able to quickly identify any system susceptible to the Heartbleed vulnerability, regardless if it is a publicly facing web server or on the internal network and remediate.
Venafi TrustAuthority can quickly identify systems impacted by the Heartbleed vulnerability, establish how many keys and certificates are in use, where they are used, and who is responsible for them. Once TrustAuthority defines a comprehensive inventory of all X.509 certificates, they need to be replaced.
Venafi TrustForce uses lightweight agent and agentless technologies to automate complex activities, including rekeying and recertification, for which manual processes might open vulnerabilities. With TrustForce, the remediation of keys and certificates is completely automated and secure.
The following step-by-step process outlines how organizations can automate remediation of the Heartbleed vulnerability using both TrustAuthority and TrustForce with the Vulnerability Remediation Plugin.
Using TrustAuthority, identify any server that may be susceptible to the Heartbleed vulnerability. This can be achieved by scanning both your internal and public networks.
Once vulnerable systems have been identified, patch them by upgrading to OpenSSL 1.0.1g OR recompile the OpenSSL library with the OPENSSL_NO_HEARTBEATS flag
Identify keys and certificates that need to be fixed based on knowledge of vulnerable applications.
As you review results from various search types, you can select certificates individually or in groups.
The generation of keys and X.509 certificates is automated via the Work Queue. However, prior to initiating a Work Queue, it is critical to make sure that a new private key is generated to remediate further compromise as a result of the private key being stolen via the Heartbleed vulnerability.
From within the Policy tree under a policy object or certificate object ensure that your certificate does not have the “Reuse Private key” option selected.
Step 4 – 5:
Using TrustAuthority and TrustForce together, the new private key generation, CSR, secure distribution, installation and revocation process for certificates is all performed automatically via the Work Queue. For organizations that only have TrustAuthority, the secure distribution and installation is manual.
Step 6 – 8:
Once all publicly facing servers susceptible to the Heartbleed vulnerability are remediated by patching OpenSSL and replacing the private key and certificates, steps 1 – 5 should be repeated for all internal servers impacted by the vulnerability.
Validation of the Heartbleed remediation is critical to success. For this you should validate all keys and certificates are replaced, detect anomalies and alert the organization on any related security events at least every 24 hours.
Contact Venafi to help accelerate your Heartbleed remediation.
By Gavin Hill
Director, Product Marketing and Threat Intelligence
April 23, 2014 | Leave a Comment
Here at Dropbox, keeping your stuff safe isn’t just part of our mission; it’s our top priority. As part of that, we’ve been engaging with the Cloud Security Alliance (CSA), a not-for-profit organization that promotes and provides education around cloud security best practices. Today, we’re excited to announce that we’ve officially joined as a member!
The partnership is already off to a great start — we enjoyed participating in CSA’s most recent conference, SecureCloud 2014, held in Amsterdam earlier this month. It featured keynotes by some well-respected security folks, like Neelie Kroes, Vice President of the European Commission, and Prof. Udo Helmbrecht, Executive Director of ENISA. Some of the best discussions we took part in were around the maturity of cloud security certifications, the evolution from periodic audits to continuous compliance monitoring, the harmonization of data protection legal frameworks in Europe, and the simplification of the due diligence process of cloud services.
We look forward to working with other CSA members to promote trust in cloud services and to share best practices for protecting users’ privacy and security. Stay tuned!
April 22, 2014 | Leave a Comment
Organizations—from service providers, banks, and retailers to government agencies—were recently blindsided by the Heartbleed bug, a critical vulnerability in the OpenSSL cryptographic software library, which underlies trust for secure transactions worldwide. Attackers wasted no time exploiting the vulnerability, which allows them to extract private Secure Socket Layer (SSL) keys with absolute ease. They can read any of the sensitive information that customers have entrusted to the organization’s now-compromised security. To protect their data and their customers, organizations had to respond even more quickly than attackers. They had to assess their vulnerability, determine which systems were using OpenSSL certificates, and then take the steps necessary to re-establish trust, including updating OpenSSL, replacing certificates, and generating new keys.
Unfortunately, most organizations are ill-equipped to respond to trust-based vulnerabilities and threats—especially in such an abbreviated timeframe. As noted in a study by the Ponemon Institute, most enterprises have as many as 17,000 certificates but few control and secure those certificates, making it difficult for their IT security teams to find and replace vulnerable certificates. As a Chief Information Security Officer (CISO) with over 25 years’ experience in IT security, compliance and identity management; with many of those years as an executive leader, I have spent a lot of time analyzing why companies aren’t protecting their precious cryptographic assets and how they can improve their security practices.
The oversight, I think, stems mainly from lack of awareness. Most organizations simply do not realize the extreme danger trust-based attacks pose. For many years, organizations have focused almost entirely on defense in-depth as a way of ensuring confidentiality, integrity, and availability (CIA). They rely heavily on Intrusion Detection System (IDS)/Intrusions Protection System (IPS) solutions to protect their systems and data from attacks. As effective as IDS/IPS solutions can be in mitigating attacks, many of these solutions cannot see into encrypted traffic, making it difficult, if not impossible, for them to detect attacks that exploit certificates and keys.
Many organizations also fail to understand the importance of protecting their SSH keys—leaving them open to the same type of abuse Edward Snowden used to breach security at the U.S. National Security Agency (NSA). SSH keys are a particularly easy target because SSH keys don’t expire and most enterprises don’t rotate their SSH keys. Further compounding their vulnerability, many organizations fail to track who has access to SSH keys. When administrators leave the company, they all too often take SSH keys with them, giving them ongoing privileged access to the organization’s systems.
With the sharp increase in trust-based attacks, organizations must modify their traditional CIA security models to include securing their certificates and keys. After all, certificates and keys are used to ensure confidentiality, permitting only authorized recipients to view protected data. If an attacker compromises a certificate or key, that confidentiality is no longer assured. And any IT security professional charged with ensuring availability must understand: controlling the keys and certificates on which systems rely prevents costly outages.
Organizations must take into account the critical role cryptographic assets play in ensuring confidentiality and availability because they can no longer afford to be blindsided by trust-based attacks. In my years as an IT security professional, I have assembled best practices for securing certificates and keys–practices that ensure that the trust organizations and their customers place in these vital assets is well-founded. Organizations must inventory their certificates and keys so that when a vulnerability is discovered, they can accurately assess their risk exposure. They must have policies and automated solutions for rotating keys so that they can quickly close the vulnerability. They must also be able to monitor the use of SSL and SSH keys so that they can detect suspicious behavior that flies under the radar of traditional IDS/IPS solutions.
In future blogs, I’ll give you in-depth insight into each of these practices, keep you up-to-date on the latest trust-based exploits, and help you discover the best ways to protect yourself. In addition, I will throw in some blogs on leadership, competency focus areas and ideas on staffing security roles—which I know is always a challenge!
I am looking forward to having you join me each month!
Tammy Moskites, Venafi CISO
April 17, 2014 | Leave a Comment
The Tie Between Cloud App Enterprise-Readiness Score and Heartbleed Remediation: 7 Steps You Need to Take Now
April 17, 2014 | Leave a Comment
Krishna Narayanaswamy, Netskope Chief Scientist
The Heartbleed Bug is a serious vulnerability for websites around the world. Many enterprise cloud and SaaS apps were also impacted. While most app vendors have remediated their systems, some remain vulnerable.
Netskope researchers have been scanning more than 4,500 such apps throughout the past week and maintaining a daily countdown to remediation.
One observation we have made in the course of this analysis is the connection between remediation status and enterprise-readiness in the Netskope Cloud Confidence Index (CCI). The CCI is an index and measure of cloud apps’ enterprise-readiness based on 34 objective criteria in the areas of security, auditability, and business continuity adapted from the Cloud Security Alliance. We assign each app a 0-100 score, and then group scored apps into levels: “Excellent,” “High,” “Medium,” “Low,” and “Poor.”
The Tie Between Quality and Remediation
After six days of reporting on the remediation status of the apps in the CCI, our observation is that high-scoring apps remediate their systems to a greater degree than low-scoring ones. On day one of our analysis (April 10), all of the affected apps that are rated “Excellent” had already been remediated, and only a handful of “Highs” were left to go. At that time, the lower you looked on the enterprise-readiness scale, the greater the portion of apps were vulnerable. Over the six days, apps of all enterprise-readiness levels remediated their systems, but at the end of six days, nearly all of the enterprise-ready apps have been remediated, while the non-enterprise-ready apps have not remediated to the same degree.
Looking at it another way, at day six, more than half of the enterprise cloud apps that remediated in the first six days were considered enterprise-ready (rated “High” or “Excellent” in the CCI). In contrast, 88 percent of the remaining vulnerable apps are not enterprise-ready.
Why Does This Matter?
It’s a bit of a no-brainer that higher-quality apps should remediate their systems more quickly than lower-quality ones. So why are we pointing this out? Here’s why: If organizations knew all of the apps they had running in their environments, this wouldn’t be a big deal. They could curtail usage, educate their users, and approach the vendors in question.
However, our data tell us that organizations have between 400-500 enterprise cloud apps running, only about 10 percent of which they know about. Anecdotally, the ones they know about are typically of higher quality, such as Box, Salesforce, and Okta, which are sanctioned by IT. So if vulnerable apps tend to be low on the enterprise-readiness scale, and IT doesn’t know which low-quality apps are running, then the organization can’t take measures to remediate Heartbleed, much less protect against future vulnerabilities. And that’s a problem.
What Should You Do?
To protect yourself from Heartbleed and future vulnerabilities, you should:
1. Discover all of the cloud apps running in your environment.
2. Measure the apps’ enterprise-readiness against an objective yardstick (CSA’s Cloud Controls Matrix is a great starting point, and there are also vendors, including Netskope, who perform this service free of charge).
3. Compare the discovered apps against the list of remaining vulnerable apps and take steps to curtail usage or introduce countermeasures.
4. Beyond the apps affected by Heartbleed, review all of the low-scoring apps and determine whether they’re business-critical.
5. For non-critical apps, help users migrate to more appropriate apps.
6. For critical apps, work with your app vendor to introduce enterprise capabilities and develop a plan to remediate vulnerabilities.
7. Adopt a process to continuously discover and gain visibility into the cloud apps in your environment, including the unsanctioned ones, as they change frequently.
Netskope™ is the leader in cloud app analytics and policy enforcement. Only Netskope eliminates the catch-22 between being agile and being secure and compliant by providing complete visibility, enforcing sophisticated policies, and protecting data in cloud apps. The Netskope Active PlatformTM performs deep analytics and lets decision-makers create policies in a few clicks that prevent the loss of sensitive data and optimize cloud app usage in real-time and at scale, whether IT manages the app or not. With Netskope, people get their favorite cloud apps and the business can move fast, with confidence.
2014 Netskope, Inc. All rights reserved. Netskope is a registered trademarks and Netskope Active, Netskope Discovery, Cloud Confidence Index, and SkopeSights are a trademarks of Netskope, Inc. All other trademarks are trademarks of their respective holders. 04/14 RS-19-1
April 15, 2014 | Leave a Comment
By Zulfikar Ramzan, CTO, Elastica
The entire internet security community was up in arms on Monday as a devastating new bug, Heartbleed was discovered in OpenSSL, the most widely deployed cryptographic function on the web. Google’s security team discovered the malicious bug. Since then OpenSSL has released a patch for it and issued a security advisory.
So how does Heartbleed operate? Elastica’s CTO Dr Zulfikar Ramzan explains. Click here to watch a video on Heartbleed.
Heartbleed takes advantage of a subtle, yet highly critical programming mistake in OpenSSL versions 1.01 and 1.02 beta. Systems running these vulnerable versions of OpenSSL can be easily attacked and your confidential data can be accessed.
What is Heartbeat?
Heartbeat is an extension to the TLS protocol. It allows you to keep a TLS session up and running even though no real data has gone through it in a while. It does so by sending a simple message called a Heartbeat request. This request basically helps keep a session alive between a client and a server even if there is no real activity. The Heartbeat request is sent by one computer to another with some request data that includes a payload and the size of that payload. The computer responding to a Heartbeat request will contain the same payload information.
How the Attacker Can Steal Confidential Data
The attacker will craft a special Heartbeat request with a little bit of data and information about how much data is in the request. The attacker can craft this request in a very malicious fashion. The attacker could send a payload that is very short, say just 1 byte. But instead of saying it’s just 1 byte, the attacker will lie and say it has 65,536 bytes. The code that handles the Heartbeat extension within the OpenSSL library will copy this payload that the attacker provided into its memory. As part of the response it will copy the data back out from its memory and send back a Heartbeat response to the attacker.
However, rather than checking the actual size of the payload the Heartbeat code just uses the value specified in the request. And this is a mistake. Instead of verifying if the actual size is consistent with what the requester put in, OpenSSL blindly uses the value that was included in the request. But this value could be bogus. It could be completely wrong. So what happens in this case? OpenSSL locates the starting location where it stored the payload in its memory and then copies the next 65,536 bytes as part of the response. The first byte is the actual payload that the attacker specified in his request. The remaining 65,535 bytes are the bytes that were stored in the memory of OpenSSL. And these bytes are returned to the attacker. Now suddenly the attacker sees an additional 65,535 bytes that were stored in the memory of OpenSSL, which should not have been sent to him.
What Makes the Attack Extra Potent?
Keep in mind that OpenSSL is meant to provide security for sensitive data. So the attacker has access to confidential data, passwords, or even the keys that SSL uses to encrypt and decrypt data going back and forth to you. And if an attacker has these keys he can not only decipher any further traffic, but also potentially read any past traffic that he may have recorded.
What makes this attack particularly potent is that it can be done without leaving a trace and it can be done multiple times to get different sets of data from OpenSSL’s memory. It is entirely possible that someone may have implemented this attack all along, but we just didn’t know about it!
April 15, 2014 | Leave a Comment
April 14, 2014 | Leave a Comment
By KEVIN BOCEK, VP, SECURITY STRATEGY & THREAT INTELLIGENCE, VENAFI
Attacks on digital certificates and trusted connections drive FTC to action
Recognizing that the trust established by Secure Sockets Layer (SSL) and digital certificates plays an important role in everyday life, the US Federal Trade Commission (FTC) brought charges against Fandango and Credit Karma for failing to protect this trust. Both companies failed to validate digital certificates used for SSL/Transport Layer Security (TLS) connections in their mobile applications. The FTC acknowledged that these failures allow attackers to circumvent the trust established by digital certificates and gain access to users’ confidential personal and financial information. Once this trust is compromised, attackers can redirect traffic to an untrusted site, and the users’ applications cannot detect that traffic has been diverted. Ironically, digital certificates and SSL/TLS secure connections are designed to thwart these Man-in-the-Middle (MiTM) attacks.
The FTC illustrates how a comprised or fake digital certificate can be used for MiTM attacks against unsuspecting users.
The importance of the settlement is not that businesses must deal with another compliance requirement. Instead, the FTC is reinforcing the fact that securing the trust established by digital certificates is critical. The FTC’s action underscores what others have already found:
- Microsoft concluded that “PKI is under attack.”
- In its 2013 fourth quarter threat report, McAfee reported that malware that misuses digital certificates increased 52% over the third quarter.
Protecting trust is so important that no business or government can ignore it. A single compromised certificate or application that fails to validate certificates can make all the other security controls useless.
A fake certificate purporting to be for GoDaddy’s email service could allow an attacker to masquerade as GoDaddy if applications don’t check if a certificate is trusted.
Attacks on mobile applications that fail to validate digital certificates are nothing new. In an article published earlier this year, Netcraft reported that it had found dozens of fake digital certificates deployed across the Internet. Unlike many attacks using compromised digital certificates, the fake certificates that Netcraft found probably targeted users of mobile applications—40% of which, like Fandango’s and Mobile Karma’s applications, failed to validate the trust established by legitimate digital certificates. While the FTC has started its action with Fandango and Credit Karma, significantly wider holes in SSL and digital certificate security have been reported. In February 2014, for example, Apple patched Mac OS X and iOS because both failed to validate digital certificates for SSL/TLS—an issue that could have been exploited by MiTM attacks.
With Gartner predicting that 50% of network attacks will use SSL by 2017, enterprises must protect the trust established by digital certificates. The FTC provides some basic recommendations that all mobile developers should follow. In addition, developers should evaluate security, including the validation of digital certificates, with the help of a third party. Beyond this, organizations must secure and protect the keys and certificates that establish trust for mobile applications, web browsers, and the thousands of applications behind the firewall. Although every organization depends on these applications, they create a huge surface area of attack.
In response to the rise in attacks on keys and certificates, Forrester recommends that organizations:
- Gain visibility into threats. Only about half (52%) of organizations know how many keys and certificates are in use, how those keys and certificates are used, and who is responsible for them. You can’t control what you don’t know you have.
- Enforce policy to establish norms and detect anomalies. Once an organization has gained visibility into its key and certificate inventory, it can begin to enforce policies and establish a norm. This makes detecting anomalies easier, whether they’re accidental policy violations by a well-intentioned developer or a malicious attack.
- Automate key and certificate functions to gain control and reduce risk. A typical large enterprise has thousands of keys and certificates to secure and protect. Work smarter, not harder, by automating security for processes such as key generation, certificate requests, monitoring for changes and anomalies, and other related tasks. This automation not only streamlines and centralizes these tasks, but also helps to establish the necessary controls to reduce risk, shrink the threat surface of attacks, and help the organization respond to attacks faster. Automation and control are part of establishing a norm that can be monitored for possible anomalies and attacks.
- Analyze data to gain intelligence. Analysis of data gained from securing keys and certificates will provide a wealth of information and insight that can help to identify opportunities to reduce risk. By looking at the data generated, organizations can spot patterns of potentially suspicious activity or anomalies that require further investigation. Reports may also help identify keys and certificates that may be problematic, such as those that are about to expire or are no longer needed.
In line with these recommendations from Forrester, Venafi TrustAuthority enables organizations to quickly gain visibility, fix vulnerabilities, and establish policies for keys and certificates. Venafi TrustForceautomates key and certificate functions to further eliminate the opportunity for compromise and enable organizations to enforce policies and remediate security incidents. IT security teams must start by gaining visibility into how keys and certificates are used, fixing vulnerable certificates, and enforcing policies to protect the trust upon which their business depends—from their mobile applications back to the data center.
Mad Max Here We Come: Heartbleed shows how much we blindly trust keys and certificates (and take them for granted)
April 10, 2014 | Leave a Comment
KEVIN BOCEK, VP, SECURITY STRATEGY & THREAT INTELLIGENCE, VENAFI
The race is on to respond and remediate by replacing keys and certificates in use with millions of applications because patching won’t help.
The world runs on the trust established by digital certificates and cryptographic keys. Every business, every government. It’s the way the architects of the Internet solved the problem of securing data, keeping communications private and knowing a server, device, cloud is authenticated. Because keys and certificates provide the foundation for almost everything we know in our highly digital world, if you attack the trust established by keys and certificates then all our other security defenses become at best less effective. At worst completely ineffective. It’s why Forrester Research found: “Advanced threat detection provides an important layer of protection but is not a substitute for securing keys and certificates then that can provide an attacker trusted status that evades detection.”
We’re now seeing how a single vulnerability in OpenSSL named Heartbleed, present since 2011 and in use with tens of thousands of applications that make commerce and communications work online and offline, exposes keys and certificates to attack and compromise. Yes, it exposes the keys and certificates that every business and government use to bank, purchase, and communicate with online and offline. And it doesn’t require an attacker to breach firewalls and other security defenses! The Cryptopocalypse has arrived, and it’s probably much sooner and worse than researchers at Black Hat 2013 dreamed of.
The scope of the problem is massive: just one application that uses OpenSSL, Apache, is used to run 346M public websites or about 47% of the Internet today. And the problem is even larger since this doesn’t include the tens of millions of behind-the-firewall applications, devices, appliances, and things that run Apache and use OpenSSL. And it’s just one application that relies on OpenSSL.
The consequences of this vulnerability and exposure of keys and certificates is scary. Attackers can spoof trusted websites and decrypt private communications. Accomplish this and it’s game over, cybercriminals win.
Researchers that identified the vulnerability sum up the impact simply: “Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed.” You must assume keys and certificates are compromised and immediately replace them to remediate.
While the vulnerable code has been fixed, sadly most organizations will remain vulnerable. They are unable to change out their keys and certificates — the thousands of keys and certificates in every Global 2000 enterprise and modern government. The continued exposed vulnerability means attackers can spoof legitimate websites or decrypt private communications.
But, this isn’t the first attack of keys and certificate and it won’t be the last. We’ve seen APT groupsstealing keys and certificates, most recently the Mask APT group, breached organizations not remediating to change keys and certificates, and remaining owned by the attackers. The infamous Stuxnet attacks used stolen certificates to attack Iran nuclear facilities. And as a leaked NSA memo showed, Edward Snowden used compromised keys and certificates to execute his breach of the NSA. All of this and more is why back in December 2012 Gartner concluded: “Certificates can no longer be blindly trusted.”
Now Heartbleed. The success in using compromised keys and certificates has proven there will be only more attacks and more vulnerabilities. The value of IT security is measured in how fast security teams can respond and remediate – to create new, trusted and uncompromised keys, revoke current certificates, create new trusted certificates, and get them installed and trusted before they can be misused.
It’s not, as some have understood, about how can we setup a good process to optimize procedures and best practices. Nor is it just about patching software. The researchers that exposed Heartbleed further identified the requirements to remediate: “revocation of the compromised keys and reissuing and redistributing new keys.”
Respected John Hopkins cryptographer Matthew Green explained further: “It’s a nightmare vulnerability, since it potentially leaks your long term secret key — the one that corresponds with your server certificate. Worse, there’s no way to tell if you’ve been exploited. That means the prudent thing to do now is revoke your certificate and get a new one.”
Respond & Remediate Now Before It’s Too Late
The clock is on. Our adversaries know about these vulnerabilities. Following the example set by NIST’s guidance on responding to a CA compromise, remediation for keys and certificates can be simplified as:
- Know where all keys and certificates are located
- Revoke, replace, install, and verify keys and certificates with new ones
For organizations that do not have a system to identify all keys and certificates used with SSL — whether in the datacenter or out in the cloud — Venafi can help. Venafi TrustAuthority™ can quickly be deployed, establish a comprehensive inventory of keys and certificates, where they’re used, and who is responsible for the ones that to be replaced. This is followed by the revocation and replacement with new keys and certificates from one or many trust Certificate Authorities (CAs) used by your enterprise. TrustAuthority handles these complexities for security teams around the world every day. New organizations that now must respond to Heartbleed can be up, running, and back to a secured state quickly.
For organizations that already have Venafi TrustAuthority™ (previously known as Enrolment for Server Certificate Manager), security administrators already have the inventory of keys and certificates in use that need to replaced. Your TrustAuthority policy identifies the applications that keys and certificates are used with, including Apache systems. Security administrators, working with application owners, can quickly, securely and easily generate new keys and certificates from one or more of the trusted CAs used by organization. TrustAuthority can then validate that new keys and certificates are in use.
For organizations that have placed a priority on security and are using Venafi TrustForce™ (previously known as Provisioning for Server Certificate Manager), security administrators can quickly have new keys and certificates automatically generated and installed without waiting for assistance from application and operations teams. Using the data, intelligence, and policy from TrustAuthority, TrustForce securely distributes new keys and certificates, installs them, and validates the application is back up and running with the new trusted keys and certificates. This is the automated response and remediation that security teams need to deal with increasing attacks on keys and certificates.
Mad Max Here We Come: Heartbleed shows how much we blindly trust keys and certificates
The stage is set: attackers know that we can’t secure the trust that everything digital we know depends upon — we can’t secure keys and certificates and we can’t respond and remediate when attacked. The world Gartner painted — an almost Mad Max world — of “Living in a World Without Trust” is about to become reality if we don’t take securing keys and certificates seriously, and put automated capabilities in place to respond and remediate immediately. One thing is for certain: this won’t be the last time we’re in this same position and need to respond quickly.
Contact Venafi now to get help responding and remediating to Heartbleed and be ready for attacks to come on keys and certificates.
April 10, 2014 | Leave a Comment