With the media no longer focusing on the Heartbleed vulnerability, most people think that organizations have adequately addressed the problem, and the threat has passed. Because most people don’t understand the full impact of Heartbleed, however, they don’t realize that the fallout from this one vulnerability is likely to continue, not just for weeks but possibly for months to come.
The problem is that most organizations responded to the Heartbleed vulnerability tactically, just as they would respond to any known vulnerability: they identified the systems using OpenSSL and patched them. These organizations did not understand that the Heartbleed vulnerability undermines the very trust on which every business and government relies to secure its data. It gives hackers privileges that they can use to compromise other, seemingly secure systems. Because most organizations didn’t understand the “big picture,” they failed to fully remediate the problem. They did not revoke and replace all of their digital certificates, leaving their systems vulnerable to ongoing trust-based attacks.
Unfortunately, I don’t believe the Heartbleed vulnerability is an isolated incident. Malicious attackers recognize the value of targeting digital assets, which is why trust-based attacks have significantly increased over the last several years. These malicious actors will continue to look for and target trust-based vulnerabilities, so organizations should not be wondering if another Heartbleed will occur; they should be preparing now to respond more quickly when the next event occurs.
Organizations that took a tactical approach to addressing the Heartbleed vulnerability (simply patching the systems they thought were affected) will be ill-prepared for the next trust-based crisis. Because these organizations don’t yet understand the danger of trust-based attacks, they will continue to focus on what they perceive is the greatest danger on the cyber-security landscape—Advanced Persistent Threats (APTs)—and rely solely on traditional security tools such as packet-inspection tools and Intrusion Detection System/Intrusion Protection System (IDS/IPS) solutions to protect their environment. All of which are inadequate against trust-based attacks. They will not realize that trust-based attacks are all too often the key component of APTs. Therefore, any security solution that does not detect and mitigate trust-based attacks is inadequate. Despite what some security vendors claim, detecting and remediating trust-based vulnerabilities such as Heartbleed requires more than just monitoring traffic and patching systems. Organizations must have a solution that inventories all certificates and digital keys in use on the network, detects anomalous usage, and helps administrators swiftly revoke and replace all certificates.
This is, of course, exactly what Venafi does best. In talking to our customers using Venafi TrustAuthority™ and TrustForce™, we found that these customers were able to respond quickly to Heartbleed, identifying susceptible systems, revoking and replacing all their certificates, as recommended by Gartner. When their Chief Executive Officers (CEOs), Chief Information Officers (CIOs), and even the Board of Directors asked, “What are you doing about this problem?” the Chief Information Security Officers (CISOs) at these organizations were able to say with complete confidence, “We have successfully remediated Heartbleed with Venafi. We have identified and patched all systems impacted, replaced private keys with new ones and issued new certificates.”
As more events such as the Heartbleed vulnerability occur, trust is going to become a top-of-mind issue for all CISOs. Protecting trust will quickly evolve from a nice-to-have to a must-have. Organizations are going to have to know where all the keys and certificates are in their environment, and they are going to have to have the agility to react to trust-based threats almost immediately. Organizations ignorant of the threat posed by trust-based attacks—organizations without a solution to combat these attacks—are going to struggle again and again.
However, CISOs who understand what hackers are looking for when they exploit a vulnerability like Heartbleed—those ever-so-critical keys and certificates—can rise above the struggle. When I meet with customers to discuss the challenges of trust-based attacks, I’ve often seen them experience a kind of “light bulb” moment, as they realize that they have to go beyond removing malware and beyond patching vulnerabilities. They have to restore the trust that the hackers compromised. I joined Venafi because I love being part of these “light bulb” moments. And I love being able to reply, when customers ask how they can possibly revoke and renew thousands or even tens of thousands of keys and certificates, that Venafi has a solution.
Tammy Moskites, Venafi CISO