Have You Budgeted for the Next Heartbleed?

May 15, 2014 | Leave a Comment

By Gavin Hill, Director/Product Marketing and Threat Intelligence, Venafi

Last month the Heartbleed vulnerability took the world by storm. IT groups across the globe scrambled to patch systems that were susceptible to the OpenSSL vulnerability known as Heartbleed. Y2K—the millennium bug—has been dwarfed in comparison to the impact the Heartbleed vulnerability has had on the world. Let’s face it, software has vulnerabilities and cybercriminals will take advantage of them. We can expect another “Heartbleed-like” vulnerability and should prepare—now. The question is, have you budgeted for it?

IT Security Budget

Have you considered the costs associated with responding to the Heartbleed vulnerability? I’m not talking about the financial impact from the theft of intellectual property or brand damage but the man-hours and salary costs to respond.

Before doing so, here’s a quick recap on the severity of the Heartbleed vulnerability:

  1. An attacker can steal keys and certificates without a trace.
  2. The stolen keys and certificates can then be used in trust-based attacks like phishing, man-in-the-middle (MITM), and replay attacks.
  3. The only way to remediate is to patch susceptible OpenSSL systems and replace all keys and certificates.
  4. Replacement of all keys and certificates is recommended, because you don’t know which systems—even non-OpenSSL ones—may have had keys and certificates stolen via stepping-stone attacks. You must assume all keys and certificates have been stolen!

The average large enterprise has in excess of 17,000 encryption keys and certificates. Consider the monumental task of changing all 17,000 encryption keys and certificates in an enterprise network. This task is especially burdensome, because most organizations manually manage their public key infrastructure (PKI) via spreadsheets or basic tracking software to detect expiring certificates. To replace a certificate on a system, an administrator needs to perform multiple manual steps:

  1. Generate a new key
  2. Issue a certificate signing request (CSR)
  3. Install the new key and certificate on the respective system
  4. Revoke the old certificate

The average large enterprise takes up to four hours to perform the necessary steps to replace a certificate on a single system. The median salary for a system administrator responsible for administering the PKI is U.S. $60,000. When extrapolating the cost to respond to the Heartbleed vulnerability, it costs the organization $115.00 per certificate. To replace 17,000 encryption keys and certificates it will cost your organization $1.95 million—in labor costs alone!

And 17,000 keys and certificates is a moderate estimate for the average enterprise network. At Venafi, we have customers that have replaced all of their keys and certificates within their networks and this equaled hundreds of thousands of keys and certificates per customer.


It seems that the world is still very much in a vulnerable state. Research published by Netcraft shows that 86% of public websites susceptible to compromise from the Heartbleed vulnerability have not correctly been remediated.

Last month, I published a blog detailing how any organization can use Venafi Trust Protection Platform to expedite and automate the remediation of Heartbleed and drastically reduce the response time from hours to minutes. You can read about it here.

By using Venafi TrustAuthority™, organizations can quickly identify systems impacted by the Heartbleed vulnerability and then determine how many keys and certificates are in use, where they are used, and who is responsible for them. Venafi TrustForce™ enables automated remediation of keys and certificates. This includes the installation and validation on impacted systems.

Whether you were impacted by Heartbleed or preparing to defend against the next crippling vulnerability, now is the time to implement a solution that enables your organization to quickly and efficiently replace all keys and certificates. Can you really afford not to?

Related resources:


Be the first to comment on this post!

Leave a Comment