In 2014, businesses learned about a security vulnerability that could jeopardize their internal documents and their customers’ personal and financial information. The Heartbleed bug was unique, in that it wasn’t a virus that inflicted a single, obvious attack that could be easily identified. Instead, it leaked security keys, passwords, content, historical data – all kinds of information that could open the door to hackers everywhere.
One year later, and three out of four businesses are still at risk of being harmed by the Heartbleed bug. That’s why IT departments should be working quickly to identify and remediate vulnerabilities.
Follow the steps
Erik Heidt, research director for Gartner, recommended three steps for safeguarding against Heartbleed. But he noted that some IT departments were being “lazy” and simply rotating certificates, instead of creating new ones. If hackers have access to your encrypted traffic, you need to start over – rotating certificates won’t protect you.
On June 8, cybersecurity company Venafi released the results of its 2015 RSA Conference survey. The results show that many IT professionals are lacking the knowledge needed to defend against a Heartbleed-style attack. The survey found:
- Only 8 percent of respondents would replace compromised keys and certificates, following a breach
- Only 43 percent of respondents said they were using a key management to protect keys and certificates
- 38 percent of respondents either don’t know how to detect or can’t detect compromised keys and certificates
- 64 percent of respondents said they would not be able to respond to attack on SSH keys within 24 hours
SSH keys are how virtual servers identify trusted remote computers, and they never expire. Criminals who are able to access your SSH keys could infiltrate and control your systems until such time they are detected.
Testing and training
One way to test your vulnerability is to try to hack into your own system from the outside. That’s what Finnish security company Codenomicon did last year. Codenomicon – the firm that discovered Heartbleed – found it could hack its own services externally and steal sensitive information.
Companies that want to defend against sophisticated attacks would be wise to pay for additional training for their IT security professionals. You can find plenty of training opportunities that will help your staff react quickly to a data breach.
Lifeline Data Centers has the expertise to detect hacker infiltration and act immediately to remedy it. That’s why so many businesses – including medical organizations – trust us to keep their data secure. Schedule a tour today, or give us a call to ask how we can help you.