One Year Later, Heartbleed Still Kicking

One year ago, news broke about Heartbleed, a bug in OpenSSL, the widely used open-source SSL/TLS library. A missing bounds check in OpenSSL's TLS heartbeat extension let an attacker read chunks of a server's memory, which could include its private keys. The headlines were dire, and the advice confusing (Change your password! No, that won't work!), but eventually the panic died down.

It turns out, however, that most businesses didn't exactly do the most thorough Heartbleed clean-up job. As of this month, most Global 2000 organizations have "failed to completely remediate Heartbleed," according to a report from Venafi Labs.

That's not to say they ignored Heartbleed; they just "failed to take all the necessary steps" to fully wipe it from systems, Venafi said.

As of August 2014, about 76 percent of Global 2000 firms were still vulnerable to Heartbleed, and little progress has been made since then. As of April 2015, the figure is down only to 74 percent, "leaving almost 3 in every 4 of these companies open to breach," Venafi said.

At issue are the SSL/TLS private keys and certificates that prove a website or system is who it claims to be; patching OpenSSL stops the memory leak, but it does nothing about keys that may already have been read out while the server was vulnerable. "If SSL keys and certificates could be compromised, websites would be spoofed for phishing attacks and encrypted communications decrypted via man-in-the-middle tactics resulting in customer data loss and intellectual property theft."

In August, one of the biggest hospital operators in the US, Community Health Systems, fell victim to a breach that Venafi said was carried out by exploiting Heartbleed and unprotected keys.

In the wake of Heartbleed, experts warned that all SSL keys and certificates on affected systems needed to be replaced. But that didn't happen. "Organisations have either given up on properly replacing keys and certificates, most likely not grasping the full risk exposure this creates, or do not have the knowledge to understand how to complete remediation," Venafi said.

Venafi said it found 580,000 hosts that were patched against Heartbleed but had not replaced their private keys or revoked their old certificates. Only about 92,000 hosts (15 percent) completed every step needed to wipe out Heartbleed.

Complicating matters is that the average Global 2000 organization has about 24,000 keys and certificates, and 54 percent don't even know where all of them are located, Venafi said.

Broken down by country, Australia is the worst off: only 16 percent of its Global 2000 companies are fully remediated. In the U.S., about 59 percent of Global 2000 companies remain vulnerable.

What can be done? Venafi recommended that companies locate all of their keys and certificates, generate new private keys, obtain and install new certificates, revoke the old certificates, and test that the replacements actually work. The order matters: the OpenSSL patch has to be in place before the new keys are installed, or the replacements can leak the same way the originals did, and a certificate reissued from the old key (for example, by resubmitting the old CSR) leaves the exposed key in service even though the certificate looks new.
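The checks that procedure implies, turned into an inventory audit, as an added example (this is not code from the article or from Venafi, and the host records, dates and key material are constructed for illustration): a host counts as remediated only if OpenSSL is patched, the served certificate was issued after disclosure, the served public key actually changed, and the old certificate was revoked. The first failing check names the gap to close next.

```python
"""Heartbleed remediation audit over a host inventory.

Added example (not from the article, and not Venafi's tooling). It encodes the
four checks implied by the remediation advice above: OpenSSL patched, the
certificate reissued after disclosure, the private key actually regenerated
(served public key changed), and the old certificate revoked. All host records
and key material below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
import hashlib

# Public disclosure of CVE-2014-0160. Keys served by vulnerable hosts before
# they were patched must be assumed exposed, so certificates must postdate this.
HEARTBLEED_DISCLOSED = date(2014, 4, 7)


def spki_fingerprint(public_key_pem: str) -> str:
    """SHA-256 over the base64 body of a PEM public key.

    Real tooling hashes the DER SubjectPublicKeyInfo, e.g.
    openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | sha256sum
    Hashing the PEM body is equivalent for deciding whether two keys are the
    same, and keeps this example offline.
    """
    body = "".join(
        line.strip() for line in public_key_pem.strip().splitlines()
        if not line.startswith("-----")
    )
    return hashlib.sha256(body.encode("ascii")).hexdigest()


@dataclass
class HostRecord:
    host: str
    openssl_patched: bool      # OpenSSL updated to a non-vulnerable build
    key_before: str            # public key served while the host was vulnerable
    key_now: str               # public key served today
    cert_not_before: date      # notBefore of the certificate served today
    old_cert_revoked: bool     # pre-patch certificate revoked at the CA


FULLY_REMEDIATED = "fully remediated"


def remediation_status(r: HostRecord) -> str:
    """Classify one host; the first failing check names the gap to close next."""
    if not r.openssl_patched:
        # New keys installed on a still-vulnerable server can leak again.
        return "unpatched"
    if r.cert_not_before < HEARTBLEED_DISCLOSED:
        return "patched, certificate not reissued"
    if spki_fingerprint(r.key_before) == spki_fingerprint(r.key_now):
        # Pitfall: certificate reissued from the old CSR, so the exposed key lives on.
        return "patched, certificate reissued but private key reused"
    if not r.old_cert_revoked:
        # The old certificate still validates the old (possibly stolen) key until it expires.
        return "patched, key rotated, old certificate not revoked"
    return FULLY_REMEDIATED


def summarize(records):
    """Return (counts by status, percent of hosts fully remediated)."""
    counts = {}
    for r in records:
        s = remediation_status(r)
        counts[s] = counts.get(s, 0) + 1
    pct = 100.0 * counts.get(FULLY_REMEDIATED, 0) / len(records) if records else 0.0
    return counts, pct


def _pem(label: str) -> str:
    # Constructed stand-in for a PEM public key; not real key material.
    return f"-----BEGIN PUBLIC KEY-----\n{label}\n-----END PUBLIC KEY-----\n"


# Constructed inventory covering each state the checks can produce.
INVENTORY = [
    HostRecord("shop.example", False, _pem("KEY-A"), _pem("KEY-A"), date(2013, 9, 1), False),
    HostRecord("mail.example", True, _pem("KEY-B"), _pem("KEY-B"), date(2013, 11, 20), False),
    HostRecord("vpn.example", True, _pem("KEY-C"), _pem("KEY-C"), date(2014, 4, 10), True),
    HostRecord("api.example", True, _pem("KEY-D"), _pem("KEY-D2"), date(2014, 4, 12), False),
    HostRecord("www.example", True, _pem("KEY-E"), _pem("KEY-E2"), date(2014, 4, 9), True),
]

if __name__ == "__main__":
    for rec in INVENTORY:
        print(f"{rec.host:15} {remediation_status(rec)}")
    counts, pct = summarize(INVENTORY)
    print(f"fully remediated: {pct:.0f}%")
```

The "certificate reissued but private key reused" state is the one a date-only check misses: vpn.example's certificate postdates disclosure, yet it still carries the key that was served while the host was vulnerable. Comparing the served public key before and after is what catches it, which is why the audit records both.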

Heartbleed Remediation

About Chloe Albanesius