The Internet – and every company that uses it – is currently facing one of the most serious security flaws in its history.
Think that’s hyperbole? Here’s what renowned security expert Bruce Schneier, not known for overstating things, recently said about the bug: “‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”
Here’s what we currently know – from the website dedicated to providing information on the vulnerability:
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”
Scary stuff and potentially devastating for any company, or website, that is running one of the more than half a million servers that are potentially affected.
The bug (CVE-2014-0160) sits in OpenSSL’s handling of the TLS heartbeat extension: a vulnerable server trusts the length field in a heartbeat request and echoes back that many bytes of its own memory, up to 64 KB per request, with no authentication and nothing written to its logs. Whatever happens to be in that memory – session cookies, user names and passwords, or the server’s private key – goes to the attacker. With hijacked user credentials or a stolen private key, the attacker can then log in as a legitimate user or impersonate the service itself and gain remote access to the servers and assets behind it. Patching OpenSSL (1.0.1 through 1.0.1f are affected; 1.0.1g fixes it) stops further leaks, but it does not undo the ones that already happened: keys and certificates on exposed hosts should be reissued and revoked, and passwords and sessions reset, on the assumption that they were read.
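To make the mechanism concrete, here is a small simulation of the heartbeat handler, written for this post rather than taken from OpenSSL. It lays out a heartbeat request in a constructed block of “process memory” (a 4-byte payload whose length field lies, followed some way further on by a constructed secret string standing in for a key or password), then runs it through a handler that keeps the shape of the original bug and through one that adds the bounds check OpenSSL’s patch added. Buffer sizes, the secret and the `run_heartbeat` helper are this example’s own assumptions; the record layout (type, 2-byte payload length, payload, at least 16 bytes of padding) is the one RFC 6520 specifies.

```c
/* Added example for this page (not OpenSSL's code): a simplified model of the
 * TLS heartbeat handling behind Heartbleed (CVE-2014-0160). Record layout follows
 * RFC 6520: 1 byte type, 2 bytes payload_length, payload, >= 16 bytes padding.
 * Both handlers are written for this page; the vulnerable one keeps the shape of
 * the original bug, the fixed one adds the bounds check from the OpenSSL patch. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
#define MEM_SIZE         (65535 + 64)          /* no claimed length can escape the model */
#define RESP_SIZE        (3 + 65535 + HB_PADDING)
#define SECRET_OFFSET    64                    /* where the "adjacent" secret lives */

/* Constructed stand-in for a private key or password sitting elsewhere on the heap. */
static const char SECRET[] = "SECRET:admin:hunter2";

static unsigned char g_mem[MEM_SIZE];          /* constructed "process memory" */
static unsigned char g_resp[RESP_SIZE];        /* outgoing heartbeat response */

/* Lay out a heartbeat request whose real payload is 4 bytes ("ping") but whose
 * length field says claimed_len. Returns the record length the TLS record layer
 * actually received (header + 4 + padding), which is what a handler must trust. */
static size_t build_record(uint16_t claimed_len)
{
    const char payload[] = "ping";
    size_t n = 0;
    memset(g_mem, 0, sizeof g_mem);
    g_mem[n++] = TLS1_HB_REQUEST;
    g_mem[n++] = (unsigned char)(claimed_len >> 8);      /* attacker-controlled */
    g_mem[n++] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_mem + n, payload, sizeof payload - 1);
    n += sizeof payload - 1;
    n += HB_PADDING;                                     /* padding, left zeroed */
    memcpy(g_mem + SECRET_OFFSET, SECRET, sizeof SECRET); /* well past the record */
    return n;
}

/* Shared response builder: echoes `payload` bytes starting at p into g_resp. */
static size_t write_response(const unsigned char *p, uint16_t payload)
{
    unsigned char *bp = g_resp;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);          /* the over-read happens here when payload lies */
    bp += payload;
    memset(bp, 0, HB_PADDING);
    return (size_t)(bp - g_resp) + HB_PADDING;
}

/* Vulnerable: the peer-supplied length field is trusted, record_len is ignored. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len)
{
    (void)record_len;                                    /* never consulted: the bug */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return write_response(rec + 3, payload);
}

/* Fixed: same logic plus the patch's check, which drops any request whose
 * claimed payload (plus header and padding) does not fit the received record. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t record_len)
{
    if (record_len < 1 + 2 + HB_PADDING) return 0;       /* too short to be a heartbeat */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > record_len) return 0;  /* silently drop */
    return write_response(rec + 3, payload);
}

/* Does the response carry the secret? (what an attacker would grep the dump for) */
static int leaks_secret(const unsigned char *resp, size_t len)
{
    size_t nl = strlen(SECRET);
    for (size_t i = 0; i + nl <= len; i++)
        if (memcmp(resp + i, SECRET, nl) == 0) return 1;
    return 0;
}

/* Send one request with the given claimed length through either handler.
 * Returns the response length (0 = request rejected) and sets *leaked. */
size_t run_heartbeat(uint16_t claimed_len, int use_fix, int *leaked)
{
    size_t record_len = build_record(claimed_len);
    memset(g_resp, 0, sizeof g_resp);
    size_t n = use_fix ? heartbeat_fixed(g_mem, record_len)
                       : heartbeat_vulnerable(g_mem, record_len);
    *leaked = leaks_secret(g_resp, n);
    return n;
}

int main(void)
{
    int leaked;
    size_t n = run_heartbeat(0x4000, 0, &leaked);   /* claims 16 KB, sends 4 bytes */
    printf("vulnerable: %zu-byte response, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_heartbeat(0x4000, 1, &leaked);
    printf("fixed:      %zu-byte response, secret leaked: %s\n", n, leaked ? "yes" : "no");
    return 0;
}
```

The check in `heartbeat_fixed` is the whole patch in spirit: one comparison of the claimed length against the length the record layer really delivered. Note that a well-formed request (claimed length 4) gets the same 23-byte answer from both handlers, which is why the bug went unnoticed for so long; only a lying length field tells them apart.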
Heartbleed is a nuclear reminder of why the credentials for sensitive assets should never be handed out to users in the first place: a password a user never sees cannot be typed into a form, cached in a browser session, or read out of a web server’s memory. Companies need to isolate, control and monitor privileged access to all enterprise assets, with the credentials themselves kept in a vault and injected into sessions on the user’s behalf. Additionally, limitations on access should be enforced, such as dual control, which requires a second person’s approval before a remote connection is established. This makes it much harder for an attacker to turn hijacked user credentials into a live session on a critical system.