The Bleed Goes On

It seems like forever ago that we learnt of the Heartbleed Bug, a serious vulnerability found in the backbone of network privacy – OpenSSL. The news came in a zero-day perfect storm – a public vulnerability and exploit without any means to fix it. We lacked preparation, not knowing where OpenSSL was deployed or how to fix it. Countless software manufacturers took what seemed an eternity to assess their implementations, advise customers of their exposure, and develop patches to close the loophole.

The “zero-day” took weeks. Many grew tired of the cycles of discovery, planning, and deployment. The response took its toll – leaving the job undone.

The majority – it appears – stopped once systems had been patched. A key step was left out: replacing the private keys and certificates that may have been read out of memory while the servers were exposed – the information disclosure risk that started it all.

According to Venafi, the public-facing systems of 74 percent of Global 2000 companies remain vulnerable, still running on PKI certificates and keys that predate the fix. Let’s stop the bleeding and get the job done!
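The remediation check the post is asking for can be automated. The following Go program is an added example, not code from the original post or from Venafi: it treats any certificate whose validity period began before the Heartbleed public disclosure date (7 April 2014) as needing reissue, and it also checks that a renewed certificate actually carries a new key pair, because a certificate reissued over the same private key does nothing to remove the exposure. The certificates it inspects are throwaway self-signed ones it generates itself (constructed sample data); in practice you would feed it the certificates pulled from your own public-facing hosts. The host names and the `newSelfSigned` helper are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// HeartbleedDisclosure is the day the bug became public (7 April 2014). Any key that
// was live on a vulnerable server before its patch landed may have been disclosed.
var HeartbleedDisclosure = time.Date(2014, time.April, 7, 0, 0, 0, 0, time.UTC)

// NeedsReissue reports whether a certificate's validity started before disclosure.
// NotBefore is only a proxy for the age of the key; see Rekeyed for the real test.
func NeedsReissue(cert *x509.Certificate) bool {
	return cert.NotBefore.Before(HeartbleedDisclosure)
}

// Rekeyed reports whether the renewed certificate carries a different public key
// than the old one. Renewing a certificate over the same key leaves the risk in place.
func Rekeyed(old, renewed *x509.Certificate) bool {
	return !bytes.Equal(old.RawSubjectPublicKeyInfo, renewed.RawSubjectPublicKeyInfo)
}

// Triage returns the common names of the certificates that still need reissue.
func Triage(certs []*x509.Certificate) []string {
	var flagged []string
	for _, c := range certs {
		if NeedsReissue(c) {
			flagged = append(flagged, c.Subject.CommonName)
		}
	}
	return flagged
}

// newKey generates a throwaway P-256 key (constructed sample data, not a real host key).
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// newSelfSigned builds a self-signed certificate over key with the given NotBefore,
// standing in for a certificate fetched from a server (hypothetical helper).
func newSelfSigned(cn string, key *ecdsa.PrivateKey, notBefore time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(2, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	oldKey, _ := newKey()
	freshKey, _ := newKey()
	// Constructed sample inventory: one certificate from before disclosure, one renewed
	// afterwards over the same key, one renewed over a brand-new key.
	exposed, _ := newSelfSigned("www.example.test", oldKey, time.Date(2014, time.January, 15, 0, 0, 0, 0, time.UTC))
	renewedSameKey, _ := newSelfSigned("www.example.test", oldKey, time.Date(2014, time.June, 1, 0, 0, 0, 0, time.UTC))
	renewedNewKey, _ := newSelfSigned("api.example.test", freshKey, time.Date(2014, time.June, 1, 0, 0, 0, 0, time.UTC))

	fmt.Println("still on pre-disclosure certificates:", Triage([]*x509.Certificate{exposed, renewedSameKey, renewedNewKey}))
	fmt.Println("renewal over same key counts as rekeyed?", Rekeyed(exposed, renewedSameKey))
	fmt.Println("renewal over new key counts as rekeyed?", Rekeyed(exposed, renewedNewKey))
}
```

The point of the second check is the one the post is making: a certificate dated after the patch looks clean to a date-based scan, so an inventory should compare the public key of the replacement against the one that was exposed, and only count the host as remediated when the key has changed.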
