1 Month After Heartbleed: Assessing the Damage and Lessons Learned
It has been one month since the Heartbleed vulnerability in OpenSSL (CVE-2014-0160) became widely
known, and we wanted to take a final look back at the bug and distill a few cloud
security lessons we can all take forward. Out of the 3,571 cloud services in use at
enterprises, 1,173 were affected by the vulnerability. While most cloud providers
patched their services within 48 hours, Heartbleed struck at the core of web security.
The bug is a missing bounds check in the TLS heartbeat extension of OpenSSL 1.0.1 through
1.0.1f: a client can declare a payload length larger than what it actually sent, and the
server echoes back up to 64 KB of whatever sits next to the request in its process memory.
Through this simple exploit, an unsophisticated attacker could pull passwords, session
cookies and even the server's private key out of memory with minimal effort. That means
that if an attacker captured and stored encrypted traffic during the last 2 years and later
extracted the server's private key, every session that used RSA key exchange rather than a
forward-secret (ephemeral Diffie-Hellman) cipher suite could now be decrypted.
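The heartbeat bug in miniature, as an added example that is not code from the original post and not OpenSSL's own source: a simulated heartbeat handler in the shape of the vulnerable OpenSSL code next to one carrying the two bounds checks the 1.0.1g fix introduced, both run over a constructed memory image in which a secret string sits right after the request on the heap. The record layout and the 16-byte padding minimum are the real protocol values; the memory image, the secret and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16).
 * These constants are the real protocol values; everything else here is a simulation. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Write an echo response into `out`: header, `payload` bytes copied from `src`, padding.
 * Shared by both handlers; the only difference between them is whether `payload`
 * was checked against the number of bytes really received. Returns the response length. */
static int write_response(const uint8_t *src, uint16_t payload,
                          uint8_t *out, size_t out_cap)
{
    size_t len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, src, payload);             /* the echo: reads past the record if payload lies */
    memset(out + 3 + payload, 0, HB_PADDING);  /* OpenSSL used random padding; zeros suffice here */
    return (int)len;
}

/* Vulnerable handler, mirroring the shape of tls1_process_heartbeat in OpenSSL 1.0.1f:
 * payload_length comes straight from the attacker-controlled header and is never
 * compared with `record_len`, the length the TLS record layer actually delivered. */
static int heartbeat_vulnerable(const uint8_t *record, size_t record_len,
                                uint8_t *out, size_t out_cap)
{
    (void)record_len;                          /* the bug: the real length is ignored */
    if (record[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((record[1] << 8) | record[2]);
    return write_response(record + 3, payload, out, out_cap);
}

/* Fixed handler: the two checks added in OpenSSL 1.0.1g. A record too short to hold the
 * header plus minimum padding, or whose declared payload does not fit in what was
 * received, is silently discarded, as the real fix does. */
static int heartbeat_fixed(const uint8_t *record, size_t record_len,
                           uint8_t *out, size_t out_cap)
{
    if ((size_t)(1 + 2 + HB_PADDING) > record_len) return -1;
    if (record[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((record[1] << 8) | record[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > record_len) return -1;
    return write_response(record + 3, payload, out, out_cap);
}

/* Constructed process memory: a heartbeat request with a 5-byte payload ("hello") and
 * 16 bytes of padding, immediately followed by a (made-up) secret, as if the two were
 * neighbours on the heap. `claimed` is the payload_length the attacker writes into the
 * header. Returns the record length the TLS layer really received (24 bytes). */
static size_t build_memory(uint8_t *mem, size_t cap, uint16_t claimed)
{
    static const char secret[] = "user=admin&pass=hunter2";   /* constructed, not real */
    memset(mem, 0, cap);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + 3, "hello", 5);
    memset(mem + 8, 0xAA, HB_PADDING);
    memcpy(mem + 8 + HB_PADDING, secret, sizeof secret - 1);
    return 1 + 2 + 5 + HB_PADDING;
}

/* Does the byte range contain the string `needle`? Used to spot leaked data. */
static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m <= n && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

int main(void)
{
    uint8_t mem[256], out[256];
    size_t got = build_memory(mem, sizeof mem, 64);   /* attacker claims 64, sent 5 */
    int n = heartbeat_vulnerable(mem, got, out, sizeof out);
    printf("vulnerable: %zu-byte record, %d-byte response, secret leaked: %s\n",
           got, n, n > 0 && contains(out, (size_t)n, "hunter2") ? "yes" : "no");
    n = heartbeat_fixed(mem, got, out, sizeof out);
    printf("fixed: %s\n", n < 0 ? "request discarded, declared length exceeds record" : "echoed");
    return 0;
}
```

The vulnerable handler answers a 24-byte request with an 83-byte response whose echo carries the neighbouring secret; the fixed handler drops the same request and still echoes an honest one (claimed length 5) normally. Real OpenSSL leaked whatever happened to be adjacent in the heap, which is why keys and credentials surfaced without any error being logged.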
Across 250 companies, Skyhigh found that 100% of them used at least one service
vulnerable to Heartbleed. Skyhigh customers were immediately notified of which
services they used that were impacted, including which users had uploaded data to
those services. We’ve anonymized data across our customers in order to report on the
scope of Heartbleed and the amount of sensitive data that was exposed:
The average company used 279 services vulnerable to Heartbleed, and these
services spanned all major SaaS Security categories
Companies uploaded, on average, 579.9 GB of data to these services
One company had uploaded over 33.9 TB of data to affected services
Heartbleed was patched relatively quickly, with most cloud providers fixing their
services within 48 hours. Despite the rapid response, companies have to assume that
all the data uploaded to these services could still be compromised: the bug had been in
OpenSSL for roughly two years before it was disclosed, a malicious heartbeat request leaves
no trace in ordinary server logs, and a leaked private key lets an attacker impersonate the
service or decrypt recorded non-forward-secret traffic until the certificate is revoked and
reissued. The volume of that data is staggering. A finance executive we spoke with in the
aftermath of Heartbleed said he received emails from 13 cloud services that week notifying
him they had been affected. The problem isn't limited to finance. The companies impacted by
the use of Heartbleed-vulnerable cloud services span industries including manufacturing,
media and entertainment, insurance, energy, and healthcare. Given the sheer volume of data
involved, it is hard for any one company to know which of its records, if any, were
actually read.
In response, companies storing data in affected services have taken steps to remediate
the damage: first identifying which services were exposed, then changing passwords and
API keys for those services, and doing so only after the provider has patched OpenSSL and
replaced its certificate, since a password reset on a still-vulnerable service simply
exposes the new credential. Skyhigh customers can view Heartbleed-vulnerable services in the
Global Registry by going to the Discover menu and following these steps:
Click “Global Registry” in the Discover menu
Open “Service Risk” by clicking the up arrow to the left of that section
Scroll down to the Security category and view “Susceptible to Heartbleed”
One positive result of Heartbleed is the renewed focus on underfunded but critical
open source Internet infrastructure. The Linux Foundation recently raised $3.9 million
from cloud heavyweights including Amazon Web Services, Cisco, Dell, Facebook,
Google, IBM, Microsoft, Rackspace, and VMware to fund open source projects
including OpenSSL. That will help expand the team (currently only one full time
developer) so that this critical piece of infrastructure can be maintained and secured.
One thing experts can agree on is that there are more vulnerabilities as serious as
Heartbleed in the wild, yet to be discovered and publicized. Due to their nature,
companies can only react once they become aware of their exposure. Skyhigh is
offering a free Heartbleed Audit, detailing all services in use that were or are still
vulnerable to Heartbleed. Email us at heartbleedaudit@skyhighnetworks.com for
more information. Since 100% of companies were impacted in some way, Skyhigh
has also developed a guide with steps IT Security teams can take to remediate the
damage from Heartbleed.