Heartbleed ahead for enterprises?

16 Jun 2014

Palo Alto Networks is warning that the full effects of the Heartbleed vulnerability may not yet have been felt, despite many believing Heartbleed is behind us.

And the company is warning that while the visible impact of Heartbleed has been on web applications such as Google, Dropbox, Facebook, Yahoo!, online banking and other vulnerable targets on the web – which have now been updated – it's enterprises which are now at risk.

Gavin Coulthard, Palo Alto Networks manager of systems engineering for Australia/New Zealand, says the web impact already seen was 'only the tip of the iceberg'.

“The Heartbleed vulnerability puts the tools that were once reserved for truly advanced cyber criminals into the hands of the average attacker, notably the ability to breach organisations and move laterally within them.”

A recent Palo Alto Networks Application Usage and Threat Report reveals that in Asia Pacific, 32% of applications are capable of using SSL. The top 10 sub-categories in the enterprise that can use SSL include file-sharing, instant messaging, social networking, photo-video, internet conferencing, remote access, internet-utility, management, email and general business.

“Most enterprises of even moderate size do not have a good handle on what services they are running internally using SSL encryption, much less those that the end-users have brought into the network,” says Coulthard. “More importantly, they don't inspect applications for malicious activity.

“SSL use is a much bigger problem than it was even a year ago, because if organisations don't know how many applications running on the network use SSL, they also don't know how many of those applications use OpenSSL, which may directly or indirectly expose the organisation,” he adds.

“Proofs-of-concept that take advantage of Heartbleed are no doubt in the works.

“It is only a matter of time before an automated internal scanner is developed that finds vulnerable services on the local network and exploits them with a single click. The challenge that presents to organisations is significant. For example, once you know how many internal applications may be using OpenSSL, how difficult will it be to update them? If it is a business-critical application, the effort is not small.”

Coulthard says organisations must determine which applications are capable of using SSL – both business applications and those in use by employees – then determine which of them use OpenSSL.

“The primary risk to end user-introduced applications using OpenSSL is the endpoint. The secondary risk is what is on that endpoint machine in terms of company data. Knowing which applications are using SSL, who is using them, and what network resources the person has access to will let organisations gauge and then minimise their exposure.”
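The inventory-and-triage exercise Coulthard describes (find the SSL-capable applications, work out which of them use OpenSSL, then rank them by what they expose) can be expressed as a small script. The example below is added here and is not code from the article or from Palo Alto Networks; the inventory rows and the field names are constructed for illustration. The one fact it relies on is the publicly documented affected range: OpenSSL 1.0.1 through 1.0.1f carried the Heartbleed bug, 1.0.1g fixed it, and the 0.9.8 and 1.0.0 branches were never affected. The point it makes that the prose does not is that OpenSSL's letter-suffixed version strings need their own comparison logic, and that an application whose library or version is unknown still counts as exposure, not as "safe".

```python
"""Triage a constructed application inventory for Heartbleed exposure.

Added example (not from the article). The App rows and field names are
made up; the vulnerable range (1.0.1 .. 1.0.1f, fixed in 1.0.1g) is the
publicly documented one.
"""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class App:
    name: str
    uses_ssl: bool                 # can the application speak SSL/TLS at all?
    tls_library: Optional[str]     # "openssl", "schannel", "nss", ... or None if unknown
    version: Optional[str]         # library version string as reported by the host
    business_critical: bool
    introduced_by: str             # "IT" or "end-user", the article's distinction

# OpenSSL 1.0.x versions look like 1.0.1e, 1.0.1 (no letter) or 1.0.2-beta1.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+))?$")

def parse_openssl_version(v):
    """Split '1.0.1f' into (1, 0, 1, 'f', None); None if the string is unparseable."""
    m = VERSION_RE.match(v.strip())
    if not m:
        return None
    major, minor, fix, letter, pre = m.groups()
    return (int(major), int(minor), int(fix), letter, pre)

def is_heartbleed_vulnerable(version):
    """True / False for a known answer, None when the version needs a manual check."""
    parsed = parse_openssl_version(version)
    if parsed is None:
        return None
    major, minor, fix, letter, pre = parsed
    if pre is not None:
        # The 1.0.2 beta series straddled the fix; confirm these by hand.
        return None
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (empty letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
        return letter < "g"
    # 0.9.8, 1.0.0 and 1.0.2 final never contained the bug.
    return False

def classify(app):
    """Map one inventory row to a triage status string."""
    if not app.uses_ssl:
        return "not-ssl"
    if app.tls_library is None:
        return "unknown-library"
    if app.tls_library.lower() != "openssl":
        return "not-openssl"
    if app.version is None:
        return "unknown-version"
    verdict = is_heartbleed_vulnerable(app.version)
    return {True: "vulnerable", False: "not-affected", None: "unknown-version"}[verdict]

# Lower number = look at it first. Unknowns sit above confirmed-safe rows on purpose.
PRIORITY = {"vulnerable": 0, "unknown-version": 1, "unknown-library": 2,
            "not-affected": 3, "not-openssl": 4, "not-ssl": 5}

def triage(apps):
    """Return (status, app) pairs, riskiest first; within a status, business-critical
    applications come before the rest, then end-user-introduced ones."""
    rows = [(classify(a), a) for a in apps]
    rows.sort(key=lambda r: (PRIORITY[r[0]],
                             not r[1].business_critical,
                             r[1].introduced_by != "end-user"))
    return rows

# Constructed inventory; none of these represent real systems.
INVENTORY = [
    App("intranet-wiki",     True,  "openssl",  "1.0.1e",     True,  "IT"),
    App("file-share-client", True,  "openssl",  "1.0.1g",     False, "end-user"),
    App("chat-client",       True,  "openssl",  "1.0.1",      False, "end-user"),
    App("mail-gateway",      True,  "openssl",  "1.0.0k",     True,  "IT"),
    App("legacy-erp",        True,  None,       None,         True,  "IT"),
    App("rdp-client",        True,  "schannel", None,         False, "IT"),
    App("beta-proxy",        True,  "openssl",  "1.0.2-beta1", False, "IT"),
    App("print-monitor",     False, None,       None,         False, "IT"),
]

if __name__ == "__main__":
    for status, app in triage(INVENTORY):
        flag = "CRITICAL" if app.business_critical else "        "
        print(f"{status:16} {flag} {app.name} ({app.introduced_by})")
```

Running it lists the two confirmed-vulnerable applications first, with the business-critical wiki ahead of the user-installed chat client, followed by the rows whose library or version is unknown. Those unknowns are the part of the exercise Coulthard is really pointing at: an application you cannot place is still part of the attack surface until someone confirms what it links against.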