
Heartbleed bug: Businesses must act now...

14 Apr 2014

Businesses must act against the ‘Heartbleed’ OpenSSL bug (CVE-2014-0160) to avoid severe impacts on enterprise servers, according to Palo Alto Networks, which describes it as likely to be the single greatest vulnerability in history.

“Enterprise servers running enabled versions of OpenSSL could be severely impacted and in a worst-case scenario could expose end-user communication over SSL encryption," says Gavin Coulthard, Manager, Systems Engineering, Australia/New Zealand, Palo Alto Networks.

“The news around the vulnerability is focused on the web perspective and how it affects https enabled websites. However, this is just the tip of the iceberg.

"What's important is that any vulnerable SSL enabled service on a machine compromises the entire machine and its private keys.

“Large organisations cannot possibly know all of their public facing services. More than half of those will be SSL enabled.

"The only reliable way to ensure that none of them are exploitable is to deploy an enterprise-level firewall in front of them - such as a Palo Alto Networks next-generation firewall.”

Palo Alto Networks says it takes a fundamentally different approach to identifying and preventing threats such as ‘Heartbleed’ before they infiltrate enterprises.

“Many security vendors are required to create an enormous amount of pattern-based signatures, in a constant battle to identify the tell-tale signs of exploitation," Coulthard adds.

"Palo Alto Networks’ security platform natively decodes all traffic at the application layer, regardless of the port and protocol used, including SSL/TLS tunnels.

“Instead of struggling to match a multitude of signatures against known patterns, we are able to quickly decompose the protocol (SSL in this case) to detect anomalies in ways that cannot be done with typical network security devices limited by regular expression technology.”
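The protocol anomaly Coulthard is describing is concrete for Heartbleed: a TLS heartbeat message (RFC 6520, content type 24) carries a 16-bit payload_length field, and a vulnerable server copies that many bytes back even when the enclosing record is far too small to contain them. A decoder therefore needs no signature at all; it only has to compare the declared payload length with the room actually left in the record. The following Python is an added example written for this article, not Palo Alto Networks' code, and it assumes only the TLS record format and the RFC 6520 heartbeat layout; the sample byte stream it inspects is constructed inline.

```python
import struct
from dataclasses import dataclass

TLS_HEARTBEAT = 24          # TLS content type for heartbeat records (RFC 6520)
TLS_APPLICATION_DATA = 23
HB_REQUEST, HB_RESPONSE = 1, 2
HB_HEADER_LEN = 3           # type (1 byte) + payload_length (2 bytes)
HB_MIN_PADDING = 16         # RFC 6520 section 4: at least 16 bytes of padding
TLS_1_1 = 0x0302


@dataclass
class Finding:
    record_index: int       # position of the offending record in the stream
    hb_type: int            # 1 = request, 2 = response, -1 = unparseable
    declared_payload: int   # payload_length as sent on the wire
    actual_room: int        # bytes the record could legitimately hold as payload
    reason: str


def build_tls_record(content_type: int, body: bytes, version: int = TLS_1_1) -> bytes:
    """Wrap a fragment in a 5-byte TLS record header (used to construct samples)."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


def build_heartbeat(hb_type: int, declared_len: int, payload: bytes,
                    padding: bytes = b"\x00" * HB_MIN_PADDING) -> bytes:
    """Build a heartbeat record; declared_len is written as-is so it can lie."""
    body = bytes([hb_type]) + struct.pack("!H", declared_len) + payload + padding
    return build_tls_record(TLS_HEARTBEAT, body)


def iter_tls_records(data: bytes):
    """Yield (content_type, version, fragment) for each complete record.

    A truncated trailing record is dropped rather than guessed at, so the
    decoder never reports on bytes it did not actually see.
    """
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        frag = data[off + 5:off + 5 + length]
        if len(frag) < length:
            break
        yield ctype, ver, frag
        off += 5 + length


def check_heartbeats(data: bytes) -> list:
    """Flag heartbeat records whose payload_length cannot fit in the record.

    RFC 6520 requires the receiver to discard a heartbeat when
    payload_length + 3 + 16 exceeds the record length; an unpatched OpenSSL
    instead memcpy's payload_length bytes, which is CVE-2014-0160.
    """
    findings = []
    for idx, (ctype, _ver, frag) in enumerate(iter_tls_records(data)):
        if ctype != TLS_HEARTBEAT:
            continue
        if len(frag) < HB_HEADER_LEN:
            findings.append(Finding(idx, -1, -1, len(frag),
                                    "heartbeat record shorter than its 3-byte header"))
            continue
        hb_type = frag[0]
        declared = struct.unpack("!H", frag[1:3])[0]
        room = len(frag) - HB_HEADER_LEN - HB_MIN_PADDING
        if declared > room:
            findings.append(Finding(idx, hb_type, declared, max(room, 0),
                                    "declared payload_length exceeds record capacity "
                                    "(CVE-2014-0160 pattern)"))
    return findings


def sample_stream() -> bytes:
    """Constructed traffic: application data, a benign heartbeat, then a
    classic 0x4000-byte probe with no payload and no padding at all."""
    return (build_tls_record(TLS_APPLICATION_DATA, b"hello")
            + build_heartbeat(HB_REQUEST, 4, b"ping")
            + build_heartbeat(HB_REQUEST, 0x4000, b"", padding=b""))


if __name__ == "__main__":
    for f in check_heartbeats(sample_stream()):
        print(f)
```

The same comparison works on the response direction: a heartbeat response record that is much larger than the request that provoked it is the other half of the pattern, and both are visible only to a device that parses the record layer rather than matching strings on it.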

Palo Alto Networks recommends that all enterprises update to the patched OpenSSL release published on April 7 (1.0.1g, which fixes CVE-2014-0160) on their web servers and on any other service that links OpenSSL, and, once the patch is in place, generate new SSL private keys, reissue their certificates and revoke the old ones, since a key served by a vulnerable host may already have been read. Patching must come first: a new key installed on an unpatched server can be leaked the same way.

Vendors and partners should also help their clients identify vulnerable systems and notify them immediately.
