Heartbleed points to bigger SSL problems

Palo Alto Networks

Tuesday, 17 June, 2014

While the initial Heartbleed emergency appears to have passed, the vulnerability has pointed to bigger industry-wide problems with SSL security. Heartbleed (CVE-2014-0160) is a bounds-checking bug in OpenSSL's implementation of the TLS heartbeat extension rather than a flaw in the SSL/TLS protocol itself, which is why the question for enterprises is not whether they use SSL but which of their SSL-capable applications are built on a vulnerable OpenSSL.

“For security professionals and organisations this is only the tip of the iceberg,” says Gavin Coulthard, Manager, Systems Engineering, Australia/New Zealand at Palo Alto Networks. “The Heartbleed vulnerability puts the tools that were once reserved for truly advanced cybercriminals into the hands of the average attacker; notably, the ability to breach organisations and move laterally within them.

“Most enterprises of even moderate size do not have a good handle on what services they are running internally using SSL encryption, much less those that the end users have brought into the network,” Coulthard adds. “More importantly, they don’t inspect applications for malicious activity.”

The Palo Alto Networks Application Usage and Threat Report has assessed the relationship between advanced cyberthreats and the applications running on enterprise networks worldwide.

In APAC, the survey revealed that 32% of applications are capable of using SSL. The top 10 subcategories in the enterprise that can use SSL include file-sharing, instant messaging, social networking, photo-video, internet conferencing, remote access, internet utility, management, email and general business.

“SSL use is a much bigger problem than it was even a year ago, because if organisations don’t know how many applications running on the network use SSL, they also don’t know how many of those applications use OpenSSL, which may directly or indirectly expose the organisation,” says Coulthard.

“Proofs of concept that take advantage of Heartbleed are no doubt in the works. It is only a matter of time before an automated internal scanner is developed that finds vulnerable services on the local network and exploits them with a single click,” he adds.

“The challenge that presents to organisations is significant. For example, once you know how many internal applications may be using OpenSSL, how difficult will it be to update them? If it is a business-critical application, the effort is not small.”

Coulthard says organisations must determine which applications are capable of using SSL - both the business applications and those in use by employees - and then determine which of them use OpenSSL.

The primary risk from end user-introduced applications that use OpenSSL is to the endpoint itself; the secondary risk is the company data held on that endpoint.

“Knowing which applications are using SSL, who is using them, and what network resources the person has access to will let organisations gauge and then minimise their exposure,” says Coulthard.

Image courtesy Codenomicon.