In just a matter of 24 hours, Heartbleed has become the most important topic among cyber security professionals. There’s been a ton of information published around Heartbleed so far, and many people, both inside and outside of the technology industry, are searching for answers. As an MSP, there’s a very good chance that your clients will approach you (if they haven’t already) about what they can do to stay safe. Here’s some information to help you stay ahead of the curve.
What is it?
On April 7, 2014 information was released about a new vulnerability (CVE-2014-0160) in OpenSSL, the cryptography library that powers the vast majority of private communication across the Internet. This library is important for maintaining privacy between servers and clients, and for confirming that Internet servers are who they say they are. This vulnerability, known as Heartbleed, may allow an attacker to steal the keys that protect communication, user passwords, and even the contents of system memory on a vulnerable server. This represents a major risk to large portions of private traffic on the Internet.
How does it work?
Technically speaking, the bug lies in OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (heartbleed.com).
A “heartbeat” occurs when a computer on one end of an SSL connection sends a message to verify that the machine at the other end is still online/active – and research released earlier this week demonstrated that it’s possible to send a phony and malicious heartbeat that causes a vulnerable receiver to reply with secure and encrypted information from its memory.
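To make the mechanism concrete, here is an added Python model of the flaw, written for this post as an illustration rather than taken from OpenSSL’s source: a heartbeat record carries its own payload-length field, the pre-1.0.1g responder trusted that field and copied as many bytes as it claimed, and the 1.0.1g fix discards any record whose claimed payload (plus header and padding) does not fit inside what was actually received. The `SECRET_NEIGHBOUR` bytes standing in for whatever sits next to the record in process memory are constructed for the demo.

```python
"""Toy model of the Heartbleed over-read (added illustration, not OpenSSL code).

A TLS heartbeat record is: 1-byte type, 2-byte payload length (big endian),
the payload itself, then at least 16 bytes of padding (RFC 6520). The
responder echoes the payload back. OpenSSL 1.0.1 through 1.0.1f trusted the
length field and copied that many bytes out of the record buffer even when
the record was far shorter, so whatever lay next in process memory was
echoed back to the peer. 1.0.1g rejects records whose claimed payload does
not fit inside the received record.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16

# Constructed stand-in for the responder's process memory: the received
# record is followed by unrelated data that should never leave the process.
SECRET_NEIGHBOUR = b"session_cookie=DEADBEEF;private_key_fragment"


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; claimed_len lets the length field lie."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_responder(record: bytes, memory_after: bytes = SECRET_NEIGHBOUR) -> bytes:
    """Mirror the pre-1.0.1g logic: trust the length field and copy blindly."""
    hb_type, claimed = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    # The region the copy reads from is the record followed by whatever
    # happened to sit next to it in memory (simulated here by concatenation).
    buffer = record + memory_after
    echoed = buffer[3:3 + claimed]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed


def fixed_responder(record: bytes) -> Optional[bytes]:
    """Mirror the 1.0.1g check: type + length + payload + padding must fit the record."""
    if len(record) < 3:
        return None
    hb_type, claimed = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    # 1 (type) + 2 (length) + payload + 16 (padding) > record length: discard silently
    if 1 + 2 + claimed + MIN_PADDING > len(record):
        return None
    echoed = record[3:3 + claimed]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed


def leaked_bytes(response: bytes, honest_payload: bytes) -> bytes:
    """Return what the response contains beyond the honest payload and its padding."""
    _, length = struct.unpack("!BH", response[:3])
    return response[3:3 + length][len(honest_payload) + MIN_PADDING:]


if __name__ == "__main__":
    honest = build_heartbeat(b"hello")
    lying = build_heartbeat(b"hello", claimed_len=64)
    print("honest request, both responders agree:",
          vulnerable_responder(honest) == fixed_responder(honest))
    print("lying request, old code leaks:", leaked_bytes(vulnerable_responder(lying), b"hello"))
    print("lying request, fixed code returns:", fixed_responder(lying))
```

Running the module shows the two responders behaving identically on an honest heartbeat, while on a record that claims 64 bytes but carries 5 the old logic returns the neighbouring “secret” and the patched logic returns nothing at all, which is also why the bug left no trace in ordinary server logs.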
Is the problem fixed?
Yes and no. An updated version of OpenSSL (1.0.1g) was released this week to patch the problem, and businesses are now in the process of updating websites and servers that may have been exposed. Unfortunately, the bug is relatively easy to exploit and is virtually untraceable – making it very difficult to identify what information (if any) has been compromised.
Since the news first broke, a number of online tools have emerged that can determine whether a server may have been vulnerable to exposure (http://filippo.io/Heartbleed/, http://possible.lv/tools/hb/) – but there’s no way to know with certainty if any information has been leaked.
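For service providers inventorying many hosts, here is an added Python helper (written for this post, not a Continuum tool) that classifies an OpenSSL version string and, optionally, the local `openssl version` output. The status labels are this example’s own. The important caveat it encodes: only the 1.0.1 branch through 1.0.1f (and the 1.0.2-beta1 pre-release) carried the broken heartbeat code, but distributions routinely backport the fix without changing the upstream version string, so a “vulnerable” result must be confirmed against the distribution’s advisory or package changelog, and a long-running service keeps the old library in memory until it is restarted.

```python
"""Triage OpenSSL version strings for Heartbleed exposure (added example).

Statuses returned:
  "vulnerable"      upstream builds of this version contain the bug; confirm the
                    distro did not backport the fix before treating it as exposed
  "not_vulnerable"  1.0.1g and later, or a branch (0.9.8, 1.0.0) that never had
                    the heartbeat code
  "unknown"         no OpenSSL version could be parsed
"""
import re
import subprocess
from typing import Optional, Tuple

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, str, Optional[int]]]:
    """Extract (major, minor, patch, letter, beta) from e.g. 'OpenSSL 1.0.1f 6 Jan 2014'."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter, int(beta) if beta else None)


def heartbleed_status(text: str) -> str:
    """Classify a version string; see module docstring for the labels."""
    v = parse_openssl_version(text)
    if v is None:
        return "unknown"
    major, minor, patch, letter, beta = v
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g is the fix.
        return "vulnerable" if letter <= "f" else "not_vulnerable"
    if (major, minor, patch) == (1, 0, 2) and beta == 1:
        return "vulnerable"
    return "not_vulnerable"


def local_openssl_status() -> str:
    """Run `openssl version` on this host and classify it; "unknown" if it is missing.

    Caveat: the package manager (e.g. dpkg -s / rpm -q on the libssl package) is
    the authoritative source on distros that backport fixes; compare the package
    version against the number given in the vendor advisory, not the string here.
    """
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown"
    return heartbleed_status(out.stdout)


if __name__ == "__main__":
    # Constructed sample inventory lines as an MSP might collect them from hosts.
    samples = [
        "web01: OpenSSL 1.0.1e 11 Feb 2013",
        "web02: OpenSSL 1.0.1g 7 Apr 2014",
        "lb01:  OpenSSL 1.0.0l 6 Jan 2014",
        "dev01: OpenSSL 1.0.2-beta1 24 Feb 2014",
        "appliance: vendor firmware 3.2 (version string not exposed)",
    ]
    for line in samples:
        print(f"{heartbleed_status(line):<15} {line}")
    print("this host:", local_openssl_status())
```

The appliance line in the sample inventory is the case to watch: embedded devices and vendor appliances often bundle OpenSSL without exposing a version string, so they need a vendor statement or a direct heartbeat test rather than this triage.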
There’s also been quite a bit of buzz surrounding password updates – a logical first step in remedying any potential data and privacy breach. Before doing so, however, it’s essential to first confirm that a given organization or website has done their part in updating OpenSSL; if not, any new passwords may be just as susceptible to attack as your old ones.
How are MSPs affected?
Because OpenSSL is leveraged by roughly two-thirds of all web servers, the potential for exposure is very widespread – and it’s critical that service providers not only identify and patch any software, systems and appliances that may be affected, but also communicate with clients to ensure they understand both the nature of the bug as well as what they can do to ensure security. Here are a few steps you can take to bring users up to speed:
- Proactively notify your clients – don’t wait for worried clients to bombard you with emails and phone calls demanding to know if their data has been compromised; take a proactive approach and let them know you’re aware of the problem and are working actively to patch any potential vulnerabilities as quickly as possible. This shows that you’re in control of the situation and are taking an active approach to protect your clients. Just be ready to answer questions.
- Provide immediate security recommendations and best practices – once you’ve ensured all necessary OpenSSL updates have been made, tell your clients what steps they (and their users) can take to be protected. For instance, recommend implementing a two-factor authentication process (i.e. a combination of both a traditional password and a personalized security question) or at a minimum tell their employees to update their passwords. It’s always best to provide your clients with actual steps to take in order to protect themselves, rather than just say “you may be in trouble!”
- Provide clients with additional resources to learn more – it’s important to provide your clients with the information that they need to know. However, you should also provide them with additional resources in case they want to learn more. As their MSP, you are responsible for educating your clients, not just alerting them. You don’t need to write your own security articles, but you should direct them towards relevant links so they can learn more if interested.
- Be transparent – when it comes to managed services, trust is everything. If you think an attack may have been used against any of your systems, let your users know as quickly as possible – and keep them informed of all updates and corrections as you make them. It’s better to be open and communicative towards a potential issue than try to cover up a flaw and have it hurt you in the long run.
Your clients rely on you as their trusted advisor when it comes to securing their IT systems. Make sure you’re proactive in notifying them and being open in your communication. Ultimately, your clients want to make sure they’re protected, and it’s your job to make them feel secure.
Here are some additional resources you can check out about Heartbleed:
- Techcrunch.com video: http://techcrunch.com/2014/04/08/what-is-heartbleed-the-video/
- Troy Hunt’s blog post: http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html
For more information about Heartbleed and how it relates to Continuum, you can click here.