HP Enterprise Security Products handles Heartbleed

You know when you get your own icon, you've arrived. With an estimated 66 percent of websites impacted and reports of exploitation rolling in, Heartbleed has transcended the world of Internet security and become part of the public consciousness. Having to change all your passwords can do that. Heartbleed is unique in its combination of criticality, ease of exploit, and pervasiveness, and deserves its infamy.

 

Heartbleed is a litmus test for those of us in the security industry. How long before your products can check for Heartbleed susceptibility? Are your own products vulnerable? How are you responding to your customers? I am very pleased to see that HP Enterprise Security Products has responded in a way that shows we understand the seriousness of this vulnerability and its potential impact. Each of our key groups has put forth a solution or method of detection that will let organizations know where they stand. To wit:

 

Fortify:

Fortify on Demand Heartbleed Update

 

HPSR Software security content update - Heartbleed bug detection

 

TippingPoint:

Heartbleed protection with HP TippingPoint

 

HP ArcSight:

Heartbleed does not kill you. Just yet!

 

HP Security Research:

Heartbleed causes heartache

 

One thing I'm not going to do is bash our competitors who A) can't check for this vulnerability or B) have vulnerable products. For one thing, they know who they are. For another, I would much rather tout our capabilities than talk about what somebody else can't do. HP has over 5,000 dedicated security professionals for a reason.

 

There are still lots of things in play with Heartbleed. Here are a few:

 

Open Source - use at your own risk:

Open Source software is catch as catch can in terms of security, even something as widely implemented as OpenSSL. It's one of the reasons Fortify on Demand offers free scans of open source components.

 

Time to fix:

Since the ultimate fix requires an upgrade and the issue is critical, it will be interesting to see how long it takes organizations to resolve the problem. I would put the over/under on the percentage of organizations who have this resolved within 3 weeks at 70 percent. At 6 weeks, I'd put that at 85 percent. The last 15 percent are going to take a while because A) organizations might not be aware they are impacted, B) for them, the fix isn't currently convenient to apply, and C) some implementations of OpenSSL don't protect things that require protection, or support for that implementation has stopped altogether, and the timeliness of upgrade is simply not a matter of concern.

 

Loss of access:

Considering how long it had been in existence (two years), I am convinced that hackers all over the world lost a significant and favorite method of data retrieval when the update was released. Certain government agencies definitely took this as bittersweet news.

 

Who knew?

It appears from the change your passwords now page that some organizations received early warnings about the vulnerability. To quote Facebook: "We added protections for Facebook's implementation of OpenSSL before this issue was publicly disclosed." Which begs the question... were they told, or did they discover it themselves? I would tend to think the former applies here. Personally, I'm all for forewarning any site that boasts over 1 billion users.

  

Users have more responsibility than ever:

Welcome to global change your password week. This is one of the great upcoming challenges - how to get users more conscious of security. Granted, there is nothing a user could have done to prevent theft of their information. But they are still responsible to change their passwords, and to stay cognizant of potential threats, and to stop clicking everything in sight (or on a site, even). Education needs to be a key area of future security efforts as users still remain the number one reason networks are infiltrated. I expect big industry changes on this front in the next five years if for no reason other than necessity.

 

Heartbleed's biggest weakness is also one of its biggest strengths:

The data it steals is random. While you can't target what you want, an attacker might actually find something of greater value buried in the data. It's one of the things that make this so dangerous.

 

Simply.The.Best.Vulnerability.Explanation.Ever

Image: heartbleed_explanation.png (from http://xkcd.com/1354/)

 
