- Make sure that you understand the risks of the Heartbleed bug. If your website server contains sensitive information then you need to update to at least OpenSSL version 1.0.1g to try to combat any breaches in security.
- Stay on top of your software. Software asset management can help you to gain an overall visibility of which versions of programmes you are running - meaning that at a glance you can see where you have potential weak links (where software is running on an old version). The latest versions of software stand the best chance of being robust enough to withstand attacks. If you are unsure which machines in your business may be at risk, a SAM programme can pinpoint exactly which machines have an older version of software and could save you money on upgrades by ensuring you only purchase the correct number of upgrades needed.
- Know which sites you use or run are affected - this means that you will be aware of which sites you need to change passwords on or update OpenSSL.
- Inform your customers to change their passwords - but only after you have fixed the flaw in the security systems.
- Advise your customers to avoid using the same password on a number of different sites. Ask them to make their passwords complex by using a mixture of upper and lowercase letters combined with numbers, and to change them regularly.
- Offer an additional authentication service to visitors, such as letters from a memorable word or text message authorisation.
- Implement checks for vulnerability in OpenSSL and build this into your vulnerability management program. This can be done by using a number of scanning products and scripts.
- Review your network flow data and IDS logs. Since the flaws in OpenSSL have been present since March 2012, you may want to monitor incoming SSL sessions for odd activity.
- Review your emergency response plans and make sure that you are prepared for any emergency patching. Make sure you keep the site users up to date with what you have repaired and what is still at risk.
- Use time-sensitive two-factor authentication, as the information stolen will be useless by the time hackers want to use it. Reassure your customers by letting them know about this.
- Watch out for where you decide to place your trust in the future. Heartbleed broke down the security of the internet as a whole, and this may not be the last bug that has the ability to do this. Be on your guard when implementing IT security systems - there are always people looking for ways to break down and disarm these systems, so keep yourself up to date with software developments, news and tests for new systems.
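One way to script the version check described in the list above, as an added example rather than code from the article or from License Dashboard: it classifies the output of `openssl version` collected from each machine against the 1.0.1g minimum. The function names and the sample inventory are assumptions constructed for illustration. Distribution packages often backport the fix without changing the version letter, so an "affected" result should be confirmed against the vendor's package changelog.

```python
import re

# Upstream OpenSSL releases 1.0.1 through 1.0.1f contain the Heartbleed flaw;
# 1.0.1g (the minimum version named in the list above) carries the fix.
# The 0.9.8 and 1.0.0 branches never shipped the affected heartbeat code.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-\S+)?")


def classify(version_line):
    """Return 'affected', 'not-affected' or 'unknown' for one `openssl version` line."""
    m = _VERSION_RE.search(version_line)
    if not m:
        return "unknown"  # not OpenSSL output (missing binary, other TLS library)
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    letter = m.group(4)        # patch letter, "" for the first release of a branch
    suffix = m.group(5) or ""  # e.g. "-fips" or "-beta1"
    if "beta" in suffix:
        return "unknown"       # pre-release builds are left for manual review
    if (major, minor, fix) == (1, 0, 1) and letter <= "f":
        return "affected"      # "" through "f" sort before "g"
    return "not-affected"


def needs_attention(inventory):
    """Map host -> status for every host that is not clearly unaffected."""
    statuses = {host: classify(line) for host, line in inventory.items()}
    return {h: s for h, s in statuses.items() if s != "not-affected"}


# Constructed sample inventory: host name -> output of `openssl version`.
SAMPLE_INVENTORY = {
    "web01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web02": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail01": "OpenSSL 0.9.8y 5 Feb 2013",
    "db01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "lab01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "old01": "sh: openssl: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(needs_attention(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```
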
26 April, 2014
The Heartbleed Bug: what is it and how to protect yourself
The Heartbleed bug was one of the most serious IT security threats to have emerged in recent times, and it caught many large organisations and companies, not to mention consumers, off guard. Described as ‘the biggest internet security threat the world has ever seen’, the Heartbleed bug allowed hackers to snatch credit card numbers, bank details, passwords and other valuable data. However, it is almost impossible for companies or site owners to check whether information has been stolen, so there are fears that hackers will hold onto the information before exploiting it.
Huge websites including Mumsnet fell prey to the bug, and online shoppers were warned to change their passwords to reduce the risk of becoming victims. Mumsnet urged all of its 1.2 million users to change their passwords, but the security of its users who use the same password for sites such as banking and shopping is under threat.
The Heartbleed bug is a vulnerability in the OpenSSL certificate software which is used mainly to protect banking and credit card details. The weakness leaves the software vulnerable and lets anyone on the web read the memory of systems protected by the software. Under normal circumstances the SSL/TLS encryption is secure - SSL/TLS provides communication security and privacy over the Internet for many different applications, but Heartbleed opens up a computer's memory for anyone to read - meaning that secret keys used to encrypt traffic, the names and passwords of the users and the content are all up for grabs, allowing hackers to steal data from service providers and users and impersonate both online.
Although a massive breach of internet security, there are a number of things you can do to tighten up your site following Heartbleed. License management company License Dashboard advise the following: