2014 was viewed by many as ‘the year of the data breach,’ with high-profile data theft incidents making global news headlines on an almost daily basis. Potentially the biggest of all the security stories was the revelation that decades-old code was leaving consumers and businesses vulnerable to attack by cybercriminals – beginning with the announcement of Heartbleed on April 7th 2014.
In the last 12 months the threat landscape expanded into the network infrastructure itself, with a multitude of hidden vulnerabilities revealed deep within the code base of long-established, widely deployed components such as Bash, OpenSSL and SSLv3.
The likes of Shellshock, Heartbleed and Poodle highlighted the brittle nature of infrastructure standards and pushed businesses into action to deploy rapid risk assessment and apply mitigation methods to prevent exploitation and data theft.
The first major indication of the fragility in existing infrastructures came exactly one year ago with the OpenSSL Heartbleed vulnerability (CVE-2014-0160). Heartbleed exposed the memory of systems using vulnerable versions of OpenSSL. Vendors rushed to provide patches and encouraged users of the open source toolkit to upgrade their versions of OpenSSL and/or the software using those libraries.
Five months later, in September 2014, IT teams already reeling from Heartbleed had to face up to the even bigger challenge of mitigating Bash Shellshock (CVE-2014-6271). The 25-year-old vulnerability allowed for remote execution of arbitrary commands via crafted environment variables. Within days of the public announcement, proof-of-concept code was widely published and attackers were dropping malware onto vulnerable servers.
A few weeks later the SSLv3 Poodle (CVE-2014-3566) weakness surfaced, posing a serious data theft risk to secure communications using the SSL standard. This also highlighted widespread use of older standards, even while newer and more secure standard options were available.
These major vulnerabilities – not to mention the OpenSSL man-in-the-middle flaw, Ghost and many others – diminished trust in established infrastructure standards. Vulnerable systems directly exposed certificates, private keys, Personally Identifiable Information (PII) and more – while malware introduced through these vulnerabilities could pose even greater risks.
This has placed a heavy burden on IT resources, as running scripts and applying patches are rarely sufficient when dealing with infrastructure vulnerabilities. Without appropriate response plans, mission-critical systems could be offline for extended periods of time, negatively impacting organisations’ productivity.
But these vulnerabilities are far from behind us; they remain a real and active threat. Only last week we were reminded of this by the news of ‘Bar Mitzvah’, an attack on SSL/TLS protocols that exploits the RC4 cipher’s weak keys. The vulnerability affects only the first hundred bytes of a very small fraction of connections – those that happen to use weak keys – but it allows significant compromise of user security. For example, it allows attackers to intercept password information, which could then be used for long-term exploitation.
This is a call to action for businesses: it is imperative that they stay vigilant to the threat these vulnerabilities pose. The impact is greater for businesses that are unprepared or ill-equipped to respond quickly, assess the possible damage from the vulnerability, and then apply mitigation without delay. However, negative impacts can be managed with a clear communication protocol that sets the minds of customers, employees, the board and investors at ease.
Businesses must ensure they conduct regular reviews of their mission-critical systems using legacy technologies for potential risk and upgrade opportunities. It’s also vital to have an established process for assessing potential risk and the scope the risk could pose to the organisation.
Security professionals must also ensure they stay up to date with streams of threat intelligence and conversations that will reveal newly discovered potential vulnerabilities, by subscribing to security news feeds, reading blogs and networking with peers at any opportunity.