PwC Cyber Intelligence Briefing: Demystifying 'Heartbleed'

What's the issue?

Secure Sockets Layer (SSL) encryption has been at the core of internet security for almost two decades. More importantly, organizations and individuals have come to rely on it to protect sensitive information and privacy. It is perhaps the most widely implemented security protocol in almost every facet of IT and information-based communications, ranging from computing devices, cell phones and tablets all the way to Point of Sale (PoS) terminals and other devices.

Simply put, SSL provides a protocol for establishing an encrypted tunnel between devices and systems, allowing for secure transmission of data. It requires both systems to establish trust through an information exchange before building the encrypted tunnel. The strength and integrity of the encrypted session rely on protecting the private encryption key that is used in this process.

In order to maintain a secure SSL tunnel, systems send each other a regular signal or ‘heartbeat.’ ‘Heartbleed’ is the name of the flaw in an earlier version of the open-source SSL implementation OpenSSL, which exposes information held by the server without encryption. OpenSSL is considered to be one of the most widely adopted implementations of the SSL protocol. It is available free of charge and maintained as an open-source project, significantly reducing associated operational costs.

A fix, or ‘patch,’ for this vulnerability was released on the day ‘Heartbleed’ first surfaced. Research, however, has shown that this flaw in OpenSSL existed for up to two years prior to the fix without being detected.

What’s ‘Heartbleed’ and what does it do?

‘Heartbleed’ allows an attacker to potentially extract data from the memory of the server that hosts it, data that would otherwise have been protected by encryption.

Key considerations:

  • Exposed data may include usernames and passwords, credit card details, intellectual property, personal information about your users and customers, and details of your systems
  • ‘Heartbleed’ leaves very little forensic evidence, making it extremely difficult to know whether any information has been compromised
  • In some cases this vulnerability may already have allowed attackers to obtain the private encryption key(s) and to potentially decipher encrypted communications on an ongoing basis unless those keys are changed
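To make the heartbeat flaw and the ‘little forensic evidence’ point concrete, the following is a simplified model written for this briefing; it is not OpenSSL's code. A heartbeat message carries a one-byte type, a two-byte length field and then the payload plus at least 16 bytes of padding, as the TLS heartbeat extension specifies. The toy ‘process’, the sample payload and the neighbouring ‘SESSION=…’ heap data are all constructed here. The unchecked responder trusts the length field the peer supplies; the checked responder first confirms that the claimed length fits inside the bytes actually received and silently discards the message otherwise, which is the shape of the fix. Note that the server never logs anything in either case: a malformed heartbeat is handled like any other, which is why compromise is so hard to prove after the fact.

```python
import struct
from typing import Optional

# Minimum padding a heartbeat message must carry (TLS heartbeat extension).
PADDING_LEN = 16
HEADER_LEN = 1 + 2  # type byte + big-endian 16-bit payload length


def build_heartbeat_request(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Construct a heartbeat request (type 1) for this model.

    claimed_len defaults to the true payload length; a larger value models a
    malformed message whose length field does not match the bytes sent.
    """
    if claimed_len is None:
        claimed_len = len(payload)
    return bytes([1]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING_LEN


class Process:
    """Toy process image: the received record sits directly before unrelated heap data."""

    def __init__(self, record: bytes, neighbour: bytes):
        self.heap = bytearray(record + neighbour)
        self.record_len = len(record)  # how many bytes were actually received


def respond_unchecked(proc: Process) -> bytes:
    """Flawed responder: echoes claimed_len bytes from the payload offset.

    The length field is trusted without comparing it against the record that
    was actually received, so the copy can run past the record into whatever
    happens to sit next to it in memory.
    """
    claimed_len = struct.unpack("!H", proc.heap[1:3])[0]
    return bytes(proc.heap[HEADER_LEN:HEADER_LEN + claimed_len])


def respond_checked(proc: Process) -> Optional[bytes]:
    """Hardened responder: header + claimed payload + minimum padding must fit
    inside the received record; otherwise the message is discarded (None)."""
    claimed_len = struct.unpack("!H", proc.heap[1:3])[0]
    if HEADER_LEN + claimed_len + PADDING_LEN > proc.record_len:
        return None
    return bytes(proc.heap[HEADER_LEN:HEADER_LEN + claimed_len])


def demo() -> bytes:
    """Run both responders on a well-formed and a malformed request.

    Returns the bytes the flawed responder hands back for the malformed
    request, so the over-read can be inspected.
    """
    neighbour = b"SESSION=constructed-secret-value;"  # constructed sample heap data

    honest = Process(build_heartbeat_request(b"ping"), neighbour)
    assert respond_unchecked(honest) == b"ping"
    assert respond_checked(honest) == b"ping"

    # 4 payload bytes sent, but the length field claims 40.
    malformed = Process(build_heartbeat_request(b"ping", claimed_len=40), neighbour)
    assert respond_checked(malformed) is None  # dropped, nothing echoed
    return respond_unchecked(malformed)  # 40 bytes: payload, padding, then neighbour data


if __name__ == "__main__":
    leaked = demo()
    print(len(leaked), "bytes returned by the unchecked responder:", leaked)
```

The check in `respond_checked` is also exactly what a network sensor can evaluate on a passing heartbeat record: a length field larger than the record that carries it is a malformed message worth alerting on, whereas the server-side application log will show nothing.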

How may it impact you?

If your organization uses OpenSSL, you may have lost sensitive information or your private encryption key(s). This may have widespread implications including immediate and ongoing financial, legal, regulatory and reputational consequences for you, your customers and your supply chain.

As a precautionary measure, the Canada Revenue Agency (CRA) shut down public access to many of its online services to protect the information that could have been affected.

The Office of the Superintendent of Financial Institutions (OSFI) has stepped in to make sure the country’s financial service organizations are dealing with potential associated risks.

What can you do?

Tactical

  • Engage your information security, IT and risk resources to determine the extent to which your organization and your supply chain make use of OpenSSL
  • Ensure ‘patches’ have been applied to stop the bleeding
  • Assess the potential for encryption private key(s) to be compromised and the need to change them
  • Consider industry best practices for users to regularly change their usernames and passwords
  • Refresh your incident management and continuity plan to help manage any potential impacts

Strategic

  • Bolster your cyber security capability by employing a defence-in-depth strategy with multiple layers of controls and monitoring
  • Enhance your IT function’s change management processes to ensure ‘patches’ are applied to all IT systems in a timely manner
  • Develop risk intelligence by making use of processes and information sources to provide early warning of current and future vulnerabilities
  • Review third party risk management processes and determine if additional measures are required in your supply chain to ensure that good practices are applied consistently

For a deeper conversation contact Patrick MacGloin, Director, Risk Assurance Services.