At this point, you’ve heard of the Heartbleed Bug. It has received a lot of attention, and rightfully so since it affects 17% of the world’s secure websites.
The emphasis on patching Heartbleed vulnerabilities and protecting data from this specific bug, though, detracts from the larger issue. The fact that your site is “safe” from Heartbleed doesn’t mean your data itself is safe. The same problems that make you vulnerable to this bug make you vulnerable to others. It’s important to take precautions to prepare for future vulnerabilities.
So here’s an overview of what Heartbleed is, what you need to do about it, and the steps you should take moving forward.
The Basics of Heartbleed
The Heartbleed bug is a vulnerability created by faulty code in OpenSSL software. The bug allows someone to steal information that would, without the bug, be protected by SSL/TLS encryption. Essentially, it makes what should be secure websites insecure because anyone is able to read the memory of the affected systems and access "secure" information.
Why is Heartbleed Such an Issue?
Because OpenSSL, the software in which Heartbleed lives, is open source, people implement it far more often than a product they'd have to pay for. It's one of the biggest platforms on the internet today. What everyone really needs to be aware of is that even if your site isn't affected, it doesn't mean you aren't vulnerable.
Say, for example, John goes to an affected site like Gmail and signs in using his password, CatsRule. Then he decides to check his bank account and logs into that account with the same password, and then another account. All it takes is one of those sites to be affected by Heartbleed and someone can access all of those accounts.
Since so many people use the same passwords across many different accounts and sites, even if your company's website is secure and not vulnerable to the bug, you could still be at risk.
How to Know if You're Affected and What to Do
Anyone using our services should know that we've taken steps to verify that our infrastructure is free of the bug. However, even though your systems may be safe, you could still potentially be affected. Because the OpenSSL platform is so widely used, it’s likely that you have encountered it at some point and you should check a list of popular affected sites.
If you use any one of those services, you should change your password there and anywhere else you use the same password. Ideally, you should avoid using the same password across accounts. It wouldn't hurt to have everyone using your site change their passwords just in case: there is no way to tell where a breach originated that would allow someone to gain access to an account.
You need to evaluate your infrastructure, routers, switches, appliances, and firewalls, because a lot of devices have been developed and evolved on top of the open source product line and can be exposed. If you're not regularly updating your firmware or software, then you can be exposed without knowing it. The best thing to do is ask your equipment and service providers if they've been affected.
In addition to the list of sites mentioned earlier, you can also test specific sites for Heartbleed.
The Bigger Security Problem
Even if you're safe from this bug, there are certain practices that everyone should incorporate if they’re concerned about security.
Bugs will always be found and viruses will always appear; this is neither the first time nor the last. Avoiding this particular bug does not mean your accounts are protected if you aren't taking precautions. What are you doing to take responsibility for your own security and safety in the meantime? Sure, you can scramble to make sure you're secure after a security breach is announced, but the more effective answer is to have strict security policies in place beforehand.
To increase your overall security, follow these password best practices:
- Always use strong passwords
- If you must write the password down, store it in a safe place and destroy it when you no longer need it
- Never share passwords with anyone
- Use different passwords for all user accounts
- Change passwords immediately if they've been compromised
- Be careful where you save passwords on computers
You should also define a password policy for your company:
- Enforce password history so you don't repeat used passwords
- Set minimum and maximum password ages so they expire after 30-90 days
- Set minimum password lengths of seven characters or more
- Create complexity requirements so they must be alphanumeric and not common names, dates, or phrases
- Include verification protocols
- Have a level of encryption for passwords stored in the database, rather than keeping them in plain text
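As an added example, not code from the original post, here is the company policy above turned into a checker. The 30-90 day ages and the seven-character minimum come from the list; the five-entry history depth, the small denylist of common words, and storing passwords as salted PBKDF2 hashes (the post says only "encryption") are my assumptions.

```python
import hashlib
import os
import re

# Policy values from the post: expire after 30-90 days, at least 7 characters.
MIN_AGE_DAYS, MAX_AGE_DAYS, MIN_LENGTH, HISTORY_DEPTH = 30, 90, 7, 5
# Constructed denylist standing in for "common names, dates, or phrases".
COMMON_WORDS = {"password", "catsrule", "welcome", "john", "letmein"}
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2 hash: storing a hash rather than 'encryption' is my assumption."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare it to the stored digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS) == digest


def check_complexity(password: str) -> list[str]:
    """Length, letters-plus-digits mix, and the common-word / date denylist."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must contain both letters and digits")
    if any(word in password.lower() for word in COMMON_WORDS):
        problems.append("contains a common word or name")
    if re.fullmatch(r"\d{4,8}", password) or re.search(r"(19|20)\d{2}", password):
        problems.append("looks like a date")
    return problems


def check_change(new_password: str, history: list[tuple[bytes, bytes]],
                 days_since_change: int, compromised: bool = False) -> list[str]:
    """Change rules: complexity, minimum age (waived after a compromise), history."""
    problems = check_complexity(new_password)
    if not compromised and days_since_change < MIN_AGE_DAYS:
        problems.append(f"changed less than {MIN_AGE_DAYS} days ago")
    if any(matches(new_password, salt, digest) for salt, digest in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def is_expired(days_since_change: int) -> bool:
    """Maximum age: the user must change the password once it is older than 90 days."""
    return days_since_change > MAX_AGE_DAYS
```

The `compromised` flag waives the minimum-age rule so that the "change immediately if compromised" advice above still works alongside a 30-day minimum age.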
Following these best practices will help protect you and your company from future security issues.
For additional security tips, read this blog we posted on eCommerce security.
Do you have any other questions about Heartbleed? Let us know in the comments or contact us at email@example.com.