Heartbleed Bug: CISOs Take Action
How Security Leaders in India Are Mitigating Risks
For example, Sunil Soni, CISO at Punjab National Bank, based in New Delhi, says the first step his institution took was to gather detailed information on the exploit as well as its potential impact. "The information was also shared with asset owners with guidelines and instructions for identification of the bug in their systems," he says.
A review determined that one service provider's system was using a version of OpenSSL that was vulnerable to the Heartbleed bug, and remedial action was taken to ensure the system was secured, Soni says.
Cox and Kings Group, a global luxury travel agency, discovered that several of its older intranet applications were using a vulnerable release of OpenSSL, says Dhananjay Rokde, the agency's global head of information security. "We also checked our off-the-shelf applications and our pre-packaged third-party API integrated applications for the [compromised] OpenSSL versions, but we were in the green on that front," he adds.
Rokde launched an extensive analysis to review the organization's systems. "We contacted our security vendors [for enterprise assets and endpoints] for signatures and quickly reached out to application vendors for patches," he says. "We also ensured that our perimeter appliances and intrusion prevention systems have the latest release of signatures and Web application firewalls have enabled virtual patching for the Heartbleed bug."
Meanwhile, at Prime Focus Technologies, a media technology company based in Mumbai, an analysis quickly determined that none of its systems were compromised by the Heartbleed bug, says Shrikrishna Dikshit, senior manager of information security. But vulnerability assessments and penetration testing are ongoing.
Open Letter to CISOs
Rokde drafted a letter to other CISOs and information security analysts offering his insights about the Heartbleed bug.
"I feel that this vulnerability has more roar than teeth," he writes. "Although it is a genuine exploit and the concern surrounding it is legitimate, the noise surrounding it exceeds the actual impact, threat landscape and the effort required to fix it."
But the Heartbleed bug is unique, Rokde says, because it has the capability to leave large numbers of private keys and other secrets exposed on the Internet. "Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously," he adds.
Rokde says the Heartbleed bug offers an important lesson for the security industry. "Like all other vulnerabilities, it teaches us that the smallest flaw left undetected for some time can mature into a lethal time bomb. Constant vigilance is impossible - but required. That's also the Catch 22 of my profession."
Mitigation in the U.S.
CISOs in the U.S. have also taken steps to mitigate the Heartbleed vulnerability (see: CISOs Respond to Heartbleed). For instance, Elayne Starkey, CSO for the State of Delaware, says her department responded by learning about the exploit, testing public-facing websites for the vulnerability, applying patches and replacing certificates.
Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as Web, e-mail, instant messaging and some virtual private networks (see: Heartbleed Bug: What You Need to Know).