Despite first being disclosed in April 2014, it seems that many of the top global organisations are still exposed to the Heartbleed vulnerability. In reports from threat intelligence agencies and the University of Maryland, estimates of susceptibility among the top 2000 global organisations range between 70% and 85%.
While many of these organisations are believed to have done some work to patch their systems, their efforts have evidently not been sufficient. The research speculates that hundreds of firewalled applications could remain open to Heartbleed until their certificates expire over the coming years, adding that little data exists to determine the state of remediation of those systems.
The exposure means attackers could steal passwords, session cookies, private cryptographic keys and more.
Australia is the least-repaired nation, with 84% of studied companies still exposed, according to one report. The UK came fourth at 67%, behind the US at 59%. Germany came out on top, with 58% still vulnerable.
So what do companies need to do?
First, companies should check whether they are vulnerable to Heartbleed. This can be done using a free trial of Acunetix's web application scanner. Network scans should also be carried out, as many of these organisations are likely to remain susceptible because they have failed to fully patch all areas of their servers. If these scans flag Heartbleed, the following steps need to be taken:
1. Patch the OpenSSL vulnerability
2. Generate new keys
3. Issue and install new certificates
4. Revoke old certificates
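As an added example (not code from the original post or from Acunetix), the POSIX shell script below supports steps 1 to 3 with two checks: whether an OpenSSL version string is one of the releases that shipped with the bug (1.0.1 through 1.0.1f and the 1.0.2 betas), and whether a re-issued certificate really carries a new public key rather than the old one, which a leaked key makes worthless to rotate. It assumes the `openssl` command-line tool is installed; the certificate and key paths are placeholders.

```shell
#!/bin/sh
# Added example for the remediation steps above (not Acunetix code).
# Assumes the `openssl` command-line tool; cert/key paths are placeholders.

# Step 1 check: is this OpenSSL version one of the releases that shipped
# with the Heartbleed bug (1.0.1 through 1.0.1f, and the 1.0.2 betas)?
# 1.0.1g and later are fixed; 1.0.0 and 0.9.8 never had the bug.
# Caveat: distro packages (e.g. a RHEL "1.0.1e-fips") may carry a backported
# fix without a version bump, so confirm with the package changelog or a
# scanner before concluding that a host is still exposed.
heartbleed_affected_version() {
  v=${1%%-fips*}      # drop a "-fips" suffix; the base version is what matters
  case "$v" in
    1.0.1|1.0.1[a-f]|1.0.2-beta1|1.0.2-beta2) return 0 ;;
    *) return 1 ;;
  esac
}

# Report on the openssl binary found on PATH.
check_installed_openssl() {
  v=$(openssl version | awk '{print $2}')
  if heartbleed_affected_version "$v"; then
    echo "OpenSSL $v: affected release, patch or upgrade (step 1)"
  else
    echo "OpenSSL $v: not an affected release (check distro backports)"
  fi
}

# Steps 2-3 check: the public key inside the certificate must match the NEW
# private key. Run it against the OLD key: it should print DIFFERENT. If it
# prints SAME, the certificate was re-issued for a key that may already have
# been leaked, and steps 2 and 3 must be redone.
pubkey_fingerprint_of_cert() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256
}
pubkey_fingerprint_of_key() {
  openssl pkey -in "$1" -pubout -outform DER | openssl sha256
}
cert_key_match() {
  if [ "$(pubkey_fingerprint_of_cert "$1")" = "$(pubkey_fingerprint_of_key "$2")" ]; then
    echo SAME
  else
    echo DIFFERENT
  fi
}

# Usage: sh heartbleed_checks.sh /path/to/new.crt /path/to/old.key
if [ "$#" -eq 2 ]; then
  check_installed_openssl
  echo "certificate vs key: $(cert_key_match "$1" "$2")"
fi
```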