The Smart Way To Keep Your Customers Heartbleed Free
By Jay McCall
Originally posted on Ingram Micro CloudTalk Blog.
Each year thousands of new viruses and malware are released into the wild, causing havoc ranging from adware pop-ups to devastating data breaches. Some malware becomes so infectious and infamous that it even takes on a new name — and even gets its own logo and website — such as the recent widespread cyber threat known as the “Heartbleed” bug. To date, Heartbleed has affected thousands of websites, leaving companies in fear of data theft. The widespread bug is a flaw in OpenSSL, an open-source cryptography library that’s widely used to implement the Internet’s Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. The OpenSSL encryption library is used in a myriad of email servers, PCs, and firewalls, leaving unsuspecting systems vulnerable to attack.
So, how big of a deal is the Heartbleed bug? The Electronic Frontier Foundation (EFF) and Ars Technica labeled it “catastrophic.” Forbes cybersecurity columnist Joseph Steinberg suggested that Heartbleed may be the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.
Dodi Glenn, senior director of security intelligence and research labs at ThreatTrack Security, describes how the Heartbleed bug works and why it’s such a significant threat. “Once an attacker discovers a vulnerable OpenSSL application, they can sniff out secure information, such as passwords and credit card numbers, by retrieving private keys to decrypt the server’s encrypted traffic. If a server administrator is running 1.0.1 or 1.0.2-beta of OpenSSL, they should upgrade as soon as possible. If a company has been running with one of the vulnerable versions of OpenSSL, they should assume that their certificates and keys have been compromised, and they should begin the process of replacing these keys and certificates, particularly if the server in question contained sensitive data. Also, companies running the vulnerable versions of OpenSSL should advise their customers to change their passwords.”
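The first remediation step quoted above, finding out which hosts run an affected OpenSSL release, is easy to get wrong by eye because the affected range is defined by a letter suffix. The following is an added example, not code from the original post or from Ingram Micro or ThreatTrack: it parses the output of `openssl version` from a constructed host inventory and buckets each host. The version ranges it encodes are public facts about the bug (1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g and 1.0.2-beta2 carry the fix; 0.9.8 and 1.0.0 never contained the TLS heartbeat code). The host names, the inventory format and the function names are assumptions made for the example.

```python
"""Classify OpenSSL version strings for Heartbleed exposure.

Added example; not from the original post or from Ingram Micro.
Version ranges are public facts about the bug; the inventory format
and host names below are constructed for the example.
"""
import re

# Matches output such as "OpenSSL 1.0.1e 11 Feb 2013" or a bare "1.0.1g".
_VERSION_RE = re.compile(
    r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)


def parse_version(text):
    """Return (major, minor, fix, letter, beta) or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter.lower(), int(beta) if beta else None)


def heartbleed_status(text):
    """Classify one 'openssl version' line.

    Returns one of:
      'vulnerable'  - version is inside the affected range
      'fixed'       - same or later branch, at or past the fixing release
      'unaffected'  - branch never had the TLS heartbeat code
      'unknown'     - no version string recognised (needs a manual look)
    """
    v = parse_version(text)
    if v is None:
        return "unknown"
    major, minor, fix, letter, beta = v
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are vulnerable; 1.0.1g shipped the fix.
        return "vulnerable" if letter < "g" else "fixed"
    if (major, minor, fix) == (1, 0, 2):
        if beta is None:
            return "fixed"  # the final 1.0.2 release came after the fix
        return "vulnerable" if beta < 2 else "fixed"  # 1.0.2-beta1 was affected
    if (major, minor, fix) > (1, 0, 2):
        return "fixed"
    return "unaffected"  # 0.9.8, 1.0.0 and earlier branches


def triage(report):
    """Bucket hosts from 'host: <openssl version output>' lines by status."""
    buckets = {"vulnerable": [], "fixed": [], "unaffected": [], "unknown": []}
    for line in report.strip().splitlines():
        host, _, version_text = line.partition(":")
        buckets[heartbleed_status(version_text)].append(host.strip())
    return buckets


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = """
web-01: OpenSSL 1.0.1e 11 Feb 2013
web-02: OpenSSL 1.0.1g 7 Apr 2014
mail-01: OpenSSL 1.0.2-beta1 24 Feb 2014
fw-01: OpenSSL 0.9.8y 5 Feb 2013
legacy-01: no openssl binary found
"""

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```

One caveat a practitioner should keep in mind: several Linux distributions backported the fix without bumping the version string, so a host reporting 1.0.1e may already be patched. Treat a "vulnerable" result from this check as "confirm against the package changelog or a direct test", not as a final verdict, and treat "unknown" as a host that still needs a manual look.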
“In addition to compromising user IDs and passwords, a hacker can potentially use the private keys mentioned above to ‘impersonate’ a server and have unsuspecting users log in and conduct business without realizing they are not on the real site, giving the hacker access to a wide range of personal and financial data,” says Michael Diamant, manager, technical IT services delivery, Ingram Micro. “One of the biggest challenges with stopping the Heartbleed bug is that, unlike many malware programs that cause noticeable slowdowns in computing performance or pop-up messages, this bug can go undetected for a long period of time with no signs of a data breach.”
An IM Web Application Vulnerability Assessment Stops the Heartbleed Bug
Your clients count on you, as a trusted business advisor, to protect them from threats like the Heartbleed bug. It’s with this thought in mind that Ingram Micro Professional Services developed the IM Web Application Vulnerability Assessment. With this service, Ingram Micro assumes the role of an external hacker and attempts to exploit potential weaknesses within a web application’s source code. Following the assessment, an Ingram Micro security expert and the channel partner work together to address any holes discovered during the assessment and recommend the appropriate remediation measures to protect customers against current and future web threats, thereby improving your customers’ overall web security. Partners who use this service receive an assessment report detailing any security vulnerability findings as well as a recommended resolution plan, which the partners can then review with their customers.
Ingram Micro’s engineers, service office personnel, and national traveling team are available to meet with you and your customers to discuss your professional service needs. Please call (800) 456-8000 ext. 67247, 66686 or 66492, or email firstname.lastname@example.org. Learn more at www.ingrammicro.com/professionalservices and order services at www.ingrammicrolink.com.