How to defend against the OpenSSL Heartbleed flaw

10.04.2014
CSOs need to take a number of steps as soon as possible to protect their organizations against the OpenSSL vulnerability that has shaken the tech industry, experts say.

[Vendors and administrators scramble to patch OpenSSL vulnerability]

The flaw, dubbed Heartbleed, makes it possible for an attacker to read a Web server's memory, which typically includes the private key that the protocol uses to encrypt traffic between the server and a browser.

The vulnerability, introduced into OpenSSL in 2011, affects all versions of the open-source implementation of the Secure Socket Layer (SSL) and TransportTransport Layer SecuritySecurity (TLS) protocols. OpenSSL is widely used in Web servers, such as the popular open-source Apache, and in cloud services. Alles zu Security auf CIO.de Top-Firmen der Branche Transport

"CSOs should assume that they've been compromised," W. Hord Tipton, executive director of the International Information Systems Security Certification Consortium, or (ISC)2, said.

Among the first chores facing CSOs is identifying and prioritizing affected systems within the organization, patching those deemed most critical immediately, experts said. Of course, those systems open to the public Internet carry the greatest risk.

Zur Startseite