How to defend against the OpenSSL Heartbleed flaw

10.04.2014

CSOs should also increase monitoring for account takeover, fraud and abuse of systems. "We're definitely at a heightened state (of security)," Coates said.

To mitigate damage from future protocol-related vulnerabilities, experts recommend the use of perfect forward secrecy, a property for key-agreement protocols between a browser and server. PFS prevents a compromised private key from being used to decrypt pass communications.

Besides the affected systems within the organization, CSOs also have to evaluate the risk posed by Web sites that employees access everyday as part of their jobs. The first step is to create a catalog of these sites and contact the operators to find out where they stand in patching the OpenSSL flaw.

In some cases, CSOs could find it necessary to have employees not use the affected sites until they are patched.

"For the most sensitive systems, CSOs should consider having their personnel and executives take a one- or two-day hiatus, if they know when the relevant sites will be patched, new digital certificates re-issued, and new authentication credentials put into place," said Joram Borenstein, vice president of marketing at NICE Actimize, which specializes in security for the financial industry.

Zur Startseite