Technology

Posted on April 8, 2015 by staff

Heartbleed Still a Risk for Most Large Firms


A study has found that most large UK businesses are still exposed to the Heartbleed vulnerability a year after it was disclosed.

The vulnerability (CVE-2014-0160) is a missing bounds check in the TLS heartbeat extension of OpenSSL 1.0.1 up to and including 1.0.1f, fixed in 1.0.1g. A malformed heartbeat request makes the server return up to 64KB of its process memory per request, which can include the private keys of the certificates used to secure online transactions, and the reads leave no trace in server logs, so the theft goes undetected.
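The following is an added example, not code from the article or from OpenSSL, that models the logic of OpenSSL's heartbeat handler on a bytes object standing in for process memory. The memory layout, the heartbeat record and the "private key" lying next to it are all constructed for the demonstration; the point it shows is the one missing comparison between the attacker-supplied length field and the actual record length that 1.0.1g added.

```python
"""Model of the OpenSSL heartbeat over-read (CVE-2014-0160).

Added example, not the article's or OpenSSL's code. A heartbeat record is
laid in front of unrelated data (a constructed stand-in for a PEM private
key), as it might sit on the heap, and two versions of the handler are
run over it: the pre-1.0.1g logic and the logic with the added check.
"""

HB_REQUEST = 1
PADDING = 16  # RFC 6520: heartbeat messages carry at least 16 bytes of padding

# Constructed stand-in for adjacent heap contents; not a real key.
SECRET = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA..."


def heartbeat_record(claimed_len, payload):
    """type(1) | payload_length(2) | payload | padding. The length field is attacker-controlled."""
    return bytes([HB_REQUEST]) + claimed_len.to_bytes(2, "big") + payload + b"\x00" * PADDING


def build_memory(record, neighbour):
    """Return (memory, record_offset, record_len) with the record followed by unrelated data."""
    return record + neighbour, 0, len(record)


def process_heartbeat_vulnerable(memory, record_off, record_len):
    """Pre-1.0.1g logic: trust the 16-bit length field and copy that many bytes back."""
    payload_len = int.from_bytes(memory[record_off + 1:record_off + 3], "big")
    pl = record_off + 3
    # Equivalent of memcpy(bp, pl, payload) with no comparison against record_len.
    # A Python slice stops at the end of the buffer; a C memcpy reads on into the heap.
    return memory[pl:pl + payload_len]


def process_heartbeat_fixed(memory, record_off, record_len):
    """1.0.1g logic: discard records whose declared payload does not fit inside the record."""
    if record_len < 1 + 2 + PADDING:
        return None
    payload_len = int.from_bytes(memory[record_off + 1:record_off + 3], "big")
    if 1 + 2 + payload_len + PADDING > record_len:
        return None  # silently discard, as RFC 6520 requires
    pl = record_off + 3
    return memory[pl:pl + payload_len]


def demo():
    """Send a 4-byte payload that claims to be 65535 bytes long; return (leaked, safe)."""
    record = heartbeat_record(claimed_len=0xFFFF, payload=b"ping")
    memory, off, rlen = build_memory(record, SECRET)
    return process_heartbeat_vulnerable(memory, off, rlen), process_heartbeat_fixed(memory, off, rlen)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler returned", len(leaked), "bytes; contains key material:", SECRET in leaked)
    print("fixed handler returned", safe)
```

The vulnerable handler hands back the four requested bytes followed by everything after them in the buffer, including the key material; the fixed handler returns nothing because 1 + 2 + 65535 + 16 exceeds the record length. A well-formed request (declared length equal to the real payload) passes both handlers unchanged.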

According to a report by security firm Venafi, a year after the vulnerability was discovered, 74% of Forbes Global 2000 organisations’ external servers remain vulnerable to attacks that exploit Heartbleed.

In the UK, 67% of these organisations are still vulnerable, leaving them exposed to data theft and the reputational damage and intellectual property loss that follow from it.

According to researchers at Venafi, most big companies have failed to remediate their servers and networks fully; only 23% of UK companies in the Forbes Global 2000 have completed every step of remediation.

According to the report, organisations have given up on properly replacing keys and certificates, either because they fail to grasp the risk exposure an unreplaced key creates or because they lack the knowledge to carry out complete remediation.

The report argues that companies must go beyond patching. A patch stops further memory from leaking, but it does nothing about keys that may already have been read, so the private key must be replaced, a new certificate issued for the new key, and the old certificate revoked. Re-issuing a certificate over the same key pair leaves an exposed key in service.
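One check a practitioner can run after re-issuance is to confirm that the new certificate actually carries a different public key. The following is an added example, not the article's or Venafi's code: a small standard-library DER walker pulls the SubjectPublicKeyInfo out of a certificate and compares its SHA-256 fingerprint between the old and new certificates. The two toy certificates it builds are constructed for the demonstration (their key bits are placeholder bytes, not real keys); on real servers the same comparison runs over the PEM files served before and after remediation.

```python
"""Did re-issuance replace the key? Compare SubjectPublicKeyInfo across two certificates.

Added example, not from the article or from Venafi. Standard library only:
a minimal DER reader locates the SPKI in a certificate (RFC 5280 section
4.1), and a minimal DER writer builds constructed toy certificates so the
check can be demonstrated offline.
"""
import base64
import hashlib
import re

RSA_ENCRYPTION = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # OID 1.2.840.113549.1.1.1
SHA256_WITH_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"        # OID 1.2.840.113549.1.1.11
COMMON_NAME = b"\x55\x04\x03"                                    # OID 2.5.4.3


def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))


def spki_from_cert(der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo, returned as the whole SPKI TLV."""
    _, tbs_start, _ = read_tlv(der, 0)              # outer Certificate SEQUENCE
    tag, pos, _ = read_tlv(der, tbs_start)          # tbsCertificate SEQUENCE
    assert tag == 0x30, "not a SEQUENCE"
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                              # serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    tag, _, end = read_tlv(der, pos)
    assert tag == 0x30, "SPKI is not a SEQUENCE"
    return der[pos:end]


def spki_fingerprint(pem):
    """SHA-256 over the DER SubjectPublicKeyInfo (the same value used for HPKP-style pins)."""
    return hashlib.sha256(spki_from_cert(pem_to_der(pem))).hexdigest()


def key_was_replaced(old_pem, new_pem):
    """True only if the new certificate is bound to a different public key."""
    return spki_fingerprint(old_pem) != spki_fingerprint(new_pem)


def toy_cert(serial, key_bits):
    """Constructed v3 certificate skeleton with placeholder key bits and a dummy signature."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))
    sig_alg = tlv(0x30, tlv(0x06, SHA256_WITH_RSA))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, COMMON_NAME) + tlv(0x0C, b"example.test"))))
    validity = tlv(0x30, tlv(0x17, b"140408000000Z") + tlv(0x17, b"150408000000Z"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_ENCRYPTION) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + key_bits))
    tbs = tlv(0x30, version + tlv(0x02, serial.to_bytes(1, "big")) + sig_alg + name + validity + name + spki)
    der = tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 9))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    old = toy_cert(1, b"\x01" * 32)
    same_key = toy_cert(2, b"\x01" * 32)   # re-issued: new serial, same key pair
    new_key = toy_cert(3, b"\x02" * 32)    # re-keyed: new key pair
    print("re-issue replaced key:", key_was_replaced(old, same_key))
    print("re-key replaced key:  ", key_was_replaced(old, new_key))
```

A re-issued certificate with a fresh serial and validity period but the same key pair produces an identical SPKI fingerprint, which is the incomplete remediation the report describes; only the re-keyed certificate changes the fingerprint. The walker assumes the ordinary field order of RFC 5280 and does not validate signatures, so for production use run the comparison over the output of a real X.509 parser, and check separately that the old certificate appears in the CA's CRL or OCSP responses.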

Jeff Hudson, chief executive of Venafi, said: “A major alarm needs to be sounded for this huge percentage of the world’s largest and most valuable businesses which are still exposed to attacks like those executed against Community Health Systems.”

Heartbleed was first linked to a cyber attack of that size in August 2014, when a breach at the US hospital group Community Health Systems exposed the names, social security numbers and addresses of 4.5 million patients.

Every company polled for the Venafi-commissioned report said it had been the target of at least one attack on its cryptographic keys and digital certificates in the past two years.