Report from Venafi reveals three-quarters have yet to fix the problem.
The lives of cybersecurity professionals are dominated by minor bugs, patches and viruses, quietly dispatched without much fuss. Yet every so often a flaw emerges so potent that it captures the attention of even the technophobic.
The Heartbleed OpenSSL bug, one-year-old this month, is just such a flaw. When it came to light in April 2014 it shook the web to its core, forcing even goliaths like Facebook, Google and Wikipedia to issue patches and advise their users to change their passwords.
Researchers at the time found that the two-year-old bug allowed hackers to request more information from a server than they should be allowed, potentially leaking sensitive data and exposing victims to further attacks.
Since then cybersecurity has had to endure other bugs such as Shellshock and Poodle which have encouraged similar doom-laden headlines. But Heartbleed remains the standard by which other bugs are compared – and a year on it is still a problem. Have we learnt nothing?
"Most people thought [Heartbleed] was just a patch event," says Kevin Bocek, VP of security strategy and threat intelligence at the security vendor Venafi. Figures from his firm show that three-quarters of the Forbes Global 2,000 companies with public-facing systems are still vulnerable to the bug even today.
Whilst many people applied the patch at their companies, many did not go through the necessary replacement of SSL certificates and private keys. This was necessary because the previous ones could not be trusted, thus undermining the core purpose of the technology.
Such laxity has led to real world problems, most notably with the attack on US health provider Community Health Systems in which the data of 4.5 million patients was stolen. Among the information taken were names, addresses and social security numbers – raising the potential risk of identity fraud.
"The way organisations have gone about fighting it has been incomplete," Bocek says."I think organisations are good at patching. Understanding complex factors and responding we’re not as good at, and we’re not as good at talking about it."
Whilst companies in general have been bad at fixing Heartbleed, they have not been equally bad, according. Data from his Venafi’s survey revealed that countries such as the UK, US and Germany were far better at remediating Heartbleed than Australia and France.
The security VP puts this down to different industries having different perceptions of the threat, and different countries’ economies being based on different industries. For example the UK, in which financial industry looms large, has a different outlook than the likes of Australia, whose economy is more focused on natural resources.
The assumption is that if you do not work in a data heavy industry such as finance or retail you are safe. But Bocek argues that such a view is complacent, and many of his peers would agree with him.
Though mining may not seem a big target, hackers are becoming interested in doing more than stealing data. A recent report from the Organization of American States, an industrial trade body covering the Americas, showed than half of the group’s members were facing destructive attacks on data and equipment.
"I don’t believe anyone in cybersecurity is complacent, but I do think it’s a challenge when you’re having to deal with the days incidents and having to deal with the long-term threats," Bocek says. He adds that the difference between those that cope and those that cannot is organisation.
As for overall lessons from Heartbleed? "I think in the near-term we have got to get our act together," Bocek says. "But long-term we have to get away from the ‘one-step and we’re done’ mentality."