84% of Aussie firms still vulnerable to Heartbleed

By Dylan Bushell-Embling
Wednesday, 08 April, 2015

Australian organisations are lagging behind the rest of the world in addressing the Heartbleed security vulnerability, one year after its discovery, security company Venafi has said.

Around 84% of the Australian companies in the Global 2000 list with public-facing systems using OpenSSL have not fully protected themselves against Heartbleed-related attacks, according to new research from the company.

This means that Australian companies are “by far the most behind” in patching the flaw. Globally, 74% of organisations remained vulnerable, which represents only a two percentage point improvement from 2014.

Likewise, 85% of Global 2000 public-facing servers remain vulnerable a year after Heartbleed’s public disclosure.

“Even though that’s a 16% improvement over 2014, it is still very poor performance, leaving the door open to cybercriminals,” Venafi Director of Product Marketing and Threat Intelligence Gavin Hill said in a blog post.

Surprisingly, much of the remediation that did take place was a side effect of routine certificate expiry and renewal rather than deliberate action to address the vulnerability, Hill said.

“Although it is a good practice to keep short key and certificate rotation cycles, organisations should be replacing all keys and certificates... To fully contain and remediate Heartbleed, SSL keys and certificates needed to be replaced.”

According to Hill, probable reasons why so many organisations are still susceptible to Heartbleed include companies giving up on trying to fully remediate such a large vulnerability, as well as not understanding the gravity of the threat or its potential impact.

To fully remediate Heartbleed, organisations need to patch the OpenSSL vulnerability, generate new keys, issue and install new certificates and revoke old certificates.
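As an added example (not part of the article or of Venafi's research), the POSIX shell check below applies the last three steps above to a pair of certificates: it confirms that the certificate now being served was issued after the public disclosure date and that its public key differs from the pre-Heartbleed one, because a certificate reissued on the old key leaves the exposure in place. It assumes the openssl CLI is available; the certificates it inspects are constructed locally.

```shell
#!/bin/sh
# Heartbleed remediation check (added example). Disclosure date is the well-known
# public disclosure of the bug, 7 April 2014; certificates issued on or before it
# cannot have been generated on a patched system.
HEARTBLEED_DISCLOSED=20140407

cert_not_before() {
  # Print a PEM certificate's notBefore as YYYYMMDD ("Apr  7 00:00:00 2014 GMT" -> 20140407).
  openssl x509 -in "$1" -noout -startdate | awk -F= '{
    split($2, f, " ")
    m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[1]) - 1) / 3 + 1
    printf "%04d%02d%02d\n", f[4], m, f[2] }'
}

issued_after_disclosure() {
  # $1 is YYYYMMDD; true only when strictly after the disclosure date.
  [ "$1" -gt "$HEARTBLEED_DISCLOSED" ]
}

pubkey_fingerprint() {
  # SHA-256 over the DER-encoded SubjectPublicKeyInfo, so any reuse of the key shows up
  # regardless of serial number, validity period or issuing CA.
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

same_public_key() {
  [ "$(pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

check_remediation() {
  # $1 = certificate captured before Heartbleed, $2 = certificate served now.
  # Returns 0 only when the served certificate postdates disclosure AND carries a new key.
  nb=$(cert_not_before "$2")
  if ! issued_after_disclosure "$nb"; then echo "NOT REMEDIATED: certificate issued $nb, before disclosure"; return 1; fi
  if same_public_key "$1" "$2"; then echo "NOT REMEDIATED: certificate reissued but public key unchanged"; return 1; fi
  echo "remediated: new key, certificate issued $nb"
}

# Constructed sample material: one key with two certificates (a renewal on the same key)
# and a separate certificate on a freshly generated key.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/old.key" -out "$WORK/old.crt" -subj /CN=example.test -days 30 2>/dev/null
openssl req -x509 -new -key "$WORK/old.key" -out "$WORK/reissued.crt" -subj /CN=example.test -days 30 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/new.key" -out "$WORK/rotated.crt" -subj /CN=example.test -days 30 2>/dev/null

check_remediation "$WORK/old.crt" "$WORK/reissued.crt" || true   # renewal only: still exposed
check_remediation "$WORK/old.crt" "$WORK/rotated.crt"            # new key: remediated
```

Against a live server, the "now" certificate would come from `openssl s_client -connect host:443 -showcerts`, and a passing result still needs the old certificate to have been revoked.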

The Heartbleed vulnerability was discovered in April last year in OpenSSL, the widely used library that provides web encryption. It involves exploiting a bug in the library to read information that the encryption is meant to protect.
