Our 5 Recommendations for Stopping Heartbleed On Your Systems

By now you have read plenty of stories on Heartbleed and the impact it can have on your data security; we don’t need to reiterate that here. (If you do need a refresher, please read the overview from Brian Chen at the New York Times.) Our security architects recommend the following steps so you can confirm, rather than assume, that Heartbleed no longer affects your systems.



1. Know what you are up against – Cross-reference your system inventory against an up-to-date and reliable source such as the CERT vulnerability note. Not every OpenSSL build is affected: the bug (CVE-2014-0160) is in OpenSSL 1.0.1 through 1.0.1f and the 1.0.2 beta; 1.0.1g and later, and the 1.0.0 and 0.9.8 branches, are not. Two things make a pure version-string comparison unreliable: many distributions backport the fix without changing the upstream version letter, and appliances, VPN concentrators and load balancers often embed OpenSSL without advertising it. Treat version strings as a starting point and confirm with the vendor's advisory or a scan.

2. Address the perimeter first – Focus your initial effort on Internet-facing and DMZ devices, since those can be probed by anyone and are where exploitation is most likely. This is the quickest way to reduce your exposure; internal systems still need the same treatment afterwards, because anyone who already has a foothold inside the network can use the bug just as easily.

3. Establish a baseline understanding – Any system that was exposed must be examined. Keep in mind that Heartbleed is a read-only memory leak: a successful probe leaves nothing in the server's logs by default, so the absence of log entries does not prove a system was never attacked. Instead, look for changes that you did not perform yourself or authorize (new accounts, altered configurations, unexpected listeners or outbound connections). Does anything look amiss? Now is also a good opportunity to perform a sanity check or “true-up.” You want to ensure all perimeter-facing IP addresses are secure and meeting requirements and standards, and that your inventory actually lists every TLS-speaking service on them.

You can use these free online tools for a quick check of a public hostname (they test only the endpoint and port you give them, usually 443):
a. http://tif.mcafee.com/heartbleedtest
b. http://rehmann.co/projects/heartbeat/
c. https://reverseheartbleed.com/ (tests clients, i.e. software that makes outbound TLS connections, rather than servers)

To take a more in-depth look, run a vulnerability scan against every TLS-speaking port (mail with STARTTLS, IMAPS, LDAPS, VPN and management interfaces), not just 443, with tools like:
d. Nmap - http://nmap.org/nsedoc/scripts/ssl-heartbleed.html (our favorite)
e. Nessus - http://www.tenable.com/heart-bleed
f. Qualys - https://community.qualys.com/docs/DOC-4739

4. Upgrade and Patch – Upgrade to OpenSSL 1.0.1g or later, or to your vendor's patched package, and update appliances to the code level the vendor names as resolving the vulnerability. If a vendor fix is not yet available, rebuilding OpenSSL with -DOPENSSL_NO_HEARTBEATS disables the heartbeat extension as a stopgap. Patching the library on disk is not enough on its own: every service that loaded the old library (web servers, mail servers, VPN daemons, anything linked against libssl) keeps the vulnerable copy in memory until it is restarted, so restart those services or reboot, and remember that statically linked binaries carry their own copy of OpenSSL and need their own update. It is important to have a contingency plan because upgrading firmware and code levels on some appliances can be tricky, especially if you are moving ahead several versions. Be sure to review release notes, back up existing configs, and have a copy of your current running code versions available in case you need to roll back. Run a scan once you have completed the upgrades, patches and restarts to make sure they worked as intended.

5. Rotate and Reset – Do this only after a system is patched and its services restarted; new secrets installed on a still-vulnerable host can leak the same way. Rotate certificates properly: generate a new private key, request a certificate for that new key, install it, and revoke the old certificate. Reissuing a certificate on the same key accomplishes nothing, because it is the private key that may have been read out of memory. Then reset passwords on all affected devices and invalidate anything else that may have been sitting in server memory, such as session cookies, API keys and other tokens, and tell users to change their passwords only once the fix is in place.
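The following is an added example, not code from the original post, that turns steps 1 and 4 into something you can run over collected data. It assumes you have gathered, per host, the output of `openssl version` (or the package version string) and, for each long-running TLS service, the contents of /proc/<pid>/maps. The function names (classify, stale_crypto_libs, triage) and all sample data are hypothetical and constructed here.

```python
"""Heartbleed (CVE-2014-0160) triage helpers.

Added example, not code from the original post. Assumes you have already
collected, per host, the `openssl version` (or package version) string and,
for each long-running TLS service, the contents of /proc/<pid>/maps.
All sample data below is constructed.
"""
import re

# Upstream OpenSSL releases that shipped the vulnerable heartbeat code:
# 1.0.1 through 1.0.1f and 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 fixed it;
# the 1.0.0 and 0.9.8 branches never had the bug.
VULNERABLE_UPSTREAM = {"1.0.1"} | {"1.0.1" + c for c in "abcdef"} | {"1.0.2-beta1"}

# Matches "OpenSSL 1.0.1f 6 Jan 2014", "1.0.1e-2+deb7u7", "1.0.1-4ubuntu5.12",
# "1.0.2-beta1". A distro revision (after -, + or ~) is captured separately
# because distros backport fixes without bumping the upstream letter.
_VERSION_RE = re.compile(
    r"^(?:OpenSSL\s+)?(?P<base>\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?)(?P<rev>[-+~][\w.+~]*)?",
    re.IGNORECASE,
)


def classify(version_string):
    """Return 'vulnerable', 'not_vulnerable', 'verify' (vulnerable upstream
    base but a distro-revised package: check the vendor advisory or scan it)
    or 'unknown' for a version string."""
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        return "unknown"
    base = m.group("base").lower()
    if base not in VULNERABLE_UPSTREAM:
        return "not_vulnerable"
    if m.group("rev"):
        return "verify"
    return "vulnerable"


def stale_crypto_libs(maps_text):
    """Return the libssl/libcrypto paths a process still has mapped from an
    inode that was replaced on disk. The kernel appends '(deleted)' to such
    entries, which is what a patched-but-not-restarted daemon looks like.
    Statically linked binaries show no libssl at all and need their own
    vendor update, so an empty result does not by itself mean 'safe'."""
    stale = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:  # anonymous mapping, no path
            continue
        path = parts[5]
        if not path.endswith(" (deleted)"):
            continue
        name = path.rsplit("/", 1)[-1]
        if name.startswith(("libssl.so", "libcrypto.so")):
            stale.add(path[: -len(" (deleted)")])
    return stale


# Constructed sample: a host patched on disk whose nginx was never restarted.
SAMPLE_MAPS = """\
00400000-004c4000 r-xp 00000000 08:01 393241 /usr/sbin/nginx
7f3a1c000000-7f3a1c1c0000 r-xp 00000000 08:01 1048637 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c3c0000-7f3a1c5a0000 r-xp 00000000 08:01 1048641 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1c7a0000-7f3a1c7c2000 r-xp 00000000 08:01 1048602 /lib/x86_64-linux-gnu/libc-2.13.so
7ffd8c1e0000-7ffd8c201000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed sample inventory: host -> (version string, maps text or None).
SAMPLE_INVENTORY = {
    "web1": ("1.0.1g", SAMPLE_MAPS),
    "web2": ("OpenSSL 1.0.1f 6 Jan 2014", None),
    "mail1": ("1.0.1e-2+deb7u7", None),
    "vpn1": ("0.9.8y", None),
}

ACTIONS = {
    "vulnerable": "patch now",
    "verify": "check vendor advisory or scan",
    "unknown": "unparseable version, scan",
    "not_vulnerable": "not affected",
}


def triage(inventory):
    """Return {host: action} for an inventory shaped like SAMPLE_INVENTORY.
    A stale library mapping wins over the version check: the disk copy may
    be fixed while the running process still serves with the old code."""
    actions = {}
    for host, (version, maps_text) in inventory.items():
        if maps_text and stale_crypto_libs(maps_text):
            actions[host] = "restart: running processes still map the replaced libssl/libcrypto"
            continue
        actions[host] = ACTIONS[classify(version)]
    return actions


if __name__ == "__main__":
    for host, action in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {action}")
```

The "(deleted)" check is the same signal you get from `lsof` entries marked DEL for libssl after an upgrade; feeding it real /proc/<pid>/maps output for each TLS daemon tells you which services still need a restart before the post-patch scan will pass.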
