Heartbleed Bug: CISOs Take Action

How Security Leaders in India Are Mitigating Risks
Heartbleed Bug: CISOs Take Action
Dhananjay Rokde

CISOs in all sectors in India are taking steps to mitigate the risks posed by the Heartbleed bug, which exposes a vulnerability in OpenSSL.

See Also: 10 Incredible Ways You Can Be Hacked Through Email & How To Stop The Bad Guys

For example, Sunil Soni, CISO at Punjab National Bank, based in New Delhi, says the first step his institution took was to gather detailed information on the exploit as well as its potential impact. "The information was also shared with asset owners with guidelines and instructions for identification of the bug in their systems," he says.

A review determined that one service provider's system was using a version of OpenSSL that was vulnerable to the Heartbleed bug, and remedial action was taken to ensure the system was secured, Soni says.

Vulnerabilities Discovered

Cox and Kings Group, a global luxury travel agency, discovered that several of its organization's older intranet applications were using a vulnerable release of OpenSSL, says Dhananjay Rokde, the agency's global head of information security. "We also checked our off-the-shelf applications and our pre-packaged third-party API integrated applications for the [compromised] OpenSSL versions, but we were in the green on that front," he adds.

Rokde launched an extensive analysis to review the organization's systems. "We contacted our security vendors [for enterprise assets and endpoints] for signatures and quickly reached out to application vendors for patches," he says. "We also ensured that our perimeter appliances and intrusion prevention systems have the latest release of signatures and Web application firewalls have enabled virtual patching for the Heartbleed bug."

Meanwhile, at Prime Focus Technologies, a media technology company based in Mumbai, an analysis quickly determined none of its organization's systems were compromised by the Heartbleed bug, says Shrikrishna Dikshit, senior manager of information security. But vulnerability assessments and penetration testing are ongoing.

Open Letter to CISOs

Rokde drafted a letter to other CISOs and information security analysts offering his insights about the Heartbleed bug.

"I feel that this vulnerability has more roar than teeth," he writes. "Although it is a genuine exploit and the concern surrounding it is legitimate, the noise surrounding it exceeds the actual impact, threat landscape and the effort required to fix it."

But the Heartbleed bug is unique, Rokde says, because it has the capability to leave large amounts of private keys and other secrets exposed on the Internet. "Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously," he adds.

Rokde says the Heartbleed bug offers an important lesson for the security industry. "Like all other vulnerabilities, it teaches us that the smallest flaw left undetected for some time can mature into a lethal time bomb. Constant vigilance is impossible - but required. That's also the Catch 22 of my profession."

Mitigation in the U.S.

CISOs in the U.S. have also taken steps to mitigate the Heartbleed vulnerability (see: CISOs Respond to Heartbleed). For instance, Elayne Starkey, CSO for the State of Delaware, says her department responded by learning about the exploit, testing public-facing websites for vulnerabilities and applying patches and replacing certificates.

Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as Web, e-mail, instant messaging and some virtual private networks (see: Heartbleed Bug: What You Need to Know).


About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.