Memo to credit unions that thought they were safe from the Heartbleed vulnerability because they don't use OpenSSL: Think again, say experts.
Ron Martin, Jr., network telecom and security manager at Virginia Credit Union in North Chesterfield, Va., said CUs need to look at "all the angles."
"It goes past your website that is served out to the public," Martin said, adding, "The Target breach came through a vendor connection, so don't put anyone on a pedestal."
And though most credit unions have checked their websites to make sure they're not using a type of server security software that's vulnerable to hackers, Heartbleed could be lurking in other parts of credit unions' IT infrastructures.
Network devices, servers that do not serve websites, mobile apps and mobile devices all could be vulnerable. Cisco and Juniper, for instance, have both acknowledged that some of their network equipment uses the versions of OpenSSL in question.
"Everyone is thinking of Heartbleed in the context of websites," said Chris Novak, global managing principal of the risk team at Verizon. "While that is probably the most obvious place, it's also the place most people are remediating. You've got firewalls, routers, switches, and VPN endpoints that a lot of organizations are forgetting about."
Martin advises credit unions to start with their Internet-facing servers, then check systems that interface with third-party vendors.
Then take a look at internal systems by scanning them specifically for the Heartbleed vulnerability. If the CU does not have a vulnerability scanner in house, Martin recommends hiring a security company to perform the scan. "There are tools that are widely used for scanning the environment for vulnerabilities, and those should have a plug-in that specifically checks for Heartbleed."
Next on the list, according to Martin, is any site visited for business, such as cloud services. As a medium-sized credit union with $2.5 billion in assets, Virginia CU monitors what its people are connecting to. Martin said the sites that require a login are the ones that need to be looked at most closely. If there is no login, any information gained is public anyway.
"The danger level from Heartbleed varies widely — for some it is no big deal, for others it is a very big problem," Martin added.
Ed Welsh, director of information security at $1.8 billion CommunityAmerica CU, Lenexa, Kansas, said after credit unions protect publicly exposed systems first, as those have the highest risk of compromise, they "should not be shy" about asking their service providers about exposure to the bug and remediation activities.
"These services can range from employee benefits processors to secure web hosting providers," Welsh said. "It is critical that important services be confirmed as protected."
According to Welsh, ongoing diligence through a solid security program is the best medicine for vulnerabilities such as Heartbleed. While it is a high impact bug, Welsh said CUs cannot overreact and must maintain a risk-to-business balance.
"Measure the risk and react accordingly," he advised. "CommunityAmerica did not find any publicly exposed instances of the bug in our external environment and our third-party providers have confirmed that we are not exposed through their systems. After clearing those high-risk areas, we turned to our internal systems and through previously established security processes were able to implement regular checks with periodic system scans. That way any new instances will get caught and corrected."
Heartbleed is touching many areas, mainly due to the open nature of OpenSSL, Welsh explained. He said external offers of remediation will be plentiful, but he advised CUs to look to their established programs and treat this as any other high-risk event.
"The package has been repaired, but it still has to be identified and installed, and with embedded systems that might be difficult," he noted. "If someone has a home Wi-Fi router, their vendor would have to give them an update."
David Glod, VP of information security for $3.8 billion Mountain America CU, West Jordan, Utah, told Credit Union Journal his institution discovered websites being hosted outside its servers were vulnerable to Heartbleed. Also, some utilities such as telephone systems do automatic software updates, and those use OpenSSL. Fortunately, the risk of data theft there is low, he said.
"Another issue is Android is vulnerable, so we have to decide how to treat members that use Android," Glod said. "If a vendor is vulnerable, I am working with our departments that are connected with those vendors. They need to take three steps: one, make sure the vendor has patched. Two, reissue our certificate. Three, change passwords. Passwords have to be changed after the vendors have updated."
Glod noted the vulnerability has been out in the wild for two years. He said one company looked through its logs for the affected time period and did not see any evidence of exploitation, but others have shown vulnerability by hijacking secure sessions through tokens.
"Heartbleed is going to be out there for a while," said Glod. "In my opinion, there still will be people who have not upgraded two years from now, and hackers will be exploiting them. Right now, responsible companies are upgrading, or are waiting for vendors to make patches. Firewalls may take a while to fix. There will be a lot of work, finding the problems and then patch and then change passwords. There are a lot of steps that have to be done in succession."
Virginia CU's Martin said simply because a website where credit unions conduct business shows as "clean" now, that does not mean it was not vulnerable a couple weeks ago. He said CUs need to look for a recently reissued SSL certificate, as that may be a sign they need to go back and change passwords for that site.
"Even for sites that show up as not vulnerable, it still is a good idea to change passwords," he said.
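The certificate check Martin describes, as an added example that is not part of the original article: it takes the dictionary shape Python's ssl.SSLSocket.getpeercert() returns, reads the certificate's notBefore date, and flags any certificate issued on or after the Heartbleed public disclosure date of 7 April 2014 (a date not stated on the page) as a cue to rotate the passwords used on that site. The host names and certificate dates below are constructed samples.

```python
"""Flag TLS certificates issued on or after the Heartbleed disclosure date.

A reissued certificate is a hint, not proof, that the site operator replaced
keys after the bug and that credentials used on that site should be changed.
"""
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure date of Heartbleed (assumption; not taken from the article).
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def issued_after_disclosure(cert: dict, disclosure: datetime = HEARTBLEED_DISCLOSURE) -> bool:
    """Return True when the certificate's notBefore is on or after the disclosure date.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(); its 'notBefore'
    field looks like 'Apr 10 00:00:00 2014 GMT', which ssl.cert_time_to_seconds
    converts to a UTC epoch timestamp.
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    return not_before >= disclosure.timestamp()


def classify(cert: dict) -> str:
    """Map a certificate to the follow-up action the article recommends."""
    if issued_after_disclosure(cert):
        return "reissued-after-disclosure: change the passwords used on this site"
    return "issued-before-disclosure: ask the operator whether it was ever vulnerable"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate of a live host (needs network access; not used in tests)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates standing in for getpeercert() output (not real sites).
SAMPLE_CERTS = {
    "vendor-a.example": {"notBefore": "Mar 01 00:00:00 2014 GMT", "notAfter": "Mar 01 00:00:00 2016 GMT"},
    "vendor-b.example": {"notBefore": "Apr 10 12:30:00 2014 GMT", "notAfter": "Apr 10 12:30:00 2016 GMT"},
}

if __name__ == "__main__":
    for host, cert in SAMPLE_CERTS.items():
        print(f"{host}: {classify(cert)}")
```

A certificate dated after the disclosure may also be an ordinary renewal, so the result is a prompt to ask the vendor, not a finding on its own.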
Another Side: 'Reverse Heartbleed'
A related issue is "Reverse Heartbleed." Martin said a hacker can create a vulnerable website with the sole purpose of directing people to it so the device connecting to the vulnerable website is hacked. A common method for directing people to malicious sites is to create a phishing campaign.
He said one version of Android's operating system, commonly known as "Jelly Bean," has been identified as vulnerable to Reverse Heartbleed, affecting some 50 million phones.
"It is up to the vendors how quickly they get out and patch," said Martin. "Credit unions need to have a good patching program in place, and reach out to vendors. Ask for a statement on where the vendor stands as far as due diligence, what has been identified and what has been done."
Other recommendations from Martin: Read trusted technical publications for new information, and put the CU's fraud department on high alert.