When the Heartbleed bug first came to light, security expert Bruce Schneier accurately asserted, “On a scale of 1 to 10, this is an 11.” For years, it was thought that the OpenSSL encryption denoted by the “s” in HTTPS was keeping sensitive information safe from prying eyes and the malicious intents of cyber criminals. Heartbleed blew that false sense of security out the door, and quickly.
The implications for consumers and enterprises alike were frightening at best and potentially catastrophic at worst. Fingers were pointed, security tokens and certificates were revoked and renewed, and once again, experts wasted no time analyzing how such a wide-scale vulnerability was possible to begin with and escaped detection for so long.
However, if there is an overarching lesson to be taken away from this security nightmare, it's this: There is no one technology that can be relied upon to comprehensively protect sensitive data, corporate networks or private communications.
Why was OpenSSL so popular?
Secure sockets layer (SSL) and transport layer security (TLS) are widely used protocols that secure a wide range of communications across the Internet, from instant messaging to remote access, and Heartbleed is a vulnerability specific to an open source implementation of these protocols aptly called OpenSSL. The bug gets its name from the nature of its attack, which involves piggybacking on an OpenSSL feature known as heartbeat that enables the client and server to check each other's availability. By exploiting this susceptibility, cyber criminals can potentially compromise users' cryptographic SSL keys, making what should be encrypted communications appear in plain text. But the obvious question here is – why is OpenSSL such a popular form of encryption to begin with?
Because it's open source, enterprises do not need to focus as many resources on the development and maintenance of SSL encryption. Consequently, there's very little overhead associated with an OpenSSL implementation – an enticing feature for budget-constrained IT departments. Further, up to this point, it was widely regarded as a quality product that delivered good security. It even had its own certifications from the government.
But as Target learned the hard way this past holiday season, the bigger you are, the bigger target you become. And that can be dangerous.
The Implications
According to Dark Reading's Mathew J. Schwartz, researchers at Mandiant revealed that they spotted a successful VPN-targeting attack that began on April 8th, just one day after OpenSSL issued a public security advisory.
“The attacker repeatedly sent malformed heartbeat requests to the HTTPS Web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” said Mandiant technical director Christopher Glyer.
Using an active session token, the attacker was able to successfully convince the VPN concentrator that they were legitimately authenticated. And, once the attackers had infiltrated the network, they attempted to escalate their privileges within the victim's organization.
It's evident from the ongoing aftermath of Heartbleed that relying on a single security technology, be it OpenSSL or another, is not an efficient mobile security plan.
Why one size does not fit all
It used to be that enterprises would fall victim to vendor lock-in, and had no choice but to use certain security components provided by that vendor. For example, the common way to provide a VPN solution is to use a firewall as a VPN gateway. The problem in this instance is that it's the same appliance, which means if the appliance has a security issue, both the firewall and the VPN will be affected. However, if enterprises are using a different vendor for the VPN and firewall, that inherently adds another layer of security because remote access to the corporate network must be authorized by two components rather than one.
An enterprise's employees are connecting to the corporate network from a wide range of devices, locations and connection mediums, and complementary technologies can play a role here, too, to keep networks secure. Some organizations are leveraging a hybrid VPN which enables either SSL or IPsec connections to networks, depending on the situation. For example, many hotel Wi-Fi networks can be finicky when users attempt to establish an IPsec connection. Recognizing this, a hybrid VPN can utilize SSL to connect. With the two protocols working together, employees are able to connect from anywhere via a secure network connection. And as another example of defense in depth, forward-looking VPN vendors are taking remote access security a step further by creating solutions that combine the two methods to provide a second layer of encryption for all network communications.
Even so, a hybrid VPN is not a standalone security solution. A defense in depth framework will also include important network and security components such as robust anti-malware and anti-virus solutions, a firewall and intrusion prevention systems (IPS). Combining best-of-breed security solutions from a variety of vendors adds multiple layers of network defense.
Could such a framework have mitigated the threat of Heartbleed? Perhaps. What we do know beyond a reasonable doubt is that using a defense in depth strategy makes it substantially more difficult for cyber criminals to obtain sensitive information, which will keep users and data protected, no matter the threat.