The Heartbleed vulnerability is causing heartburn for IT and security teams as they struggle to patch systems, identify what was vulnerable, and harden their systems against active attack.
The Heartbleed vulnerability shows the need for organizations to have a robust security strategy for rapid reaction to vulnerabilities and threats.
In this webcast we discussed:
- The Heartbleed vulnerability in detail, how it occurred with examples of how it can be used against your organization
- How you can identify your business exposure and what systems are vulnerable
- How Tripwire’s solutions work together to help you close the detection, remediation and prevention gaps around Heartbleed
The recording of the webcast that accompanies this slide deck is available here:
http://www.tripwire.com/register/heartbleed-outpatient-care-steps-for-secure-recovery/
24-27. Where is OpenSSL on Your Network?
Perimeter Networks
• Web Servers
• Email Servers
• FTP Servers
Datacenter
• Databases
• Application Servers
Internal Network
• Operating Systems
• VPN Clients
Critical Security Control 1&2: Inventory of Authorized and Unauthorized Hardware and Software
Hello, my name is Ken Westin and today I will be presenting with my colleagues Ed Smith and Katherine Brocklehurst on a topic of rather historical proportions to the security and IT industry: the Heartbleed OpenSSL vulnerability.
Here is our agenda for today. Just so you know we have calibrated our talk to cover the spectrum of audience attending today, we have existing Tripwire customers familiar with vulnerabilities and security, as well as business leaders, consumers and other non-technical folks who are not familiar with Heartbleed.
To start, I think it would be good to explain what Heartbleed is. Heartbleed is a vulnerability that affects OpenSSL, a popular free open source software package used to secure online communications. Roughly two thirds of websites on the Internet have been affected, as well as other devices and technologies including OpenVPN. There are currently a number of active exploits targeting this vulnerability proliferating and freely available online. Given the nature of this vulnerability, your network may already be compromised without you knowing about it.
To help explain the Heartbleed vulnerability I would like to use a great comic from XKCD.com which illustrates it very well. When an SSL connection is made, a check-in by the client is initiated with a server to see if it is still listening; this is referred to as a heartbeat.
The bug in OpenSSL occurs in a particular condition where the server is tricked into sending more information back than just the heartbeat, revealing a block of data in the server’s memory. A hacker can easily deploy an exploit that continually downloads streams of data from the vulnerable system. The data can include not only sensitive user information such as usernames, passwords, social security and credit card numbers, but also private server keys and credentials, leading to further compromise of the system and your network.
Usually when we deal with a system compromise it follows a more sophisticated path, in what Lockheed Martin has termed the Cyber Kill Chain. An attacker first conducts reconnaissance of their target, gathering information about the organization and network, before they actually begin exploitation, command and control and exfiltration of sensitive data.
Here is a screenshot showing the results of a common Heartbleed exploit that I have initiated against a sandbox system I have set up for testing. The data in the far right column shows data that is read out of memory; this information can include sensitive information, essentially anything on the server itself. At this point we could assume that anything on this server could be compromised, particularly if private server keys or login credentials are exposed.
With Heartbleed, the process of requiring an attacker to follow a complex sequence of steps, from exploitation to avoiding detection and exfiltration, becomes unnecessary. In fact many of the reconnaissance tools used to test for the vulnerability are the exploit itself, using compromised data returned as an indicator of vulnerability. To make matters worse, as the data extracted is in memory, there is no evidence left behind, no logs, no indicators that information has been exfiltrated. What makes this even more dangerous is the simplicity of executing the exploit and how widespread it now is; anyone with a limited amount of technical skill can find and utilize these exploits.
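The missing length check behind the behaviour described above, as an added illustration in Python (not code from the webcast or from OpenSSL itself): the heartbeat record follows the RFC 6520 layout, and the "process memory" is a constructed byte string so the over-read and the patched check are both visible without touching real memory.

```python
"""Simulated TLS heartbeat handling (RFC 6520 layout: 1-byte type, 2-byte
payload length, payload, 16 bytes of padding). Added illustration; the
'memory' below is a constructed byte string, not real process memory."""
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE, PADDING_LEN = 1, 2, 16


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat record; claimed_len lets a record lie about its size."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def respond_unchecked(memory: bytes, record_len: int) -> bytes:
    """Pre-patch behaviour: trusts the peer's length field and copies that many
    bytes from where the record sits, never comparing it with record_len, so a
    claimed length larger than the record reads on into neighbouring memory."""
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return b""
    payload = memory[3:3 + payload_len]          # over-reads past the record
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload


def respond_checked(memory: bytes, record_len: int) -> Optional[bytes]:
    """Patched behaviour: silently discard the record if header + claimed
    payload + padding would not fit inside the record actually received."""
    if record_len < 1 + 2 + PADDING_LEN:         # cannot even hold a header
        return None
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None                              # the fix: claimed length must fit
    payload = memory[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload


# Constructed neighbouring memory: what a server might hold right after the
# incoming record (session data, credentials). Not real data.
SECRET_NEIGHBOUR = b"user=alice;password=hunter2;sessionid=deadbeef"
RECORD = build_heartbeat(b"ping", claimed_len=60)   # 4 real bytes, claims 60
MEMORY = RECORD + SECRET_NEIGHBOUR


def leaked_bytes() -> bytes:
    """Bytes the unchecked handler echoes back from outside the record."""
    response = respond_unchecked(MEMORY, len(RECORD))
    returned_payload = response[3:]               # strip the response header
    return returned_payload[len(RECORD) - 3:]     # part beyond the record's end


def honest_response() -> Optional[bytes]:
    """The checked handler still answers a well-formed heartbeat normally."""
    record = build_heartbeat(b"ping")
    return respond_checked(record, len(record))
```

Calling leaked_bytes() shows the neighbouring "credentials" coming back in the response, while respond_checked(MEMORY, len(RECORD)) returns None for the same record.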
We could go through and identify many of the popular websites and services that were affected by the Heartbleed exploit. However…
It might be easier to identify who hasn’t. Many of us have received emails from websites and services we use, asking us to reset our passwords. The important thing to remember here is that these services and websites were not negligent; many had top of the line security tools deployed, followed best practices and are yet still affected by the vulnerability simply due, ironically enough, to selecting a common tool to help secure their systems. The vulnerability itself is the product of simple human error and not malicious intent. When the vulnerability was announced and the patch was made available, many services acted quickly. However, for many it was not a simple task; in some cases even the slightest delay resulted in user and critical network data being compromised. Even now many sites and services still remain vulnerable.
Many times you have heard the phrase in security, “it’s not a matter of if you have been breached, but when”. I would like to add to that: it is also important to identify how long you have been exposed, or simply to be able to detect if you have been breached in the first place. The enterprise threat gap is a model that helps us illustrate the amount of time that passes through three critical phases. The detection gap indicates the amount of time it takes to discover an actual compromise and identify its scope. The remediation gap indicates the time between that detection and the amount of time it takes to limit the damage. Then we have the preventive gap, which is the measure of time it takes to avoid repeated or similar attacks. This process allows you to answer three key questions for the business: Have we been breached? How bad is it? Can we avoid this happening again?
When it comes to the detection gap, Tripwire Log Center provides decreased “Mean-Time-To-Resolution” of security incidents, shortening the time to detect and act on events. Today we released powerful correlation rules that map to known Heartbleed intrusion detection signatures, to alert on exploit attempts in real time, as well as provide in-depth security analytics and reporting on historical patterns and anomalies related to these exploit attempts.
I would like to illustrate how these rules work in more detail. For example, if an exploit attempt is made against a network…
The intrusion detection system can now identify the attack signature and pass this information to Tripwire Log Center.
Tripwire Log Center can then initiate various actions, from sending alerts and opening a help desk ticket to initiating scripts which may kick off remediation processes. In addition, reports can be quickly generated for sharing across the organization for more in-depth analysis of exploit patterns.
To take this a step further: given the widespread availability and use of Heartbleed exploits for active exploitation as well as for simply testing if systems are vulnerable, the number of intrusion detection alerts can become quite noisy, making it difficult for organizations to identify real threats. By leveraging the tight integration that Tripwire Log Center has with Tripwire’s Vulnerability Management solution IP360, we are able to correlate these exploit attempts with vulnerability information on that host. If an active exploit hits the host we can see if that host is running a vulnerable version of OpenSSL; if it has already been patched or is not vulnerable, the exploit attempt may be reported on, but may not trigger an alert. However, if the exploit hits the system and it is vulnerable, we would want to trigger an alert or initiate other actions. To better understand how Tripwire IP360 identifies vulnerabilities related to Heartbleed and OpenSSL I am going to hand the presentation over to Ed Smith. Thank you.
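The alert-versus-report decision just described, as an added example in Python (not Tripwire Log Center or IP360 code): the IDS alert lines, signature names, hosts and version inventory are all constructed, and the vulnerable-version rule (OpenSSL 1.0.1 through 1.0.1f, plus the 1.0.2 betas) is the published one.

```python
"""Triage of IDS Heartbleed alerts against host vulnerability state.
Added example, not Tripwire Log Center or IP360 code. The alert lines,
signature names, hosts and inventory are constructed; the vulnerable-version
rule (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta) is the published one."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed IDS alert lines in a syslog-like layout (not a real ruleset).
ALERTS = """\
2014-04-10T09:12:01Z ids01 ALERT sig="HEARTBLEED oversized heartbeat request" src=198.51.100.7 dst=10.0.1.10 dport=443
2014-04-10T09:12:03Z ids01 ALERT sig="HEARTBLEED oversized heartbeat request" src=198.51.100.7 dst=10.0.1.11 dport=443
2014-04-10T09:12:05Z ids01 ALERT sig="HEARTBLEED oversized heartbeat request" src=198.51.100.7 dst=10.0.2.20 dport=993
2014-04-10T09:12:09Z ids01 ALERT sig="HEARTBLEED oversized heartbeat request" src=198.51.100.7 dst=10.0.3.5 dport=443
2014-04-10T09:13:00Z ids01 ALERT sig="portscan sweep" src=198.51.100.7 dst=10.0.1.10 dport=22
"""

# Constructed vulnerability inventory: OpenSSL version from the last scan.
INVENTORY: Dict[str, str] = {
    "10.0.1.10": "1.0.1e",   # unpatched web server
    "10.0.1.11": "1.0.1g",   # patched
    "10.0.2.20": "1.0.1f",   # unpatched mail server
    # 10.0.3.5 has never been scanned
}

ALERT_RE = re.compile(
    r'sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)')
# 1.0.1 with no letter, 1.0.1a..1.0.1f, and the 1.0.2 betas carry the bug.
VULNERABLE_RE = re.compile(r"^(1\.0\.1[a-f]?|1\.0\.2-beta\d*)$")


@dataclass
class Triage:
    dst: str
    version: Optional[str]
    action: str   # "alert" (vulnerable), "report" (not vulnerable), "scan" (unknown)


def is_vulnerable(version: str) -> bool:
    return VULNERABLE_RE.match(version) is not None


def triage(alert_lines: str, inventory: Dict[str, str]) -> List[Triage]:
    """Keep only heartbeat-signature alerts and decide per target host."""
    out: List[Triage] = []
    for line in alert_lines.splitlines():
        m = ALERT_RE.search(line)
        if not m or "heartbeat" not in m["sig"].lower():
            continue                      # some other signature; not our concern
        version = inventory.get(m["dst"])
        if version is None:
            action = "scan"               # no data: cannot suppress, queue a scan
        elif is_vulnerable(version):
            action = "alert"              # real exposure: page the on-call
        else:
            action = "report"             # patched: keep for trend reporting only
        out.append(Triage(m["dst"], version, action))
    return out
```

A host with no inventory record is deliberately not suppressed; the absence of scan data is itself a finding.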
Thanks Ken. Tripwire IP360 automates vulnerability management and reporting using your business context and leveraging your existing security controls, so you can know what’s on your network and protect your organization from threats like the Heartbleed bug. And speaking of the Heartbleed “bug”...
First, let’s take a look at the so called Heartbleed bug. It’s not actually “A” bug…
Heartbleed is actually a species of bugs in the popular OpenSSL cryptographic library that is used in a variety of applications, from web servers to email servers, applications, VPN clients, or potentially anywhere secure communications are required. This is not just one vulnerability on a few servers; Heartbleed is a variety of vulnerabilities that potentially live wherever SSL is used.
This means that Heartbleed is a vulnerability that affects more than just the web servers on your network perimeter.
Heartbleed exists wherever there are vulnerable versions of OpenSSL, which may include servers on your internal networks that hackers could leverage for an attack, moving laterally through the network.
If you haven’t done so already, the Council on Cybersecurity recommends taking inventory of all authorized and unauthorized software. Once you have this list, you can identify what applications are installed on what devices, which will help you track down the vulnerability quickly. Ideally you will have fast access to this information in a searchable database to quickly find affected servers.
There’s a lot of focus right now on Heartbleed’s impact on web servers running on perimeter networks. Heartbleed may also live in your datacenter and internal networks. Just because your public website isn’t vulnerable, that doesn’t mean there isn’t a vulnerable version of OpenSSL inside your network.
For customers, Tripwire PureCloud, an add-on to Tripwire IP360 vulnerability management, can scan perimeter networks. You can also use free online tools like https://filippo.io/Heartbleed/ to test your perimeter servers (or just do a web search for “Heartbleed test”). There are a variety of free and paid tools out there that do this. However, this is just the first step in reducing the protection gap. You also need to find Heartbleed where it’s hiding on the internal corporate network.
In responding to a threat like Heartbleed, it’s important to scan internal networks, and not just the network perimeter, for vulnerable assets hackers could leverage in an attack. As mentioned, this bug can live wherever SSL is used, which means that it’s not sufficient to just scan your public facing network; you need to scan inside the walls of your business. And maybe your partners too, especially if they’re connecting to your internal network.
Vulnerabilities like Heartbleed that affect network services can be detected by remote checks. A remote check is a basic scan that checks software that is running and available on the local network. However, Heartbleed can affect software that is not running when the scan is run, or it can affect software that isn’t exposed to the network and could still be leveraged by a hacker during an attack.
This is why local checks are necessary for a deeper scan into the system, to find Heartbleed even if the vulnerable application isn’t running, or if the vulnerable application is not exposed to the public network. Local checks use administrative credentials to scan deep into the system and look for instances of Heartbleed that are not visible from the network.
Some of the test sites and vulnerability scanners out there are great at scanning one machine at a time…
Automated Scanning Offers Continuous Prevention
Of course, in larger networks, you’re going to want to automate this process instead of manually scanning each machine, one by one. In larger networks, you’re going to want to continually scan for vulnerabilities like Heartbleed so you can reduce the prevention gap by responding quickly to vulnerability disclosures like Heartbleed. Automation can also help close the prevention gap by automatically prioritizing results based on business context to help you focus on reducing risk for your most critical assets.
I know we have a lot of Tripwire IP360 customers joining us today. Last Wednesday we released Heartbleed coverage, barely a day after the news broke. Simply update to the latest ASPL release and run your scans as usual. If you’re not already a Tripwire IP360 or Tripwire Vulnerability Management customer, we have a free tool for you to use to find Heartbleed on your internal networks. Tripwire SecureScan includes Heartbleed detection to prioritize and respond to OpenSSL risks in your environment, including the same checks that Tripwire IP360 offers. Let me quickly walk you through how to use SecureScan to find Heartbleed on your internal networks…
After signing up for an account, set up your scan.
While Tripwire IP360 is an on-premise solution, Tripwire SecureScan is cloud-based. Tripwire SecureScan requires no hardware and no software, just a Secure Connector we set up through your browser.
After setting up the Secure Connector through your browser, you can enable the broadest checks for Heartbleed and other vulnerabilities using remote checks. To enable remote checks, enter your administrative credentials into Tripwire SecureScan to allow the scans to cover not only services exposed to the network, but also vulnerable software that may or may not be running at the time of the scan.
Tripwire SecureScan allows you to scan up to 100 IPs, four times a month. You can run a scan right away, or schedule recurring scans so that when the next Heartbleed-like vulnerability is disclosed you’re already ahead of the game on closing the prevention gap.
Your scheduled scans will run at the time you’ve requested, or you can click the Run button to trigger a
The scan will run. Keep the computer that is running the scan turned on, but there’s no need to keep your browser open and you can use your computer as normal.
You can view your results in the dashboard, or download results as a PDF report.
After the scan completes and you download your report, you will receive a prioritized list of vulnerabilities on your network. Not just Heartbleed, but other vulnerabilities as well. Now, if you’re just interested in Heartbleed results, Tripwire SecureScan will notify you of them, and this table shows Heartbleed results you may find in your report. Your report will also include additional information and recommendations on patching and remediating Heartbleed.
Again, just as I mentioned at the beginning of the presentation, Heartbleed is a species of bugs—and everything on this page is a breed of Heartbleed bug.
If you find Heartbleed, obviously you’ll want to update OpenSSL, or contact your vendor for a fix if dealing with an embedded version of OpenSSL. Also remember that if Heartbleed is found, the certificates could be changed as a precaution. If you think someone might have stolen your house keys, you’ll want to change your locks.
To recap: Take inventory of devices and applications affected by the threat. Ideally you’ll already have an inventory that you can search. Just because you ran a free tool on the internet to check your website, don’t forget about the other machines in your perimeter and internal networks that use SSL. And make sure that you’re scanning for vulnerabilities both in services exposed to the network, as well as in software and operating systems.
Tripwire IP360 automates vulnerability management and reporting using your business context and leveraging your existing security controls. If you want to know more, visit our website and request a demo.
However, this is just the first step in closing the gap. After following these steps, you are not necessarily safe.
What’s changed
Tripwire Enterprise tells you what changed.
Thanks Ed – so during remediation you need to be able to answer not only the question of how bad is it, but based on that scope, what must be done to correct or in some cases only limit the damage. In the case of Heartbleed, the worst-case scenario is what some individuals as well as businesses will want to plan for. Because of the way Heartbleed uses
Let’s say you’ve been able to get ahead in this arms race. You’ve scanned, you’ve applied patches, you checked with your partners, and you know at this point what’s vulnerable, what’s not. Actually there may be more for you to think about – you still may have a threat gap. Think of it this way, if you just detected that you may have been compromised by Heartbleed or even the next vulnerability to surface, you now remediation should involve tracking changes….. Because, if you happen to have been compromised, The risk is this – do you know for sure that you haven’t already been compromised? This is where the integrity of your systems, databases, Summarization – full stopwatch – so we discussed each of these, and boom all of these products
So in conclusion, not every vulnerability or hacker exploit takes