The Heartbleed Bug One Year Later: Still Wreaking Havoc?

A year after the Heartbleed Bug, which revealed vulnerabilities in a popular open-source encryption protocol, the threat is still lingering, researchers and solution providers said.

"It's still very real," said Dave Frymier, vice president and chief information security officer at Blue Bell, Pa.-based Unisys. "Vulnerable versions of the affected software are bundled into a variety of products in sometimes obscure ways. Many organizations still don't realize they have potential problems."

According to researchers at Gartner, for companies to be fully protected from the Heartbleed Bug they need to both patch the vulnerability and replace SSL keys and certificates.

[Related: Heartbleed: OpenSSL Vulnerability News And Analysis]

While more than 99 percent of organizations have applied the necessary patches, according to Venafi Labs Vice President, Security Strategy and Threat Intelligence Kevin Bocek, a study released Tuesday by the company found that the majority of Fortune 2000 companies haven't changed SSL keys and certificates, meaning they are still vulnerable to the Heartbleed Bug.

Venafi Labs' scans of approximately 92,000 Fortune 2000 environments found that 74 percent have not taken the full remediation steps for external servers, including changing SSL keys and certificates. Only 15 percent had fully remediated the Heartbleed vulnerability in 2015, the study found.

"The thing about Heartbleed ... we've got to fix this. We're only going to have more complex vulnerabilities. As we look and work with our customers and keep them protected, it's not simple checkboxes anymore. Those days are really over," Bocek said.

"I think that [Heartbleed] is becoming an opportunity, in particular, in the channel like it hasn't been before. This is really coming front and center. This is an opportunity in cybersecurity that's not going to go away because we're going to have to use more and more encryption," Venafi Labs' Bocek said.

Wade Dickens, systems analyst II at Fort Lauderdale, Fla.-based solution provider JDL Technologies, said in an email that the company has worked with leading security firms to help monitor threats for customers. He said JDL Technologies is vigilant about implementing the latest security updates for its customers, but it can be a challenge to get them on the same page.

"Although it's last year's news, Heartbleed is still a very real threat, mainly because it's so hard to get companies to patch their OpenSSL. And, patching isn't enough if you have mission-critical data. In that case, you need to regenerate your private keys. Maintaining encryption key integrity is vital," Dickens said.

On the other hand, Arthur Hedge, president at Morristown, N.J.-based Castle Ventures, said while there may still be applications using old versions of SSL he hasn’t seen many customers being impacted by Heartbleed. "It's a really difficult thing to compromise. There's a lot of other things I would worry about before I worry about Heartbleed," Hedge said, citing CryptoLocker, email phishing and malware attacks.

Unisys' Frymier said the company has handled the issues internally but is still working with customers to tackle all of the nuances involved. The challenge with taking Heartbleed security a step beyond patches to updating keys and certificates, for many organizations, Frymier said, is that it requires a high level of expertise from the company's internal IT department or chosen solution provider.

"Most organizations have patched the problems they have identified, but the rest remain. Hopefully, companies realize they need to change the certificates; much depends on the sophistication of the staff providing security or IT services to these organizations to realize this," Frymier said.

PUBLISHED APRIL 8, 2015