Why has the Heartbleed threat window been left wide open?

Six months have passed since news of Heartbleed first emerged, but enterprises don't seem to appreciate the threat it poses still persists

The Heartbleed bug is yesterday's news and no longer something we need to worry about, right? Wrong.

The problem is too many people think this way, which has led to the situation where many enterprises still have machines that are unprotected from the flaw.

Security outfit Venafi probed the Forbes Global 2000 list of companies 10 days ago and discovered more than half - across banking, health and retail sectors - still had devices that were vulnerable. In fact, 1,219 out of the 2,000 companies, and 448,000 potentially vulnerable servers, were detected.

Last week IBM said it sees some 7,000 attempts to exploit Heartbleed every day on the systems it monitors.

We, the media, stand accused here. We live in an online world where the attention span of the collective masses is so minuscule that most of the people who started reading this story have not got this far.

News is only news in the moment that it breaks for most media outlets. A few tech publications, such as IT Pro, can see beyond the moment and offer more in-depth analysis and insight into important IT-related issues. However, even we have gone pretty cold on Heartbleed.

Yet the threat persists, the threat window remains wide open and the stink that's blowing in really isn't very palatable, if you ask me.

The biggest threat to information security is complacency; history has shown us that over and over again. The Heartbleed vulnerability itself is evidence of this: a programming error in OpenSSL created by a coder who thought he was fixing something, compounded by complacency in the peer review process, which enabled it to go live.

Now enterprises are being complacent, and compounding the original error again by assuming the threat window has been closed because the media has stopped talking about an old exploit.

It's time to start the security conversation again, and time to walk the walk once the talking is done. By this I mean you need to check that encryption keys and certificates have been changed. It's not enough to just apply a patch and think the job's a good 'un.
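One way to make that check concrete, as an added example that is not part of the original article: a small remediation audit over a constructed host inventory that flags three separate gaps, an OpenSSL build still on a Heartbleed-affected release, a certificate that predates the disclosure, and a reissued certificate that still carries the old private key. The version strings and fingerprints below are assumed sample data, not real hosts.

```python
from dataclasses import dataclass
from datetime import date
import re

# CVE-2014-0160 was publicly disclosed on 7 April 2014; anything issued before
# that date lived on a server that may already have leaked its private key.
HEARTBLEED_DISCLOSED = date(2014, 4, 7)


def openssl_is_vulnerable(version: str) -> bool:
    """True for upstream release strings affected by Heartbleed: 1.0.1 through
    1.0.1f and 1.0.2-beta1.  Caveat: distributions backport fixes without
    bumping the version (a patched '1.0.1e' build exists), so treat a match as
    'needs confirmation', not as proof of exposure."""
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    if m:
        return m.group(1) <= "f"  # plain 1.0.1 and 1.0.1a..1.0.1f are affected
    return version == "1.0.2-beta1"


@dataclass
class Host:
    name: str
    openssl_version: str
    cert_not_before: date
    spki_sha256: str          # fingerprint of the current certificate's public key
    pre_disclosure_spki: str  # fingerprint recorded in the inventory before April 2014


def audit(host: Host) -> list[str]:
    """Return the remediation gaps still open on one host (empty list = clean)."""
    findings = []
    if openssl_is_vulnerable(host.openssl_version):
        findings.append("unpatched OpenSSL")
    if host.cert_not_before < HEARTBLEED_DISCLOSED:
        findings.append("certificate predates disclosure")
    if host.spki_sha256 == host.pre_disclosure_spki:
        # A reissued certificate on the same key pair changes nothing: the key
        # itself is what may have been read out of server memory.
        findings.append("private key not rotated")
    return findings


def remediation_gaps(hosts: list[Host]) -> dict[str, list[str]]:
    return {h.name: audit(h) for h in hosts}


# Constructed sample inventory (hypothetical hosts and fingerprints).
SAMPLE_HOSTS = [
    Host("web-1", "1.0.1e", date(2013, 11, 2), "aa11", "aa11"),   # never touched
    Host("web-2", "1.0.1g", date(2014, 4, 10), "aa22", "aa22"),   # patched, cert reissued, same key
    Host("web-3", "1.0.1g", date(2014, 4, 12), "bb33", "aa33"),   # fully remediated
    Host("api-1", "1.0.2-beta1", date(2014, 5, 1), "cc44", "dd44"),  # new key, old library
]

if __name__ == "__main__":
    for name, gaps in remediation_gaps(SAMPLE_HOSTS).items():
        print(f"{name}: {', '.join(gaps) or 'ok'}")
```

The web-2 case is the one the paragraph above is warning about: the patch is applied and the certificate looks fresh, but the key pair that was exposed is still in service.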

In a world where the stats suggest 75 per cent of targeted networks are compromised on average within minutes, yet it takes 17 per cent of companies 'many months' to remediate known threats (and more than a year for four per cent), something has to change.

That something is the rate of remediation decay. After an initial post-disclosure spike it tends to (long) tail off very quickly.

I've already berated my own industry for playing a part in this; now it's time to step up and take some responsibility yourselves.
