1 Month After Heartbleed: Assessing the Damage and Lessons Learned

Posted by skyhighnetworks on May 20th, 2014

It has been one month since the Heartbleed vulnerability in OpenSSL became widely known, and we wanted to take a final look back at the bug and distill a few cloud security lessons we can all take forward. Out of the 3,571 cloud services in use at enterprises, 1,173 were affected by the vulnerability. While most cloud providers patched their services within 48 hours, Heartbleed struck at the core of web security. Through a simple exploit, it allowed an unsophisticated attacker to read passwords and encryption keys from server memory with minimal effort. Because a server's private key could be among the leaked data, an attacker who captured and stored encrypted traffic during the last 2 years could potentially now decrypt those files.
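The defect behind the "simple exploit" above was a missing length check: a vulnerable OpenSSL trusted the payload length claimed in a TLS heartbeat message and copied that many bytes from memory into the response. The following is an added example, not code from the Skyhigh post or from OpenSSL: a small validator that parses a TLS record, applies the same bounds check the OpenSSL fix introduced, and flags heartbeat records whose claimed payload length cannot fit in the record. It assumes the RFC 6520 heartbeat layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding); the record builder and the sample records are constructed here for testing the check, not captured traffic.

```python
# Added example, not code from the Skyhigh post or from OpenSSL: a defensive
# validator for TLS heartbeat records (RFC 6520 layout) that applies the
# length-consistency check the OpenSSL fix introduced.
import struct

TLS_HEARTBEAT = 24      # TLS record content type for heartbeat messages
MIN_PADDING = 16        # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data: bytes):
    """Split one raw TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record length field exceeds available bytes")
    return content_type, version, body


def check_heartbeat(body: bytes) -> dict:
    """Return a verdict for a heartbeat record body.

    'malformed' is True when 1 (type) + 2 (length) + payload_length + 16
    (minimum padding) exceeds the record length. A vulnerable OpenSSL
    copied payload_length bytes without this check, which is how process
    memory leaked into the response.
    """
    if len(body) < 3:
        return {"malformed": True, "reason": "body shorter than type + length"}
    hb_type = body[0]
    claimed = struct.unpack("!H", body[1:3])[0]
    available = len(body) - 3 - MIN_PADDING
    verdict = {"type": hb_type, "claimed": claimed, "available": max(available, 0)}
    if 1 + 2 + claimed + MIN_PADDING > len(body):
        verdict["malformed"] = True
        verdict["reason"] = "payload_length exceeds record length"
    else:
        verdict["malformed"] = False
    return verdict


def scan_records(records):
    """Run the check over raw TLS records; return verdicts for malformed heartbeats."""
    flagged = []
    for raw in records:
        content_type, _version, body = parse_tls_record(raw)
        if content_type != TLS_HEARTBEAT:
            continue   # only heartbeat records are subject to this check
        verdict = check_heartbeat(body)
        if verdict["malformed"]:
            flagged.append(verdict)
    return flagged


def build_record(content_type: int, body: bytes, version: int = 0x0302) -> bytes:
    """Wrap a body in a TLS record header (used only to construct sample input)."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


# Constructed sample records for exercising the check (not captured traffic):
WELL_FORMED = build_record(
    TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * MIN_PADDING)
# Same four payload bytes, but the length field claims far more than is present.
MALFORMED = build_record(
    TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 0x4000) + b"ping" + b"\x00" * MIN_PADDING)
APPDATA = build_record(23, b"not a heartbeat")

if __name__ == "__main__":
    for v in scan_records([WELL_FORMED, MALFORMED, APPDATA]):
        print("flagged heartbeat type=%d claimed=%d available=%d" % (
            v["type"], v["claimed"], v["available"]))
```

The check is deliberately the arithmetic from the fix rather than a heuristic: a record either has room for the claimed payload plus minimum padding or it does not, so the same function can sit in a packet-inspection pipeline or in a unit test for a TLS implementation.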

Across 250 companies, Skyhigh found that 100% of them used at least one service vulnerable to Heartbleed. Skyhigh customers were immediately notified of which services they used that were impacted, including which users had uploaded data to those services. We’ve anonymized data across our customers in order to report on the scope of Heartbleed and the amount of sensitive data that was exposed:

1. The average company used 279 services vulnerable to Heartbleed, and these services spanned all major SaaS Security categories
2. Companies uploaded, on average, 579.9 GB of data to these services
3. One company had uploaded over 33.9 TB of data to affected services

Heartbleed was patched relatively quickly, with most cloud providers fixing their services within 48 hours. Despite the rapid response, companies have to assume that all the data uploaded to these services could still be compromised. The volume of that data is staggering. A finance executive we spoke with in the aftermath of Heartbleed said he received emails from 13 cloud services that week notifying him they had been affected. The problem isn't limited to finance. The companies impacted by the use of Heartbleed-vulnerable cloud services span industries including manufacturing, media and entertainment, insurance, energy, and healthcare. Given the sheer volume of data involved, it can be difficult to assess what the actual impact was.

In response, companies storing data in affected services have taken steps to remediate the damage. Skyhigh customers can view Heartbleed-vulnerable services in the Global Registry by going to the Discover menu and following these steps:


1. Click “Global Registry” in the Discover menu
2. Open “Service Risk” by clicking the up arrow to the left of that section
3. Scroll down to the Security category and view “Susceptible to Heartbleed”


One positive result of Heartbleed is the renewed focus on underfunded but critical open source Internet infrastructure. The Linux Foundation recently raised $3.9 million from cloud heavyweights including Amazon Web Services, Cisco, Dell, Facebook, Google, IBM, Microsoft, Rackspace, and VMware to fund open source projects including OpenSSL. That will help expand the team (currently only one full-time developer) so that this critical piece of infrastructure can be maintained and secured.


One thing experts can agree on is that there are more vulnerabilities as serious as Heartbleed in the wild, yet to be discovered and publicized. Due to their nature, companies can only react once they become aware of their exposure. Skyhigh is offering a free Heartbleed Audit, detailing all services in use that were or are still vulnerable to Heartbleed. Email us at heartbleedaudit@skyhighnetworks.com for more information. Since 100% of companies were impacted in some way, Skyhigh has also developed a guide with steps IT Security teams can take to remediate the damage from Heartbleed.


Author:
Skyhigh Networks, the Cloud Security Services company, enables companies to embrace Cloud Security Services with appropriate levels of security, compliance, and governance while lowering overall risk and cost. With customers in financial services, healthcare, high technology, media, manufacturing, and legal verticals, the company was a finalist for the RSA Conference 2013 Most Innovative Company award and was recently named a "Cool Vendor" by Gartner, Inc. Headquartered in Cupertino, Calif., Skyhigh Networks is led by an experienced team and is venture-backed by Greylock Partners and Sequoia Capital. For more information, visit us at http://www.skyhighnetworks.com/saas-security/ or follow us on Twitter @skyhighnetworks.
