Net-Ctrl are aware of, and are monitoring, the Heartbleed SSL vulnerability that has been publicised heavily over the past few days. For Net-Ctrl we have to look at the incident on several levels:
- Are any of our own services and systems compromised?
- Are any of the products and solutions we offer vulnerable?
- If they are, how are they protected against it?
- How can we check whether our customers are vulnerable?
- How does it affect each one of us individually?
As a starting point, Net-Ctrl contacted all of our technology partners to see if any of their systems may be vulnerable to the Heartbleed situation. This allowed us to check through our customer database to see who may have been affected by the vulnerability and act on it.
One of our vendors, Palo Alto Networks, has not only issued a statement on how Heartbleed affects their firewalls, but has also released vulnerability patches to help protect their customers’ networks against the problem. More details on obtaining these are available on their website.
Many customers have contacted us about their systems, wanting reassurance and direction on whether they need to do anything; most of them were not vulnerable. In the few cases where a customer’s products were vulnerable, we have proactively provided a solution to make their network safe and secure once again.
Dealing with the Heartbleed Vulnerability
Dealing with the Heartbleed vulnerability through patches and updates is the first step in securing your systems. The second step is to replace your existing encryption keys. This is crucial: the vulnerability may already have been exploited on your system, and the keys used for your SSL connections may already have been obtained. Until those keys are replaced, the data exchanged on your network is just as exposed after patching as it was before.
Soon after the vulnerability was announced, at least one of our SSL certificate providers made a statement about it and offered to re-issue SSL certificates at no charge, which allows people to replace their compromised keys with fresh ones.
Change your password, but do it the right way
Currently there are a lot of ‘change your password’ messages going around in the media. From an end-user point of view, this is only worth doing if the vulnerable platform you use has now been patched and has also had its keys replaced. Otherwise you are just changing a password on a system that is still compromised.
Even for systems that were not vulnerable there is an issue: although people should not use the same password to access multiple systems, those who do need to think about every secure site they access with the same credentials, because the details could have been collected from a different, vulnerable system. So before changing their passwords, users need to check that all of their systems are no longer vulnerable, which in our view is going to take some time.
You can visit https://www.ssllabs.com/ssltest/ to check whether a particular server is vulnerable. It is worth running all your sites through this tool; please be aware that it is currently experiencing a lot of traffic.
Here is our Heartbleed action plan:
- Check whether any of your solutions are vulnerable: contact your reseller, visit the technology partner websites, and use the SSL Labs site to check servers.
- Apply upgrades and patches where required.
- Contact your SSL certificate provider about getting new encryption keys; many providers are offering this ‘free of charge’ in light of events.
- Replace your encryption keys.
- Once you’re happy that all of your systems are protected, change all your passwords.
- Sit back and relax knowing that your network is now safe and secure once again.
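As an added illustration of the order of the steps above (patch first, then keys, then passwords), and not code from the original post: a small Python check that classifies an `openssl version` string against the Heartbleed-affected release range and works out whether a certificate’s key was in use while the host was vulnerable and therefore still needs to be replaced after patching. The version ranges come from the OpenSSL advisory; the version strings, dates, step names and function names are constructed for the example.

```python
import re
from datetime import datetime

# Constructed values for this example; not taken from any real host.
EXAMPLE_VERSION_BEFORE = "OpenSSL 1.0.1e 11 Feb 2013"
EXAMPLE_VERSION_AFTER = "OpenSSL 1.0.1g 7 Apr 2014"
EXAMPLE_CERT_NOT_BEFORE = datetime(2013, 9, 1)  # hypothetical certificate issue date
EXAMPLE_PATCH_TIME = datetime(2014, 4, 9)       # hypothetical time the host was patched

STEP_PATCH = "apply the OpenSSL update (1.0.1g or later)"
STEP_REKEY = "generate a new private key and have the certificate re-issued"
STEP_PASSWORDS = "change passwords once the patched host is using the new key"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def openssl_vulnerable(version_string):
    """True if the release named in an `openssl version` string is in the
    Heartbleed-affected range: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
    1.0.1g and later, 1.0.2-beta2 and later, and the 1.0.0 / 0.9.8 branches
    are not affected. Caveat: a build compiled with -DOPENSSL_NO_HEARTBEATS is
    safe at any version, and distribution backports can fix the bug without
    changing the letter, so treat True as 'verify further', not as proof."""
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError("no OpenSSL version in %r" % version_string)
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        return letter < "g"   # '' (plain 1.0.1) and a..f sort before 'g'
    if release == (1, 0, 2):
        return beta == "1"    # only 1.0.2-beta1 shipped the bug
    return False


def heartbleed_actions(current_version, cert_not_before, patch_time=None,
                       version_before_patch=None):
    """Order the remaining steps as the post describes: patch, then keys, then
    passwords. A key that was on a vulnerable host before it was patched may
    already have leaked, so it must be replaced even though the host is fixed."""
    if openssl_vulnerable(current_version):
        return [STEP_PATCH, STEP_REKEY, STEP_PASSWORDS]
    ran_vulnerable = version_before_patch is not None and openssl_vulnerable(version_before_patch)
    key_predates_patch = patch_time is not None and cert_not_before < patch_time
    if ran_vulnerable and key_predates_patch:
        return [STEP_REKEY, STEP_PASSWORDS]
    return []  # never vulnerable, or already using a key generated after the patch
```

Run `heartbleed_actions(EXAMPLE_VERSION_AFTER, EXAMPLE_CERT_NOT_BEFORE, EXAMPLE_PATCH_TIME, EXAMPLE_VERSION_BEFORE)` to see the post-patch case: the host is fixed, but the key predates the patch and still has to go.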
If you have any concerns or questions over the Heartbleed vulnerability please email me at email@example.com and I will get back to you as soon as I can.