We are just living through the worst online security catastrophe in a long time, and we will feel the impact of this problem for months to come. The OpenSSL library, which is used by many websites, has a fault. This library is not only used on websites; it is also used by many vendors who provide security products to secure communications. In short, there is a good chance your network security vendor is also using this library in the products you trust to secure your network. For example, with email, TLS, which is used to tunnel email between two gateways, may be vulnerable. Although the attacker may have to be a bit more sophisticated than for a standard web attack, a door is open.
As a CISO, you should pull your security inventory and look for anything that supports TLS/SSL to make sure it is not vulnerable, or is patched quickly, especially if it is connected to the internet. Be careful: don't assume that because it is an appliance there is no risk.
This is not the first time we have seen a security gap in a product, but when it affects the core technology users trust to protect their information, the impact is larger. This door has been open for two years, which means there has been plenty of time for people who knew about it to take advantage of it. I am thinking of people with real means... It has also been public for two days, which makes me think of people with really bad intentions and little means. Some organizations have taken the right approach, which is to shut down their public systems until they can patch them. This is probably required for systems that contain private information (in healthcare, government, and retail, for instance), while others have left them open, hoping no one takes advantage of the hole in the meantime: a very risky strategy.
If you do discover that your system is vulnerable, you will need to patch it. Then there is a chance that important security information from your system has been compromised. The vulnerability allows an attacker to read memory from your system; with a little luck, they could read anything. This starts with user passwords that happened to pass through memory while you had the vulnerability. It also includes your private keys and certificates. So once your system is patched, you will need to notify your users to change their passwords. You will also need to change your certificates. I know how painful it is to deal with a certificate authority. But the scariest part is that if someone stole your certs, they are still valid, and the thief will be able to pose as you until they expire. There is some thinking to be done from an application architecture perspective to reassure yourself and your users that there is no man-in-the-middle attack.
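The inventory triage the two paragraphs above call for, as an added example that is not part of the original post and is not Netmail's code: it parses OpenSSL version strings (bare or as printed by `openssl version`), flags assets still on a vulnerable build with internet-facing ones first, treats an appliance whose version is unknown as unresolved rather than safe, and, for hosts already patched, checks whether the certificate predates the patch and so needs to be reissued and the old one revoked. The asset fields, sample hosts, dates and the version boundaries are constructed assumptions; the post names no versions, so the vulnerable range is a parameter to fill from your vendor's advisory.

```python
"""Triage a TLS/SSL asset inventory after an OpenSSL memory-disclosure bug.

Added example; not code from the original post or from Netmail. It assumes
the inventory has already been pulled into the dict shape used below. The
post names no OpenSSL versions, so the vulnerable range is passed in as
arguments: take the real boundaries from your vendor's advisory."""
import re
import ssl
from datetime import date

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text):
    """Turn '1.0.1c', or the full output of `openssl version`, into a sortable tuple.

    OpenSSL 1.x marks patch releases with a trailing letter, and a lettered
    release is newer than the bare one, so the letter becomes a fourth field."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letter = match.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def is_vulnerable(version, first_vulnerable, first_fixed):
    """True when the running version lies in [first_vulnerable, first_fixed)."""
    running = parse_openssl_version(version)
    return parse_openssl_version(first_vulnerable) <= running < parse_openssl_version(first_fixed)


def local_openssl_version():
    """The OpenSSL build the Python interpreter running this script links against."""
    return ssl.OPENSSL_VERSION


def triage(inventory, first_vulnerable, first_fixed):
    """Map each asset name to the action the post argues for.

    Asset fields: name; openssl (version string the asset runs now, or None if
    the vendor has not said); internet_facing; patched_on (date the fix was
    applied, None if still on the old build); cert_issued (date or None)."""
    actions = {}
    for asset in inventory:
        name = asset["name"]
        version = asset.get("openssl")
        if version is None:
            # An appliance is not safe just because it is an appliance.
            actions[name] = "UNKNOWN: confirm the OpenSSL version with the vendor"
        elif is_vulnerable(version, first_vulnerable, first_fixed):
            if asset.get("internet_facing"):
                actions[name] = "P1: patch now or take it offline until patched"
            else:
                actions[name] = "P2: patch (internal exposure only)"
        elif asset.get("patched_on") is None:
            actions[name] = "OK: build was never in the vulnerable range"
        else:
            # Patched after running a vulnerable build: keys and passwords that
            # crossed memory before patched_on may be gone. A cert issued before
            # that date still validates, so it must be replaced and revoked.
            issued = asset.get("cert_issued")
            if issued is None or issued <= asset["patched_on"]:
                actions[name] = "REISSUE: revoke old cert, deploy new key pair, force password reset"
            else:
                actions[name] = "OK: patched and cert reissued; confirm password reset was sent"
    return actions


# Constructed sample inventory; hosts, versions and dates are made up.
SAMPLE_INVENTORY = [
    {"name": "mail-gw-1", "openssl": "OpenSSL 1.0.1c 1 Jan 2013",
     "internet_facing": True, "patched_on": None, "cert_issued": date(2013, 3, 1)},
    {"name": "intranet-wiki", "openssl": "1.0.1e",
     "internet_facing": False, "patched_on": None, "cert_issued": date(2013, 5, 1)},
    {"name": "web-portal", "openssl": "1.0.1x",
     "internet_facing": True, "patched_on": date(2014, 4, 9), "cert_issued": date(2013, 6, 1)},
    {"name": "api-gw", "openssl": "1.0.1x",
     "internet_facing": True, "patched_on": date(2014, 4, 9), "cert_issued": date(2014, 4, 10)},
    {"name": "vpn-appliance", "openssl": None,
     "internet_facing": True, "patched_on": None, "cert_issued": date(2013, 1, 1)},
    {"name": "legacy-box", "openssl": "OpenSSL 0.9.8y 1 Jan 2013",
     "internet_facing": True, "patched_on": None, "cert_issued": date(2013, 1, 1)},
]

# Placeholder boundaries ("x" is a made-up patch letter); substitute the
# first vulnerable and first fixed releases named in the real advisory.
FIRST_VULNERABLE = "1.0.1"
FIRST_FIXED = "1.0.1x"

if __name__ == "__main__":
    print("this host links:", local_openssl_version())
    for name, action in sorted(triage(SAMPLE_INVENTORY, FIRST_VULNERABLE, FIRST_FIXED).items()):
        print(f"{name:15} {action}")
```

The ordering of actions matters: a host still on a vulnerable build gets "patch or take offline" before anything else, because rotating certificates on an unpatched host just hands the new key to the same bug. Only once the build is fixed does the certificate date decide whether the old key and every password that crossed memory must be treated as lost.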
Just to reassure you: Netmail is not using any version of the OpenSSL library that has the vulnerability. At least that is one thing you won't have to think about while we all struggle to fix the newly found security gaps that hit OpenSSL.