IT organizations in the healthcare industry are being asked to make increasingly complex and subtle decisions. IT everywhere is being asked to do more and be responsible for more. Enabling the business to meaningfully engage IT, and giving the business the right information to make decisions, is key to the perceived and actual success of an IT department. The road to engaging all parts of the business is difficult, but doing so has also been shown to be a hallmark of successful organizations.
A two-year-old vulnerability in OpenSSL, the default cryptographic library used in many software applications (including web servers, operating systems, email and instant-messaging clients), has been discovered. This vulnerability could allow external parties to mine server memory for data, including private encryption keys, passwords and other credentials.
If you are hosting a web server that uses a vulnerable version of OpenSSL (which ships with most variants of Linux), it is recommended that you:
* Patch the OpenSSL vulnerability
* Revoke and re-issue TLS certificates
* Change any credentials that could have been compromised
* Enable Perfect Forward Secrecy (PFS) if possible
As always, it is highly recommended that all software be kept up-to-date to the latest patch version, if possible.
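As an added example (not Redspin's code), the following helper supports the first and last steps above: it classifies an `openssl version` string against the affected range and checks whether a negotiated cipher suite gives forward secrecy. It relies on the public fix history (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 were vulnerable; 1.0.1g and 1.0.2-beta2 carry the fix; 0.9.8 and 1.0.0 never had the heartbeat extension) and assumes you are inventorying hosts from their reported version strings.

```python
"""Heartbleed remediation helpers: added example, not the advisory's own code.
Caveat: distributions backported the fix without changing the upstream version
(a patched build may still report 1.0.1e), so treat "vulnerable" here as
"verify against the package changelog", not as a final verdict."""
import re
import ssl

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def heartbleed_status(version_string):
    """Return 'vulnerable', 'patched', 'unaffected' or 'unknown'."""
    m = _VERSION_RE.search(version_string)
    if not m:
        return "unknown"                  # not OpenSSL (e.g. LibreSSL) or unparsable
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release < (1, 0, 1):
        return "unaffected"               # heartbeat extension did not exist yet
    if release == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g is the fix.
        return "vulnerable" if letter <= "f" else "patched"
    if release == (1, 0, 2) and beta:
        return "vulnerable" if beta == "beta1" else "patched"
    return "patched"                      # 1.0.2 final and every later branch


def offers_forward_secrecy(cipher_name):
    """True when the suite uses an ephemeral (EC)DHE exchange (or is TLS 1.3,
    which is always ephemeral), so a stolen server key cannot decrypt
    previously recorded sessions. Cipher names follow OpenSSL's naming."""
    return cipher_name.upper().startswith(
        ("ECDHE-", "DHE-", "EDH-", "TLS_AES_", "TLS_CHACHA20_"))


def local_openssl_status():
    """Classify the OpenSSL library the running interpreter is linked against."""
    return heartbleed_status(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "->", local_openssl_status())
```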
Redspin will continue to analyze this attack vector and, if possible, will identify specific methods to block it. You can test the exposure of your externally-facing web servers at: http://filippo.io/Heartbleed/ (NOTE: the site is quite busy and may produce false negatives due to server load.)
Further details on the vulnerability may be found at: heartbleed.com