In April, 2014, CVE-2014-0160 was released, better known as the Heartbleed bug. Heartbleed is devastating – it can reveal sensitive information not just of the user, but anything on the machine. In practice it has been used to export private keys for TLS/SSL certificates. These stolen private keys can then be used to impersonate a legitimate website for the purposes of stealing credentials, performing phishing attacks, and other malicious activity. It is hard to understate the potential damage that Heartbleed could create.
When Heartbleed was first released, Robert Graham scanned 28 million machines across the Internet, and found over 615,000 of them were vulnerable to Heartbleed. As soon as the vulnerability was disclosed, web hosting providers, commercial software vendors, and even IoT device providers rushed to create, publish, and deploy fixes. At the time, my team worked to patch our own systems, and help our customers identify and patch their own systems as well.
Now, in February 2017, it has been nearly three years after the disclosure and general availability of patches. And yet nearly 200,000 systems are still vulnerable.
The security professional in me is completely disheartened by this. Barring all else, the number one thing that can be done to protect systems and avoid breaches is to keep systems up to date. The 2014 Verizon DBIR revealed that 99.9% of vulnerabilities were exploited more than one year after the corresponding CVE was published.
Here we have perhaps the best example yet of a wide-ranging vulnerability, with serious consequences, that remains unpatched on an enormous number of systems.
Can you afford to be this slow?
Some would say yes, we can remain complacent. The rise of digital technology will add over one trillion USD to the global economy by 2020. As businesses move rapidly to create and deploy new technologies, and make more of their business digital, the older, outdated, and insecure items will be replaced with newer ones. The money made by businesses moving faster is greater and more tangible than the potential risks of security vulnerabilities that are only exploited by eastern european teenagers and nation-states.
Of course, if the new technologies we deploy are just as insecure, then what?
Can you afford to be that fast?
Not if you continue to ignore security.