Skip a heartbeat: OpenSSL Heartbleed Vulnerability & Prediction of Exploitation by Mehak Bashir - HTML preview


CHAPTER 6

CONCLUSION AND RECOMMENDATIONS

6.1 Conclusions

All Heartbleed-vulnerable systems should be upgraded immediately to OpenSSL 1.0.1g. If we are not sure whether an application we want to access is vulnerable to Heartbleed, we should try one of the Heartbleed detector tools. No action is required if the application we are using is not vulnerable. If the application is vulnerable, wait for it to be patched with OpenSSL 1.0.1g. Once the patch is applied, all users of such applications should follow the release documents provided by the service providers. Typically, the steps to follow once the patch is applied are:

  • changing our passwords
  • generating private keys again
  • revoking and replacing certificates

An important step is to restart the services that use OpenSSL (such as HTTPS, SMTP, etc.). Before accessing any SSL/TLS application such as an HTTPS site, check whether the application is vulnerable. Do not access or log in to any affected sites. Ensure that all vendors or enterprises related to your business have applied this security patch. Keep an eye on news of such security vulnerabilities.

The Heartbleed bug has shaken the Internet community's confidence in its dependency on open source software. Even though OpenSSL is a very popular library, it was not properly scrutinized. One reason might be a lack of resources and funds. Organizations and developers using open source software should contribute back to these open source communities through donations, code review, testing and design. Amazon, Facebook and Google have recently come forward to donate funds to improve open-source security [6].

Naive Bayes classification enables us to prioritize vulnerabilities for remediation. Vulnerabilities classified as highly exploitable by the proposed methodology can be exploited with minimal effort by attackers; such a vulnerability therefore needs immediate attention and should be remediated and fixed as early as possible, to prevent exploitation of any kind.

6.2 Recommendations

To obtain the fix in your application, simply upgrade to OpenSSL 1.0.1g.

If upgrading is not practical, we can rebuild our current version of OpenSSL from source without TLS Heartbeat support by adding the following compile switch:

-DOPENSSL_NO_HEARTBEATS

This switch ensures that the defective heartbeat code never gets executed.
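The following is an added example (not code from the thesis) that turns the detection step from 6.1 and the two remediation options from 6.2 into a check an administrator can run on a host. It parses the output of `openssl version -a` and reports whether the build is on a vulnerable release (1.0.1 through 1.0.1f, and 1.0.2-beta1), a fixed release (1.0.1g or later), an older branch that never had TLS heartbeats (0.9.8, 1.0.0), or a build compiled with -DOPENSSL_NO_HEARTBEATS. The assumption that the compile switch is visible in the "compiler:" line printed by `openssl version -a` is mine; the sample outputs embedded below are constructed for the example, not captured from real hosts.

```python
"""Classify an OpenSSL build for Heartbleed exposure from `openssl version -a` output.

Added example for this chapter, not part of the original text. Encodes the
version facts the chapter relies on: 1.0.1 through 1.0.1f are vulnerable,
1.0.1g fixes the bug, 1.0.2-beta1 was also affected, and the 0.9.8 and 1.0.0
branches never implemented TLS heartbeats.
"""
import re
import subprocess

# Constructed sample outputs (not from real systems) used when `openssl` is absent.
SAMPLE_VULNERABLE = """OpenSSL 1.0.1e 11 Feb 2013
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O3
"""
SAMPLE_FIXED = """OpenSSL 1.0.1g 7 Apr 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O3
"""
SAMPLE_NO_HEARTBEATS = """OpenSSL 1.0.1f 6 Jan 2014
platform: linux-x86_64
compiler: gcc -DOPENSSL_NO_HEARTBEATS -fPIC -DOPENSSL_THREADS -O3
"""
SAMPLE_OLD_BRANCH = """OpenSSL 1.0.0l 6 Jan 2014
platform: linux-x86_64
"""

# First line looks like "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 ...".
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)(?:([a-z]+)|-beta(\d+))?", re.M)


def classify_openssl(version_output):
    """Return 'no-heartbeats', 'not-affected', 'vulnerable', 'fixed' or 'unknown'.

    'vulnerable' means the upstream version string is in the affected range; a
    vendor may have backported the fix without changing that string, so confirm
    against the distribution's package changelog before acting on it.
    """
    # Assumption: a build configured with -DOPENSSL_NO_HEARTBEATS keeps the
    # flag in the "compiler:" line that `openssl version -a` prints.
    if "-DOPENSSL_NO_HEARTBEATS" in version_output:
        return "no-heartbeats"
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    base = (int(m[1]), int(m[2]), int(m[3]))
    letter = m[4] or ""          # "" for the plain 1.0.1 release
    beta = int(m[5]) if m[5] else None
    if base < (1, 0, 1):
        return "not-affected"    # 0.9.8 / 1.0.0 never had TLS heartbeats
    if base == (1, 0, 1):
        return "fixed" if letter >= "g" else "vulnerable"
    if base == (1, 0, 2) and beta == 1:
        return "vulnerable"      # 1.0.2-beta1 shipped the same bug
    return "fixed"


REMEDIATION = {
    "vulnerable": "upgrade to 1.0.1g (or rebuild with -DOPENSSL_NO_HEARTBEATS), "
                  "restart OpenSSL-backed services, regenerate keys, revoke and "
                  "replace certificates, then change passwords",
    "no-heartbeats": "heartbeat code compiled out; plan the upgrade to 1.0.1g",
    "fixed": "no action required",
    "not-affected": "no action required",
    "unknown": "could not parse version output; inspect it manually",
}


def local_openssl_output():
    """Run `openssl version -a` if the binary is present, else use a sample."""
    try:
        result = subprocess.run(["openssl", "version", "-a"],
                                capture_output=True, text=True, check=False)
        return result.stdout or SAMPLE_FIXED
    except FileNotFoundError:
        return SAMPLE_VULNERABLE


if __name__ == "__main__":
    out = local_openssl_output()
    status = classify_openssl(out)
    print(out.splitlines()[0])
    print(f"status: {status}")
    print(f"action: {REMEDIATION[status]}")
```

The classifier deliberately treats any 1.0.1a-f string as vulnerable even though Debian, Ubuntu and Red Hat shipped backported fixes under the same upstream version; the intent is to force a second look at the package changelog rather than to silently pass a host.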

An effective vulnerability assessment and remediation program must be able to prevent the exploitation of vulnerabilities by detecting and remediating vulnerabilities in covered devices in a timely fashion. Proactively managing vulnerabilities on covered devices will reduce or eliminate the potential for exploitation and save on the resources otherwise needed to respond to incidents after exploitation has occurred. Information Security and Policy (ISP) provides a centrally managed campus service that campus units can use to comply with this requirement [2].

[Figure: img19.jpg, taken from Reference [10]]