Heartbleed ‘top of food chain’ for healthcare industry, says CISO
April 14, 2014 in Medical Technology
A lot of folks in the healthcare industry may be using vendor-supplied solutions embedded with OpenStack in off-the-shelf applications, Lerner pointed out.
“And it took the vulnerability assessment, 10 people and scanning developers a while, meaning a little bit longer than I think most folks would have liked to have gotten out ready to test patches.”
That brought Lerner to his next point: testing. You can’t just apply patches without testing, he said, because of the hooks between the applications, the databases beneath them and their front ends, any of which can be affected when embedded code changes. “Because of the size of typical enterprise of user community, the test process and the threat vetting process as when can we run it through open scanners or our own scanners,” Lerner continued, “made things a little bit more difficult just because it’s time consuming.”
He then cautioned against the websites where you paste your code into a scanner that returns vulnerability recommendations based on whatever was entered. Overall, he is not a “huge fan,” because of the risk. “Usually, that’s done in clear text, not into the tool that folks might think that they could easily mitigate with,” he said. “In large enterprises, there’s typically lots of homegrown, especially if you look at verticals over all because people tend to be creative in maybe their legacy applications.”
The app owners, in general, know what’s underneath the app, said Lerner, as they’re typically writing the code, or at least maintaining it. “Making changes to the application to support a critical vulnerability or exploit may be more difficult in some cases,” he said, “because they don’t want to break any of the clients’ icon activity.”
Johnson, too, said the client software piece is particularly difficult. “There is currently no easy way to scan for this flaw in the myriad of programs using the OpenSSL libraries,” he said. And the patching process for client programs is no walk in the park, “but that is the answer,” Johnson added.
For some companies, though, patches haven’t yet been issued.
Intel, for example, has not released a patch for Heartbleed, eliciting frustrated responses from industry officials. McAfee, an Intel-owned company, posted a statement to its website on the incident. “We understand this is a difficult time for businesses as they scramble to update multiple products from multiple vendors in the coming weeks. The McAfee products that use affected versions of OpenSSL are vulnerable and need to be updated.”
Earlier this week, it was discovered that German software developer Robin Seggelmann was responsible for accidentally creating Heartbleed.
“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he told The Sydney Morning Herald. “In one of the new features, unfortunately, I missed validating a variable containing a length.”
Upon submitting the code, a reviewer also failed to notice the mistake, Seggelmann pointed out.
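The missed length validation Seggelmann describes can be illustrated with a small model of the TLS heartbeat record. The following is an added example, not code from the article or from OpenSSL: the record layout (type, two-byte length, payload, 16 bytes of padding) follows the heartbeat extension, the function names and the sample records are constructed for illustration, and the unchecked variant only reports how many bytes it would have copied rather than touching memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Heartbeat record layout: type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (16 bytes). */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16

struct hb_request {
    const uint8_t *payload;   /* points into the caller's record buffer */
    size_t payload_len;
};

/* Buggy logic in spirit: trusts the declared length without comparing it with the bytes actually
 * received. Returns how many bytes a responder would have copied back from rec + HB_HEADER_LEN. */
size_t hb_declared_len_unchecked(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN) return 0;
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Hardened logic: reject the record when header + declared payload + padding exceed what was received.
 * Returns 1 and fills *out on success, 0 on a malformed record. */
int hb_parse_checked(const uint8_t *rec, size_t rec_len, struct hb_request *out) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return 0;          /* too short to be a heartbeat */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + declared + HB_PADDING_LEN > rec_len) return 0; /* the check that was missing */
    out->payload = rec + HB_HEADER_LEN;
    out->payload_len = declared;
    return 1;
}

/* Constructed sample records (24 bytes each): type 1 = heartbeat_request. */
const uint8_t hb_good[24] = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
                              0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };       /* declares 5, carries 5   */
const uint8_t hb_bad[24]  = { 0x01, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',
                              0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };       /* declares 65535, carries 5 */

int main(void) {
    struct hb_request r;
    printf("unchecked would copy %zu bytes\n", hb_declared_len_unchecked(hb_bad, sizeof hb_bad));
    printf("checked accepts malformed record: %d\n", hb_parse_checked(hb_bad, sizeof hb_bad, &r));
    printf("checked accepts well-formed record: %d\n", hb_parse_checked(hb_good, sizeof hb_good, &r));
    return 0;
}
```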
The effects of the Heartbleed bug are percolating through virtually every industry nationwide.