So I'm jumping in with some facts, a few opinions, and some action steps that you should be taking now.
First we'll look at the consumer/user side of things. Then the organization side. Finally, I'll talk a bit more about what this is and what this isn't.
If you use the Internet and enter any personal or financial information on any website, then you might be affected by this issue. To find out, follow these steps:
- Check with your providers - your bank, your shopping sites - to see if they have fixed the problem (or never had it in the first place). You can check their website or blog for info. Some providers are notifying customers (my bank did that).
- Test the site to see if it's affected. There are a number of tools available including these:
- LastPass - https://lastpass.com/heartbleed/
- GitHub - http://filippo.io/Heartbleed/
- SSL Labs - https://www.ssllabs.com/ssltest/
- Once you know or have verified that the site has been fixed, change your password for that site. Changing it before the fix is in place doesn't help - the new password can be leaked exactly the same way the old one was.
Next, if you have responsibility for security or servers at your organization, here's what you need to do:
- Inventory - you need to figure out where all your web servers are or how you are serving web content. There are a number of aspects to consider:
- web servers in your data center - this should be the easiest. Microsoft IIS is typically not affected (it uses SChannel rather than OpenSSL), but anything running on Linux/Unix, or anything with OpenSSL bundled into it, needs checking.
- web servers not in your data center - check under people's desks! This is also a great opportunity to figure out what "other" systems might be serving web content.
- hosted/SaaS solutions - check with your cloud partners for their vulnerabilities - always a good idea!
- other front ends - proxies, ssl-accelerators, ssl vpn's, load balancers, jumpstations
- and don't forget about embedded devices with web administrative interfaces
- Figure out what's vulnerable - that's anything that uses OpenSSL 1.0.1 through 1.0.1f (and the 1.0.2-beta1 pre-release). The older 0.9.8 and 1.0.0 branches never had the heartbeat code, so they aren't affected by this one. Watch out for distro packages, though: Debian, Ubuntu and Red Hat backported the fix without bumping the version string, so a banner that says 1.0.1e may or may not be patched - check the package changelog or test it.
- Fix it!
- upgrade to 1.0.1g! (or recompile with -DOPENSSL_NO_HEARTBEATS to leave the heartbeat extension out entirely) - and then restart every process that had the old library loaded; a running web server keeps using the old copy until it's restarted
- generate new private keys and issue new certs - this bug can leak the private key itself, so reissuing a cert on the same old key fixes nothing
- then revoke the old certs and keys - do it in that order so you aren't serving a revoked cert while waiting for the new one, and don't forget the other secrets a leaky server may have exposed (session cookies, application passwords, API keys)
- Tell people you fixed it! - your customers and users need to know when they can follow the consumer instructions above.
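Pulling the "figure out what's vulnerable" and "fix it" steps together: here is an added triage script, not code from this post, that takes the `openssl version -a` banner you collected from each box in your inventory and the output of `lsof -n`, and tells you three things - which hosts fall in the affected version range (with the backport caveat flagged rather than hidden), which ones were built without heartbeats, and which processes are still running against the old libssl after the upgrade and need a restart. The host banners and lsof lines below are constructed samples, and the verdict strings, function names and the two lsof "replaced file" formats it looks for ('(deleted)' suffix, or DEL in the FD column) are my assumptions.

```python
import re

# Constructed `openssl version -a` excerpts standing in for the inventory, not captured from
# real hosts. Appliances and load balancers usually expose a banner like these over SSH or an API.
SAMPLE_HOSTS = {
    "web1": "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_THREADS -D_REENTRANT",
    "web2": "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -fPIC -DOPENSSL_THREADS -D_REENTRANT",
    "lb1":  "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS",
    "old1": "OpenSSL 0.9.8y 5 Feb 2013\ncompiler: gcc -fPIC",
    "iis1": "Microsoft IIS (SChannel; no OpenSSL banner)",
}

# Constructed `lsof -n` lines (assumed formats) showing a mapped libssl that was replaced on
# disk by the upgrade: lsof marks it either with a '(deleted)' suffix or with DEL in the FD column.
SAMPLE_LSOF = """\
COMMAND  PID     USER  FD   TYPE DEVICE SIZE/OFF   NODE NAME
nginx   1234 www-data mem    REG    8,1   431688   1450 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
sshd    2001     root DEL    REG    8,1            1450 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
httpd   3100   apache mem    REG    8,1   431688   9912 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx   1234 www-data mem    REG    8,1   100000   2222 /lib/x86_64-linux-gnu/libc.so.6
"""


def parse_openssl_version(text):
    """Parse 'OpenSSL 1.0.1e 11 Feb 2013' or 'OpenSSL 1.0.2-beta1 ...' into
    (major, minor, patch, letter, beta); beta is 0 for a release build."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?", text)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter, int(beta) if beta else 0)


def classify_version(v):
    """Map a parsed version onto the Heartbleed (CVE-2014-0160) affected ranges."""
    major, minor, patch, letter, beta = v
    if (major, minor, patch) < (1, 0, 1):
        return "NOT_AFFECTED"        # 0.9.8 and 1.0.0 never had the heartbeat code
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g is the fix.
        return "AFFECTED_RANGE" if letter <= "f" else "FIXED"
    if (major, minor, patch) == (1, 0, 2) and beta == 1:
        return "AFFECTED_RANGE"      # 1.0.2-beta1 shipped the bug as well
    return "FIXED"


def triage(host, version_a_output):
    """Verdict for one host from its `openssl version -a` text: (host, verdict, note)."""
    if "OPENSSL_NO_HEARTBEATS" in version_a_output:
        return (host, "NOT_AFFECTED", "built with -DOPENSSL_NO_HEARTBEATS")
    v = parse_openssl_version(version_a_output)
    if v is None:
        return (host, "UNKNOWN", "no OpenSSL banner; find out which TLS library it really uses")
    verdict = classify_version(v)
    note = ""
    if verdict == "AFFECTED_RANGE":
        # Distros backport the fix without changing the banner (1.0.1e stays 1.0.1e), so the
        # banner can put a host IN the affected range but can never clear it on its own.
        note = "banner in affected range; confirm via package changelog or a heartbeat probe"
    return (host, verdict, note)


def triage_all(hosts):
    """Run triage over an {host: banner} inventory and return {host: verdict}."""
    return {host: triage(host, text)[1] for host, text in hosts.items()}


def processes_needing_restart(lsof_output):
    """Return {(command, pid)} for processes still mapping a libssl that has been replaced
    on disk. Those are patched in /usr/lib but not in memory until they restart."""
    stale = set()
    for line in lsof_output.splitlines():
        cols = line.split()
        if len(cols) < 8 or "libssl" not in line:
            continue
        cmd, pid, fd = cols[0], cols[1], cols[3]
        if fd == "DEL" or line.rstrip().endswith("(deleted)"):
            stale.add((cmd, int(pid)))
    return stale


if __name__ == "__main__":
    for host, verdict, note in (triage(h, t) for h, t in SAMPLE_HOSTS.items()):
        print(f"{host:6} {verdict:15} {note}")
    print("restart needed:", sorted(processes_needing_restart(SAMPLE_LSOF)))
```

The point of the AFFECTED_RANGE verdict, as opposed to a plain VULNERABLE, is that on a stock Debian, Ubuntu or RHEL box the banner can put a host on the to-check list but can never take it off: the distro's fixed package still reports 1.0.1e. Confirm those hosts with the package changelog or an actual heartbeat test, and treat anything in the restart list as unfixed until the process has been bounced.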
Hopefully you are now taking care of both your personal accounts and your company's sites.
And... for you xkcd fans out there: