
April 25, 2014

Tips for Responding to the Heartbleed OpenSSL Bug

If you accept Payment Card Information (PCI) on your website, an attacker exploiting the Heartbleed bug in OpenSSL can capture this information directly. Attackers can also use this bug against SSL Virtual Private Networks (VPNs) to obtain information sent over the VPN connection.

Tips for Responding:

  • Almost all vulnerability scanners have updated their plugins to check for this issue. Scan all your public-facing IP addresses that expose an HTTPS service (websites, SSL VPNs, remote logins, etc.) using an up-to-date vulnerability scanner.
  • Patch your systems immediately. All vendors are releasing patches. Contact your load balancer, VPN, network device, or server vendor for the fix.
  • If a third party manages your servers, require them to confirm what actions they have taken.
  • Affected users should upgrade to OpenSSL 1.0.1g.
  • All Web Application Firewalls and Intrusion Prevention Systems have released signatures for this issue. Update your signatures immediately and ensure they are in Block mode. Expect a performance impact from blocking TLS heartbeat requests, but you may be willing to accept that impact given the exposure that exists until you apply the patch.

The vulnerability leaves no trace of exploitation, so if you even suspect that you may have been compromised, take the following steps to recover your security:

1.   Patch your systems immediately

2.   Change your SSL certificate

3.   Issue a warning to all customers and ask them to change their passwords immediately

4.   Change all system passwords on the affected server (The vulnerability also compromises in-memory passwords)
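
The tips and recovery steps above can be tracked per host with a small triage script. The following is an added example, not part of the original post: it flags 1.0.1-series builds older than 1.0.1g from `openssl version` output and checks whether the certificate in service was issued before the patch date. The host names, dates, and function names are constructed for illustration.

```python
import re
from datetime import date

# Matches the version token in `openssl version` output, e.g. "1.0.1e".
VERSION_RE = re.compile(r"(?<![\w.])(\d+\.\d+\.\d+)([a-z]?)(?![\w.])")

def predates_fix(version_output):
    """True/False for a parsable version string, None if none is found."""
    m = VERSION_RE.search(version_output)
    if m is None:
        return None
    series, letter = m.groups()
    # Assumption: only 1.0.1-series builds are compared against 1.0.1g.
    # Vendor packages can carry the fix under an older string, so a True
    # here means "confirm with the vendor", not proof of exposure.
    return series == "1.0.1" and letter < "g"

def triage(version_output, patched_on, cert_not_before):
    """Return the recovery steps from the post still open for one host."""
    state = predates_fix(version_output)
    if state is None:
        return ["verify OpenSSL version manually"]
    if state:
        # Rotating secrets before patching would expose the new ones too.
        return ["patch first", "then replace certificate and change passwords"]
    if patched_on is None:
        return []  # not flagged and no Heartbleed patch recorded
    steps = []
    # notBefore is only a proxy: the new certificate also needs a new key.
    if date.fromisoformat(cert_not_before) < date.fromisoformat(patched_on):
        steps.append("replace certificate")
    return steps

# Constructed sample inventory (hypothetical hosts and dates).
INVENTORY = [
    ("web01", "OpenSSL 1.0.1e 11 Feb 2013", None, "2013-06-01"),
    ("vpn01", "OpenSSL 1.0.1g 7 Apr 2014", "2014-04-09", "2013-11-20"),
    ("lb01", "OpenSSL 1.0.1g 7 Apr 2014", "2014-04-09", "2014-04-10"),
    ("app01", "unknown build", None, "2014-04-10"),
]

if __name__ == "__main__":
    for host, ver, patched, not_before in INVENTORY:
        print(host, triage(ver, patched, not_before) or ["no open steps"])
```

A host that reports 1.0.1g but still serves a certificate issued before its patch date, like `vpn01` in the sample, has only completed the first recovery step.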

If you have any further questions concerning the Heartbleed OpenSSL Bug, PCI Data Security Standards, or CBIZ Security and Advisory Services, contact Brenda Brigman at bbrigman@cbiz.com or (901) 685.5575.
