How to Protect Your Business from the Effects of the “Heartbleed” Bug

Over the last few weeks, the “Heartbleed” bug has caused anxiety for people and businesses. It existed for two years before it was discovered, so one can only imagine the extent of the damage it has caused. To make things worse, experts believe that such an incident can happen again in the future.

Eric Basu, a contributor for Forbes.com, explained that the software that runs the Internet and the systems on the Internet contain bugs, whether they are created deliberately or accidentally. Because of this, bugs like Heartbleed will continue to exist, so it is very likely that similar online security breaches will occur “every so often.” As such, it is best to be prepared and have a contingency plan in place to prevent such incidents from having a massive impact on your business.

To protect your business from the effects of the Heartbleed bug, you must first understand the root of the problem. Contrary to earlier reports, Heartbleed is not a virus or a malware exploit. It is a security error that affects websites that run on software called OpenSSL. And just recently, it was reported that the bug is affecting not just websites, but also networking equipment such as routers, switches, and firewalls.

What are the risks?

What is so devastating about this security bug is that it allows an attacker who connects to a vulnerable server to gain access to sensitive data—passwords, usernames, private information, and encryption keys—with minimal risk of being detected. For a business website, such an attack could result in massive problems because customers’ information could be stolen and compromised.

If your customers’ information has been stolen, Basu explained that you can face “significant liability” from lawsuits and fines. You might lose customers and potential revenue as well, because customers might feel unsafe doing online transactions with you. Worse, if the attacker was able to steal your site’s encryption keys, they could impersonate your site and continue to steal customer data even after you have patched the bug.

Fortunately, there are ways to protect your business from the after-effects of the Heartbleed bug. Sadik Al-Abdulla, director of security solutions at CDW, offers some advice on what IT workers and businesses should do to mitigate the impact of the Heartbleed bug.

1.    Identify vulnerable systems

Sadik Al-Abdulla said it isn’t easy to pinpoint exactly which systems are affected. But the “technically precise” answer is that if your website or server runs on versions of OpenSSL 1.0.1 through 1.0.1f, then its security might have been compromised.

He said you should conduct an asset management and software inventory, as it will give you a good idea of which systems are affected. “Internet-facing services are certainly the most critical to check first. In the long run, once you’re past the immediately critical issues, you will need to include this in your annual vulnerability assessment. Top priority is Internet-facing SSL/TLS, including web servers, SSL VPNs, and some VPN tunnels,” Sadik added.

2.    Patch

The next step is to patch the affected services to remove the vulnerability. Sadik said this will usually involve applying a vendor-supplied patch or software/firmware release. For servers on which you manage OpenSSL directly, you may have to upgrade or migrate to a more recent version.

3.    Revoke certificates and then reissue to rekey

Sadik explained that the private key of any SSL certificate present on an affected system might have been exposed. As such, you will need to rebuild your defences. Start by revoking and reissuing any certificate whose private key might have been exposed. Then change the locks: generate new private keys for the reissued certificates, so that a key stolen earlier cannot be used against you in the future.

4.    Change passwords

Take the opportunity to change all of your passwords. If you’re using the same password across multiple websites or servers, it is advisable that you use different and unique passwords for each site. This applies to your personal life, as well. Mashable.com has published a list of popular websites that might have been affected by Heartbleed. If you and your staff are using any of the websites mentioned in the article, you have to change your passwords immediately.
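The four steps above amount to a triage loop over your software inventory. The script below is an added example (not the article’s or Seccom Global’s code) that walks a constructed inventory, flags builds in the affected 1.0.1 through 1.0.1f range, decides which hosts still need patching, certificate reissue or password rotation, and orders the work Internet-facing first, as advised. The inventory fields (host, internet_facing, openssl, patched_on, cert_not_before) and host names are assumptions.

```python
"""Heartbleed response triage (added example; inventory is constructed)."""
import re
from datetime import date

# Affected range named in the article: 1.0.1 (no letter) through 1.0.1f.
AFFECTED = re.compile(r"^OpenSSL 1\.0\.1([a-z])?\b")


def is_affected_version(banner):
    """True for OpenSSL 1.0.1 through 1.0.1f; False for 1.0.1g+, 1.0.0, 0.9.8.
    Caveat: distributions backport fixes without bumping the letter, so the
    banner is a first cut, not proof; confirm with the vendor's advisory."""
    m = AFFECTED.match(banner.strip())
    if not m:
        return False
    letter = m.group(1)
    return letter is None or letter <= "f"


def triage(inventory):
    """Return (host, internet_facing, [actions]) for every host needing work.
    Each inventory item: host, internet_facing (bool), openssl (banner),
    patched_on (date or None), cert_not_before (date or None)."""
    actions = []
    for item in inventory:
        todo = []
        if is_affected_version(item["openssl"]):
            if item["patched_on"] is None:
                todo.append("patch")
            nb = item["cert_not_before"]
            # A certificate issued while the vulnerable build was live may have
            # had its private key exposed: revoke, reissue with a new key.
            if nb is not None and (item["patched_on"] is None or nb <= item["patched_on"]):
                todo.append("revoke+reissue cert")
            # Data may have leaked before the patch, so rotate credentials anyway.
            todo.append("rotate passwords")
        if todo:
            actions.append((item["host"], item["internet_facing"], todo))
    # Internet-facing SSL/TLS services first, then internal ones.
    actions.sort(key=lambda a: (not a[1], a[0]))
    return actions


# Constructed sample inventory; hosts and dates are made up.
SAMPLE = [
    {"host": "www.example.test", "internet_facing": True,
     "openssl": "OpenSSL 1.0.1e 11 Feb 2013", "patched_on": None,
     "cert_not_before": date(2013, 6, 1)},
    {"host": "vpn.example.test", "internet_facing": True,
     "openssl": "OpenSSL 1.0.1f 6 Jan 2014", "patched_on": date(2014, 4, 8),
     "cert_not_before": date(2014, 4, 9)},
    {"host": "intranet.example.test", "internet_facing": False,
     "openssl": "OpenSSL 1.0.1c 10 May 2012", "patched_on": date(2014, 4, 10),
     "cert_not_before": date(2013, 1, 15)},
    {"host": "legacy.example.test", "internet_facing": False,
     "openssl": "OpenSSL 0.9.8y 5 Feb 2013", "patched_on": None,
     "cert_not_before": date(2012, 1, 1)},
]

if __name__ == "__main__":
    for host, public, todo in triage(SAMPLE):
        print(f"{'PUBLIC  ' if public else 'internal'} {host}: {', '.join(todo)}")
```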

Take note, however, that before you deploy these strategies, it is important to create a backup of your system and have a disaster recovery plan in place. Ricky Ribeiro wrote on Biztechmagazine.com that implementing such fixes might affect other parts of your IT environment, which could create an even bigger problem. As such, it is important to take precautionary measures to prevent potential data loss and to ensure that your website will remain accessible to your customers once the Heartbleed fixes have been implemented.

How we can help

Problems such as the Heartbleed bug demonstrate the many advantages of dealing with a security-focused Internet service provider like Seccom Global. It takes time to implement many of the strategies mentioned above, time during which you may be further compromised. Because of the way the SecureWAN Internet service has been designed, we were able to protect all customers who use this service very quickly, through our cloud-based Intrusion Prevention Service (IPS).

In addition, Seccom Global was able, with a minimum of fuss, to update all customers that use the SecureLAN (managed firewall) service from our Security Operations Centre (SOC), meaning that these customers were protected within a few hours of the vulnerability becoming known.

Customers using Seccom Global’s SecureDR disaster recovery solution had an easy mechanism for applying any required server updates and patches, while customers with Seccom Global support have 24x7 access to senior engineers with the expertise to assist with any security-related questions.

What exactly is Heartbleed, and what do you need to do to stay secure?

You’ve seen or heard the word Heartbleed being thrown around over the last 48 hours, and you may be thinking the reaction to the OpenSSL vulnerability is exaggerated. Unfortunately, it’s not. Heartbleed is indeed a catastrophic bug affecting half a million sites and services across the Internet, and is a major problem. Security expert Bruce Schneier says “‘catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”

It has the potential to be one of the biggest, most widespread vulnerabilities of the modern web, and because the problem is very technical, it’s difficult for regular web users to understand what it does, which services have been affected and which could be affected.

So what is Heartbleed?

Encryption is used across the web to ensure the information you send from one computer to another computer or server is protected and secure. Think of it as a secret language between two people. These two people are the only ones that know the language, and to everyone else, it sounds like gibberish.

The language works as a set of encryption keys, and both you and the web app or server you are talking to hold keys on your machines. It follows that those keys must be kept secure, and this is where SSL comes in. The Internet has a set of protocols, Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS), that handle security across a major part of the modern web.

The most common implementation of SSL/TLS is an open-source toolkit known as OpenSSL. From apps to web services, email clients and printers, 66% of the web relies on OpenSSL. Even if you never see OpenSSL, chances are you interact with it several times a day.

Heartbleed is a flaw in OpenSSL versions 1.0.1 through 1.0.1f that allows an attacker to read the memory of systems running these versions of OpenSSL, compromising the encryption keys. Heartbleed allows securely sent information to be read and copied, meaning that usernames and passwords, credit card information, and any other confidential data sent over OpenSSL could be read by cyber criminals without your knowledge.

How does it affect you and what do you need to do now?

There’s a good chance that one of the services you use is affected, but the degree to which it is affected will vary. For example, Gmail, Facebook, LastPass and Box have all been affected to a certain degree, showing the spectrum of services Heartbleed has impacted.

Here is another list of services that may have been affected; however, changing your passwords is only advisable after the sites or services have fixed the Heartbleed bug. Changing your password before then only puts the new password at risk of being intercepted through Heartbleed.

Once a site has fixed the Heartbleed bug, picking a secure new password for each service is crucial. Use a complex password that is memorable and unique to each service or site.

Invest in additional security where confidential data is involved. Seccom Global has applied signatures to our cloud IPS profile designed to protect all our SecureWAN customers. The SecureWAN solution is an enterprise-grade ISP service that uses specialised security functionality in our points of presence (POPs) to eliminate 100% of known threats, providing you with Internet and inter-office connectivity free of viruses, Trojans and malware.

In cases of Internet-wide vulnerability such as Heartbleed, the benefits of secure, filtered Internet solutions are clear, and if you are a business or an individual that primarily functions on the web, SecureWAN or similar services are worth looking into.

Does Your Company Comply with the New Privacy Laws?

If your company handles personal information or generates at least $3 million in annual revenue, then you should know that the government has intensified its campaign to protect people’s privacy and ensure that personal information is handled in an “open and transparent way” by concerned organisations and business entities.

The Privacy Act of 1988 has been around for many years. However, the Office of the Australian Information Commissioner has just recently announced that an amendment to the privacy act has been made. On March 12, the Australian Privacy Principles (APPs) replaced the National Privacy Principles and Information Privacy Principles. The latest changes relate to how APP entities handle, use, and store personal information and engage in direct marketing.

But if you’re just a small business owner, how do you determine if the new privacy laws apply to you?

Personal information is basically what identifies, or could potentially identify, an individual. This information may include a person’s name, addresses, date of birth, and bank account details. So even if you’re just a small business owner and you’re not earning at least $3 million annually, the new privacy rules still apply to you if you collect and then provide such personal details to a third party for a benefit, service, or advantage. This practice is basically called “trading in personal information.”

If you trade in personal information to generate sales, for direct marketing, or for any other purpose, then you will have to ensure that your company complies with the new privacy rules. Otherwise, you could face legal action and pay up to $1.7 million in fines, depending on the size of your business and how it operates.

Complying with the New Australian Privacy Principles

There are certain steps to ensure that your business adheres to the new APPs. Discussed below are some of them:

  1. Determine how your business manages personal information. To determine if your business is APP-compliant, the first thing you need to do is conduct a quick audit. Review your business procedures so you can have a clear idea on how your company deals with and stores all the information you collect from your customers or prospects.
  2. Establish a compliance system. Notify your staff about the new APPs and discuss their provisions and stipulations with them. Then use the results of your audit to set up or revise procedures so that everyone in your company who handles customers’ personal information complies with the privacy law changes.
  3. Provide a privacy notice. As mentioned earlier, the objective of the new APPs is to ensure that personal information is managed in an open and transparent manner. As such, before you collect personal information from everyone, make sure you provide them with details about your organisation or business, including your name and contact information. You should also explain why you are collecting information and to whom the information will be disclosed in case you’re disclosing them to a third party.
  4. Revamp your privacy policy. The APPs call for an up-to-date privacy policy that addresses specific topics. Therefore, you should create or update any existing privacy policy and ensure that it includes the following information:
    • What personal information you collect.
    • How you collect, store, manage, or use personal information.
    • Your purpose for collecting personal information.
    • How an individual may access the said information.
    • How you ensure the security of the collected information.
    • How an individual may send complaints in case there’s a breach of the APPs.
    If you’re planning to send personal information to overseas recipients, you also need to disclose that in your privacy policy. And if practicable, make sure the privacy policy identifies the countries in which those recipients are located.
  5. Offer a way for people to manage their personal data. You need to give individuals the right to access their personal information and correct outdated or incorrect details. In case you’re using the personal information you have collected for direct marketing, you should give each person a way to opt out or unsubscribe. And finally, before you use any personal information, see to it that it was given with the concerned individual’s consent.
  6. Secure the data you have collected. Malicious attacks resulting in a leak of data can place your business in a precarious situation. You and your company could still be held legally responsible even if it is not entirely your fault that others obtained unauthorised access to the personal information you have gathered. Therefore, your business should have security measures in place to ensure the safety of personal data. You should install anti-virus and anti-malware software and set up firewalls, among other things. Enlisting the services of a managed security services provider (MSSP) is also highly recommended.

As you may know, it is difficult for an organisation to track and address all potential threats and vulnerabilities. And if you’re just a small business owner, you probably don’t know what the best security practices are or what attack patterns or intruder tools hackers are using. An MSSP is often able to obtain advance warning of new vulnerabilities and gain early access to information. This allows it to develop countermeasures and provide you with the best advice to prevent attacks on your systems and the consequent leakage of important data.

An MSSP can enhance the security of your data because of the facilities it offers. Most service providers have dedicated security operations centres with advanced infrastructure that are more than capable of protecting your customers’ personal information from hackers. As such, their services are worth looking into.

As an end note, complying with the APPs is not that difficult. So if you don’t want to face legal action and pay fines, familiarise yourself with the new privacy laws, and make sure you handle personal information safely and carefully.

The Importance of Cloud-Based Disaster Recovery Planning for Businesses

Natural, economic, and other types of disasters can strike anytime or anywhere, and they can affect businesses of all sizes. And once they happen, it may be too late to go back to the drawing board and identify the steps that should be taken to mitigate the impact of such unfortunate events. This is one of the major reasons why planning for disaster recovery is a vital aspect of running a business.

As the saying goes, “if you fail to plan, you plan to fail.” Without a disaster recovery plan, it is very likely that business owners would be at a loss on what to do to get back on their feet and recover in the event of a disaster, man-made or otherwise. While it is true that you cannot plan in advance for every possible situation that can harm your business, some problems are more likely to occur than others. But if you have a contingency plan for these problems, it can prepare you for the worst-case scenario if something indeed goes wrong.

As part of a disaster recovery plan, it is quite common for companies to create backups of their company data and save these backups in different locations that are floors, blocks, cities or even oceans apart. While this has clear benefits, there are significant costs associated with it, as well as the concern that in some cases, especially when the backups are in the same city or state, all locations may be affected by natural disasters such as floods, earthquakes and so on.

This scenario can be avoided by simply making your disaster recovery plan cloud-based. In this day and age where every accounting system you use, every document, every business contact, and every file you own can just be a click away, one cannot easily ignore the practicality of setting up a cloud-based business contingency plan.

When it comes to disaster recovery, obtaining cloud solutions is an affordable and valuable option, as it makes data storage and application use much safer. Because it allows you to store backups off-site, you and your employees can still recover crucial data when your local servers go down. And if you need to access your business contingency plan, your current location won’t even matter. This is because the cloud is structured in a way that makes it possible for you to access stored data anywhere, provided that you have the right login information.

Cloud-based disaster recovery can do more than just protect valuable data. It also makes it possible to continue business operations, even if your physical building has been submerged in floodwater or your computers have been infected with a virus. This is because cloud solutions can provide you with the virtual infrastructure your business should be using in this age of technology, thus, allowing you to focus on getting your company rebuilt quickly if disaster strikes and enabling you to continue to manage operations from any remote location.

Finally, obtaining cloud solutions for disaster recovery simplifies the process of planning and preparing for any kind of catastrophe that can disrupt your business. At the same time, it ensures business continuity and provides you with better security and reliability than what most businesses can afford for themselves.