This article is more than 1 year old
Most top corporates still Heartbleeding over the internet
Australia crowned global head-in-sand champion
A depressing 76 percent of the top 2000 global organisations have public facing systems still exposed to Heartbleed, researchers say.
The exposure means attackers could nab passwords, login cookies, private cryptographic keys and more using the vulnerability first disclosed 12 months ago.
Australia is the least-repaired nation, with 84 percent of studied companies still exposed, according to the Venafi report (pdf). The UK came in fourth spot at 67 percent beating the US at 59 percent.
The USA and Germany topped remediation efforts but 40 percent of the top organisations have not fully scrubbed out Heartbleed.
Venafi threat intelligence head Gavin Hill says only two percent of those top 2000 vulnerable organisations have made effort to fully patch Heartbleed since last year, and had done so only to address expiring certificates.
"It would seem based on the trend of replacing keys only for impending certificate expirations that organizations have either given up on trying to fully remediate this massive vulnerability or simply don’t grasp the gravity of the situation," Hill says.
"I believe that there are two additional reasons for such poor Heartbleed remediation -- [lazy remediation and] that organisations simply don’t see the impact yet."
The research speculates that hundreds of firewalled applications could remain open to Heartbleed until certificates expire over the coming years, adding that little data exists to determine the state of remediation of those systems.
"However, remediation is likely no better than that for public-facing systems and may be worse," it foretells. "It is common for systems operating behind the firewall to have certificate expirations set for three, four, five years or much longer."
Separate University of Maryland research puts the Heartbleed exposure in the top corporate echelons at around 85 percent, firming up Venafi's claimed corporate slackness.
Hill cites Intel and Gartner findings that attacks against corporations using hijacked VPNs is on the rise. The latter crystal ball corp predicts half of all network attacks will use SSL / TLS by 2017.
Venafi tells system administrators to knock out Heartbleed by:
- Patching the OpenSSL vulnerability
- Generating new keys
- Issuing and installing new certificates
- Revoking old certificates