In the week after the Heartbleed bug was publicly disclosed on April 7, researchers at Errata Security found 600,000 vulnerable Internet feeds. One month later, 300,000 were still vulnerable.
With that many systems left unpatched long after the fix was available, one might ask: How did vendors and IT departments handle the Heartbleed fix, and what can be done to better secure corporate applications?
For unified communications (UC) platforms, swift action was needed to close the security holes Heartbleed opened. Exposed, unprotected Internet feeds put devices and UC tools at risk, and those are precisely the systems that tend to get overlooked.
A quick Heartbleed fix: How vendors patched the bug
Cisco reacted quickly, publishing a continuously updated list of affected products that should not be overlooked. Vulnerable products included Cisco Agent for OpenFlow, Cisco AnyConnect Secure Mobility Client for iOS, Cisco Desktop Collaboration Experience DX650, and Cisco Edge 340 Digital Media Player, to name a few.
Dr. Robert Brammer, chief strategy officer for Acton, Massachusetts-based Brainloop Inc., explained that Cisco's list includes versions of their Unified Communications Manager, telepresence servers and IP phones. He also pointed out that Juniper and some other companies have released patches to some of their networking and communications products to address the Heartbleed vulnerabilities.
Brammer believes the problem is better understood by looking at the direct -- as well as indirect -- effects of the vulnerability.
"Specific instances like the vulnerabilities of these [Cisco] products are direct effects of the software error in this version of OpenSSL," Brammer said. "The creators of OpenSSL provided a corrected version on April 7, the day they announced the flaw. Patching these products individually is routine. However, there are many of them, so the scale of the problem is a challenge."
According to Brammer, indirect effects may be more serious.
"Since OpenSSL is a library, this error is more serious than many other network and server software errors," he added. "Any software that links statically to this version of OpenSSL will inherit these vulnerabilities. Moreover, it is possible that a server that suffered a Heartbleed exploit contained sensitive information like passwords or encryption keys. If that information could be used to access a UC platform, then such a platform could be penetrated even if it were not directly affected by the Heartbleed vulnerability. Exposing a private key to a messaging server could cause many significant problems through fraudulent or corrupted messages."
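Brammer's static-linking point is worth making concrete: a product that bundles its own copy of OpenSSL is not fixed by patching the host's shared library, so an inventory has to look inside the binaries themselves. The following is an example added to this article, not tooling from Cisco, Juniper, Brainloop or any other vendor mentioned here. It assumes, as is true of normal OpenSSL builds, that a statically linked copy of the library carries its version banner (for example "OpenSSL 1.0.1e 11 Feb 2013") in the binary image; the sample inventory, artifact names and byte strings are constructed for illustration. It flags any artifact that embeds an affected release (1.0.1 through 1.0.1f, or 1.0.2-beta1) so it can be queued for patching and, following Brammer's second point, for key and credential rotation.

```python
"""Inventory check for statically linked OpenSSL builds affected by
Heartbleed (CVE-2014-0160). Example code added to this article; it is not
tooling from any vendor the article mentions.

Assumption (not from the article): a statically linked OpenSSL keeps its
version banner, e.g. b"OpenSSL 1.0.1e 11 Feb 2013", inside the binary, so
a byte search for that banner identifies the embedded version.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List

# Banner string emitted by OpenSSL's own version reporting.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?)")
# Release string such as "1.0.1e", "1.0.1", "1.0.2-beta1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?$")


def is_heartbleed_affected(version: str) -> bool:
    """True for OpenSSL releases that carry the heartbeat read overrun.

    Affected: 1.0.1 through 1.0.1f and 1.0.2-beta1. Fixed in 1.0.1g
    (released 7 April 2014, the date the article cites) and 1.0.2-beta2.
    The 1.0.0 and 0.9.8 branches never had the TLS heartbeat extension.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        # Pre-release 1.0.1 builds are conservatively treated as affected;
        # "" (plain 1.0.1) sorts before "f", so it is affected too.
        return beta is not None or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta == "1"
    return False


def embedded_versions(blob: bytes) -> List[str]:
    """Return every distinct OpenSSL version banner found in a binary image."""
    return sorted({m.group(1).decode("ascii") for m in BANNER_RE.finditer(blob)})


def triage(blob: bytes) -> str:
    """Classify one artifact: 'vulnerable', 'not-affected' or 'no-banner'.

    'no-banner' usually means the program links OpenSSL dynamically (or the
    build was stripped); the shared library on the host must be checked instead.
    """
    versions = embedded_versions(blob)
    if not versions:
        return "no-banner"
    return "vulnerable" if any(is_heartbleed_affected(v) for v in versions) else "not-affected"


def triage_inventory(inventory: Dict[str, bytes]) -> Dict[str, str]:
    """Run the check over a name -> image mapping (the in-memory form used below)."""
    return {name: triage(blob) for name, blob in inventory.items()}


def triage_files(paths: Iterable[str]) -> Dict[str, str]:
    """Same check over real files on disk, e.g. extracted firmware images."""
    return {str(p): triage(Path(p).read_bytes()) for p in paths}


# Constructed sample "binaries": filler bytes around the banner a real build
# would carry. The artifact names are hypothetical, not products from the article.
SAMPLE_INVENTORY = {
    "ucm-media-service": b"\x7fELF...." + b"OpenSSL 1.0.1e 11 Feb 2013\x00" + b"....",
    "ip-phone-firmware": b"\x00\x00OpenSSL 1.0.1g 7 Apr 2014\x00",
    "legacy-gateway": b"OpenSSL 0.9.8y 5 Feb 2013\x00",
    "dynamic-client": b"\x7fELF....libssl.so.1.0.0\x00",  # no banner: check the shared lib
}

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:20s} {status}")
```

A "vulnerable" result is a remediation ticket with two parts, not one: install the vendor's patched build, and then treat every private key, certificate and password that server could have served from memory as exposed (revoke and reissue certificates, rotate keys, reset credentials). A "no-banner" result is not a clean bill of health; it only moves the question to the shared libssl on the host or to the vendor's advisory.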
To secure UC, secure the Internet feed
For UC, there's a bigger message: Wherever there is an unsecured Internet feed without implemented security measures, there is risk.
"UC platforms and their associated devices, such as IP phones, are fundamentally no more or less vulnerable than other IT platforms," said Ashley Stephenson, CEO of Corero Network Security in Hudson, Massachusetts. "However, they are often utilized in distributed deployments, making remediation more challenging. UC platforms, like any other modern IT infrastructure component, benefit from service-side protection against the cyberthreats carried by raw Internet feeds. Connecting UC equipment to secured Internet access greatly reduces the security risk and can provide 'air cover' against exploits, such as Heartbleed, while systems are patched or upgraded."
Striving for secure UC
Stephenson said almost all UC platforms use SSL for secure connections and therefore, not surprisingly, some of them were exposed by their integration of open source SSL technologies such as OpenSSL. "This is not the first, nor will it be the last, vulnerability in UC platform technology," she said. "For this reason, it makes sense to adopt a defense-in-depth approach and deploy UC infrastructure solutions with secured Internet access to reduce the future risk."
As Stephenson pointed out, the greatest security risk companies face is connecting their essential business infrastructures and applications -- including UC platforms -- to raw, unsecured Internet feeds. Network and security managers need to be aware of what their Internet service providers can and cannot do with respect to providing secured Internet feeds to their customers. Cloud service providers have an opportunity to ramp up their Internet security, and cloud customers are showing increasing interest in such security because it helps block threats such as Heartbleed, amplification DDoS attacks and more. UC technologies would benefit from this additional level of security.
"What is clear is that software and information security must be part of a broader governance, risk and compliance (GRC) program," said Dr. Brammer. "The GRC processes must include implementation of secure software practices and detailed knowledge of dependencies on outside products -- either commercial or open source."
About the author:
Jim Romeo (www.JimRomeo.net) is a freelance writer based in Chesapeake, Virginia.