Study: 97% of major companies still vulnerable to Heartbleed

Thought the Heartbleed bug was old news? Think again. 

Security firm Venafi recently scanned the external servers of 1,600 Global 2000 organizations. Specifically, the researchers wanted to see how well these companies had responded to the Heartbleed bug that made headlines earlier this year.

What they found was disappointing:

  • 97% of companies were still partially vulnerable to Heartbleed, and
  • less than 1% of companies had done nothing at all to remediate the threat – they hadn’t patched OpenSSL.

Heartbleed vulnerabilities persist

The study authors explained what they meant by saying that an organization was “partially vulnerable”:

Simply patching the Heartbleed vulnerability is not sufficient. It is also required to replace the private key, re-issue the certificate, and revoke the old certificate … However, they have either performed ‘lazy’ remediation failing to replace the private key, or failed to revoke the old certificate.

According to the study’s authors, these half measures could leave attackers able to decrypt SSL traffic to affected hosts (a private key exposed before the patch still works after it) or to use the old, unrevoked certificate in phishing attempts.
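The remediation checklist above (patch, new key, reissued certificate, revoked old certificate) can be audited from the outside by comparing the certificate a host served before the disclosure with the one it serves now: if both certificates carry the same public key, the private key was never rotated. The script below is an added example, not code from the article or from Venafi. It assumes the openssl command-line tool and GNU date are available, generates throwaway self-signed certificates as constructed test data, and takes the old certificate's revocation status as a parameter rather than querying a CRL or OCSP responder.

```shell
#!/bin/sh
# Added example (not from the article or from Venafi): audit an old certificate
# against its replacement for the "lazy remediation" patterns the study describes.
# Assumes the openssl CLI and GNU date are installed.
set -eu

# OpenSSL published the Heartbleed advisory on 2014-04-07; a "new" certificate
# issued before that date cannot be a post-disclosure reissue.
HEARTBLEED_DISCLOSURE_EPOCH=$(date -u -d '2014-04-07T00:00:00Z' +%s)

# SHA-256 of the DER-encoded SubjectPublicKeyInfo of a PEM certificate.
# Two certificates with the same value were issued for the same key pair.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 \
      | awk '{ print $NF }'
}

# notBefore of a PEM certificate as epoch seconds (GNU date parses the
# "Mon DD HH:MM:SS YYYY GMT" form that openssl prints).
not_before_epoch() {
    nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
    date -u -d "$nb" +%s
}

# classify OLD.pem NEW.pem OLD_REVOKED(yes|no) -> one verdict, first failing check wins.
# Revocation status is a parameter here; in production it comes from the CA's CRL/OCSP.
classify() {
    old_cert=$1; new_cert=$2; old_revoked=$3
    if [ "$(spki_sha256 "$old_cert")" = "$(spki_sha256 "$new_cert")" ]; then
        echo KEY_NOT_ROTATED                  # reissued on the same private key
    elif [ "$(not_before_epoch "$new_cert")" -lt "$HEARTBLEED_DISCLOSURE_EPOCH" ]; then
        echo NEW_CERT_PREDATES_DISCLOSURE     # no reissue happened after the bug went public
    elif [ "$old_revoked" != yes ]; then
        echo OLD_CERT_NOT_REVOKED             # key rotated, but the exposed cert still validates
    else
        echo FULLY_REMEDIATED
    fi
}

# --- constructed demo data: throwaway self-signed certificates in a temp dir ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

gen_key()  { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }
gen_cert() { openssl req -x509 -new -key "$1" -subj '/CN=example.test' -days 30 -out "$2" 2>/dev/null; }

gen_key  "$WORK/old.key"; gen_cert "$WORK/old.key" "$WORK/old.pem"
gen_cert "$WORK/old.key" "$WORK/lazy.pem"                           # reissued on the SAME key
gen_key  "$WORK/new.key"; gen_cert "$WORK/new.key" "$WORK/new.pem"  # genuinely rotated key

classify "$WORK/old.pem" "$WORK/lazy.pem" yes   # KEY_NOT_ROTATED
classify "$WORK/old.pem" "$WORK/new.pem"  no    # OLD_CERT_NOT_REVOKED
classify "$WORK/old.pem" "$WORK/new.pem"  yes   # FULLY_REMEDIATED
```

The SPKI hash is the useful comparison point because it is independent of the issuer, serial number and validity dates: a certificate authority will happily reissue a certificate for a key that was exposed, and only the unchanged public key reveals that the expensive step was skipped.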

Attack cycle trends

The attention span of users is pretty short. While many heard of Heartbleed when it was still making national news, very few probably went through the trouble of changing passwords. Getting them to care about it now is going to be even tougher, as they’ll assume if nothing has happened so far, they must be in the clear.

However, Venafi’s report also coincides with other major cyberattack news: the theft of more than one billion username and password combinations by Russian hackers. Again, expect some users to change passwords as a result, and most to shrug it off as “just one of those things.”

IT doesn’t get that same leeway. Protecting your systems requires constant vigilance.

Make sure that you don’t treat any threat as truly neutralized until every possible security measure has been taken care of.

If nothing else, it spares you the potentially embarrassing situation where you tell stakeholders a threat has been taken care of, then have to back off those claims down the line.