It has been one month since the Heartbleed vulnerability in OpenSSL became widely known and we wanted to take a final look back at the bug and distill a few cloud security lessons we can all take forward. Out of the 3,571 cloud services in use at enterprises, 1,173 were affected by the vulnerability. While most cloud providers patched their services within 48 hours, Heartbleed struck at the core of web security. Through a simple exploit, it allowed an unsophisticated attacker to access passwords and encryption keys with minimal effort. That means that if an attacker captured and stored encrypted traffic during the last 2 years, those files could potentially now be decrypted.
Across 250 companies, Skyhigh found that 100% of them used at least one service vulnerable to Heartbleed. Skyhigh customers were immediately notified of which services they used that were impacted, including which users had uploaded data to those services. We’ve anonymized data across our customers in order to report on the scope of Heartbleed and the amount of sensitive data that was exposed:
- The average company used 279 services vulnerable to Heartbleed, and these services spanned all major SaaS categories
- Companies uploaded, on average, 579.9 GB of data to these services
- One company had uploaded over 33.9 TB of data to affected services
Heartbleed was patched relatively quickly, with most cloud providers fixing their services within 48 hours. Despite the rapid response, companies have to assume that all the data uploaded to these services could still be compromised. The volume of that data is staggering. A finance executive we spoke with in the aftermath of Heartbleed said he received emails from 13 cloud services that week notifying him they had been affected. The problem isn’t limited to finance. The companies impacted by the use of Heartbleed-vulnerable cloud services span industries including manufacturing, media and entertainment, insurance, energy, and healthcare. When you look at the volume of data that was affected, it can be challenging to understand what the impact was. Here are a couple of ways to look at it:
One positive result of Heartbleed is the renewed focus on underfunded but critical open source Internet infrastructure. The Linux Foundation recently raised $3.9 million from cloud heavyweights including Amazon Web Services, Cisco, Dell, Facebook, Google, IBM, Microsoft, Rackspace, and VMware to fund open source projects including OpenSSL. That will help expand the team (currently only one full time developer) so that this critical piece of infrastructure can be maintained and secured.
One thing experts can agree on is that there are more vulnerabilities as serious as Heartbleed in the wild, yet to be discovered and publicized. Due to their nature, companies can only react once they become aware of their exposure. Skyhigh is offering a free Heartbleed Audit, detailing all services in use that were or are still vulnerable to Heartbleed. Email us at firstname.lastname@example.org for more information. Since 100% of companies were impacted in some way, Skyhigh has also developed a guide with steps IT Security teams can take to remediate the damage from Heartbleed.