
Guest View: Best practices to mitigate future incidents like the Heartbleed bug

Mani Gopalaratnam, Global Head of Innovation, Xchanging | April 23, 2014
Recently, Singaporeans were made aware of 'Heartbleed', a major encryption flaw that affects OpenSSL web servers.

However, the challenge businesses face is that an attack on the bug looks like an ordinary, transparent heartbeat message and leaves no trace. This makes it near impossible to determine whether any information from memory has been compromised.

To mitigate this issue, it is important for businesses to deploy effective tools that keep track of patches and bugs across their systems. Here are some crucial tools businesses can consider:

  • Creating a standard operating environment (SOE), which standardises all applications and tools in use

  • Using a configuration management database (CMDB), which assesses all servers and network elements, collects configuration-specific information and records it in a single database

     - If a problem comes up, the CMDB runs a report and highlights compromised areas, allowing businesses to identify specific issues and apply appropriate measures

  • Implementing the IT Infrastructure Library (ITIL), the global enterprise standard for how IT should be structured

     - Part of ITIL is a patch management process, which ensures the SOE is healthy, functionally capable and secure. An added benefit is its ability to keep track of functional and security patches, so that the right patches can be identified and quickly deployed if any part of the system is compromised
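As an added illustration of the CMDB report described above (this is example code, not part of the original article or any Xchanging product), the script below reads a constructed CMDB export of OpenSSL version banners and flags the hosts whose version falls in the Heartbleed-affected range (1.0.1 through 1.0.1f, and 1.0.2-beta1). The hostnames, roles and banners are constructed sample data.

```python
import re

# Constructed sample CMDB export: hostname,role,"openssl version" banner (not real hosts)
CMDB_EXPORT = """\
web01,public-web,OpenSSL 1.0.1e 11 Feb 2013
web02,public-web,OpenSSL 1.0.1g 7 Apr 2014
api01,internal-api,OpenSSL 1.0.1f 6 Jan 2014
db01,database,OpenSSL 0.9.8y 5 Feb 2013
lb01,load-balancer,OpenSSL 1.0.2-beta1 24 Feb 2014
mail01,mail,version not collected
"""

# Matches e.g. "OpenSSL 1.0.1e", "OpenSSL 1.0.2-beta1"; letter suffix and beta tag are optional
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def parse_version(banner):
    """Return (major, minor, fix, letter, beta) or None if the banner is unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, fix, m.group(4) or "", m.group(5) or "")


def is_heartbleed_vulnerable(version):
    """Heartbleed affects OpenSSL 1.0.1 up to and including 1.0.1f, plus 1.0.2-beta1.
    Note: distributions often backport fixes without bumping the version letter, so a
    match here means 'verify the host', not 'definitely vulnerable'."""
    major, minor, fix, letter, beta = version
    if (major, minor, fix) == (1, 0, 1):
        return letter < "g"  # plain 1.0.1 ("") and 1.0.1a..1.0.1f are affected
    if (major, minor, fix) == (1, 0, 2):
        return beta == "-beta1"  # fixed in 1.0.2-beta2
    return False


def heartbleed_report(cmdb_csv):
    """Return (hosts to patch/verify as (host, role) tuples, hosts with no usable version)."""
    to_patch, unknown = [], []
    for line in cmdb_csv.strip().splitlines():
        host, role, banner = line.split(",", 2)
        version = parse_version(banner)
        if version is None:
            unknown.append(host)  # missing inventory data is itself a finding
        elif is_heartbleed_vulnerable(version):
            to_patch.append((host, role))
    return to_patch, unknown


if __name__ == "__main__":
    print(heartbleed_report(CMDB_EXPORT))
```

Hosts that appear in the "unknown" list should be treated as gaps in the CMDB rather than as safe; a patch-tracking report is only as good as the inventory behind it.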

Some Windows or iOS updates are in fact patches for functional or security issues, which many people may not be aware of. An automated management system that installs software updates regularly is a good step towards creating a more secure IT environment.

What companies can do if they want to continue using OpenSSL

Businesses can choose between generating a separate encryption key and certificate for each subdomain, or using a wildcard certificate with a single encryption key covering all subdomains. In general, using a separate key for each subdomain is the recommended approach. However, depending on how confidential or sensitive the systems and data are, it may be more cost effective to use a wildcard certificate.

While businesses can still choose to use OpenSSL, it is also their responsibility to ensure that all security gaps associated with OpenSSL and other free tools or platforms are actively monitored and addressed.
