The majority of Global 2000 organizations are still vulnerable to Heartbleed, a critical bug discovered in widely used versions of the OpenSSL library that was disclosed one year ago.
After evaluating 1,642 Global 2000 organizations, Venafi Labs researchers found that – as of April 2015 – 74 percent had not completed Heartbleed remediation across all public-facing servers. In August 2014, that number was at 76 percent, the research showed.
Kevin Bocek, VP of security strategy and threat intelligence at Venafi, told SCMagazine.com in a Monday email correspondence that he hoped the findings would remind organizations that they are vulnerable, and have to take the potentially complex steps required to address the issue.
“Organizations have not completed remediation as described by Gartner and other experts,” Bocek said. “They have patched, but they have not replaced the keys and certificates that were assumed compromised. Organizations that are re-issuing certificates are not generating new keys.”
Breaking it down to Heartbleed remediation by country, 42 percent of Global 2000 organizations in Germany have completely remediated Heartbleed, and 41 percent have done the same in the United States. In Australia, only 16 percent of Global 2000 organizations have fully remediated Heartbleed.
“Most interesting is how remediation varies by country,” Bocek said. “Germany and the U.S. are “ahead” of others, but still not getting [to] over 50 percent of organizations remediating Heartbleed. Unfortunately, countries like Australia and France are far behind.”
Widely disclosed in April 2014, the Heartbleed vulnerability became notorious for putting websites, emails, direct messages and other communications utilizing SSL/TLS encryption at risk.
“With compromised data like keys and certificates, encrypted data could be decrypted or website spoofed,” Bocek said. “In countries such as China with networks built for surveillance and man-in-the-middle attacks, these keys could be easily used.”