Background

OpenSSL is an open source project which provides a Secure Socket Layer (SSL) V2/V3 and Transport Layer Security (TLS) V1 implementation along with a general purpose cryptographic library. It is widely deployed and utilised.

Details

Researchers from Google security and Codenomicon have recently discovered a vulnerability in OpenSSL's Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols. Details of this vulnerability were publicly released on 8 April 2014 and numerous proof of concept code samples for exploiting the vulnerability followed. The range of services which may be impacted by proof of concept code is also increasing.

The vulnerability lies in the implementation of the Heartbeat extension (RFC6520)[1] and is known as Heartbleed. By sending specially crafted heartbeat requests a malicious actor can obtain up to 64KB segments stored in memory on the affected device. While each request is limited to 64KB it is possible to use repeated requests to retrieve more 64KB segments.

The versions of OpenSSL affected are 1.0.1 up to 1.0.1f and 1.0.2-beta1, and the vulnerability has been assigned CVE-2014-0160[2]. OpenSSL have released version 1.0.1g which addresses this vulnerability.

Proof of concept code exists which can exploit this vulnerability from a malicious client. Proof of concept code also exists where a malicious server can exploit this vulnerability against a vulnerable client. Compromised hosts may show little or no evidence in logs of compromise. Signatures have been released for multiple IDS/IPS systems which may identify Heartbleed traffic.

A wide range of services and appliances could potentially use the vulnerable OpenSSL version. This vulnerability is not limited to web servers or https services. For example, proof of concept code exists for StartTLS (used to protect email server communications). Lists of vulnerable products are available such as [3, 4]. These should not be considered to be comprehensive and users should liaise with their vendors to ensure that they are aware of impact to deployed products. The range of products that could potentially be affected includes network appliances and other infrastructure equipment.

When assessing the potential impact of this event, users need to consider their own circumstances. SSL/TLS termination points will have an effect on the potential information which may have been or could be exposed as a result of this vulnerability. This will also affect which external stakeholders might be impacted, and users will need to carefully consider what they may need to communicate to external parties.

While there is presently no reliable indicator of compromise, signatures of potential attack traffic are emerging. Where users have historic network traffic captures available they may wish to consider the use of available signatures to process historic traffic. This may give some indication of previous compromise.

The situation regarding this vulnerability is very fluid with its exact scope and the products affected still being assessed. Users are advised to closely monitor vendor information and be prepared to act to reduce their vulnerability.
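The defect behind Heartbleed is a missing bounds check: a vulnerable OpenSSL trusted the payload_length field of a heartbeat message and copied that many bytes from memory into its reply, regardless of how many bytes the request actually carried. The example below is added here and is not part of the CERT Australia advisory or of OpenSSL; it parses a TLS heartbeat record (RFC 6520 layout: one type byte, a two-byte payload length, the payload, and at least 16 bytes of padding) and applies the same length sanity check that the fixed release performs, which is also the mismatch that IDS signatures for this traffic look for. Record bytes are constructed inline for illustration; the function and constant names are this example's own.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18      # TLS record content type for the Heartbeat extension
HB_REQUEST, HB_RESPONSE = 1, 2     # HeartbeatMessageType values from RFC 6520
MIN_PADDING = 16                   # RFC 6520: padding_length MUST be at least 16


class MalformedHeartbeat(ValueError):
    """Raised when a heartbeat message fails the length sanity check."""


def parse_tls_record(data: bytes):
    """Split a raw TLS record into (content_type, (major, minor), fragment)."""
    if len(data) < 5:
        raise MalformedHeartbeat("record header truncated")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise MalformedHeartbeat("record body shorter than the header's length field")
    return ctype, (major, minor), fragment


def check_heartbeat(fragment: bytes) -> dict:
    """Apply the bounds check the fixed OpenSSL release performs: the type byte,
    the 2-byte payload_length, the payload itself and the minimum padding must
    all fit inside the fragment that was actually received. A vulnerable build
    skipped this and echoed payload_length bytes from adjacent memory."""
    if len(fragment) < 1 + 2 + MIN_PADDING:
        raise MalformedHeartbeat("fragment too short to hold any heartbeat")
    hb_type = fragment[0]
    (payload_len,) = struct.unpack("!H", fragment[1:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        raise MalformedHeartbeat(f"unknown heartbeat type {hb_type}")
    if 1 + 2 + payload_len + MIN_PADDING > len(fragment):
        raise MalformedHeartbeat(
            f"declared payload of {payload_len} bytes does not fit in a "
            f"{len(fragment)}-byte fragment")
    return {"type": hb_type,
            "payload_length": payload_len,
            "payload": fragment[3:3 + payload_len]}


def classify_record(data: bytes) -> str:
    """Label one TLS record for a log or IDS pipeline: ok, not-heartbeat, or malformed."""
    try:
        ctype, _version, fragment = parse_tls_record(data)
    except MalformedHeartbeat as exc:
        return f"malformed: {exc}"
    if ctype != HEARTBEAT_CONTENT_TYPE:
        return "not-heartbeat"
    try:
        check_heartbeat(fragment)
    except MalformedHeartbeat as exc:
        return f"malformed: {exc}"
    return "ok"


def build_heartbeat_record(payload: bytes, hb_type: int = HB_REQUEST) -> bytes:
    """Build a well-formed TLS 1.1 heartbeat record with the minimum padding."""
    fragment = struct.pack("!BH", hb_type, len(payload)) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE, 3, 2, len(fragment)) + fragment


# Constructed sample records for the detector (not captured traffic).
GOOD_RECORD = build_heartbeat_record(b"ping")
# Header claims a 65535-byte payload while the fragment carries only the 3-byte
# header and 16 bytes of padding: the mismatch a patched build rejects.
OVERSIZED_RECORD = bytes([HEARTBEAT_CONTENT_TYPE, 3, 2, 0, 19]) + b"\x01\xff\xff" + b"\x00" * 16
# A one-byte handshake record, to show non-heartbeat traffic passing through.
HANDSHAKE_RECORD = bytes([0x16, 3, 1, 0, 1, 0])

if __name__ == "__main__":
    for name, rec in [("good", GOOD_RECORD), ("oversized", OVERSIZED_RECORD),
                      ("handshake", HANDSHAKE_RECORD)]:
        print(f"{name:10s} -> {classify_record(rec)}")
```

Running a check like this over stored packet captures is the practical form of the advisory's suggestion to process historic traffic with emerging signatures: the declared length exceeding the record is observable on the wire even though the compromised host itself logs nothing.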

Specific recommendations

CERT Australia suggests users consider the following specific mitigations to protect against this cyber security risk:

- Where possible, users should update OpenSSL to version 1.0.1g as soon as possible.
- Where an upgrade is not possible, it may be possible to instead recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag. Any software that uses OpenSSL would also need to be restarted.
- For web services, users could consider the use of a reverse proxy service or similar service to act as an SSL end point between vulnerable servers and the internet.
- Once the OpenSSL implementation has been made safe, users should consider generating new keys, obtaining new certificates and revoking previous certificates and keys.
- Passwords used to access the affected service should be reset only after the previous steps have been completed.
- Cached cookies and session identifiers should be purged from browsers.
- It may not be immediately clear whether a particular system uses a vulnerable version of the software, and users should review systems to obtain visibility on the use of OpenSSL as a third party component in other systems.
- Many vendors are moving to patch vulnerable systems. Users should liaise with vendors to apply patches where available.
- Detection signatures are becoming available for IDS/IPS systems. Users should check with their particular vendor and should consider use of these where possible.
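The advisory asks users to obtain visibility of where OpenSSL is in use and to judge each instance against the listed version range (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g fixed). As an added example, not from the advisory or from OpenSSL, the code below classifies version strings as printed by `openssl version` or by a package manager. The treatment of distribution package revisions (a suffix such as "-2+deb7u5") as a cue to confirm with the vendor is this example's own heuristic, reflecting the advisory's point that vendors may backport fixes without changing the upstream version number; the sample inputs are constructed.

```python
import re

# Versions the advisory lists as affected: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g is the release that addresses CVE-2014-0160; letter suffixes sort alphabetically.
FIXED_LETTER = "g"

_VERSION_RE = re.compile(
    r"(?:OpenSSL\s+)?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?P<letter>[a-z]?)(?:-(?P<tag>[A-Za-z0-9+.~]+))?")


def parse_openssl_version(text: str):
    """Pull (major, minor, patch, letter, tag) out of `openssl version` output
    or a package version string; None if nothing parses."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m["major"]), int(m["minor"]), int(m["patch"]),
            m["letter"], (m["tag"] or "").lower())


def assess(text: str) -> dict:
    """Classify one version string against the advisory's affected list."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return {"status": "unknown", "vendor_suffix": False,
                "note": "could not parse an OpenSSL version"}
    major, minor, patch, letter, tag = parsed
    base = (major, minor, patch)
    # Heuristic (this example's assumption, not from the advisory): a tag that
    # is neither a beta label nor "fips" is a distribution package revision,
    # where the fix may have been backported without changing the upstream
    # version. Those instances need vendor confirmation rather than a verdict.
    vendor_suffix = bool(tag) and tag != "fips" and not tag.startswith("beta")
    if base == (1, 0, 2) and tag == "beta1":
        status, note = "affected", "1.0.2-beta1 is listed as affected"
    elif base == (1, 0, 1):
        if letter < FIXED_LETTER:   # "" (plain 1.0.1) and "a".."f" sort below "g"
            status, note = "affected", "1.0.1 through 1.0.1f are listed as affected"
        else:
            status, note = "fixed", "1.0.1g or later"
    else:
        status, note = "not-listed", "not among the versions the advisory lists"
    if status == "affected" and vendor_suffix:
        note += "; vendor package revision present, confirm whether a fix was backported"
    return {"status": status, "vendor_suffix": vendor_suffix, "note": note}


# Constructed sample inputs in the shape `openssl version` or a package manager prints.
SAMPLES = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "1.0.1e-2+deb7u5",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = assess(sample)
        print(f"{sample:35s} {result['status']:11s} {result['note']}")
```

A version string alone cannot show whether a build was compiled with -DOPENSSL_NO_HEARTBEATS or whether an appliance bundles its own copy of the library, so the output is a triage list for follow-up with vendors, not a final answer.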

General recommendations

CERT Australia suggests users consider the following general mitigations to protect against this and other cyber security risks:

- Take measures to minimise network exposure for all control system devices. Critical devices should not be directly exposed to the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods such as Virtual Private Networks (VPNs) with two factor authentication.
- Monitor intrusion detection and/or prevention systems, user logs and server logs for suspicious behaviour.
- Use defence-in-depth methods in system design to restrict and control access to individual products and control networks.
- Use application white-listing to only allow specifically authorised applications to operate on networks. This mitigation helps prevent malicious software or unauthorised applications from executing.
- Ensure applications and operating systems are kept up-to-date with the latest software patches.
- Ensure users are restricted from, or are administratively prohibited from, installing unauthorised software and browsing the internet with administrator privileges.
- Remove, disable, or rename any default system accounts wherever possible.
- Implement account lockout policies to reduce the risk from brute forcing attempts.
- Enforce strong passphrase policies to reduce the risk from brute forcing attempts.
- Monitor the creation of administrator level accounts by third-party vendors.
- Ensure computer systems are running antivirus software with the latest antivirus signatures.

For other mitigation please refer to the Strategies to mitigate targeted electronic intrusions publication [5].

Links

[1] http://www.rfc-editor.org/rfc/rfc6520.txt
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160
[3] http://www.kb.cert.org/vuls/byvendor?searchview&query=field+reference=720951&SearchOrder=4
[4] https://www.cert.fi/en/reports/2014/vulnerability788210.html
[5] https://www.cert.gov.au/faq

Feedback

CERT Australia (the CERT) welcomes any feedback you may have with regard to this publication and/or the services we provide: info@cert.gov.au or 1300 172 499. Note: information sent to the above email address will be in the clear and not secure. Secure communication channels for sensitive information are available on request.

Report an incident

Reporting cyber incidents allows us to form a more accurate view of cyber security threats and make sure that businesses receive the right help and advice. All information provided to us is held in the strictest confidence. Secure communication channels for sensitive information are available on request. Business partners who suspect they have been the victim of cyber crime are encouraged to report it to the Australian Federal Police. Cyber crime involves the unauthorised access to or impairment of computer systems and is likely to constitute an offence under the Commonwealth's Criminal Code Act 1995 and/or state and territory criminal laws.

About us

The CERT is the national computer emergency response team. We are the single point of contact for cyber security issues affecting major Australian businesses. The CERT is part of the Federal Attorney-General's Department, with offices in Canberra and Brisbane. We also work in the Cyber Security Operations Centre, sharing information and working closely with the Australian Security Intelligence Organisation (ASIO), the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD). In addition, we work closely and share information with our international counterparts. This means we are very well connected and informed, so we are best placed to help businesses protect themselves from cyber attacks.