Article

Learning from Heartbleed: 5 ways online retailers can stay safe and ready

Even with protections in place for standard security events, online retailers must understand that Heartbleed was truly an acute event.

May 12, 2014

By Scott Walters, Director of Security, INetU

Just one month ago, the OpenSSL Heartbleed vulnerability came out of nowhere, reminding online retailers and consumers just how vulnerable they are on the Web. It's estimated that nearly two-thirds of web servers worldwide were affected, including online merchants of all sizes, and according to Forrester Research, at least half of all external-facing web sites currently use OpenSSL in some fashion.

Even with protections in place for standard security events, online retailers must understand that Heartbleed was truly an acute event, and unfortunately, there's no magic, single switch to keep customer data truly safe from incidents like these. With Heartbleed, even online retailers who were doing everything correctly to best protect their customer data may have still been exposing sensitive information to nearly any hacker.

The SANS Technology Institute's Internet Storm Center (ISC) dubbed Heartbleed a fairly serious "Threat Level: Yellow" event. Threats at that level have occurred at a rate of about one per year over the last five years, but with the growing complexity of our online world, and sophistication of malicious attackers, this rate will surely continue or even increase in years to come.

Knowing that other vulnerabilities like Heartbleed are imminent, online retailers should consider the following: is your online retail business, and corresponding customer data, prepared for the next Heartbleed? Here are five easy steps that will help ensure your readiness and safety:

1) Subscribe to Vulnerability Mailing Lists and Alerts

A massive new threat just popped up – how long will it be until you know about it? When it comes to protecting you and your customers' data, time is of the essence and early detection of vulnerabilities is absolutely essential. Key to early detection: subscribing to mailing lists, such as ISC and CERT, that alert you known security vulnerabilities. The National Retail Federation also just launched an information-sharing platform specifically for retailers, in fact, that will allow you to access data about threats that have been identified by other retailers, government agencies and law enforcement officials. Your technology vendors should also offer relevant security announcement mailing lists. In the case of Heartbleed, OpenSSL (the cryptography library that Heartbleed originated in) was the first to publicize the bug. Shortly after that, the U.S. Government's Computer Emergency Readiness Team (CERT) delivered notifications, and the news continued to propagate from there.

2) Optimize Inventory and Scanning Processes

When a vulnerability has been identified, every online retailer needs to quickly determine how – or if – it affects them. First, have an inventory system. Know what vendors and platforms you're using within each of your systems, and keep a record of any recent revisions they've undergone in the last few months. Second, ensure you have scanning capabilities that allow you to look for specific vulnerabilities like Heartbleed. Many security scans look at a single device or system from top to bottom, but doing such a comprehensive scan takes significant time and bandwidth. There are other tools available that can scan more quickly and effectively for specific breaches like Heartbleed, which you should also have in your arsenal.

3) Implement Layers of Security

With many Heartbleed-like vulnerabilities, the vendor it originated from or other technology vendors in its ecosystem are often the ones who provide solutions to the problem. In the case of Heartbleed, OpenSSL provided a patch, and other providers such as Red Hat also offered solutions. These vendor patches can sometimes take a fair amount of time to develop and release, however, and while you wait, your customer data remains vulnerable. Remember that other security tools can be used for blocking attacks. Consider implementing an intrusion detection system (IDS), intrusion prevention systems (IPS) or web application firewall (WAF) to control access to your systems.

4) Prepare a "Sorry Page"

In the unfortunate circumstance where you feel it is necessary to take your system off-line, either from a security issue, unplanned outage, or scheduled maintenance, having a "Sorry Page" at the ready is essential. Along with the page, you will also need to have a pre-planned procedure for putting the page into place. During a critical event, avoid scrambling to whip up a web page that simply states "Internal Server Error" or "Site could not be contacted." Prepare maintenance pages for all of your customer-facing sites ahead of time. That way, you're not dealing with two emergencies during a crisis, and your customers' user experience can remain uninterrupted.

5) Keep Your IT Vendor Contacts Current

As technology vendors are often your best source for information and solutions in the case of a new bug, it is important to make sure that your support contracts are in place to ensure your vendor is available as a resource if anything goes wrong. You should also be sure that you can get into their support portals and that you know how to contact their support teams if needed. Have a step-by-step action plan and contact list in place so the response team knows exactly what to do in situations like this.

There's no telling how soon the next Heartbleed will be, which can be a frightening thing – particularly for online retailers working with vast amounts of highly sensitive customer data. But these five simple steps can help you prepare for future vulnerabilities, and save precious time and energy if and when the time comes.