You will no doubt have read about the Heartbleed bug affecting some web-based systems, which was widely reported in the national press last week. There is a significant amount of confusing and often conflicting information about what action you may need to take. So here is the Pro Drive view on it:
What is the Heartbleed bug?
The bug is a vulnerability in a piece of open-source software known as OpenSSL, and it affects specific versions of the software. OpenSSL is used by certain web servers that power the internet. Some analysts estimate that this could mean up to two thirds of all internet-based web servers are potentially at risk. The vulnerability can allow hackers to intercept communications with the website and potentially capture secure data such as passwords.
What should our business do about it?
As a business you need to consider both internal web servers, which your business may run to provide services to your employees and clients, and any externally managed web services that your business uses.
If your internal web services run on the Microsoft platform (known as IIS) then they are not affected by the Heartbleed bug, as they do not utilise OpenSSL. If you have services running on open-source platforms such as Apache, you will need to check the version of OpenSSL you are running and upgrade if necessary, advising all users that they may need to update their passwords.
For externally provided web services such as cloud-based applications or secure websites, you will need to check the action required with the website providers. Some lists of affected websites and applications have been published on websites including Mashable. These can be referenced, but the safest bet is to speak to the website or application provider directly.
Do I need to reset all my passwords?
In some cases you are strongly advised to, but the website or application provider will confirm whether this is the case or not. Resetting passwords for multiple sites or applications across a business can be particularly onerous, and remembering the new passwords even more challenging. To minimise the impact on your business, and reduce the headache of passwords, Pro Drive recommends a corporate password management single sign-on system.