Last month the Heartbleed vulnerability (CVE-2014-0160, a missing bounds check in OpenSSL's TLS heartbeat extension) took the world by storm. IT groups across the globe scrambled to patch systems running the affected OpenSSL versions. Y2K, the millennium bug, has been dwarfed by the impact Heartbleed has had on the world. Let's face it: software has vulnerabilities, and cybercriminals will take advantage of them. We can expect another Heartbleed-like vulnerability and should prepare for it now. The question is, have you budgeted for it?
Have you considered the costs of responding to the Heartbleed vulnerability? I'm not talking about the financial impact of stolen intellectual property or brand damage, but the man-hours and salary costs of the response itself. Before getting to those numbers, here's a quick recap of why Heartbleed is so severe:
An attacker can read up to 64 KB of a vulnerable server's process memory per malformed heartbeat request, which can expose the private key, and the exploit leaves no trace in the application's logs.
A stolen private key lets the attacker impersonate the server with its genuine certificate, enabling man-in-the-middle (MITM) and convincing phishing attacks, and lets them decrypt any previously captured traffic from sessions that did not use forward-secret key exchange.
Replacing all keys and certificates is recommended, because you don't know which systems, even non-OpenSSL ones, may have had keys and certificates exposed through stepping-stone attacks from a compromised host. You must assume all keys and certificates have been stolen!
The average large enterprise has in excess of 17,000 encryption keys and certificates. Consider the monumental task of changing all 17,000 encryption keys and certificates in an enterprise network. This task is especially burdensome, because most organizations manually manage their public key infrastructure (PKI) via spreadsheets or basic tracking software to detect expiring certificates. To replace a certificate on a system, an administrator needs to perform multiple manual steps:
Generate a new key pair (never reuse the old key, which must be treated as compromised)
Issue a certificate signing request (CSR) for the new key and have the CA sign it
Install the new key and certificate on the respective system and validate that the service presents them
Revoke the old certificate and destroy the old key
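Scripted, the four steps look like the following. This is an added example, not Venafi's code or anything from the original post: it replaces one host's key and certificate with plain openssl commands and checks its own work. So that it runs offline it stands up a throwaway CA and uses assumed paths (a temporary directory standing in for the system's certificate directory) and an assumed host name; in a real rotation the CSR goes to your issuing CA and revocation happens there.

```shell
#!/bin/sh
# Added example (not Venafi's code): scripted replacement of one system's
# key/certificate pair, mirroring the four manual steps in the text.
# A throwaway CA is created so it runs offline; every path and host
# name below is an assumption for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca"                 # stands in for the real issuing CA
INSTALL_DIR="$WORK/etc/ssl"       # stands in for the target system's cert dir
HOST="${HOST:-www.example.com}"   # assumed host name

fingerprint() {  # SHA-256 fingerprint of a certificate file
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

make_ca() {
  mkdir -p "$CA_DIR" "$INSTALL_DIR"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Throwaway CA" \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# Steps 1 and 2: fresh private key, then a CSR for it. $1 names the output set.
gen_key_and_csr() {
  mkdir -p "$WORK/$1"
  openssl genrsa -out "$WORK/$1/$HOST.key" 2048 2>/dev/null
  chmod 600 "$WORK/$1/$HOST.key"
  openssl req -new -key "$WORK/$1/$HOST.key" -subj "/CN=$HOST" \
    -out "$WORK/$1/$HOST.csr" 2>/dev/null
}

# The CA signs the CSR (your real CA does this; here the throwaway one does).
sign_csr() {
  openssl x509 -req -in "$WORK/$1/$HOST.csr" -CA "$CA_DIR/ca.crt" \
    -CAkey "$CA_DIR/ca.key" -CAcreateserial -days 30 \
    -out "$WORK/$1/$HOST.crt" 2>/dev/null
}

# Step 3: install, then validate that the cert chains to the CA and that its
# public key really matches the private key installed next to it.
install_and_validate() {
  cp "$WORK/$1/$HOST.key" "$INSTALL_DIR/$HOST.key"
  cp "$WORK/$1/$HOST.crt" "$INSTALL_DIR/$HOST.crt"
  openssl verify -CAfile "$CA_DIR/ca.crt" "$INSTALL_DIR/$HOST.crt" >/dev/null
  key_pub=$(openssl pkey -in "$INSTALL_DIR/$HOST.key" -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$INSTALL_DIR/$HOST.crt" -pubkey -noout)
  [ "$key_pub" = "$crt_pub" ]
}

# Step 4: revoke the old certificate. Revocation happens at the CA (for an
# OpenSSL-based CA: openssl ca -revoke old.crt, then openssl ca -gencrl);
# here we record the old fingerprint so the final check can prove the old
# certificate is no longer installed, and we destroy the old key.
rotate() {
  OLD_FP=$(fingerprint "$INSTALL_DIR/$HOST.crt")
  gen_key_and_csr new
  sign_csr new
  install_and_validate new
  NEW_FP=$(fingerprint "$INSTALL_DIR/$HOST.crt")
  [ "$OLD_FP" != "$NEW_FP" ]
  rm -f "$WORK/old/$HOST.key"   # assume it was stolen: it must not survive on disk
  echo "$HOST: replaced $OLD_FP with $NEW_FP"
}

# Demo: stand up a pre-patch pair (the one assumed compromised), then rotate it.
demo() {
  make_ca
  gen_key_and_csr old
  sign_csr old
  install_and_validate old
  rotate
}

demo
```

The two checks at the end of install_and_validate are the ones worth keeping in any automation: openssl verify proves the certificate chains to the CA you expect, and the public-key comparison catches the common mistake of installing a new certificate next to the old private key, which leaves the system exactly as exposed as before.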
The average large enterprise takes up to four hours to perform these steps on a single system. The median salary for a system administrator responsible for the PKI is U.S. $60,000, which works out to roughly $29 an hour over a 2,080-hour year, so four hours comes to about $115 per certificate. Replacing 17,000 keys and certificates therefore costs your organization about $1.95 million, in labor costs alone!
And 17,000 keys and certificates is a moderate estimate for an enterprise network. At Venafi, we have customers that have replaced all of the keys and certificates in their networks, and the count ran to hundreds of thousands of keys and certificates per customer.
By using Venafi TrustAuthority™, organizations can quickly identify systems impacted by the Heartbleed vulnerability and then determine how many keys and certificates are in use, where they are used, and who is responsible for them. Venafi TrustForce™ enables automated remediation of keys and certificates. This includes the installation and validation on impacted systems.
Whether you were impacted by Heartbleed or are preparing to defend against the next crippling vulnerability, now is the time to implement a solution that lets your organization quickly and efficiently replace all keys and certificates. Can you really afford not to?