First Windows XP and Now Heartbleed: What Should You Do?
You probably heard that support ended for the Windows XP operating system. Then came Heartbleed — a major computer security flaw that was all over the news last week. The Heartbleed security gap affected online banking and shopping sites, Gmail, Facebook, and many other popular websites.
“Anywhere you log in that is supposed to be secure could potentially be affected by this breach,” says Randy Romes, an information security principal with CliftonLarsonAllen. “Organizations and individuals can close the security gap by following specific procedures.”
The end of Windows XP support could affect the availability, integrity, and security of any network that has a Windows XP system connected to it. It could also affect your ability to comply with internal control reporting standards (SSAE 16/SOC) and your audit and attestation outcomes.
Here's what happened with Heartbleed
The security flaw was discovered in OpenSSL, a widely used encryption library, and allows attackers to read private data (such as passwords and encryption keys) from the memory of affected servers. Only applications that directly depend on OpenSSL versions 1.0.1 through 1.0.1f are affected by this vulnerability.
Here is what you should do
Don't ignore this security flaw. Take the following steps to help restore your web security.
- Create an inventory of every website you log into with a username and password.
- Go to each vendor's website, but don't log in. Instead, look for a notice indicating whether the vendor has patched the flaw on its site. You can also check whether a website has been patched by entering its address at Qualys SSL Labs (https://www.ssllabs.com/ssltest), which tests a site's SSL configuration, including whether it is still exposed to Heartbleed.
- If the web vendor has confirmed that it has patched the security hole, change your password. But do not change your password until the website has patched the hole.
“End-users should not update their password until they know the flaw has been fixed by the website,” says Romes. “If the vendor has not fixed the breach but you already changed your password, you will need to change it again after they fix it.”
Here is what businesses and organizations should do
Businesses and organizations that conduct business online must also take action to secure their site.
- Determine which version of OpenSSL your systems use to find out whether your product is vulnerable to the Heartbleed flaw.
- Work with your SSL vendor to obtain the proper update for your system, then replace your digital certificates per the vendor's instructions (generate new private keys when reissuing, since the old keys may have been exposed while the flaw was open).
- Then tell your user community (through your website and social media channels) to change their passwords.
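The version check in the first step above, as an added example that is not CLA's code: a small Python script that classifies `openssl version` output against the 1.0.1 through 1.0.1f range this advisory names. The inventory of version strings and host names is constructed for illustration; the function names are assumptions.

```python
import re
import subprocess

# Range the advisory names as affected: OpenSSL 1.0.1 through 1.0.1f.
# 1.0.1g is the first upstream release carrying the Heartbleed fix.
AFFECTED_BASE = "1.0.1"
FIRST_FIXED_LETTER = "g"

# Matches the first line of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# or "OpenSSL 1.0.1e-fips 11 Feb 2013": base version, letter, optional suffix.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]?)(-[\w.]+)?")


def classify_openssl_version(version_text):
    """Classify an `openssl version` string. Returns one of:
      "affected"     1.0.1 through 1.0.1f: patch, then reissue certificates
      "fixed"        1.0.1g or a later 1.0.1 letter release
      "out-of-range" not a 1.0.1 build, so outside the range this advisory
                     names (which is not the same as being safe)
      "unrecognized" the string could not be parsed
    Caveat: Linux distributions often backport the fix without changing the
    version string; confirm "affected" against the vendor's package changelog."""
    match = _VERSION_RE.search(version_text)
    if not match:
        return "unrecognized"
    base, letter, _suffix = match.groups()
    if base != AFFECTED_BASE:
        return "out-of-range"
    # "" (plain 1.0.1) and "a".."f" all sort before "g".
    return "affected" if letter < FIRST_FIXED_LETTER else "fixed"


def check_local_openssl():
    """Run `openssl version` on this machine; "unrecognized" if not installed."""
    try:
        result = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=False)
    except OSError:
        return "unrecognized"
    return classify_openssl_version(result.stdout)


if __name__ == "__main__":
    # Constructed inventory of version strings; the host names are made up.
    sample = {"web-1": "OpenSSL 1.0.1e-fips 11 Feb 2013",
              "web-2": "OpenSSL 1.0.1g 7 Apr 2014",
              "vpn-1": "OpenSSL 0.9.8y 5 Feb 2013"}
    for host, version in sample.items():
        print(host, classify_openssl_version(version))
    print("this machine:", check_local_openssl())
```

Hosts reported "affected" are the ones to patch and re-key first; an "out-of-range" verdict only means the build is outside the range this advisory covers.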
“One way to ensure your users update their password is to force all passwords to expire. This will prompt end-users to change their passwords the next time they log in,” says Romes.
The end of Windows XP
April 8, 2014, marked the end of Microsoft support for the Windows XP operating system. Without vendor-supplied security patches, any newly discovered vulnerability could make these systems targets for exploitation, malware, and other malicious attacks.
What to do if your organization runs XP
If Windows XP systems reside on your network, migrate them to a vendor-supported operating system, such as Windows 7, Windows 8, or another supported desktop operating system. For more information, visit the Microsoft Windows XP website (http://www.microsoft.com/en-us/windows/enterprise/end-of-support.aspx).
How we can help
CLA can perform scanning and penetration testing of your business's systems to help you understand whether your organization is vulnerable to Heartbleed, to malware targeting unsupported Windows XP systems, or to other malware concerns.