Bank systems are generally thought to be safe from the direct effects of the Heartbleed bug, according to security experts, but the galaxy of vendors and service organizations — to say nothing of employee devices — is another matter.
The Heartbleed exploit refers to a weakness in OpenSSL, an authorization and encryption protocol that is used by many servers around the web, most notably those running Yahoo.
The Federal Financial Institutions Examination Council (FFIEC) told banks yesterday to get to work on fixing systems, but that could be easier said than done.
Breaches related to Heartbleed are undetectable, according to Joram Borenstein, VP of marketing for NICE Actimize. This makes the forensic work of deciding which systems to fix a matter of educated guesswork. “This can be a huge waste of resources,” Borenstein said, “fixing a problem that may have never happened.”
Another problem with Heartbleed is that problems may come up months or even years from now, like a disease with a long incubation period. Hackers may have stolen blocks of data, Borenstein said, that were subsequently found to be encrypted. But Heartbleed may lead hackers back to unpatched systems in search of encryption keys for data. So a data breach from 2012 that was not judged to be serious at the time may have become more serious thanks to Heartbleed.
“Heartbleed points to the increasing interconnection of systems,” said Richard Wilding, director of cyber products at BAE Systems. “Very large institutions rely on these systems using shared components.” Areas of the bank outside the IT department need to pay attention to systemwide security, in other words. “Security is not a technical issue. It is a business issue,” Wilding said.
“Banks need to triage different suppliers and contractors,” Borenstein said. These vendors need to be assessed before banks are in a position to tell customers to take any action related to Heartbleed. “These are the conversations security teams and compliance teams are having right now.”
Heartbleed seems to be a problem that could linger and continue to haunt banks for some time to come.
Below is BAE Systems’ Heartbleed exploit infographic.