The Heartbleed vulnerability, renowned for allowing hackers anywhere on the internet to access encrypted communication between websites and their users, has been discovered to still be present on nearly 200,000 devices – 85% (170,000) of which are websites – more than three years after it was originally discovered.
A patch for the weakness was released in April 2014, and yet the flaw is still present on 170,000 sites all over the world, with some 6,000 or so based in the UK, and over a third hosted on either Amazon Web Services or Verizon Wireless.
This is particularly surprising given that the same weakness is reported to have been fundamental to the breach of 4.5 million patient records from US health firm Community Health Systems, and that the exploit code is in the wild, making it trivial for even low-skilled hackers to exploit.
Even more interesting is that, on average, 8,000 security vulnerabilities are released each year. Since these systems have clearly not been patched since 2014, roughly 24,000 new vulnerabilities have been discovered in that time, some of which have been equal to or worse in nature than the Heartbleed flaw. Perhaps there are 170,000 website owners out there who either don’t know that they’re vulnerable, don’t care, or don’t know what to do.
This really drives home the importance of regular security testing and remediation. Our partnership with Verify has enabled us to deliver not just singular penetration tests but “Always on” security monitoring. Here we perform frequent baseline assessments of your digital assets to identify newly introduced weaknesses, and we can issue notifications for recently released vulnerabilities that could be used to breach your systems.
Chris Wallis is Founder & CEO of Intruder Systems
Do you know if you’re vulnerable or not? Call or email us to discuss your assessment.