Repeating History

IT Security teams scrambled yesterday to upgrade all devices running older versions of OpenSSL to 1.0.2h or 1.0.1t which will, according to the OpenSSL project team, “…fix several security defects with maximum severity ‘high.’” It’ll be a busy few days, but because your organization has a mature security team led by an experienced CISO, you’ve prepared for the new release, put a plan in place to execute the upgrades, and in short order, will have all your Internet-facing IPs securely patched.

Mission probably accomplished by the time you’ve read this.

But if you have even a single vendor that has access to your sensitive data, patching your own devices is only part of the challenge. Now, your vendors may also have professional CISOs, competent security teams, and a plan…but maybe not.

They say history repeats itself, and this adage is never more true than in the IT world (and, in particular, when it comes to OpenSSL vulnerabilities and patches).

Rewind with us to March 2014, and the announcement of the Heartbleed vulnerability. InfoSec teams scrambled to patch their web servers, and all were also confronted with the challenge of understanding the risk their third party vendors posed to their organizations as a result of the Heartbleed issue. Prevalent VRM users, however, had a leg up on their counterparts in this regard, and one in particular, leveraged the VRM’s speed and flexibility masterfully in response to the Heardbleed threat.

Having deployed Prevalent’s Vendor Risk Management (VRM) solution, a leading Life Sciences company was able to understand and remediate their Heardbleed exposure in days, while other large organizations remained largely in the dark for weeks at best, and in reality, many never were truly able to quantify the risk the virus posed to their sensitive data via their extensive vendor networks.

Using the VRM’s automated questionnaire development capability, the Life Sciences Company’s security team was able to create – in minutes – a short questionnaire, and with a few clicks, send that questionnaire to the appropriate vendor security contacts. Automated collection of the responses was completed efficiently via the Prevalent Vendor web-based Gateway, making responding to the questions as simple as opening a browser for the Company’s vendors. The VRM system accumulated the responses, processed and analyzed the results, and provided the Company a risk exposure assessment, including a list of the vendors with the most exposure to Heartbleed. VRM gave them the contextualized information they needed – not just stacks of question responses – in days.

The VRM’s custom questionnaire feature enabled the Life Sciences security team to develop and deploy a streamlined binary-response question list in minutes to its over 2,000 vendors. Yes/no questions were not only easy for the vendors to respond to, encouraging quick feedback with minimal effort, but also enabled automated risk scoring via the Prevalent VRM, instantly surfacing critical risk areas for the Company’s security team. The questions included, for example:

• Do any of your secure web servers use Open SSL?
• Have you scanned all servers for Heartbleed?
• Have you discovered any infected servers?

Without the VRM, the manual process of surveying vendors and deriving any meaningful, actionable intelligence from the responses would not only be tedious and time-consuming, but, practically, nearly impossible.

VRM users today can mimic that approach easily for the latest OpenSSL fire drill, and we’re pretty sure this is the latest…not the last.

To learn more about how you, too, can be a lucky VRM user the next time OpenSSL history repeats itself, drop us a line any time at [email protected].