Venafi, the leading provider of Next Generation Trust Protection, today announced new research reevaluating the risk of attacks that exploit incomplete Heartbleed remediation in Global 2000 organizations.
Using Venafi TrustNet, a cloud-based certificate reputation service designed to protect enterprises from the growing threat of attacks that misuse cryptographic keys and digital certificates, Venafi Labs found that 85 percent of Global 2000 organizations’ external servers remain vulnerable to cyber attacks due to Heartbleed. This leaves these organizations defenseless against brand damage and widespread intellectual property loss.
When the Heartbleed vulnerability was discovered in April 2014, many organizations scrambled to patch the bug, but failed to take all of the necessary steps to fully remediate their servers and networks. As of August 2014, 76 percent of Global 2000 organizations with public-facing, Heartbleed-susceptible systems were still vulnerable, having failed to complete remediation despite specific guidance from Gartner and other industry experts. As of April 2015, that number remains nearly unchanged at 74 percent.
“A year after Heartbleed revealed massive vulnerabilities in the foundation for global trust online, a major alarm needs to be sounded for this huge percentage of the world’s largest and most valuable businesses who are still exposed to attacks like those executed against Community Health Systems,” said Jeff Hudson, CEO, Venafi. “Given the danger that these vulnerabilities pose to their business, remediating risks and securing and protecting keys and certificates needs to be a top priority not only for the IT team alone, but for the CEO, BOD, and CISO.”
According to the new Ponemon research report, 2015 Cost of Failed Trust, the risk facing every Global 5000 enterprise from attacks on keys and certificates is at least $53 million (USD) over the next two years, an increase of 51 percent from 2013. Of the countries examined in the report, TrustNet analysis found that Australian organizations are by far the furthest behind in remediating Heartbleed when compared with the UK, Germany, France, the United States and the Netherlands.
In 2014, cybercriminals used keys and certificates captured via Heartbleed in the Community Health Systems breach, in which APT 18, a known Chinese espionage operator, stole data on 4.5 million patients. Among the more than 2,300 IT security professionals surveyed for the 2015 Cost of Failed Trust research, 100 percent acknowledged having responded to at least one attack on their organization’s keys and certificates in the past two years. Sixty percent of participants agreed that their organizations must do a better job of responding to vulnerabilities like Heartbleed that involve keys and certificates.