How to Treat the Heartbleed Bug

Experts Prescribe Security Patches and Password Protection

Security thought-leaders agree that the newly discovered Heartbleed bug is a serious threat, but what are the specific risks, and how can they be mitigated?

Information Security Media Group polled security experts in banking, government and healthcare, as well as the research and vendor communities, for insights on Heartbleed and how organizations should respond to it.

John LaCour of PhishLabs, an online security firm that tracks cyber-attacks, says the seriousness of the vulnerability cannot be overstated. "SSL is designed for the purpose of securing sensitive information like authentication credentials," he says. "The Heartbleed vulnerability makes it possible for an attacker to compromise whatever it is that is meant to be protected and potentially all communications over SSL."

About Heartbleed

Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as web, e-mail, instant messaging and some virtual private networks (see: Heartbleed Bug: What You Need to Know).

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software," says Codenomicon, the Finland-based security vendor that discovered the bug, along with a researcher at Google Security. "This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

Codenomicon says a fixed OpenSSL has been released and needs to be deployed now across websites vulnerable to the bug. Operating system vendors and distributions, appliance vendors and independent software vendors need to adopt the fix and notify their users, Codenomicon says. "Service providers and users have to install the fix as it becomes available for the operating systems, networked appliance and software they use."

Additionally, organizations can use this online tool to see if their website is vulnerable.
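A local complement to such an online check, added here as an example and not code from the article or from Codenomicon: it parses the line printed by `openssl version` and classifies it against the affected releases (1.0.1 through 1.0.1f and 1.0.2-beta1 carry the bug; 1.0.1g is the fixed release; 1.0.0 and 0.9.8 were never affected). The sample version strings are constructed, and the function names are this example's own.

```python
import re
import subprocess

# Affected releases per the April 2014 OpenSSL advisory: 1.0.1 (no letter)
# through 1.0.1f, plus 1.0.2-beta1. 1.0.1g fixed it; 1.0.2-beta2 and later are clean.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def classify(version_line):
    """Classify an `openssl version` line as vulnerable / fixed / unaffected / unknown."""
    m = VERSION_RE.search(version_line)
    if not m:
        return "unknown"
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        # Letter suffix orders releases: "" (1.0.1) < "a" < ... < "f" are vulnerable.
        return "vulnerable" if letter < "g" else "fixed"
    if (major, minor, fix) == (1, 0, 2):
        return "vulnerable" if beta == "beta1" else "fixed"
    # 0.9.8, 1.0.0 and every 1.1.x / 3.x release never contained the bug.
    return "unaffected"


def check_local():
    """Run the installed openssl binary and classify its reported version.

    Caveat: several Linux distributions backport the fix while keeping the old
    version string (e.g. a patched build still reports 1.0.1e), so a
    "vulnerable" result from the string alone must be confirmed against the
    package manager's changelog before anyone reissues keys and certificates.
    """
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return "unknown"
    return classify(out)


if __name__ == "__main__":
    print("local openssl:", check_local())
```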

Expert Insights

Noted security expert and blogger Bruce Schneier calls the exploit "catastrophic."

"Half a million sites are vulnerable, including my own," Schneier says in a blog. "On the scale of 1 to 10, this is an 11."

Healthcare information security expert Brian Evans warns organizations are likely affected either directly or indirectly. "This means that users are vulnerable to having their passwords and other sensitive data compromised," says Evans, a principal at Tom Walsh Consulting.

Alan Brill, senior managing director at the security advisory firm Kroll Solutions, says the notion that open source technologies are "more secure" because they are more open to inspection isn't always borne out. "The lesson is simple," he says. "Any software or hardware can fail."

The Heartbleed bug highlights the risk that encryption keys can be stolen, says Richard Moulds, VP of strategy at Thales e-Security, a data security company. "Once again the importance of sound key management has been brought into sharp focus," he says. "An attacker that can access these keys can decrypt any data that has been previously encrypted using those keys and probably any future data until each key is changed."

Jean Taggart, senior security researcher at Malwarebytes, an anti-malware firm, says the Heartbleed bug "impacts the fabric beneath secure communications on the web. A cursory search illustrates there are a large number of likely vulnerable servers."