how to detect the heartbleed vulnerability with alienvault usm

LIVE PRODUCT DEMOSpecial Session: How to Detect the HeartBleed Vulnerability using AlienVault USM

A Brief OverviewWHAT IS THE HEARTBLEED BUG?

Specifically, A bug in the heartbeat mechanism within OpenSSL

Attackers could potentially use leaked cryptographic keys to decrypt secured SSL sessions

Sensitive information such as cryptographic keys used to secure SSL sessions may be disclosed

IT IS A VULNERABILITY IN OPENSSL

DISCLOSED INFORMATION CAN LEAD TO ADDITIONAL ATTACKS

CAN BE USED TO ILLICIT INFORMATION LEAKAGE/DISCLOSURE

WHY IS THE HEARTBLEED BUG SIGNIFICANT?

Specifically, applications such as web servers, mobile application servers, etc. that make the Internet what it is today.

Cisco has advised that their Nexus 1000v and 4000 series switches are vulnerable

That includes mail servers, proxy servers, load balancers and lots more.

OPENSSL PROVIDES CRYPTOGRAPHIC SERVICES TO LOTS OF NETWORKED APPLICATIONS

NETWORK INFRASTRUCTURE DEVICES MAY BE VULNERABLE AS WELL

ANY APPLICATION USING OPENSSL FOR CRYPTOGRAPHIC SERVICES MAY BE VULNERABLE

WHAT IS THE IMPACT IF EXPLOITED?

vulnerable system’s memory in 64 kilobyte chunks

completely circumvent the security services provided by OpenSSL

user passwords to data being transmitted by the applications relying on OpenSSL

AN UNAUTHENTICATED, REMOTE ATTACKER CAN RETRIEVE CONTENTS OF A

WITH THE RIGHT SET OF CIRCUMSTANCES AND A BIT OF EFFORT AN ATTACKER CAN

DISCLOSED/LEAKED INFORMATION CAN RANGE FROM CRYPTOGRAPHIC KEYS TO

HOW DOES THE ATTACK WORK?

explains it quite well actually

xkcd.com/1354/

THIS COMIC FROM XKCD.COM

CREDIT:

Vulnerability and attack detection

HOW IT CAN BE DETECTED

The Heartbleed bug can be detected through remote vulnerability scanning – CVE ID: CVE-2014-0160

Correlation can be used to differentiate between attack attempts and attacks that are successful.

An attacker’s request and a vulnerable server’s response can be detected by monitoring the network. Note that vulnerable applications will not log attempts to exploit this vulnerability. Network intrusion detection is the only effective method for detecting this type of attack.

USE A VULNERABILITY SCANNER TO FIND VULNERABLE SYSTEMS

USE CORRELATION TO IDENTIFY SUCCESSFUL ATTACKS

USE A NETWORK INTRUSION DETECTION SYSTEM TO MONITOR NETWORKS

HOW DO YOU FIX IT?

www.openssl.org/source/

USE VULNERABILITY SCANNING TO IDENTIFY VULNERABLE SYSTEMS AND APPLY THE PATCH

SOME VENDORS, NETWORK DEVICE VENDORS IN PARTICULAR MAY NEED TO PUBLISH THEIR OWN UPDATES/PATCHES

OPENSSL HAS RELEASED A PATCH THAT IS AVAILABLE HERE:

NOW FOR SOME Q&A…

Test Drive AlienVault USMDownload a Free 30-Day Trial

http://www.alienvault.com/free-trial

Try our Interactive Demo Site

http

://www.alienvault.com/live-demo-site

Questions? hello@alienvault.com