Friday, April 11, 2014

Scanning for Heartbleed Efficiently

So now you have a Heartbleed scanner, what do you do?

At this point in the game you have probably picked at least one (probably two or three) scanners to work with when you're detecting Heartbleed vulnerabilities. Where do you start?

1. Start with your external, internet routable devices and services. Internal is important too, but your external stuff could be under attack from anywhere and anyone in the world.

Even if you've checked your tool's documentation and it doesn't say it uses OpenSSL, scan it anyway. It's easy for OpenSSL to be linked in somewhere, and the impact of missing a vulnerable system could be large.

Take special care to scan VPN appliances, anything that processes passwords, and anything that has a private key it uses, keeping in mind that if you find something you may need to reissue a certificate.

For your first pass, scan ports you know use SSL (443, 8443, and anything else you have configured). You want to get the most value with the least amount of time spent scanning. If you just scan everything, every IP and every port, a scanner could take a long time to finish.

For your second pass, scan everything. You've already looked at high risk ports, now it's time to look for fringe vulnerabilities.

2. Scan your internal network. Use the same methodology, scan high risk systems and ports first to get quick results and start your engineering teams patching them, then scan everything.

3. Scan your company's workstations. Because Heartbleed can go both directions (a vulnerable client can be attacked by a malicious server), look for OpenSSL on your workstations. I'd recommend first using a deployment tool to scan for any devices with OpenSSL in a file name or in Add/Remove Programs on Windows. This will give you a good initial count, and then you can use other methods to dig deeper.
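The three steps above as a scan planner, added here as an example and not code from the original post. It orders targets the way the post recommends (external hosts on known TLS ports, then every external port, then the same two passes internally, with VPN/auth/private-key systems moved to the front of each pass), collects findings with a flag for certificate reissue, and includes the file-name sweep suggested for workstations. The inventory is constructed; `heartbleed-check` is a placeholder for whichever scanner you chose, and "exit status 0 means vulnerable" is an assumption about that scanner's convention.

```python
"""Prioritised Heartbleed scan planning in the order the post recommends.
Added example, not the original post's code. INVENTORY is constructed and
`heartbleed-check` is a placeholder command name."""
from __future__ import annotations

import os
import subprocess
from dataclasses import dataclass
from typing import Callable, Iterable, Iterator

# First-pass ports from the post; extend with the TLS ports configured in your estate.
KNOWN_TLS_PORTS = (443, 8443)
# Roles the post singles out for special care.
HIGH_RISK_ROLES = {"vpn", "auth", "private-key"}
# File-name fragments that indicate an OpenSSL library or binary
# (libeay32/ssleay32 are the OpenSSL 1.0.x DLL names on Windows).
OPENSSL_FILE_HINTS = ("libssl", "libcrypto", "libeay32", "ssleay32", "openssl")


@dataclass(frozen=True)
class Host:
    name: str
    zone: str                 # "external" or "internal"
    tls_ports: tuple = ()     # ports you already know carry TLS on this host
    roles: tuple = ()         # subset of HIGH_RISK_ROLES, if any


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    scan_pass: str
    reissue_cert: bool        # vulnerable TLS endpoint: plan on a new key and certificate


def plan(inventory: Iterable[Host],
         full_ports: Iterable[int] = range(1, 65536)) -> Iterator[tuple[str, int, str]]:
    """Yield (host, port, pass) in the post's order: external known ports,
    external all ports, internal known ports, internal all ports. Within a
    zone, hosts with a high-risk role are scanned before the rest."""
    hosts = list(inventory)
    full_ports = tuple(full_ports)          # may be iterated once per host
    for zone in ("external", "internal"):
        zone_hosts = sorted((h for h in hosts if h.zone == zone),
                            key=lambda h: not (set(h.roles) & HIGH_RISK_ROLES))
        known = {h.name: set(KNOWN_TLS_PORTS) | set(h.tls_ports) for h in zone_hosts}
        for h in zone_hosts:                # pass 1: quick, high-value ports
            for port in sorted(known[h.name]):
                yield (h.name, port, f"{zone}-known")
        for h in zone_hosts:                # pass 2: everything else
            for port in full_ports:
                if port not in known[h.name]:
                    yield (h.name, port, f"{zone}-full")


def scan(inventory: Iterable[Host], check: Callable[[str, int], bool],
         full_ports: Iterable[int] = range(1, 65536)) -> list[Finding]:
    """Run check(host, port) over the plan and collect vulnerable endpoints."""
    hosts = {h.name: h for h in inventory}
    findings = []
    for name, port, scan_pass in plan(hosts.values(), full_ports):
        if check(name, port):
            h = hosts[name]
            on_tls = port in KNOWN_TLS_PORTS or port in h.tls_ports
            findings.append(Finding(name, port, scan_pass,
                                    reissue_cert=on_tls or "private-key" in h.roles))
    return findings


def external_scanner_check(host: str, port: int, command: str = "heartbleed-check") -> bool:
    """Assumed wrapper around a scanner CLI: `heartbleed-check HOST PORT` is a
    placeholder, and 'exit status 0 means vulnerable' is an assumption. Swap in
    your chosen scanner's invocation and result convention."""
    result = subprocess.run([command, host, str(port)], capture_output=True, text=True)
    return result.returncode == 0


def looks_like_openssl(filename: str) -> bool:
    """True when a file name suggests an OpenSSL library or binary."""
    lower = filename.lower()
    return any(hint in lower for hint in OPENSSL_FILE_HINTS)


def openssl_file_hits(root: str) -> list[str]:
    """Workstation pass: sweep a directory tree for OpenSSL-looking file names,
    the post's first-cut inventory before digging deeper."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if looks_like_openssl(f))
    return sorted(hits)


# Constructed inventory for the demonstration.
INVENTORY = [
    Host("web.example.com", "external", tls_ports=(443,)),
    Host("vpn.example.com", "external", tls_ports=(443,), roles=("vpn", "private-key")),
    Host("db.internal", "internal", tls_ports=(8443,)),
]

if __name__ == "__main__":
    # A short port range keeps the demo quick; drop the argument for a real sweep.
    for entry in plan(INVENTORY, full_ports=range(1, 4)):
        print(entry)
    # Real run against your scanner: scan(INVENTORY, external_scanner_check)
```

Because `plan` is a generator, the full-port pass costs nothing until you reach it, so the findings from the known-port pass can be handed to engineering while the long tail is still being scanned. The `reissue_cert` flag records the post's caveat that a hit on a TLS endpoint means the private key should be treated as exposed.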

Best of luck.