In our recent Heartbleed Outpatient Care: Steps for Secure Recovery webcast, we received many great questions from attendees on responding to the Heartbleed bug using Tripwire SecureScan. In my experience, webcast Q&A sessions aren’t always worth sitting through, but this was a great discussion—I encourage you to watch and listen to the entire session.
There were lots of great questions on securing employee home networks, scanning network perimeters, ensuring PCI compliance, and finding other vulnerabilities in addition to Heartbleed.
We reached the end of our allotted time and had to close the webcast before we could address all of the questions about Tripwire SecureScan. Since we received so many good questions, we’re publishing the answers in this post.
Heartbleed Questions and Answers:
So SecureScan is free to download and we can use it for our private networks?
Yes. Sign up now and start scanning!
Does SecureScan find vulnerabilities other than Heartbleed? If so, does the tool recommend how to fix vulnerabilities that are found?
Yes, all of Tripwire’s vulnerability management products find over 60,000 other vulnerabilities in addition to Heartbleed, and provide details on how to fix or patch what’s found.
I’m not able to run SecureScan on my external network. Is the free tool only for use on internal/private networks?
We also offer the Tripwire PureCloud service for scanning external and perimeter networks. Tripwire SecureScan is for internal scanning of private networks.
Do the results of SecureScan stay local only or are they transmitted back over the internet? Is there an offline version of SecureScan?
With Tripwire SecureScan, results are transmitted over encrypted communications from our highly secure data center to your data center. However, many of Tripwire’s customers prefer having complete control over how their security information is transmitted and where it’s stored. We offer an “offline” vulnerability management solution called Tripwire IP360 that does not transmit results or scan data over the Internet.
What should we be doing for our VPN users that work from home? Should each of these users setup and run SecureScan locally at home to check their router and workstation?
Yes, Tripwire SecureScan is a great way to secure employee home networks. Ask your users to sign up for the service, install the secure connector, and start scanning. Tripwire also offers PureCloud Enterprise, which uses the same scanning technology but can consolidate reports from multiple users and networks for a comprehensive view of network risk.
Is SecureScan PCI compliant? i.e., is SecureScan an ASV?
Tripwire is an Approved Scanning Vendor (ASV) through our Tripwire PureCloud for PCI service. However, Tripwire SecureScan is not a PCI ASV service.
If Heartbleed is detected on SSL VPN should we contact the vendor to resolve the issue?
Yes, if a vulnerable version of OpenSSL or OpenVPN is embedded within a software application or service, you’ll want to contact the vendor for resolution.
One of our applications detected the OpenSSL installed, but the scan report says we cannot decide the version. How do we fix this kind of issue?
Doing a “local” credentialed scan may uncover the exact version in use. Otherwise, you will need to determine which software and services on the host may be affected and verify them manually. An up-to-date inventory of the software and devices on your network helps here by quickly narrowing down the potential culprits.
What kind of overhead (processing delay) can one expect using your scan(s)?
For Tripwire SecureScan, this depends on several factors including network speed, number of devices, if credentials are being used for deeper scans, and the configuration of the devices being scanned. In general, you can expect scans to complete in about 10 minutes on a small network with a dozen devices or a few hours for larger networks. If you’re looking for speed and continuous scanning, our on-premise vulnerability management solutions offer powerful appliances for fast and distributed scanning.
Why is the Heartbleed vulnerability scored very low? It should be given a high score from the start.
Initially, our scoring algorithm placed Heartbleed at the lower end of the spectrum because of its age and the unavailability of exploit tools. However, automated exploits are now available and we’ve adjusted the score accordingly. Tripwire IP360 customers can also take advantage of in-product options for adjusting vulnerability scores.
I’m a SOHO. Will your products work for me or do I need an IT expert to manage and monitor?
Tripwire SecureScan is designed to be easy to set up and use on small networks. You won’t need an IT expert to manage and monitor the tool, but understanding how to apply patches and software updates is useful for following remediation advice.
Can SecureScan run on Linux as well as Windows platforms?
Tripwire SecureScan is only available for Windows, but we’re monitoring demand for other platforms such as Linux and OS X.
Is it possible that more malicious variants can come from Heartbleed and maybe create a DDOS attack and impact your network or group of networks?
Yes, there will be mutations of Heartbleed. There are a number of exploits targeting the vulnerability with varying degrees of sophistication; however, they all target the same vulnerability, so as long as systems are patched they should be safe. In terms of a DDoS, if a system is compromised and C&C malware is installed, there is always that possibility, but the larger concern should be the compromise of systems and data.
Is there really a robust method to prevent Heartbleed from compromising our internal network? What remediation solutions does Tripwire offer?
Unfortunately, there is no silver bullet for preventing Heartbleed or any other vulnerability. Heartbleed is not the first vulnerability and will not be the last; it is just one of the more widespread and easily exploitable vulnerabilities the security industry has seen. Securing an organization requires a continuous, multi-tiered approach that identifies system changes and security events and monitors for known vulnerabilities as they are identified.
Ok, The Heartbleed bug exposes the SSL keys, so people can decrypt the traffic between point A (Web Site) and B (End User), Correct? Wouldn’t the Black Hat have to monitor the network traffic between the two points to take advantage of the bug?
No. The exploit reads data directly out of the server’s memory, where it is not encrypted, so the interception does not occur while the data is in transit but after it has been decrypted and is sitting in system memory. Private keys and server credentials are also in memory and would otherwise be secured from an attacker.
If I scan and do not identify any Open SSL on my network am I covered from Heartbleed?
No. The vulnerability also affects the websites and services you use outside your own network: websites you log into, cloud services, and other web-based services that use OpenSSL. So although you may not detect the vulnerability on your network, that does not mean your information is not compromised on someone else’s.
We are already a Tripwire customer but we do not use most of the applications I am seeing here. Can we have a professional call set up for a discussion with my team to review those services? We use it for PCI solutions.
Yes, please contact your sales representative, or technical account representative and they can work with you to see what tools you have that can help identify and remediate the vulnerability as well as what other tools you may want to add that will integrate with your existing infrastructure.
Is this a cross-platform problem, that is, is Heartbleed primarily a Linux/UNIX/MacOS problem or equally a problem with Windows?
Yes, this is cross-platform, it affects all operating systems and devices that used the vulnerable version of OpenSSL (1.0.1 through 1.0.1f).
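The version range above, together with the inventory advice earlier in this post, can be turned into a quick triage check over the `openssl version` output collected from each host. The script below is an added example written for this post, not Tripwire code; the host inventory lines are constructed, and a result of “version-in-affected-range” only means the reported version string falls within 1.0.1 through 1.0.1f. That is exactly why the post recommends a credentialed scan or manual verification for the final word: distribution builds that backport the fix keep the old version letter, and a host whose version string is not exposed comes back as “unknown” rather than “fixed”.

```python
import re
from typing import Optional, Tuple

# Affected range as stated in the post: OpenSSL 1.0.1 through 1.0.1f (1.0.1g carries the fix).
AFFECTED_BRANCH = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Pull (major, minor, patch, letter) out of an 'openssl version' line or service banner.
    Returns None when no version string is present, i.e. the case where a scanner sees
    OpenSSL but cannot determine the version."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def heartbleed_status(text: str) -> str:
    """Classify a version string against the post's stated affected range."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"                      # needs a credentialed scan or manual check
    major, minor, patch, letter = parsed
    if (major, minor, patch) != AFFECTED_BRANCH:
        return "not-affected-branch"
    # Letter-less "1.0.1" sorts before "1.0.1a"; anything up to "f" is in range.
    if letter <= LAST_AFFECTED_LETTER:
        return "version-in-affected-range"    # confirm: backported distro fixes keep the old letter
    return "fixed-version"


# Constructed inventory lines, "host<TAB>openssl version output" (hypothetical hosts, not real ones).
SAMPLE_INVENTORY = """\
web01.example.test\tOpenSSL 1.0.1e 11 Feb 2013
vpn01.example.test\tOpenSSL 1.0.1g 7 Apr 2014
legacy.example.test\tOpenSSL 0.9.8y 5 Feb 2013
appliance.example.test\tOpenSSL (version string not exposed)
"""


def triage_inventory(inventory: str) -> dict:
    """Map each host to its status so the hosts needing attention can be listed first."""
    result = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, banner = line.partition("\t")
        result[host] = heartbleed_status(banner)
    return result


if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items(), key=lambda kv: kv[1]):
        print(f"{status:28} {host}")
```

Feed it the real inventory as tab-separated lines and treat “unknown” and “version-in-affected-range” as the worklist for deeper, credentialed checking rather than as a verdict.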
Are open source tools still safe for enterprise system security?
Commercial products have vulnerabilities as well; it is just that OpenSSL is so widespread. It is not a matter of open source versus commercial.
How does Tripwire detect the statically linked Heartbleed bug?
Each of our products has a part to play in detecting, preventing, and remediating the threat gaps for Heartbleed. IP360, our vulnerability scanner, has heuristic checks that catch Heartbleed based on whether data is actually leaked rather than just comparing OpenSSL versions. For Tripwire Enterprise (TE) we have created checks for applications by version, along with the commands you’d need to run to test all your systems; customer-created custom content can also be detected. For Tripwire Log Center (TLC), alerts have been set to fire when exploits are detected.
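The TLC alerts mentioned above rest on recognizing an exploitation attempt on the wire rather than on a version number. As an added illustration of the kind of consistency check such an alert can be built on (written for this post; not Tripwire’s or OpenSSL’s code), the script below inspects TLS heartbeat records and flags a request whose declared payload_length cannot fit inside the record that carries it, which is the bounds check the vulnerable OpenSSL versions skipped. Record layouts follow RFC 6520; the sample records are constructed here, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 24            # TLS record content type for heartbeat messages (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: a heartbeat message carries at least 16 bytes of padding
HB_HEADER_LEN = 3             # 1-byte type + 2-byte payload_length


def build_heartbeat(payload: bytes, version: bytes = b"\x03\x02") -> bytes:
    """Build a well-formed heartbeat request record; used only to produce benign sample traffic."""
    body = struct.pack("!BH", HB_REQUEST, len(payload)) + payload + b"\x00" * MIN_PADDING
    return bytes([TLS_HEARTBEAT]) + version + struct.pack("!H", len(body)) + body


def inspect_record(record: bytes) -> dict:
    """Check one plaintext TLS record. Alerts when a heartbeat's declared payload_length,
    plus its header and the mandatory padding, exceeds the record length that frames it."""
    if len(record) < 5:
        return {"alert": False, "reason": "truncated record header", "payload_length": None}
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return {"alert": False, "reason": "not a heartbeat record", "payload_length": None}
    body = record[5:5 + rec_len]
    if len(body) < HB_HEADER_LEN:
        return {"alert": True, "reason": "heartbeat body shorter than its header", "payload_length": None}
    hb_type, payload_len = struct.unpack("!BH", body[:HB_HEADER_LEN])
    needed = HB_HEADER_LEN + payload_len + MIN_PADDING
    if needed > rec_len:
        return {"alert": True,
                "reason": f"declared payload_length {payload_len} needs {needed} bytes, record holds {rec_len}",
                "payload_length": payload_len}
    kind = "request" if hb_type == HB_REQUEST else "response" if hb_type == HB_RESPONSE else "unknown-type"
    return {"alert": False, "reason": f"well-formed heartbeat {kind}", "payload_length": payload_len}


# Constructed sample records (not captured traffic).
SAMPLE_RECORDS = {
    "benign": build_heartbeat(b"keepalive"),
    # A 3-byte heartbeat record whose payload_length field claims 16384 bytes.
    "oversized": bytes.fromhex("18 03 02 00 03 01 40 00".replace(" ", "")),
    # A handshake record (content type 22); the inspector ignores non-heartbeat records.
    "handshake": bytes.fromhex("16 03 01 00 05 01 00 00 01 00".replace(" ", "")),
}


def scan(records: dict) -> list:
    """Return the names of records that raised an alert, in input order."""
    return [name for name, rec in records.items() if inspect_record(rec)["alert"]]


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name:10} {inspect_record(rec)}")
```

The check uses the RFC’s own length rule rather than a fixed threshold, so it does not depend on the payload size a particular exploit tool happens to use. It only sees heartbeat records that are not yet encrypted (those sent before the handshake completes, or traffic decrypted at a TLS-terminating proxy); once the session is established, heartbeats are encrypted like any other record and this logic has nothing to inspect.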
Not a question, but a note of caution. You might want to let people know that it may be illegal to scan networks and resources that you do not own. If you lease lines, you need the permission of the owner of those lines to scan. Additionally, the owner of the data on the resources that you scan must also grant permission to perform those scans.
Yes, good point. For home systems however, it’s your home, router, and other equipment, so no permissions or notifications are needed. If you’re really uncertain, check with your IT team for guidance.
I understand there are a series of scanning tools, like Tripwire to now detect Heartbleed vulnerability after the public disclosure. However the Heartbleed bug existed undisclosed for over 2 years. These security tools don’t seem to protect against undisclosed vulnerabilities and a serious security gap exists. NIST just released almost a dozen Oracle MySql vulnerabilities yesterday. Security tools seem to only pick up signatures from CVE databases after disclosure. How is Tripwire addressing these gaps?
True enough that undisclosed (or “previously unknown,” 0-day-style) vulnerabilities are tough to catch for all security products, despite some vendor claims. In the case of Heartbleed, the code flaw existed within the widely used OpenSSL open source library; Codenomicon discovered it in their code security research, as did Google’s security team (independently, Codenomicon claims). So none of the security tools out there were able to see or catch it for the number of years before it was disclosed, even though the code is open source and every programmer using the code and libraries could have seen the error. So while our product set has stronger checks than only existing CVEs (suspicious behavior, file changes, odd log records of activity, and heuristic prioritizations for what to check first), it’s very difficult to catch something that behaves normally (doesn’t appear to be anomalous or suspicious behavior). The bad news is that in a post-“Heartbleed fixed” world, you could still be vulnerable if you were a target and didn’t know it. The good news is that it’s tremendously useful to have all your settings ready for the lateral movement and file changes an intruder could make with authorized credentials – and that’s the type of behavior we’re especially good at catching.
Does Tripwire include or offer a cross-platform patching tool?
No. However, we can detect whether patches have been applied or are needed.
I’m the one who asked about Tripwire Enterprise file system/coco rules for Heartbleed. I got your answer but I didn’t find any specific rules for Heartbleed. Could you please provide more info?
We recommend you contact our customer service organization for help locating it if it isn’t evident. Once you’re logged into the portal, navigate to the product area you’re interested in; searching on Heartbleed should help you.
Editor’s Note: The tool Tripwire SecureScan is no longer in use. For more information, please refer to Tripwire IP360 instead.
- Heartbleed and Your SOHO Wireless Systems
- Stopping the Heartbleed
- Detecting Heartbleed Exploits in Real-Time
- How to Detect the Heartbleed OpenSSL Vulnerability in Your Environment
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].