The OpenSSL Project has recently announced two high-severity flaws in its open-source cryptographic library, which is used to encrypt communication channels and HTTPS connections. If left unpatched, the flaws can lead to stack buffer overflows or remote code execution. The vulnerabilities apply to OpenSSL versions 3.0.1-3.0.6. In response, the OpenSSL Project issued version 3.0.7 to patch the security flaws and has said that it is not aware of any active exploit against the vulnerabilities at this time.
Despite the assurance from the OpenSSL Project, it's essential to determine the extent of OpenSSL 3.0.1-3.0.6 usage in your third-party vendor and supplier base so your organization can quantify its exposure and develop the appropriate mitigation plans. To help, Prevalent has created a seven-question assessment that we are providing free to the security community. Using the assessment will:
Note to Prevalent customers: This assessment is now available in your questionnaire library.
Questions | Answer Choices |
---|---|
1) Does the organization use OpenSSL for its cryptographic key management? Help text: OpenSSL is the core open-source library that implements the SSL and TLS protocols, making it possible to communicate securely over the Internet. | Please select one of the following: a) Yes, OpenSSL is used for cryptographic key management. b) No, OpenSSL is not used for cryptographic key management. |
2) What versions of OpenSSL does the organization use? Help text: OpenSSL has provided notification of a vulnerability affecting versions 3.0.1 to 3.0.6 of its OpenSSL software library. | Please select one of the following: a) The organization is utilizing OpenSSL version 1.1.1 or earlier. b) The organization is utilizing a mixture of OpenSSL version 1.1.1 or earlier and version 3.0.1 or later. c) The organization is utilizing OpenSSL version 3.0.1 or later. |
3) Has the organization prioritized the creation of an inventory of all systems with vulnerable versions of OpenSSL? | Please select one of the following: a) Yes, an inventory has been created for all systems that use version 3 or later. b) No inventory has been identified for systems that use version 3 or later. |
4) Has the organization downloaded and installed the latest 3.0.7 patch released by OpenSSL? Help text: The OpenSSL Project released OpenSSL version 3.0.7 on November 1, 2022, which patched the vulnerability affecting versions 3.0.1 to 3.0.6. | Please select one of the following: a) Yes, the 3.0.7 patch has been installed and applied to all systems using version 3.0.1 or later. b) No, the 3.0.7 patch has not been installed and applied to all systems using version 3.0.1 or later. |
5) Has the organization determined, based on the use of OpenSSL v.3.0.1 or later, the level of impact to critical systems and applications? Help text: Consideration should be given to where the impact has occurred, as well as the level of impact. a) Significant impact: The vulnerability has caused a loss of confidentiality or integrity of data. b) High impact: System availability has been periodically lost, and some loss of confidentiality or integrity of data. c) Low impact: No loss of confidentiality or integrity of data; minimal or no disruption to system availability. | Please select one of the following: a) There has been significant impact to our critical systems or applications. b) There is a high level of impact to our critical systems or applications. c) There has been a low level of impact to our critical systems or applications. d) The cyber-attack has had no impact to our critical systems or applications. |
6) Who is designated as the point of contact who can answer additional queries? | Please state the key contact for managing information and cybersecurity incidents. Name: Title: Email: Phone: |
7) Has the organization verified with any third parties whether they are using OpenSSL v.3.0.1 or later? If so, are plans in place to address the vulnerability? | Please select one of the following: a) Yes, the organization has identified its third parties that are using version 3.0.1 or later, and they have implemented the latest patches. b) The organization has identified its third parties using version 3.0.1 or later; however, no current plans are in place to address the vulnerability. c) No, the organization has not identified its third parties that are using version 3.0.1 or later. |
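Questions 2 through 4 are easiest to answer accurately from an inventory rather than from memory. As an added example (not part of Prevalent's assessment or any Prevalent tooling), the Python script below classifies `openssl version` banners collected from hosts against the 3.0.1-3.0.6 range and the 3.0.7 fix described above; the host names and banners are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range as stated on this page: OpenSSL 3.0.1 through 3.0.6; 3.0.7 carries the fix.
AFFECTED_MIN = (3, 0, 1)
AFFECTED_MAX = (3, 0, 6)
PATCHED = (3, 0, 7)

# First line of `openssl version`, e.g. "OpenSSL 3.0.5 5 Jul 2022" or
# "OpenSSL 1.1.1q  5 Jul 2022" (pre-3.0 releases carry a letter suffix).
_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an `openssl version` banner, or None if not OpenSSL."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return None  # LibreSSL, BoringSSL or an unparseable line: needs manual review
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))

def classify(banner: str) -> str:
    """Map one banner to a questionnaire-relevant bucket."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    if v < (3, 0, 0):
        return "not_affected"  # 1.1.1 and earlier are outside the affected 3.0 series
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= PATCHED:
        return "patched"
    return "review"  # 3.0.0 is outside the range this page lists; flag it for manual review

def summarize(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by bucket so answers to questions 2 to 4 are backed by data."""
    out: Dict[str, List[str]] = {}
    for host, banner in inventory.items():
        out.setdefault(classify(banner), []).append(host)
    return out

def all_3x_patched(summary: Dict[str, List[str]]) -> bool:
    """Question 4: True only when no 3.0.x host remains unpatched or unreviewed."""
    return not summary.get("affected") and not summary.get("review")

SAMPLE_INVENTORY = {  # constructed sample data, not real hosts
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-db": "OpenSSL 1.1.1q  5 Jul 2022",
    "bastion": "LibreSSL 3.3.6",
}

if __name__ == "__main__":
    s = summarize(SAMPLE_INVENTORY)
    print(s, "Q4 all patched:", all_3x_patched(s))
```

`openssl version` only reports the system binary's library; applications that bundle or statically link their own copy of OpenSSL must be inventoried separately, and the "unknown" bucket exists so that non-OpenSSL or unparseable banners are reviewed rather than silently dropped.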
The announcement of a high-impact security incident is the wrong time to ensure your organization has a third-party incident response plan in place. Instead, start preparing for the next incident by developing a proactive approach now. Here are four best practices to consider:
Inventorying your vendors should be done in a centralized platform, not spreadsheets, so that multiple internal teams can participate in vendor management and the process can be automated for everyone's benefit. Then, conduct inherent risk scoring to help you determine how to assess your third-party vendors on an ongoing basis according to the risks they pose to your business.
Collecting 4th-party technologies deployed in your vendor ecosystem during the inventorying process helps to identify relationships between your organization and third parties based on specific technology usage, and it will help you visualize attack paths into your enterprise and take proactive mitigation steps. You can accomplish this through a targeted assessment or via passive scanning.
Proactively engage impacted vendors with simple, targeted assessments that align with known industry supply chain security standards such as NIST 800-161 and ISO 27036. Results from these assessments will help you target needed remediations to close potential security gaps. Good solutions will provide built-in recommendations to speed the remediation process and close those gaps quicker.
Being continuously vigilant for the next attack means looking for signals of an impending security incident. Monitoring criminal forums, onion pages, dark web special access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, and vulnerability and hack/breach databases is essential. You can monitor these sources individually, or you can look for solutions that unify all the insights into a single solution, so all risks are centralized and visible to the enterprise.
For more on how Prevalent can simplify and accelerate discovery and response to third-party cyber incidents, download our best practices guide. Or, contact us to schedule a maturity assessment or demo today.