OpenSSL Vulnerability: How to Determine Your Third-Party Risk Exposure

Use this free, seven-question assessment to uncover risks posed to your organization by third-party vendor and supplier exposure to the OpenSSL vulnerability. Then, follow our four best practices to improve third-party incident response.
By: Alastair Parr, Senior Vice President, Global Products & Services
November 04, 2022

The OpenSSL Project has recently announced two high-severity flaws in its open-source cryptographic library, which is used to encrypt communication channels and HTTPS connections. If left unpatched, the flaws can lead to stack buffer overflows or remote code execution. The vulnerabilities apply to OpenSSL versions 3.0.1-3.0.6. In response, the OpenSSL Project issued version 3.0.7 to patch the security flaws and has said that it is not aware of any active exploit against the vulnerabilities at this time.

Free Assessment to Determine Your Organization’s Third-Party Vendor and Supplier Exposure to the OpenSSL Vulnerability

Despite the assurance from the OpenSSL Project, it’s essential to determine the extent of OpenSSL 3.0.1-3.0.6 usage in your third-party vendor and supplier base so your organization can quantify its exposure and develop the appropriate mitigation plans. To help, Prevalent has created a seven-question assessment that we are providing free to the security community. Using the assessment will:

  • Determine usage of the in-scope OpenSSL versions
  • Reveal third-party plans for inventorying at-risk systems
  • Identify patching priority and point of contact
  • Clarify business impact
  • Expose fourth- and Nth-party usage and risks

Note to Prevalent customers: This assessment is now available in your questionnaire library.

Questions and Answer Choices

1) Does the organization use OpenSSL for its cryptographic key management?

Help text: OpenSSL is the core open-source library that implements SSL and TLS protocols, making it possible to securely communicate over the Internet.

Please select one of the following:

a) Yes, OpenSSL is used for cryptographic key management.

b) No, OpenSSL is not used for cryptographic key management.

2) What versions of OpenSSL does the organization use?

Help text: OpenSSL has provided notification of a vulnerability affecting versions 3.0.1 to 3.0.6 of its OpenSSL software library.

Please select one of the following:

a) The organization is utilizing OpenSSL version 1.1.1 or earlier.

b) The organization is utilizing a mixture of OpenSSL version 1.1.1 or earlier, and version 3.0.1 or later.

c) The organization is utilizing OpenSSL version 3.0.1 or later.

3) Has the organization prioritized the creation of an inventory of all systems with vulnerable versions of OpenSSL?

Please select one of the following:

a) Yes, an inventory has been created for all systems that use version 3 or later.

b) No inventory has been created for systems that use version 3 or later.

4) Has the organization downloaded and installed the latest 3.0.7 patch released by OpenSSL?

Help text: The OpenSSL Project released OpenSSL version 3.0.7 on November 1, 2022, which patches the vulnerability affecting versions 3.0.1 to 3.0.6.

Please select one of the following:

a) Yes, the 3.0.7 patch has been installed and applied to all systems using version 3.0.1 or later.

b) No, the 3.0.7 patch has not been installed and applied to all systems using version 3.0.1 or later.

5) Has the organization determined, based on the use of OpenSSL v.3.0.1 or later, the level of impact to critical systems and applications?

Help text: Consideration should be given to where the impact has occurred, as well as the level of impact.

a) Significant impact: The vulnerability has caused a loss of confidentiality or integrity of data.

b) High impact: System availability has been periodically lost, and some loss of confidentiality or integrity of data.

c) Low impact: No loss of confidentiality or integrity of data; minimal or no disruption to system availability.

Please select one of the following:

a) There has been significant impact to our critical systems or applications.

b) There is a high level of impact to our critical systems or applications.

c) There has been a low level of impact to our critical systems or applications.

d) The cyber-attack has had no impact to our critical systems or applications.

6) Who is designated as the point of contact who can answer additional queries?

Please state the key contact for managing information and cybersecurity incidents.

Name:

Title:

Email:

Phone:

7) Has the organization verified with any third parties whether they are using OpenSSL v.3.0.1 or later? If so, are plans in place to address the vulnerability?

Please select one of the following:

a) Yes, the organization has identified our third parties that are using version 3.0.1 or later, and they have implemented the latest patches.

b) The organization has identified its third parties using version 3.0.1 or later, but no plans are currently in place to address the vulnerability.

c) No, the organization has not identified our third parties that are using version 3.0.1 or later.
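Questions 2 and 3 ask a vendor to inventory OpenSSL versions against the range given above. The following added example (not part of the original post or of Prevalent's assessment) shows how a defender can classify collected `openssl version` banners into affected (3.0.1-3.0.6), patched (3.0.7 or later), not affected (1.1.1 or earlier) and unknown buckets, and map the result onto the question 2 answer choices; the host names and banners are constructed sample data.

```python
import re

# Affected range exactly as the post states it (3.0.1 through 3.0.6) and the
# fix release (3.0.7). Confirm the lower bound against the OpenSSL advisory
# for your own builds before relying on it.
AFFECTED_MIN = (3, 0, 1)
AFFECTED_MAX = (3, 0, 6)
FIXED = (3, 0, 7)

# Matches the leading part of `openssl version` output, e.g. "OpenSSL 3.0.5 5 Jul 2022";
# the optional letter suffix covers 1.1.1-series builds such as "1.1.1q".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*")

# Constructed sample: host name -> banner a vendor reported (not real hosts).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-db": "OpenSSL 1.1.1q  5 Jul 2022",
    "appliance": "LibreSSL 3.3.6",  # not OpenSSL at all: cannot be classified here
}


def parse_openssl_version(banner):
    """Return (major, minor, patch) from an OpenSSL banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(banner):
    """Bucket one banner: affected / patched / not-affected / unknown."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED:          # 3.0.7 and anything newer
        return "patched"
    return "not-affected"   # 1.1.1 and earlier, per the post's question 2


def summarize(inventory):
    """Group host names by classification so the affected list can be prioritised."""
    buckets = {"affected": [], "patched": [], "not-affected": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        buckets[classify(banner)].append(host)
    return buckets


def question_two_answer(inventory):
    """Map an inventory onto question 2: 'a' only 1.1.1 or earlier,
    'b' a mixture, 'c' only 3.0.1 or later; unknown banners are ignored."""
    seen = {classify(b) for b in inventory.values()} - {"unknown"}
    legacy, modern = "not-affected" in seen, bool(seen & {"affected", "patched"})
    if legacy and modern:
        return "b"
    return "c" if modern else ("a" if legacy else "unknown")
```

Hosts in the "unknown" bucket (non-OpenSSL stacks, or banners that could not be parsed) still need a manual follow-up with the vendor rather than being treated as clean.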

Four Best Practices for Proactive Third-Party Incident Response

The announcement of a high-impact security incident is the wrong time to ensure your organization has a third-party incident response plan in place. Instead, start preparing for the next incident by developing a proactive approach now. Here are four best practices to consider:

1. Develop a centralized inventory of all third parties

Inventorying your vendors should be done in a centralized platform – not spreadsheets – so that multiple internal teams can participate in vendor management and the process can be automated for everyone’s benefit. Then, conduct inherent risk scoring to determine how to assess your third-party vendors on an ongoing basis according to the risks they pose to your business.

2. Build a map of third parties to determine technology concentration risk

Collecting the fourth-party technologies deployed in your vendor ecosystem during the inventorying process identifies which of your third parties share specific technologies, helps you visualize attack paths into your enterprise, and lets you take proactive mitigation steps. You can accomplish this through a targeted assessment or via passive scanning.

3. Assess third parties’ business resilience and continuity plans

Proactively engage impacted vendors with simple, targeted assessments that align with known industry supply chain security standards such as NIST 800-161 and ISO 27036. Results from these assessments will help you target the remediations needed to close potential security gaps. Good solutions provide built-in recommendations to speed up remediation and close those gaps more quickly.

4. Continuously monitor impacted vendors and suppliers for cyber-attacks

Being continuously vigilant for the next attack means looking for signals of an impending security incident. Monitoring criminal forums, onion pages, dark web special-access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, and vulnerability and hack/breach databases is essential. You can monitor these sources individually, or you can look for solutions that unify all the insights in one place, so that all risks are centralized and visible to the enterprise.


Next Steps: Utilize the Assessment and Measure Your Third-Party Incident Response Program

For more on how Prevalent can simplify and accelerate discovery and response to third-party cyber incidents, download our best practices guide. Or, contact us to schedule a maturity assessment or demo today.

Alastair Parr
Senior Vice President, Global Products & Services

Alastair Parr is responsible for ensuring that the demands of the market space are considered and applied innovatively within the Prevalent portfolio. He joined Prevalent from 3GRC, where he was one of the founders and was responsible for and instrumental in defining products and services. He comes from a governance, risk and compliance background, developing and driving solutions for the ever more complex risk management space. He brings over 15 years’ experience in product management, consultancy and operations deliverables.

Earlier in his career, he served as the Operations Director for a global managed service provider, InteliSecure, where he was responsible for overseeing effective data protection and risk management programs for clients. Alastair holds a university degree in Politics and International Relations, as well as several information security certifications.
