Global Velocity, in collaboration with Josh More from Erya Security, wants to keep you informed about a relatively new Internet security vulnerability. We feel that security works best when everyone functions as a team, be they consultants, vendors or clients. Collaborations such as this allow us to get the word out about ways to help you improve security and compliance and reduce the risk of a data breach.

By now, you’ve almost certainly heard of the recent Heartbleed SSL security issue. When such critical concerns arise, we like to do our best to cut through the hype. In our experience, the root cause of most security issues is not underinvestment but misplaced investment, a possible knee-jerk reaction that seldom provides tangible benefits.

So without getting into the technical details, what does this SSL security issue mean to you? The first thing is that, while a patch fixes the flaw, it does not address the core concern. Because the weakness is two years old, we must assume there is a high likelihood that some sensitive data was lost. Thus, we must determine both which data is at risk and what to do about it.

At the time of this email, the likely concerns fall into four categories: keys, certificates, passwords and vendors. Due to how the attack works, this information is vulnerable to theft, and there is a possibility that it, along with other related sensitive data, might have been stolen. This means:

If you are running a Linux-based web server, or a Windows server with a proxy or load balancer, anyone who has stolen the key can pretend to be you. Thus, if they trick your customers into connecting to them, they win.
If you use an SSL-based […]