New SSL Vulnerability DROWN - expert comments
March 2016 by Brendan Rizzo, Technical Director - EMEA at HPE Security - Data Security
We are starting to see reports appear about a new OpenSSL vulnerability - DROWN. Affecting servers that still support SSLv2, it was revealed today as an attack that could decrypt secure HTTPS communications, including passwords and credit card numbers. Reports indicate that more than 33% of servers are vulnerable - significantly less than Heartbleed, but still a surprisingly high number.
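Because the precondition for DROWN is a server that will still negotiate SSLv2, the first defensive step is to find every configuration that leaves it enabled. The script below is an added example written for this page, not code from the article or from HPE: it audits Apache `SSLProtocol` and nginx `ssl_protocols` directives over constructed sample fragments and reports the ones where SSLv2 remains negotiable, showing the weak setting beside its corrected form. The treatment of a bare Apache `all` as including SSLv2 is a deliberately conservative assumption for older builds, and the file names are invented.

```python
"""Audit web-server TLS directives for SSLv2 exposure (the DROWN precondition)."""
import re

# Constructed sample configuration fragments (not from any real server); the
# "weak" ones leave SSLv2 negotiable, the "fixed" ones disable it.
SAMPLE_CONFIGS = {
    "apache-weak.conf": "SSLEngine on\nSSLProtocol all\n",
    "apache-fixed.conf": "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n",
    "nginx-weak.conf": "ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n",
    "nginx-fixed.conf": "ssl_protocols TLSv1.2;\n",
}

APACHE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
NGINX_RE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.IGNORECASE | re.MULTILINE)


def apache_allows_sslv2(args: str) -> bool:
    """Evaluate an Apache SSLProtocol argument list left to right.

    Tokens are 'all' or a version name, optionally prefixed with '+' (enable)
    or '-' (disable). Assumption: a bare 'all' is treated conservatively as
    including SSLv2, because older Apache/OpenSSL builds did include it.
    """
    sslv2 = False
    for tok in args.split():
        name = tok.lstrip("+-").lower()
        if name not in ("all", "sslv2"):
            continue  # other version tokens do not change the SSLv2 state
        sslv2 = not tok.startswith("-")
    return sslv2


def nginx_allows_sslv2(args: str) -> bool:
    """nginx lists enabled versions explicitly, so SSLv2 is on only if named."""
    return "sslv2" in (tok.lower() for tok in args.split())


def audit(configs: dict) -> list:
    """Return (filename, directive) pairs for every file that leaves SSLv2 on."""
    findings = []
    for fname, text in configs.items():
        for m in APACHE_RE.finditer(text):
            if apache_allows_sslv2(m.group(1)):
                findings.append((fname, m.group(0).strip()))
        for m in NGINX_RE.finditer(text):
            if nginx_allows_sslv2(m.group(1)):
                findings.append((fname, m.group(0).strip()))
    return findings


if __name__ == "__main__":
    for fname, directive in audit(SAMPLE_CONFIGS):
        print(f"{fname}: SSLv2 still negotiable via '{directive}'")
```

Run against real configuration trees, the same checks should be extended to every service that shares an RSA key with the web tier (mail and other TLS listeners), since the assessment the article calls for has to cover everywhere the protocol is reachable, not only the public HTTPS endpoint.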
Brendan Rizzo, Technical Director - EMEA at HPE Security - Data Security:
"Once the full extent of this vulnerability is determined, administrators will quickly move into triage mode - addressing the problems that are most obvious and most under public scrutiny. Attackers, on the other hand, generally avoid the 'front door' and will be shifting their focus to secondary attack vectors.
Companies will need to shore up all possible attack vectors of this vulnerability. This can only happen once organisations have performed a thorough assessment to uncover everywhere they are using the vulnerable protocols and code in their applications and servers.
This reactive ’whack-a-mole’ approach to security further highlights the need to take a different approach to protection of a company’s most sensitive data – especially personal customer information. Instead of just relying on an SSL/TLS tunnel to keep sensitive data secured, businesses need to embrace a holistic defence-in-depth approach to security, with data-centric protection serving as the critical