By now most internet users and organizations have heard of Heartbleed. What is unclear, as sites of all sizes and across all industries scurry to fix the immediate damage and assess the longer-term consequences, is whether users are actually checking which of the sites they use were affected and whether their personal, financial, and medical data is at risk.
Online applications and services are now used for everyday tasks like paying bills and communicating with colleagues, friends, and family, as well as for filing taxes and booking vacations. Any of these services could have been affected.
Alvaro Hoyos, Director of Risk and Compliance for OneLogin, has put together a list of four steps to take now.
1. Check “The Heartbleed Hit List: The Passwords You Need to Change Right Now” maintained by Mashable. If a site you use is not listed, go to the site itself and check its latest news releases or blog posts for information on how Heartbleed affected it. The vulnerability has received extensive press coverage, and most vendors have by now made a statement on where they stand.
2. Check that any affected site you use has fixed the problem by updating its software. The fix also includes issuing new certificates: the digital credentials a website presents to identify itself, which are a key part of establishing a secure connection. Because Heartbleed could expose a server's private key, a certificate reissued with the same key pair offers no protection; the site needs a new key and a new certificate, and should revoke the old one. To check that a website is no longer vulnerable, enter its address in the Heartbleed Test tool. To check that it has issued a new certificate, click the lock icon in your browser when you visit the site and look at the certificate's issue date (the "valid from" field): it should fall after the April 7 disclosure.
3. Change your password, but NOT until the service has been updated: a password changed on a still-vulnerable server can be stolen just like the old one. When you do change it, don't reuse an old password, an easy-to-guess word, or personal data. Use a different password for each service or website, or use an Identity and Access Management service like OneLogin to centralize your account access.
4. Prioritize by what data is stored on or transacted through each affected website you use, and in particular whether it holds sensitive data like payment information or medical records. Those are the sites to deal with first; the others can be updated in due course.
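The certificate-date check in step 2 can be automated instead of clicking through the browser's lock icon. The script below is an added example and is not code from the article or from OneLogin; it uses only the Python standard library, takes the public disclosure date of CVE-2014-0160 (7 April 2014) as the cut-off, and reads the notBefore field in the format that `ssl.SSLSocket.getpeercert()` returns. The sample certificate records at the bottom are constructed for illustration; the live lookup in `fetch_certificate` is the only part that needs network access.

```python
"""Added example: classify a site's TLS certificate relative to the
Heartbleed disclosure date (not code from the original article)."""
import socket
import ssl
from datetime import datetime, timezone

# CVE-2014-0160 (Heartbleed) was publicly disclosed on 7 April 2014.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def parse_cert_time(cert_time):
    """Parse a notBefore/notAfter string in the getpeercert() format,
    e.g. 'Apr  9 12:00:00 2014 GMT', into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert_time)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def assess_certificate(cert):
    """Decide whether a certificate (dict as returned by getpeercert())
    was issued after the disclosure. Returns (reissued, reason).

    Note: a post-disclosure issue date shows the certificate was replaced,
    not that the key pair was changed; key reuse cannot be detected from
    the date alone."""
    not_before = parse_cert_time(cert["notBefore"])
    if not_before < HEARTBLEED_DISCLOSURE:
        return False, ("issued %s, before the Heartbleed disclosure: "
                       "the site is still presenting its old certificate"
                       % not_before.date())
    return True, ("issued %s, after the disclosure: certificate was "
                  "replaced (confirm the key was rotated as well)"
                  % not_before.date())


def fetch_certificate(host, port=443, timeout=10):
    """Live lookup: open a validated TLS connection and return the peer
    certificate dict. Needs network access; not used by the offline checks."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample records in getpeercert() format (illustration only).
SAMPLE_CERTS = {
    "old.example.test": {"notBefore": "Mar 15 08:30:00 2013 GMT",
                         "notAfter": "Mar 15 08:30:00 2015 GMT"},
    "reissued.example.test": {"notBefore": "Apr  9 00:00:00 2014 GMT",
                              "notAfter": "Apr  9 00:00:00 2016 GMT"},
}


def assess_samples():
    """Run the check over the constructed samples; returns {host: reissued}."""
    return {host: assess_certificate(cert)[0]
            for host, cert in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # python heartbleed_cert_check.py www.example.com
        cert = fetch_certificate(sys.argv[1])
        ok, reason = assess_certificate(cert)
        print("%s: %s" % (sys.argv[1], reason))
    else:
        for host, cert in SAMPLE_CERTS.items():
            print("%s: %s" % (host, assess_certificate(cert)[1]))
```

Run it with a hostname to query a live site, or with no arguments to see the verdict on the two constructed samples. The date check answers only the question the lock icon answers; whether the server's software was patched is what the Heartbleed Test tool checks, and whether the private key was actually replaced has to be confirmed by comparing the public key in the old and new certificates.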
Hoyos, in addition to being director of Risk and Compliance for OneLogin, has over 8 years of compliance experience working for PwC and Grant Thornton, two of the largest global public accounting firms.