If exploited, the Heartbleed vulnerability leaks the contents of the targeted server's process memory, up to 64 kilobytes per malformed heartbeat request, and the request can be repeated indefinitely. That memory can contain credentials, session cookies, private key material, and other content the server was handling. FireEye has observed several lists being posted to GitHub and Pastebin that track which sites are vulnerable, which are not, and which are not running SSL on their web servers at all.
Organisations are encouraged to apply the patch at their earliest opportunity. They should identify their own deployment strategy based on their needs and testing requirements; however, FireEye recommends the following order:
• All externally facing servers be patched first to reduce the potential number of individuals who could connect to a vulnerable system.
• Patch any servers providing authentication that could leak legitimate credentials to an attacker.
• Then patch any servers that contain sensitive data including personally identifiable information (PII), customer data, critical intellectual property, or those conducting financial transactions.
• Then pursue a strategy to patch all other internal systems.
• Identify partner organisations' websites that employees may use, and confirm that those sites have been patched as well.
• Generate new private keys and have new certificates issued for them, and deploy them. Reissuing a certificate for the existing key pair does not help, because the old private key may already have been read from memory; and the new key must be generated only after the server is patched, or it can be leaked the same way. Organisations that suspect they have already been attacked should also revoke the superseded certificates and invalidate all session keys and cookies.
In addition, organisations should perform network scans as soon as possible to identify any other devices that may be running a vulnerable OpenSSL build (1.0.1 through 1.0.1f; fixed in 1.0.1g). This could include appliances, wireless access points, routers, or anything else that terminates SSL/TLS. As an example, several types of voice over IP (VoIP) phones used in corporate environments run SSL. For these devices, organisations may need to work with their vendors to obtain a patch, updated firmware, or another solution.
Finally, organisations will want to ensure appropriate logging is enabled on their servers and conduct increased auditing to determine whether anyone is using credentials that may already have been leaked. Because the credentials are legitimate, no authentication failure will flag the intruder, so auditing for anomalous use is one of the best ways to detect it. Auditors should look for anything outside the normal pattern: logins for the same account from unexpected or multiple geographic regions, activity at extreme off-hours, increases in outbound bandwidth usage, and similar signs.
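The two login-based checks above can be run over authentication logs with a few lines of code. The following is an added example, not part of the original advisory: it parses constructed log lines (not real data) in an assumed `key=value` format that already carries a GeoIP country per login, and flags successful logins during an off-hours window and logins for one account from different countries within 24 hours. Timestamps are treated as UTC, so the off-hours window should be adjusted to the organisation's local time before use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data), in the format this example assumes.
SAMPLE_LOG = """\
2014-04-09T09:02:11Z user=alice src=198.51.100.23 country=US result=success
2014-04-09T09:45:02Z user=bob src=198.51.100.40 country=US result=success
2014-04-09T13:17:39Z user=alice src=203.0.113.77 country=RU result=success
2014-04-09T22:05:50Z user=carol src=198.51.100.9 country=US result=failure
2014-04-10T03:12:08Z user=bob src=192.0.2.14 country=US result=success
2014-04-10T10:00:00Z user=alice src=198.51.100.23 country=US result=success
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) country=(\S+) result=(\S+)$")


def parse(lines):
    """Parse log lines into event dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, country, result = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "src": src, "country": country, "result": result,
        })
    return events


def audit(lines, window=timedelta(hours=24), off_hours=range(0, 6)):
    """Return (kind, user, timestamp, detail) findings for off-hours and multi-country logins.

    Only successful logins matter here: leaked credentials are valid, so failures are not
    the signal. Events are processed in time order and each user's prior logins are kept so
    a later login from a different country inside the window is flagged against the earlier one.
    """
    findings = []
    by_user = defaultdict(list)
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue
        if ev["ts"].hour in off_hours:
            findings.append(("off_hours", ev["user"], ev["ts"].isoformat(), ev["country"]))
        for prev in by_user[ev["user"]]:
            if prev["country"] != ev["country"] and ev["ts"] - prev["ts"] <= window:
                findings.append(("multi_country", ev["user"], ev["ts"].isoformat(),
                                 prev["country"] + "->" + ev["country"]))
                break
        by_user[ev["user"]].append(ev)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG.splitlines()):
        print(*finding)
```

On the sample log this flags alice's Russian login less than a day after her US one (and the return trip), and bob's 03:12 login. A real deployment would feed it the server's own authentication log and tune the window and off-hours range to the organisation, but the shape of the check is the same.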