The “Heartbleed” cybersecurity vulnerability has received a great deal of media attention in the past few days. Safeguarding the ethics and compliance data we process for customers is one of our top priorities. We would like to share the measures we have taken to protect our clients and partners from this risk.
Known formally as CVE-2014-0160, the “Heartbleed” vulnerability is a weakness in the popular OpenSSL cryptographic software library that allows eavesdropping on information that is normally protected by SSL/TLS encryption. The bug leaves no trace and allows an attacker to gain access to private keys, effectively defeating the TLS security mechanism. However, we have a number of policies and procedures in place to mitigate these types of ongoing risks.
Review & Mitigation
Upon learning about the vulnerability, we immediately screened each of our customer-facing servers to determine the impact. Our EthicsPoint, Third Party Risk Management, TopClass (online training) and PolicyTech products do not use the affected versions of OpenSSL. IntegriLink Classic and Portal servers did have the affected versions of OpenSSL.
In response to this risk, on April 9, 2014 the IT Hosting Team deployed a patch that disabled the keepalive, preventing exploitation of the vulnerability. Our team then followed best practices by rekeying all certificates on web servers that had the affected versions of OpenSSL.
In addition to this action, the IT Hosting Team deployed signatures on NAVEX Global’s intrusion detection and prevention layer to block exploitation of the OpenSSL vulnerability.
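As an added illustration of the check such an IDS/IPS signature performs (example code, not NAVEX Global’s own), the function below parses one TLS record and flags a Heartbeat request whose declared payload length exceeds the bytes actually carried, the malformed-length condition that CVE-2014-0160 abuses; the sample records are constructed for the example.

```python
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type for the Heartbeat extension
HB_REQUEST = 0x01      # HeartbeatMessageType value for a request
HB_MIN_PADDING = 16    # RFC 6520: at least 16 bytes of padding must follow the payload


def inspect_tls_record(data: bytes) -> str:
    """Classify one TLS record as seen on the wire.

    Returns 'truncated', 'not-heartbeat', 'heartbeat-ok' or 'heartbleed-suspect'.
    The suspect verdict mirrors the bounds check the OpenSSL fix added:
    1 (type) + 2 (length) + payload_length + 16 (padding) must fit in the record.
    """
    if len(data) < 5:
        return "truncated"
    ctype, _ver_major, _ver_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    body = data[5:5 + rec_len]          # only the bytes actually present count
    if len(body) < 3:
        return "heartbleed-suspect"     # too short to hold even type + length
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    if 3 + payload_len + HB_MIN_PADDING > len(body):
        return "heartbleed-suspect"     # claims more payload than it carries
    return "heartbeat-ok"


def scan_records(records) -> list:
    """Apply the check to a sequence of captured records (constructed here)."""
    return [inspect_tls_record(r) for r in records]


# Constructed sample: record length 3, but the request claims 0xFFFF payload bytes.
SUSPECT_RECORD = bytes.fromhex("18 03 02 00 03 01 ff ff")

# Constructed sample: 4-byte payload plus 16 bytes of padding, lengths consistent.
OK_RECORD = (bytes.fromhex("18 03 02 00 17")
             + bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"abcd"
             + b"\x00" * HB_MIN_PADDING)

if __name__ == "__main__":
    for rec, verdict in zip((SUSPECT_RECORD, OK_RECORD), scan_records((SUSPECT_RECORD, OK_RECORD))):
        print(rec.hex(), "->", verdict)
```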
If you have additional questions or concerns, please reach out to Client Support or contact your NAVEX Global sales representative.