News about the serious “Heartbleed” vulnerability, which may have led to the exposure of the login names and passwords you use to access Web sites and other online services, has been spreading across online and traditional media.
We got on the phone with Chris Finegan, the Vice President of FullScope IT Inc., a Baltimore, Maryland area Managed IT Service Provider, to get his thoughts and recommendations.
Chris explained, “Our remote management system is not based on the OpenSSL software at issue, so the encrypted connections that we use to maintain and access our clients’ computers were never vulnerable. That’s especially important to our numerous medical and financial clients with HIPAA, SEC, and FINRA compliance requirements.
“We only had one offsite backup server that was affected, and we had that patched within hours of the vulnerability being published. Backups sent to that server are also separately encrypted and password protected, meaning the integrity and contents of our clients’ backups were never at risk.
“Because of the unique severity of this bug, we felt that it was our duty to provide some advice on what people could do to protect their sensitive personal information. So we are providing suggestions to our clients directly through email and to our community through our blog and social media.”
Finegan went on to say, “If your readers are using an outsourced IT provider and have not been contacted by them yet, I strongly suggest they reach out to that provider and ask to what extent their business data may have been compromised by ‘Heartbleed’ and what risk mitigation steps their provider has taken.”
Below are some tips we found on FullScope IT’s Facebook page.
What You Should Do
1. Immediately change your passwords on all of the web sites that you frequent. At the top of this list should be your email accounts, financial institutions, and medical portals. This will provide a measure of protection in the short term.
2. Repeat this password change in two weeks, and use all new passwords. Due to the nature of the Heartbleed bug, many sites are still vulnerable and may not be patched for some time. This second round of password changes will help to ensure longer-term protection.
3. Do not use the same password on multiple web sites. We recommend using unique randomly-generated passwords created and stored in a password manager. We also recommend changing passwords at least every 3-6 months as a matter of routine precaution.
4. If you receive a password reset request via email, do not click on any links in that email. Open a web browser and go directly to the website, then log in and change your password. Unscrupulous organizations will take advantage of the confusion around Heartbleed to mount attacks aimed at stealing your new credentials.
Heartbleed is perhaps the most serious and far-reaching security incident to occur since the widespread adoption of the Internet. The steps above will take time, but they are critical to maintaining your privacy and protecting your personal data.
To contact Chris Finegan, or to learn more about FullScope IT, visit their website at www.FullScopeIT.com.