You may have seen in the press this week that Google have discovered another vulnerability – POODLE – that could enable a hacker to access information from a secure (https) web connection. The vulnerability only applies to an old version (SSLv3) of the protocol used to secure the communication between a user's browser and the web site. The reality is that in the overwhelming majority of cases (>98%!) communication between the browser and web site uses a newer version of the communication protocol (TLS), which is not affected.
Your information is only vulnerable if the web site you access supports SSLv3, AND if the browser can be convinced (using a malicious web site or virus) to use SSLv3 instead of the newer TLS protocols, AND if the hacker has network-level access to the communication channel between the browser and web site. It is therefore somewhat challenging (but not impossible) to exploit, and Safe4 consider it to be a relatively low risk in respect of typical business information.
What has Safe4 done to protect your information?
You will be aware that in April this year, following the Heartbleed announcement, Safe4 undertook a comprehensive review of the security protocols used and the configurations of the web servers. Although Safe4 was never vulnerable to Heartbleed, we did make some changes to our security configurations, earning Safe4 an A+ rating on independent tests. The changes we made in April included disabling the SSLv3 protocol, which was not being used by any of our clients. Safe4 is therefore not vulnerable to the POODLE vulnerability.
What can you do to protect your information?
Safe4 expect that over the coming months many other websites will follow our lead and disable support for SSLv3. However, you can also protect yourself by disabling SSLv3 in the browser. It is suggested that you speak to your network managers about how to do this – Safe4 can provide advice if required.
Remember that the majority of information exploits rely on some form of human intervention, e.g. visiting a malicious web site. Your first line of defence needs to remain robust virus protection and effective firewalls and web protection. Safe4 can also provide a 3-hour training session for your staff to gain a better understanding of information security on the web and provide simple approaches that everyone can take to improve their online security both at work and in personal life.
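A server with SSLv3 disabled never selects that version in its handshake reply, and this can be confirmed from a captured ServerHello record. The Python below is an added example, not Safe4's own code: it reads the selected version from the record and flags SSLv3. The function names and the sample bytes are constructed for illustration.

```python
import struct

SSL3 = 0x0300  # wire value of the SSLv3 protocol version
NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def server_hello_version(record: bytes) -> int:
    """Return the protocol version a server selected in its ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _record_version, length = struct.unpack("!BHH", record[:5])
    if content_type != 22:  # 22 = handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    if len(body) < length or length < 6:
        raise ValueError("truncated handshake message")
    if body[0] != 2:  # 2 = ServerHello
        raise ValueError("not a ServerHello")
    if int.from_bytes(body[1:4], "big") < 2:
        raise ValueError("ServerHello too short to carry a version")
    # The selected version follows the 4-byte handshake header. A TLS 1.3
    # server reports 0x0303 here, which still never equals SSLv3.
    return struct.unpack("!H", body[4:6])[0]


def selected_sslv3(record: bytes) -> bool:
    """True when the server agreed to SSLv3, the protocol POODLE applies to."""
    return server_hello_version(record) == SSL3


def sample_server_hello(version: int) -> bytes:
    """Constructed sample: zeroed random, empty session id, placeholder suite."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake


if __name__ == "__main__":
    for v in (0x0300, 0x0303):
        rec = sample_server_hello(v)
        status = "SSLv3 still enabled" if selected_sslv3(rec) else "ok"
        print(NAMES[server_hello_version(rec)], "->", status)
```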
Safe4 will continue to monitor developments and threats to information security and will provide updates as items develop.
Email us at firstname.lastname@example.org or call us on 0845 094 8045 to find out more.