Community Health Systems (CHS) recently experienced a Target-like breach, and 4.5M members were affected by the incident. No medical records were stolen, only patient names, addresses, birthdates, and Social Security numbers. CHS hired Mandiant, the leader in incident response that’s now part of FireEye, to investigate the security breach. Mandiant believes the attacker is an “Advanced Persistent Threat Group” that used advanced malware to bypass CHS’s security system. More recently, TrustedSec, a high-end InfoSec consulting firm, stated that the attacker used the OpenSSL Heartbleed vulnerability in a Juniper router that wasn’t patched in time to gain entry into the CHS network. The founder of TrustedSec previously worked for the NSA, so there’s probably credence in what he is saying.
The breach raises a lot of questions. The first question: does Juniper bear some of the responsibility for the breach? That’s not for me to decide. CHS does bear much of the responsibility for not patching the vulnerable Juniper router fast enough, even though Juniper, Cisco, and the entire world were in “patch-mode” for weeks. For the large CDNs, this was a major distraction, where engineering resources had to be diverted away from their productive activities to deal with this major issue. Everyone has learned from the Heartbleed incident that if any company plans on using any open source software in anything, it’s worthwhile to use a service like Contrast Security to scan the entire application, including libraries, and so on. Better to pay a few thousand dollars now than millions later, when the application gets hijacked.
As the founder of Contrast Security said:
“Contrast finds problems like #heartbleed, except at the application layer, not the infrastructure. Most organizations were able to quickly scan for servers that were vulnerable to HeartBleed and get them patched. But when problems with application layer libraries crop up, most organizations have no infrastructure to find and eliminate them. That’s where Contrast comes in — we shine a floodlight on security in the application layer.”