The Next Heartbleed: 5 security vulnerabilities to watch

What comes next?

IT executives know one thing about security: Be prepared. Over the past few months, many large companies have had to deal with Heartbleed, a flaw in the OpenSSL library (not a virus) that lets an attacker read sensitive memory, including logins and passwords, from affected Internet servers.

But what comes next? To find out, we asked security companies, consultants and IT experts about other potential flaws that are ripe for exploit. These five should catch your attention.


1. Apache: Hitting the 'Heartbeat' of the Internet

Several analysts mentioned a threat related to the Apache HTTP Server, which serves a large share of the world's websites and so acts as something like the heartbeat of the Internet. "Apache has massive market penetration, runs across a variety of OS platforms and is also maintained by the open source community," says security analyst Troy Hunt. "A previously undisclosed flaw, such as a local file inclusion risk, could enable an attacker to pull arbitrary files from the system."
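How a local file inclusion flaw of the kind Hunt describes turns a page parameter into arbitrary file reads, and what the fixed resolver looks like, as an added example in Python (not code from the article, from Apache or from Troy Hunt). The web root, the template file, the 'secret' file and the request values are all constructed for the demo:

```python
"""Local file inclusion: a vulnerable path resolver beside a hardened one.

Added example, not code from the article or from any Apache/PHP project.
The web root, template file and 'secret' file are constructed for the demo.
"""
import os
import tempfile
from pathlib import Path

# Constructed web root: one legitimate template under templates/ and one
# sensitive file one level up, which is what the attacker wants to read.
ROOT = Path(tempfile.mkdtemp())
TEMPLATES = ROOT / "templates"
TEMPLATES.mkdir()
(TEMPLATES / "home.html").write_text("<h1>home</h1>")
(ROOT / "secret.conf").write_text("db_password=hunter2")

ALLOWED_PAGES = {"home.html"}   # the only templates the app should ever include


def include_vulnerable(page: str) -> str:
    """The classic LFI bug: the request parameter is joined onto a base
    directory with no canonicalisation or allowlist. '../' walks out of the
    directory, and os.path.join silently drops the base when the second
    argument is absolute."""
    with open(os.path.join(TEMPLATES, page)) as fh:
        return fh.read()


def include_hardened(page: str) -> str:
    """Reject NUL bytes and absolute paths, canonicalise the candidate path,
    require that it still lives inside the template directory, and finally
    check the file name against an explicit allowlist."""
    if "\x00" in page or os.path.isabs(page):
        raise PermissionError("invalid page name")
    base = TEMPLATES.resolve()
    candidate = (base / page).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError("path escapes template directory")
    if candidate.name not in ALLOWED_PAGES:
        raise PermissionError("unknown page")
    return candidate.read_text()


def demo() -> dict:
    """Run both resolvers against a benign request, a traversal payload and an
    absolute path; returns what each one hands back."""
    results = {
        "vuln_home": include_vulnerable("home.html"),
        "vuln_traversal": include_vulnerable("../secret.conf"),
        "vuln_absolute": include_vulnerable(str(ROOT / "secret.conf")),
        "hard_home": include_hardened("home.html"),
    }
    for label, payload in (("hard_traversal", "../secret.conf"),
                           ("hard_absolute", str(ROOT / "secret.conf"))):
        try:
            include_hardened(payload)
            results[label] = "leaked"
        except PermissionError as exc:
            results[label] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist is the part most real fixes skip: a containment check alone still lets an attacker read any file that happens to live under the template directory, including backups and editor swap files.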


2. Programming Backdoors: Easy Access for Admins - and Hackers

When developers create software that runs at a retail store or as a custom app for the marketing team, they sometimes leave a "backdoor": a way to authenticate without going through the proper login system. Hackers could exploit this, says Vince Berk, the CEO of FlowTraq, a network security company. Programmers leave the door open to make testing the app easier, but they might not realize that a hacker who finds it could gain access to the entire network.
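The kind of bypass Berk describes, beside the same routine with the bypass removed, and a crude source scan for the pattern, as an added example in Python (not code from the article or from FlowTraq). The user store, the password hashes, the bypass string and the regex patterns are constructed for the demo:

```python
"""A hard-coded developer bypass beside an authentication routine without one,
plus a crude source scan for the pattern.

Added example, not code from the article or from FlowTraq. The user store,
the password hashes and the bypass string are constructed for the demo.
"""
import hashlib
import hmac
import inspect
import os
import re


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}


def login_with_backdoor(username: str, password: str) -> bool:
    """The pattern the article warns about: a bypass added so testers can skip
    the real login, then shipped. Anyone who reads the repo, the binary or a
    leaked build now gets in as any user, known or not."""
    if password == "dev-bypass-2014":          # the backdoor
        return True
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)


def login_hardened(username: str, password: str) -> bool:
    """Same check with the bypass removed: the only way in is a credential that
    verifies against the store, compared in constant time. Test accounts
    belong in test fixtures, not in production authentication code."""
    record = USERS.get(username)
    if record is None:
        _hash(password, _SALT)   # burn the same time as a real check; avoids a
        return False             # username-enumeration timing oracle
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)


# Patterns worth grepping for in a code review: a password compared to a string
# literal, or an authentication branch gated on a debug/test/bypass flag.
BACKDOOR_PATTERNS = [
    re.compile(r'pass(word|wd)?\s*==\s*["\'][^"\']+["\']', re.IGNORECASE),
    re.compile(r'\bif\b.*\b(debug|test_mode|bypass)\w*\b.*:', re.IGNORECASE),
]


def find_backdoor_patterns(source: str) -> list:
    """Return 'lineno: line' for every source line matching a backdoor pattern."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if any(pat.search(line) for pat in BACKDOOR_PATTERNS):
            hits.append(f"{lineno}: {line.strip()}")
    return hits


def scan_login_functions() -> dict:
    """Run the scan over the two login routines above; maps name -> hit count."""
    return {fn.__name__: len(find_backdoor_patterns(inspect.getsource(fn)))
            for fn in (login_with_backdoor, login_hardened)}
```

The regex scan is a review aid, not a proof of absence: a bypass keyed on a request header, an environment variable or a specific client IP will not match these two patterns, so the real control is that no authentication branch exists which does not end in a credential check against the store.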


3. Amazon Web Services: Could Single Sign-on Pose a Problem?

You don't hear about this one as a threat, but Tom Smith, the vice president of business development and strategy at CloudEntr, a cloud security company, says AWS is a prime target because it's so widely used.

As companies start embracing the "social login" technique to authenticate users with an account at a service such as Facebook, AWS becomes even more susceptible. Smith says hackers who gain access using social login could potentially tap into the underlying infrastructure as well.


4. RAM Scraping: Stealing Data at the Point of Decryption

One of the great challenges of IT is that companies protect a storage medium or service with encryption, yet at some point - to grant access, say, or to process a transaction - the data must be decrypted, and while that happens it usually sits in RAM in the clear.

Dave Frymier, CISO of Unisys, says a hacker could "scrape" RAM to steal the data as it sits in an unencrypted state. (That's what happened to Target.) "This RAM scraping issue is one of the reasons we don't see greater adoption of public cloud computing in regulated industries," he says.
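What a RAM scraper actually does once it has a process's memory, as an added example in Python (not code from the article, from Unisys or from any real malware). The memory buffer is constructed and uses the public Luhn-valid test card numbers rather than real cards; run over a suspect process dump, the same scan is also the forensic check for what a scraper could have taken:

```python
"""Scan a memory image for payment-card data the way a POS RAM scraper does.

Added example, not code from the article, from Unisys or from any real
malware. The memory buffer is constructed and uses the public Luhn-valid test
card numbers, not real cards.
"""
import re

# ISO 7813 track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,30}\?")
# A bare 13-19 digit run not adjacent to other digits: a PAN that may sit in a
# buffer after decryption with no track framing around it.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn check-digit test; it is what separates PANs from order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep BIN and last four only, so findings can be logged safely."""
    text = pan.decode()
    return text[:6] + "*" * (len(text) - 10) + text[-4:]


def scrape(memory: bytes) -> list:
    """Every Luhn-valid PAN in the buffer, in offset order. Track-2 records
    are taken first; bare PANs are reported only outside those records."""
    hits, covered = [], []
    for m in TRACK2_RE.finditer(memory):
        if luhn_ok(m.group(1)):
            hits.append({"offset": m.start(1), "pan": mask(m.group(1)),
                         "expiry": m.group(2).decode(), "track2": True})
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(memory):
        if any(s <= m.start(1) < e for s, e in covered):
            continue
        if luhn_ok(m.group(1)):
            hits.append({"offset": m.start(1), "pan": mask(m.group(1)),
                         "expiry": None, "track2": False})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed process memory: a decrypted track-2 record, a 16-digit order ID
# that is not a card number, and a bare PAN left behind in a reused buffer.
MEMORY = (
    b"\x00\x00POS_TXN v2.1\x00customer=J. DOE\x00"
    b";4111111111111111=24091011234567890?\x00"
    b"order_id=1234567890123456\x00"
    b"\xff\xfe5555555555554444\x00amount=0042.17\x00"
)

if __name__ == "__main__":
    for hit in scrape(MEMORY):
        print(hit)
```

The Luhn filter is what keeps the scan quiet on the timestamps, order numbers and counters that fill a real process image. The defensive reading of the same code is that encryption at rest does nothing here: the only fix is to keep cleartext PANs out of application memory altogether, for example by encrypting in the card reader and handing the application a token.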


5. PHP: Popularity Could Be Its Downfall

Yes, Heartbleed was a bug in the OpenSSL library, which sits behind about 60 percent of all Web servers. However, PHP is an even greater target, as it's used on 80 percent of today's servers. What's more, the server-side scripting language is easy to use for new Web programmers who might not be thinking about security.

Barry Shteiman, the director of security strategy at Imperva, a data center security company, says hackers could even find a new PHP bug and try to sell it to the highest bidder, capitalizing on the news that sent many companies into a recent tailspin over Heartbleed.


John Brandon is a former IT manager at a Fortune 100 company who now writes about technology. He has written more than 2,500 articles in the past 10 years. You can follow him on Twitter @jmbrandonbb. Follow CIO on Twitter @CIOonline, Facebook, Google+ and LinkedIn.
