It is critical that enterprises audit their SSL/TLS servers as part of a regular security hygiene assessment process. Failure to do so can lead to security breaches and service outages.
Every year we see very public examples of companies that have suffered outages due to certificate expiration. Last week’s headlines about significant outages in Europe and Japan underscore that expired certificates can have a massive impact on a business. If technology stops running, the business will, too – with potentially disastrous consequences for sales, customer confidence, and brand equity, not to mention productivity.
Since Netscape created it in 1994, the SSL/TLS protocol has suffered a number of significant attacks. Over time, standards and compliance bodies such as the PCI Security Standards Council, NIST, CIS and the IETF have published guidance on which SSL/TLS protocol versions and cipher suites should be used in order to avoid falling victim to attacks such as DROWN, POODLE, BEAST, CRIME and ROBOT.
Taking steps to ensure compliance-readiness
These guidelines are continuously revised, and the current version of the PCI-DSS standard no longer considers SSL 2.0, SSL 3.0 or TLS 1.0 to be secure. TLS 1.1 is still acceptable, but TLS 1.2 is the recommended baseline because it is the first version to support modern AEAD cipher suites such as AES-GCM. Any server that still accepts SSL 2.0, SSL 3.0 or TLS 1.0 as a security control will cause a business to fail PCI compliance as of 30 June 2018. Protocol version is only half the picture, though: a TLS 1.2 server that still offers RC4, 3DES or export-grade cipher suites is not in good shape either.
Business Resilience starts with good security hygiene and total visibility of your environment. Auditing an environment to ensure you’re compliance-ready can be very difficult, but using Tanium you can immediately show:
- Every server in your environment that offers only TLS 1.1 and TLS 1.2 and therefore meets PCI-DSS compliance requirements
- Whether a given server offers TLS 1.2, the strongest version of the TLS protocol that is readily available
- Servers that offer SSL 2.0, SSL 3.0 and TLS 1.0, and thus put you at risk for noncompliance – and a breach
- Certificates that are soon to expire
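The checks in the list above can be reproduced against a single endpoint with a short script. The following is an example written for this page, not Tanium's code: it pins one handshake to each protocol version to see which ones the server still accepts, maps the result to the PCI-DSS posture described above, and reads the certificate's expiry date. It assumes Python 3.7+ and an `openssl` binary on PATH (used only to print the certificate's notAfter field); the host and port are whatever you pass on the command line. SSL 2.0 cannot be tested this way, because no supported OpenSSL build can speak it, and SSL 3.0 only on builds that still include it; the script reports those as "not testable" rather than silently calling them "refused".

```python
"""Audit one TLS endpoint for accepted protocol versions and certificate
expiry, and map the result to the PCI DSS posture described above.
Example for this page, not Tanium's code.
Usage: python tls_audit.py HOST [PORT]   (needs `openssl` on PATH)
"""
import socket
import ssl
import subprocess
import sys
from datetime import datetime, timezone

# Versions the ssl module can pin a handshake to. SSL 2.0 is absent on
# purpose: no supported OpenSSL can speak it, so use a dedicated scanner.
PROBE_VERSIONS = [
    ("SSL 3.0", ssl.TLSVersion.SSLv3),
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]

# Versions PCI DSS stopped accepting as a security control on 30 June 2018.
LEGACY = {"SSL 2.0", "SSL 3.0", "TLS 1.0"}


def probe_version(host, port, version, timeout=5.0):
    """One handshake pinned to exactly `version`.
    True: server completed it.  False: server refused (or port closed).
    None: this client's OpenSSL cannot speak the version, so nothing can
    be concluded about the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol support, not trust, is under test
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None
    # Lower OpenSSL's security level so legacy suites are actually offered;
    # fall back to plain "ALL" on builds that reject @SECLEVEL.
    for suites in ("ALL:@SECLEVEL=0", "ALL"):
        try:
            ctx.set_ciphers(suites)
            break
        except ssl.SSLError:
            continue
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        # NO_PROTOCOLS_AVAILABLE means the *client* has the version compiled out.
        return None if exc.reason == "NO_PROTOCOLS_AVAILABLE" else False
    except OSError:
        return False


def pci_posture(offered):
    """Map the set of version names a server accepted to (compliant, reason)."""
    legacy = sorted(LEGACY & offered)
    if legacy:
        return False, "accepts " + ", ".join(legacy) + "; SSL/early TLS is disallowed after 30 June 2018"
    if offered & {"TLS 1.2", "TLS 1.3"}:
        return True, "TLS 1.2 or later offered (AEAD cipher suites available)"
    if "TLS 1.1" in offered:
        return True, "TLS 1.1 only: still acceptable, but no AEAD suites; enable TLS 1.2"
    return False, "no acceptable TLS version could be negotiated"


def parse_not_after(cert_time):
    """Parse OpenSSL's 'Jun 30 23:59:59 2018 GMT' form into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def days_remaining(not_after, now=None):
    """Whole days until `not_after`; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def fetch_not_after(host, port, timeout=5.0):
    """Fetch the leaf certificate and return its notAfter. Verification is
    disabled on purpose: an already-expired certificate would otherwise
    abort the handshake before its dates could be read."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            pem = ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate"], input=pem,
                         capture_output=True, text=True, check=True).stdout
    return parse_not_after(out.strip().split("=", 1)[1])  # "notAfter=<date>"


def main(argv):
    host, port = argv[1], (int(argv[2]) if len(argv) > 2 else 443)
    results = {name: probe_version(host, port, ver) for name, ver in PROBE_VERSIONS}
    for name, res in results.items():
        state = "offered" if res else ("refused" if res is False else "not testable from this client")
        print(f"{name:8} {state}")
    compliant, reason = pci_posture({n for n, r in results.items() if r})
    print(f"PCI DSS: {'PASS' if compliant else 'FAIL'}: {reason}")
    left = days_remaining(fetch_not_after(host, port))
    status = "EXPIRED" if left < 0 else f"{left} days left"
    print(f"certificate: {status}" + ("  <-- renew now" if left < 30 else ""))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python tls_audit.py www.example.com 443`. A "refused" result for TLS 1.0 is only meaningful when the same run shows TLS 1.2 as "offered", which proves the client reached the server at all; and because verification is switched off for both checks, this script says nothing about whether the certificate chains to a trusted CA, only about what the server will negotiate and when its certificate runs out.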
Business Resilience is more than prevention. It’s more than recovery. It’s a shared practice that unites IT, operations and security teams to ensure strong security fundamentals are embedded across the entire company network. Only then can organizations act – and react – in real-time to threats and outages.
- Download our research on Business Resilience
- Read about how compliance and security hygiene go hand in hand