Is web security part of your annual security audit?
Is your organization ready? Do you have a data governance program or security audit? Do you know
what your IT assets are? It’s important to be prepared. Many customers we speak with are unaware of
the need to monitor widely in order to prevent a breach, and that especially includes their SSL/TLS
certificates.
What if your organization has nothing? No monitoring, no management, no audit, no policies. It’s
important to start somewhere and it’s important to start as soon as possible. The Ponemon Institute
reports that in many cases an audit or data governance program could have a major financial impact for
your organization. “Improvements in data governance programs will reduce the cost of data breaches.
Incident response plans, appointment of a CISO, employee training and awareness programs and a
business continuity management strategy continue to result in cost savings when it comes to data
breaches.” (Ponemon Institute Research Report, page 2).
An information security audit covers topics from auditing the physical security of data centers to
auditing the logical security of databases. It highlights key components to look for and different
auditing methods that help prevent a breach.
The cost of a data breach is permanent. Preparing for or attempting a security audit or data governance
program can be a daunting task. Organizations need to be prepared to deal with and incorporate
breach response into their data protection strategies.
Many organizations are moving at a rapid pace, and simply finding the time, resources and
money to implement a security audit or a plan is overwhelming.
Many organizations overlook their SSL/TLS certificates as part of this security audit.
SSL/TLS certificates are a big part of your web security strategy and should also be audited and reviewed
regularly. The CA/Browser Forum is the governing body for all certificate authorities like Entrust. It
stipulates the rules and guidelines to which Certification Authorities should adhere. Entrust helps
get you the latest information by pushing notifications to customers via the Entrust Certificate Service
Cloud. Along with regular touch points of the Entrust account management program, our resident SSL
certificate expert and Certificate Authority Board Member, Bruce Morton, shares news regularly
through the Entrust IdentityON Blog.
In September Google announced that Chrome will start to mark HTTP sites that transmit
passwords or credit cards as “non-secure”. Google indicated it will become increasingly stringent
as part of a long-term plan to mark all HTTP sites as non-secure to end users.
Since the end of 2014 there has been a push for HTTPS everywhere. In June 2015, the White House
issued an HTTPS-only standard directive, requiring that all publicly accessible Federal websites and web
services only provide service through a secure HTTPS connection. Does your organization have a plan to
increase use of SSL/TLS certificates to keep up with these security advances? Will you proactively
manage your SSL/TLS server settings? While this push for HTTPS continues, we still see a great many
failing scores when scanning servers for certificate implementation and best practices.
Are all SSL/TLS certificates created equal? EV? OV? Oh My….
SSL certificates are grouped by type of verification or authentication of identity.
Extended Validation (EV) Certificates offer the most complete validation. The validation process
determines the place of business, the registration number and the place of registration. Authorization
includes validation of the certificate approver and the contract signer. The goal of EV is to mitigate
phishing and man-in-the-middle (MitM) attacks. The validation process mitigates the chances of an
attacker getting an EV certificate to represent your site. Note that all EV certificates are logged for
certificate transparency (CT) discussed below.
Extended Validation certificates increase consumer trust and provide the padlock and Green Bar
Assurance.
https://www.entrust.com/green-address-bar/
Organization Validation (OV) certificates provide a verification of the identity of the organization or
individual purchasing the SSL/TLS certificate. Certification Authorities such as Entrust that issue these
certificates check with third parties to establish the official name and location.
If your organization has deployed Wildcard certificates or is considering deploying them, you need to
consider and weigh the convenience and risk.
Sharing private keys and increasing the private key value
o When sharing private keys on multiple servers/appliances you increase the risk of also
sharing vulnerabilities. A prime example is Heartbleed: if a company hosted one public
facing web site on a server that was vulnerable to the Heartbleed bug alongside other
platforms (e.g. MS IIS, Exchange, Cisco) that used the same private key, then an attacker
who breached the affected Heartbleed server could listen in on the traffic of all the other
servers that shared that private key.
o Private key value: when you deploy a certificate to a web server, the private key has the
responsibility of securing all the traffic for that web server. The question is, how much is
that traffic worth to the company if it were breached? Now add on the traffic of every other
server the same private key is used on; this gives you a dollar figure for how much a breach
would impact your company. The higher the private key value, the more risk to the company.
Which type of SSL/TLS certificate do I need? Compare different types of certificates.
Has your organization applied the correct certificates and have those certificates been selected to
optimize consumer trust?
Certificate Transparency
Certificate Transparency (CT) provides an open framework for monitoring and auditing SSL/TLS
certificates in nearly real time. Certificate Transparency makes it possible to detect SSL/TLS certificates
that may have been mistakenly issued by a Certificate Authority or maliciously attained. Illegitimate
certificates have been issued in the past and used to masquerade as legitimate, secure websites that
appear to be authentic fooling end users.
The CT logs allow for all domain owners and the public to monitor that certificates issued for a specific
domain name are legitimate. All EV certificates issued without CT will be downgraded by Google and
will not produce the Green Bar Assurance.
Have you migrated from SHA-1?
SHA-1 (Secure Hash Algorithm) has been in use since the late 1990s. SHA-1 certificates have been found to
have vulnerabilities and are no longer considered secure for ongoing use. Major browsers have
announced that they will no longer accept SHA-1 SSL/TLS certificates by January 1st, 2017. Do you have
SHA-1 certificates still in use? SHA-2 is the new industry standard and organizations require a plan for
replacement. Use a tool like the Entrust Discovery Agent together with our Discovery Manager to find any
SHA-1 certificates you may still have lurking.
This migration will require coordination of people, process and technology across the organization.
Check out the Entrust migration guide.
SSL/TLS use is increasing.
Putting a certificate on it and forgetting it isn’t the answer
Applying the certificate is the first step. Configuration and adherence to web security guidelines are a
key part of web security. Two scanning sites that can help check your configuration are the SSL Server
Test by Qualys and “Observatory” by Mozilla. The SSL Server Test has been incorporated into the
Entrust Certificate Services so that every time our customers log in, they can view their certificate
ratings.
SSL Server Test by Qualys - https://entrust.ssllabs.com/
The SSL Server Test by Qualys is built into the Entrust Certificate Service so that all
certificates and websites can be monitored for their ratings.
Observatory by Mozilla - https://observatory.mozilla.org/
Many organizations we speak with are unaware of how many Certificate Authorities they have used
over the years and are not sure of the number of certificates deployed or their locations. Entrust can
also assist with this. The Entrust Discovery Agent can help you understand how many Certificate
Authorities you really have, as well as what certificates you have deployed and where – even your
non-Entrust certificates.
Get Started
Have nothing to start with? Below is a quick checklist to get you started – have I forgotten anything?
Any checklists that you’d like to share?
Entrust can help your organization get started in your SSL/TLS security audit by helping you create your
SSL/TLS Asset list, creating an SSL/TLS threats list and identifying areas for intrusion prevention.
Create Your Own Security Audit - http://www.itsecurity.com/features/it-security-audit-010407/
Mozilla Rapid Risk Assessment -
https://wiki.mozilla.org/Security/Risk_management/Rapid_Risk_Assessment#Rapid_Risk_Assessment
Mozilla Risk Table -
https://wiki.mozilla.org/Security/Risk_management/Rapid_Risk_Assessment#Risk_table_.285-10_minutes.29
SSL/TLS Security Audit Quick Start Checklist (mark each item Yes / No / In Progress)
- Is there more than one person responsible for and aware of SSL/TLS in my organization?
- Does my organization have web server security policies?
- Does my organization run employee security awareness programs?
- Do we currently have an inventory of all web servers?
- How many Certificate Authorities does my organization have deployed?
- Do you track your SSL/TLS certificates centrally?
- Does a current certificate inventory exist including type of certificate issued and where?
- Have we scanned for SHA-1 certificates?
- Have we covered all transmissions of passwords and credit card data with a certificate?
- Have we considered EV certificate deployment?
- Does my organization have a policy for reviewing and creating a trusted list of SSL/TLS protocols and ciphers?
- Are our employees familiar with the Server Compliance Timeline? https://www.entrust.com/ssl-timeline/
- Have we run the SSL server test independently or through the Entrust Certificate Service Cloud?
- Has anyone scanned the Certificate Transparency logs on all our domains?
- Do we run regularly scheduled reports that provide the following:
  1. Expiring certificates?
  2. Newly issued certificates?
  3. Web site ratings?
  4. Non-compliant certificates (SHA-1, unauthorized CA)?
- Are there any compliance or regulatory bodies your organization is required to adhere/report to?
- Is there a step by step plan in the event of a breach?

Action Plan: for each item, mark To Complete / To Schedule / TBD, with a target of 30 days, 60 days, 90 days, 12 months or 18 months.
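As an added example (not the whitepaper's own tooling, and not the Entrust Discovery Agent's export format), the script below produces the scheduled reports the checklist asks for from a certificate inventory: the Certificate Authorities in use, SHA-1 certificates, certificates expiring within 90 days, certificates from unauthorized CAs, the aggregated "private key value" of keys shared across servers as described in the wildcard section, and CT log entries for our domains that do not match anything in the inventory. The hostnames, dollar values, key fingerprints (k1, k2, ...) and CT entries are constructed placeholders, and the CSV column layout is an assumption.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample inventory export (placeholder hosts, values and key fingerprints).
# Columns (assumed layout): host, traffic_value_usd (what a breach of that server's
# traffic is worth), issuer, sig_alg, key_fingerprint (hash of the public key), not_after.
INVENTORY_CSV = """host,traffic_value_usd,issuer,sig_alg,key_fingerprint,not_after
www.example.test,500000,Entrust,sha256WithRSAEncryption,k1,2017-06-01
shop.example.test,2000000,Entrust,sha256WithRSAEncryption,k2,2017-01-15
mail.example.test,300000,Entrust,sha256WithRSAEncryption,k2,2017-01-15
legacy.example.test,50000,Entrust,sha1WithRSAEncryption,k3,2017-09-30
dev.example.test,10000,SomeOtherCA,sha256WithRSAEncryption,k4,2018-03-01
"""

# Constructed CT log entries for our domains, as a CT monitor would return them.
CT_ENTRIES = [
    {"name": "www.example.test", "issuer": "Entrust", "key_fingerprint": "k1"},
    {"name": "shop.example.test", "issuer": "Entrust", "key_fingerprint": "k2"},
    {"name": "login.example.test", "issuer": "UnknownCA", "key_fingerprint": "k9"},
]

AUTHORIZED_CAS = {"Entrust"}
# Fixed "today" so the expiry report is reproducible.
NOW = datetime(2016, 12, 1, tzinfo=timezone.utc)


def load_inventory(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["traffic_value_usd"] = int(r["traffic_value_usd"])
        r["not_after"] = datetime.strptime(r["not_after"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        rows.append(r)
    return rows


def certificate_authorities(inv):
    """How many (and which) CAs are really deployed."""
    return sorted({r["issuer"] for r in inv})


def sha1_certs(inv):
    return sorted(r["host"] for r in inv if r["sig_alg"].lower().startswith("sha1"))


def expiring(inv, days, now=NOW):
    cutoff = now + timedelta(days=days)
    return sorted(r["host"] for r in inv if r["not_after"] <= cutoff)


def unauthorized_ca(inv, authorized=AUTHORIZED_CAS):
    return sorted(r["host"] for r in inv if r["issuer"] not in authorized)


def shared_key_value(inv):
    """Per private key used on more than one server: the hosts sharing it and the
    summed traffic value, i.e. what a compromise of that one key exposes."""
    by_key = defaultdict(lambda: {"hosts": [], "value": 0})
    for r in inv:
        entry = by_key[r["key_fingerprint"]]
        entry["hosts"].append(r["host"])
        entry["value"] += r["traffic_value_usd"]
    return {k: v for k, v in by_key.items() if len(v["hosts"]) > 1}


def ct_unexpected(inv, ct_entries):
    """CT log entries naming our domains that match no known (host, issuer, key) in the inventory."""
    known = {(r["host"], r["issuer"], r["key_fingerprint"]) for r in inv}
    return [e for e in ct_entries if (e["name"], e["issuer"], e["key_fingerprint"]) not in known]


def audit(text=INVENTORY_CSV, ct_entries=CT_ENTRIES):
    inv = load_inventory(text)
    return {
        "certificate_authorities": certificate_authorities(inv),
        "sha1": sha1_certs(inv),
        "expiring_90d": expiring(inv, 90),
        "unauthorized_ca": unauthorized_ca(inv),
        "shared_keys": shared_key_value(inv),
        "ct_unexpected": ct_unexpected(inv, ct_entries),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2, default=str))
```

Point the loader at a real inventory export and a CT monitor's results for your domains to turn this into the recurring report the checklist describes.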