According to a recent CSO report, online attackers are stepping up their SSL/TLS (Secure Sockets Layer/Transport Layer Security) game to hide malicious activities. The report confirms that there has been significant recent growth in the use of SSL/TLS, which creates encrypted links between browsers and web servers. This growth includes both legitimate and malicious activity, as criminals rely on valid SSL certificates to distribute their nefarious content. These certificates link cryptographic keys, used to encrypt data, to an organization’s details. The report’s researchers saw an average of 300 hits per day for web exploits that included SSL as part of the infection chain.

How are the Bad Guys using SSL/TLS?

The Bad Guys exploit SSL/TLS for malicious activity by delivering malware as a payload across the encrypted link. This includes Trojans such as ZBot, which is often used to steal banking information through browser keystroke logging and form grabbing. Ransomware payloads can also be delivered this way. Phishing exploits use SSL/TLS when the perpetrators host malicious pages on sites with legitimate certificates. Users think they are on a valid site, since they see the word “secure” or the padlock icon in the browser. However, those indicators only mean that the certificate itself is valid and the connection is encrypted; the page itself, or even the whole site, may still be compromised.

Implications for merchants and PCI DSS Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) states that entities using SSL or early versions of TLS (v1.0) need to be aware of the vulnerabilities that have been identified in these protocols. Specifically, PCI DSS requires that all new implementations where entities store, process or transmit payment card information be enabled with TLS 1.1 or greater. All payment card processing and third-party entities must also cut over to a secure version of TLS (as defined by NIST) effective June 2018.

So what can you do about it?

SSL/TLS encryption is crucial to protecting data in transit in web transactions, email communications and mobile apps, so organizations need to think carefully about their SSL/TLS implementations.

The PCI DSS provides the following guidance, which is a good starting point for all organizations with SSL or early TLS implementations:

  • Migrate to a minimum of TLS 1.1, preferably TLS 1.2
  • Patch TLS software against implementation vulnerabilities
  • Configure TLS securely. For example, ensure you’re supporting secure TLS cipher suites and key sizes, and disable support for other cipher suites that are not necessary for interoperability
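The three bullets above, and the PCI DSS cut-over requirement discussed earlier, translate directly into a handful of settings on a TLS endpoint. The following is an added example, not code from the original post or from the PCI Security Standards Council: it uses Python’s standard `ssl` module to build a server context that meets the guidance (TLS 1.2 minimum, forward-secret AEAD cipher suites only, TLS compression off), and a small audit that reports any setting falling short of it. The audit works on a live `SSLContext` but also on a plain (protocol version, cipher list) pair, so the same check can be run against settings exported from a load balancer or appliance, which goes slightly beyond the bullets. The `WEAK_TOKENS` list, the `TLS_1_x` constants and the function names are this example’s own choices, not terms defined by the standard.

```python
import ssl

# OpenSSL cipher-suite list for TLS 1.2: ECDHE key exchange only (forward
# secrecy) and AEAD bulk ciphers only. TLS 1.3 suites are governed separately
# by OpenSSL and are all AEAD with forward secrecy, so they stay at defaults.
HARDENED_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)

# Substrings in OpenSSL suite names that mark a suite as unacceptable for a
# payment environment (broken or deprecated primitives, or no authentication).
# This list is an assumption of the example, not a list from PCI DSS.
WEAK_TOKENS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON", "ADH", "AECDH")

# Protocol version numbers as used on the wire; they equal ssl.TLSVersion values.
TLS_1_0, TLS_1_1, TLS_1_2 = 0x0301, 0x0302, 0x0303


def hardened_server_context() -> ssl.SSLContext:
    """Build a server-side context that meets the guidance in the bullets."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(HARDENED_CIPHERS)                # drops every suite not listed above
    ctx.options |= ssl.OP_NO_COMPRESSION             # TLS compression enables CRIME-style attacks
    return ctx


def audit_tls_settings(minimum_version, cipher_names):
    """Return a list of findings for a (minimum protocol, offered suites) pair.

    Accepts an ssl.TLSVersion or a plain integer, so it can be pointed at a
    configuration exported from another device as well as at a live context.
    """
    findings = []
    if int(minimum_version) < TLS_1_2:
        findings.append(
            f"minimum protocol {ssl.TLSVersion(minimum_version).name} is below TLS 1.2"
        )
    for name in cipher_names:
        if any(token in name for token in WEAK_TOKENS):
            findings.append(f"weak or unauthenticated cipher suite offered: {name}")
        elif not name.startswith(("ECDHE-", "DHE-", "TLS_")):
            # Static RSA key exchange: a leaked server key decrypts recorded traffic.
            findings.append(f"cipher suite without forward secrecy: {name}")
    return findings


def audit_context(ctx: ssl.SSLContext):
    """Audit a live SSLContext using the suites OpenSSL will actually offer."""
    return audit_tls_settings(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])


if __name__ == "__main__":
    print("hardened context:", audit_context(hardened_server_context()) or "no findings")
    # Constructed legacy configuration of the kind PCI DSS asked merchants to retire.
    legacy = audit_tls_settings(TLS_1_0, ["RC4-SHA", "DES-CBC3-SHA", "AES128-SHA"])
    print("legacy configuration:", *legacy, sep="\n  ")
```

The audit deliberately reads the suites back from OpenSSL with `get_ciphers()` rather than trusting the string that was configured, because the library silently discards suite names it does not recognise; what the server will actually negotiate is the only thing worth reporting on.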

SSL decryption and inspection technology can be deployed by organizations to manage threats and sensitive data on their networks. SSL inspection includes the ability to decrypt and forward SSL traffic to other tools for analysis, so that attacks hiding under the cover of encryption can be found and stopped in a timely way. When these tools are chosen and deployed properly, organizations can find the threats hiding within encrypted data without degrading business-critical communications.

These services can be provided by cloud-based platforms or by appliances that are deployed inline, such as those offered by Microsoft, Arbor Networks and Check Point. As more attacks rely on SSL/TLS to avoid scrutiny by traditional network monitoring tools, enterprises need to take steps to make sure all data is protected and that bad traffic isn’t sneaking past their defenses.

About Welford Management & Consulting

Welford is a multi-faceted technology consultancy providing advice, support and solutions for companies in a wide range of industries. We develop and execute strategies for our clients in three practice areas: Security & Compliance, Business Strategy & Support, and Sales & Marketing Automation. Our expertise comes from a team of individuals who each focus on one of our practice disciplines, so that we can bring the necessary skills and experience to the business challenge or opportunity that you’re currently facing.

In the Security & Compliance practice we help assess your current level of risk related to the sensitive customer information that you may hold within your organization. This may be payment card information, personal health information or data on European citizens that falls under the requirements of the General Data Protection Regulation (GDPR), which becomes law on May 25th, 2018. We develop and execute strategies to address your data security requirements and support the implementation of the technologies and processes that help reduce the likelihood of your suffering a damaging and expensive data breach.

Set up your FREE PCI Compliance assessment with Welford