How are the Bad Guys using SSL/TLS?
The Bad Guys exploit weaknesses in SSL/TLS by delivering malware as a payload across the encrypted link. This includes Trojans such as ZBot, which is often used to steal banking information through browser keystroke logging and form grabbing. Ransomware payloads can also be delivered this way. Phishing campaigns use SSL/TLS when the perpetrators host malicious pages on sites with legitimate certificates. Users think they are on a valid site because they see the word “secure” or the padlock icon in the browser. However, those indicators only mean that the certificate itself is valid and the connection is encrypted; the page itself, or even the whole site, may still be compromised.
Implications for merchants and PCI DSS Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) states that entities using SSL or early versions of TLS (v1.0) need to be aware of the vulnerabilities that have been identified in these protocols. Specifically, PCI DSS requires that all new implementations where entities store, process or transmit payment card information must use TLS 1.1 or greater. In addition, all payment card processing and third-party entities must cut over to a secure version of TLS (as defined by NIST) effective June 2018.
So what can you do about it?
SSL/TLS encryption is crucial to protecting data in transit during web transactions, email communications and the use of mobile apps. So organizations need to think carefully about their SSL/TLS implementations.
The PCI DSS provides the following guidance, which is a good starting point for all organizations with SSL or early TLS implementations:
- Migrate to a minimum of TLS 1.1, preferably TLS 1.2
- Patch TLS software against implementation vulnerabilities
- Configure TLS securely. For example, ensure you’re supporting secure TLS cipher suites and key sizes, and disable support for other cipher suites that are not necessary for interoperability
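As an added example (not from the original post), the script below turns the three guidance points into a check that can be run against a Python `ssl.SSLContext` or against a constructed cipher list: it flags a minimum protocol version below TLS 1.2, cipher suites built on obsolete algorithms, and key sizes below 128 bits. The thresholds and the obsolete-algorithm name markers are this example's own assumptions, and `LEGACY_SAMPLE` is constructed, not captured from a real server.

```python
import ssl

# Assumption: the thresholds (TLS 1.2 minimum, 128-bit symmetric strength) and
# the obsolete-algorithm name markers below are this example's own choices.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")
MIN_STRENGTH_BITS = 128

def audit_cipher_list(min_version, ciphers):
    """Return a list of issues (empty means compliant). `ciphers` has the
    dict shape returned by SSLContext.get_ciphers()."""
    issues = []
    if min_version < ssl.TLSVersion.TLSv1_2:
        issues.append(f"minimum protocol {min_version.name} is below TLS 1.2")
    for c in ciphers:
        name = c["name"].upper()
        if any(marker in name for marker in WEAK_MARKERS):
            issues.append(f"obsolete cipher suite enabled: {c['name']}")
        elif c.get("strength_bits", 0) < MIN_STRENGTH_BITS:
            issues.append(f"key size below {MIN_STRENGTH_BITS} bits: {c['name']}")
    return issues

def audit_context(ctx):
    """Run the same check against a live ssl.SSLContext."""
    return audit_cipher_list(ctx.minimum_version, ctx.get_ciphers())

def hardened_context():
    """Client context following the guidance: TLS 1.2+, forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression enables CRIME-style leaks
    return ctx

# Constructed sample of what a legacy server still allowing TLS 1.0 might offer.
LEGACY_SAMPLE = [
    {"name": "RC4-SHA", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
]

def audit_legacy_sample():
    return audit_cipher_list(ssl.TLSVersion.TLSv1, LEGACY_SAMPLE)

if __name__ == "__main__":
    for label, issues in (("legacy", audit_legacy_sample()),
                          ("hardened", audit_context(hardened_context()))):
        print(label + ":", "compliant" if not issues else "; ".join(issues))
```

The hardened context passes with no issues; the legacy sample is flagged for its TLS 1.0 minimum and for the RC4 and 3DES suites, while the ECDHE AES-GCM suite is accepted.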
Organizations can deploy SSL decryption and inspection technology to manage threats and sensitive data on their networks. SSL inspection includes the ability to decrypt SSL traffic and forward it to other tools for analysis, so that attacks hiding under the cover of encryption can be found and stopped in a timely way. When these tools are chosen and deployed properly, organizations can find the threats hiding within encrypted data without degrading business-critical communications.
These services can be provided by cloud-based platforms or by appliances that are deployed inline, such as those offered by Microsoft, Arbor Networks and Check Point. As more attacks rely on SSL/TLS to avoid scrutiny by traditional network monitoring tools, enterprises need to take steps to make sure all data is protected and that bad traffic isn’t sneaking past their defenses.
About Welford Management & Consulting
Welford is a multi-faceted technology consultancy providing advice, support and solutions for companies in a wide range of industries. We develop and execute strategies for our clients in three practice areas: Security & Compliance, Business Strategy & Support, and Sales & Marketing Automation. Our expertise comes from a team of individuals who each focus on one of our practice disciplines, so that we can bring the necessary skills and experience to the business challenge or opportunity you’re currently facing.