Monitoring SSL Vulnerabilities in Your Network

Nick Gagalis | February 5, 2015 | tag: Security Risk Management

Microsoft has announced that it is removing SSLv3 support in both Internet Explorer (according to VentureBeat) and Azure Storage (according to Redmond Mag) on Tuesday, February 10. The company is not the first to stop supporting the technology, but this announcement should be one of the final straws for companies still supporting it.

Mozilla stopped supporting SSLv3 in November 2014. Oracle updated 19 Java vulnerabilities, while also disabling SSLv3 entirely on Tuesday, January 20. On the same date, Google Chrome removed SSLv3 support.

The Reason: SSL Vulnerabilities

One of the biggest reasons for the move away from SSLv2 and v3 are their vulnerabilities. SSLv2 is a deprecated protocol and has a wide range of known vulnerabilities. SSLv3 is vulnerable to the POODLE attack, discovered in October of 2014.

Are You Following These Recommendations Within Your Network?

In the fall, we wrote about how you can monitor your third parties' vulnerability to POODLE. This will eventually factor into a company's BitSight Security Rating as well. (We will announce when that feature is live.) 

BitSight is adding two new SSL annotations:

  • Allows insecure protocol: SSLv2

  • Allows insecure protocol: SSLv3.

Why are these Annotations Being Incorporated into the BitSight Algorithm?

Currently, in order to check if a company is vulnerable to the POODLE attack, a customer has to run the POODLE test separately. This test is limited in that it only checks the company’s primary domain. Incorporating this test into the TLS/SSL diligence risk vector means that customers don't have to run the POODLE test separately for entities, that all domains controlled by a company are tested for the vulnerability, and that being vulnerable to POODLE is actually reflected in the company’s rating.

How Will this Affect Security Ratings?

The ratings for companies that still support SSLv2 or SSLv3 may get lower because of the update.

This is a view of the SSL Diligence Data in the BitSight Platform.

How to Monitor the TLS/SSL Certificates in Your Network

Within the BitSight platform, customers can hover over the TLS/SSL graph on the Diligence page to see the percentage of a company’s TLS/SSL certificates with each grade (Good, Fair, Neutral, Warn, and Bad). In the chart beneath it, the reason for each certificate's grade is given, so it is easier for IT teams to fix problems with their certificates and improve their network security. (It also could cause a bump in the company's Security Rating.)

 

Suggested Posts

The BitSight and Moody's Partnership: A New Era For Cybersecurity

Cybersecurity is one of the biggest threats to global commerce in the 21st century.

By providing data-driven insights into cybersecurity, we can empower the marketplace to make better, risk-informed decisions and create a more secure...

READ MORE »

4 Critical Success Factors for Effective Security Risk Management

With the average cost of a data breach in the U.S. reaching nearly $8.6 million, your organization can’t afford to ignore cybersecurity risk. Indeed, the need for security risk management is greater than ever. When cyber risk is managed...

READ MORE »

IoT Cybersecurity: How Your Organization Can Tame the Wild West

From sensors on the factory floor to those that guide autonomous vehicles, the Internet of Things (IoT) is transforming how we live and work. Over the coming years, IoT will continue to change our world, with the number of connected...

READ MORE »

Get the Weekly Cybersecurity Newsletter.