
Monitoring SSL Vulnerabilities in Your Network

Nick Gagalis | February 5, 2015

Microsoft has announced that it is removing SSLv3 support in both Internet Explorer (according to VentureBeat) and Azure Storage (according to Redmond Mag) on Tuesday, February 10. The company is not the first to stop supporting the technology, but this announcement should be one of the final straws for companies still supporting it.

Mozilla stopped supporting SSLv3 in November 2014. Oracle patched 19 Java vulnerabilities and disabled SSLv3 entirely on Tuesday, January 20. On the same date, Google Chrome removed SSLv3 support.

The Reason: SSL Vulnerabilities

One of the biggest reasons for the move away from SSLv2 and v3 is their vulnerabilities. SSLv2 is a deprecated protocol with a wide range of known weaknesses. SSLv3 is vulnerable to the POODLE attack, discovered in October 2014, a padding-oracle attack against the protocol's CBC cipher suites; because the flaw is in the protocol itself rather than in any one implementation, disabling SSLv3 is the fix.

Are You Following These Recommendations Within Your Network?

In the fall, we wrote about how you can monitor your third parties' vulnerability to POODLE. This will eventually factor into a company's BitSight Security Rating as well. (We will announce when that feature is live.) 

BitSight is adding two new SSL annotations:

  • Allows insecure protocol: SSLv2

  • Allows insecure protocol: SSLv3

Why are these Annotations Being Incorporated into the BitSight Algorithm?

Currently, in order to check whether a company is vulnerable to the POODLE attack, a customer has to run the POODLE test separately. That test is limited in that it only checks the company’s primary domain. Incorporating this test into the TLS/SSL diligence risk vector means that customers no longer have to run the POODLE test separately for each entity, that all domains controlled by a company are tested for the vulnerability, and that being vulnerable to POODLE is actually reflected in the company’s rating.
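The check behind an "Allows insecure protocol: SSLv3" annotation is a protocol-support probe: offer the server a handshake pinned to SSLv3 and see whether it answers with a ServerHello or refuses. The following Python script is an added example of that probe, written here for teams inventorying their own hosts; it is not BitSight's code and does not describe how their platform implements the test. The record layouts are the SSLv3/TLS ones from the RFCs; the sample server replies and the client random are constructed constants so the classification logic runs offline, and only the `probe` helper needs network access.

```python
"""Probe whether a server still accepts an SSLv3 handshake.

Sends a ClientHello whose record and handshake versions are 3.0 and classifies
the reply: a ServerHello at 3.0 means the server accepts SSLv3, an Alert or a
closed socket means it does not.
"""
import socket
import struct
import sys

SSLV3 = (3, 0)
TLS10 = (3, 1)

RECORD_ALERT = 0x15
RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02


def build_client_hello(version=SSLV3):
    """Build a minimal ClientHello record pinned to `version` (default SSLv3).

    Offers three RSA cipher suites any SSLv3-capable server is likely to know.
    The client random is a constructed constant: the handshake is never
    completed, so it does not need to be unpredictable.
    """
    major, minor = version
    cipher_suites = bytes.fromhex("002f" "000a" "0005")  # AES128-SHA, 3DES-SHA, RC4-SHA
    body = (
        bytes([major, minor])                         # client_version
        + b"\x11" * 32                                # client random (constructed placeholder)
        + b"\x00"                                     # session_id length: 0
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                 # one compression method: null
    )
    # Handshake header: type (1 byte) + 24-bit length.
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    # Record header: content type, version, 16-bit length.
    return bytes([RECORD_HANDSHAKE, major, minor]) + struct.pack("!H", len(handshake)) + handshake


def interpret_response(data, offered=SSLV3):
    """Classify the first record a server sent back to our ClientHello.

    'accepted': ServerHello at the offered version (the server allows it).
    'rejected': Alert record, or the server sent nothing / closed the socket.
    'other':    anything unexpected, e.g. a ServerHello at a different version.
    """
    if len(data) < 5:
        return "rejected"
    content_type = data[0]
    if content_type == RECORD_ALERT:
        return "rejected"
    if content_type == RECORD_HANDSHAKE and len(data) >= 11 and data[5] == HANDSHAKE_SERVER_HELLO:
        negotiated = (data[9], data[10])              # server_version field of the ServerHello
        return "accepted" if negotiated == offered else "other"
    return "other"


def probe(host, port=443, version=SSLV3, timeout=5.0):
    """Send one ClientHello over TCP and classify the reply. Requires network access."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return interpret_response(data, version)


# Constructed sample replies (not captures from any real host).
# ServerHello, version 3.0, 32-byte random, empty session id, suite 0x002f, null compression.
SAMPLE_SSLV3_SERVER_HELLO = bytes.fromhex("160300002a" "02000026" "0300") + b"\x22" * 32 + bytes.fromhex("00" "002f" "00")
# Alert record: level fatal (2), description handshake_failure (40).
SAMPLE_ALERT = bytes.fromhex("1503000002" "0228")


if __name__ == "__main__":
    print("sample ServerHello ->", interpret_response(SAMPLE_SSLV3_SERVER_HELLO))
    print("sample Alert       ->", interpret_response(SAMPLE_ALERT))
    if len(sys.argv) > 1:                             # optional live probe of one of your own hosts
        print(sys.argv[1], "SSLv3:", probe(sys.argv[1]))
```

A server that returns "accepted" for `SSLV3` is exactly the condition the new annotation flags; re-running the probe with `TLS10` confirms the host still serves modern clients after SSLv3 is disabled. Because the probe stops after the first reply, it never completes a handshake and leaves no session state on the server.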

How Will this Affect Security Ratings?

The ratings for companies that still support SSLv2 or SSLv3 may drop as a result of the update.

This is a view of the SSL Diligence Data in the BitSight Platform.

How to Monitor the TLS/SSL Certificates in Your Network

Within the BitSight platform, customers can hover over the TLS/SSL graph on the Diligence page to see the percentage of a company’s TLS/SSL certificates with each grade (Good, Fair, Neutral, Warn, and Bad). The chart beneath it gives the reason for each certificate's grade, so IT teams can more easily fix problems with their certificates and improve their network security. (Doing so could also lift the company's Security Rating.)
