
SSL/TLS Discovery

by Cody Dumont
February 17, 2015

SSL/TLS Discovery Screenshot

Keeping up with compliance standards can be a difficult task, even more so when minor changes impact many devices in the network.  The PCI Council released a special bulletin that says all versions of SSL/TLS are no longer acceptable; this was preceded by NIST making the same requirement.  This dashboard provides a detailed view of SSL/TLS currently in use on the network. 

The Payment Card Industry Security Standards Council (PCI SSC) released a special bulletin on February 13, 2015 announcing impending revisions to the Payment Card Industry Data Security Standard (PCI DSS) as well as the Payment Application Data Security Standard (PA-DSS). The stated purpose of this bulletin is to inform the payment card industry that the PCI SSC has determined that the Secure Sockets Layer (SSL) protocol is no longer an acceptable solution for the protection of data based on the PCI SSC’s definition of “strong cryptography.”

This dashboard helps identify several of the requirements that will be changed such as:

  • 2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
  • 2.3 Encrypt all non-console administrative access using strong cryptography.
  • 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
  • 4.1.g For SSL/TLS implementations, examine system configurations to verify that SSL/TLS is enabled whenever cardholder data is transmitted or received.

The components in this dashboard provide a detailed view of SSL usage in the network. Several components analyze data collected actively, passively, and through event correlation. By separating out the different methods of detecting SSL traffic, analysts are better able to identify systems that are not in compliance and to focus remediation efforts.

The dashboard and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessments.

The dashboard requirements are:

  • Tenable.sc 4.8.2
  • Nessus 8.5.1
  • LCE 6.0.0
  • NNM 5.9.1

According to Tenable's Jeffrey Man, the reference to SSL will most certainly be dropped in the PCI DSS, where it is explicitly noted as an example of a common security protocol. Organizations will likely have to demonstrate or prove that SSLv2 or SSLv3 is not used in any of the services, protocols, or daemons in the cardholder data environment. Removing SSL will also impact the use of web-based interfaces for administrative access to servers, databases, or network devices. As remediation plans are developed, the primary focus will be the fact that all transmissions of cardholder data, such as web server traffic or secure file transfers, will no longer be able to use SSLv2 or SSLv3. In addition, any internal solutions, such as secure communications from Point of Sale (POS) systems to payment switches, will also no longer be allowed to use SSLv2 or SSLv3.

Tenable.sc Continuous View (CV) provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. Tenable has the largest installed base and best know-how, and quickly identifies security and compliance issues. Tenable.sc CV enables analysts to react to advanced threats, zero-day vulnerabilities, and new forms of regulatory compliance. With more supported technologies than any other vendor, including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure, Tenable.sc CV users are more prepared for the dynamic, changing environment.

Components

SSL/TLS Discovery - SSL/TLS Vulnerabilities By Type: This component provides an overview of systems and vulnerabilities related to SSL. By separating the view based on detection method and SSL version, analysts can ensure that all SSL-related PCI compliance issues are identified and can be mitigated. By also identifying systems running TLS, the analyst is able to see which systems are in compliance.

Vulnerabilities by Common Ports - Severity Levels by Common Port: This component effectively uses color and empty space to convey information about vulnerabilities and risk severity. Each column is a severity level of low, medium, high, or critical. Each row is a common popular port chosen at random.  Using this matrix as a template, a security administrator can modify the matrix to use assets, IP addresses, plugin families, repositories, and more.  The icon colors can communicate risk: green for low severity, yellow for medium, and red for high severity.  For the critical severities, the red icon with white 'X' is used.  When no match is found, the default setting is an empty display text field.

SSL/TLS Discovery - Asset Summary: Using the Asset Summary tool, this bar chart provides a view of the top 10 most affected assets with SSL vulnerabilities.  A separate bar for each severity starting with Low – Critical is displayed.  The count is sorted using the vulnerability weight score.  This data is used to help identify the assets requiring immediate attention.

Where is the POODLE - Vulnerabilities By Type: This component displays information about systems on the network with vulnerabilities related to POODLE. The first row contains detected general SSLv3 vulnerabilities, the second row contains detected POODLE-specific vulnerabilities, and the third row calculates the percentage of the general SSLv3 vulnerabilities that are POODLE vulnerabilities. The first column shows the count of systems and the next four columns show the vulnerabilities detected actively and passively, as well as events.

SSL/TLS Discovery - SSL/TLS Subnets: Using the Class C Summary tool, this table provides a view of the top 10 most affected subnets with SSL vulnerabilities.  A separate column for each severity starting with Low – Critical is displayed.  The count is sorted using the vulnerability weight score. This data is used to help identify the subnets requiring immediate attention.

Where is the POODLE - SSL Plugins: All the plugins that refer to SSL or certificates have been grouped into these indicators.

Where is the POODLE - SSLv3 Events: This component searches all events for those whose raw text refers to SSLv3. The table uses the Normalized Event summary tool to provide a 24-hour trend for each identified event. Events that relate to SSLv3 could mean either that local servers are running SSLv3 or that clients are connecting via SSLv3, neither of which is desirable. The table is sorted by the number of events collected.
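The three detection methods the dashboard separates (active scan findings, passively observed handshakes, and log events matched on raw text), together with the SSLv3-to-POODLE percentage row of the "Where is the POODLE" matrix, are easy to reproduce on a small scale. The following Python script is an added example written for this page; it is not Tenable's code and does not use Tenable.sc queries or plugin IDs. All inputs are constructed: `SAMPLE_ACTIVE` stands in for scanner findings, `SAMPLE_RECORDS` for TLS records a passive sensor captured (only the ServerHello carries the negotiated version, so ClientHello records are ignored), and `SAMPLE_EVENTS` for syslog lines. The function and variable names are the example's own.

```python
import re
from collections import Counter

# ServerHello server_version bytes (major, minor) to protocol names.
# SSLv2 uses a different record format and is not parsed here; TLS 1.3
# reports 0x0303 in this legacy field and needs the supported_versions
# extension to be recognised, so it is outside this example's scope.
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# Raw-text match used for the event column: "SSLv3", "SSL3", "SSL3.0", "SSL 3.0".
SSLV3_EVENT_RE = re.compile(r"\bSSLv?3(?:\.0)?\b|\bSSL 3\.0\b", re.IGNORECASE)


def negotiated_version(record: bytes):
    """Return the negotiated protocol name from a TLS record that carries a
    ServerHello, or None if the record is not a ServerHello.

    Layout: record header = content type (1) + version (2) + length (2);
    handshake header = type (1) + length (3); then server_version (2).
    The record-layer version is often a compatibility value, so only the
    ServerHello's own version field is trusted.
    """
    if len(record) < 11 or record[0] != 0x16:  # 0x16 = handshake content type
        return None
    if record[5] != 0x02:                      # 0x02 = ServerHello
        return None
    return VERSION_NAMES.get((record[9], record[10]), "unknown")


def sslv3_events(lines):
    """Keep only log lines whose raw text refers to SSLv3."""
    return [line for line in lines if SSLV3_EVENT_RE.search(line)]


def build_matrix(active, passive, events):
    """Count (version, detection method) pairs like the dashboard's matrix."""
    counts = Counter()
    for finding in active:
        counts[(finding["version"], "active")] += 1
    for record in passive.values():
        version = negotiated_version(record)
        if version:
            counts[(version, "passive")] += 1
    for _ in sslv3_events(events):
        counts[("SSLv3", "event")] += 1
    return counts


def poodle_ratio(active):
    """Percentage of SSLv3 findings that are POODLE-specific (third matrix row)."""
    sslv3 = sum(1 for f in active if f["version"] == "SSLv3")
    poodle = sum(1 for f in active if "POODLE" in f["name"].upper())
    return round(100.0 * poodle / sslv3, 1) if sslv3 else 0.0


# Constructed scanner findings (not real plugin output).
SAMPLE_ACTIVE = [
    {"host": "10.0.0.11", "name": "SSLv3 protocol enabled", "version": "SSLv3"},
    {"host": "10.0.0.11", "name": "POODLE (SSLv3 CBC padding oracle)", "version": "SSLv3"},
    {"host": "10.0.0.12", "name": "SSLv3 protocol enabled", "version": "SSLv3"},
    {"host": "10.0.0.20", "name": "TLS 1.2 protocol enabled", "version": "TLS 1.2"},
]

# Constructed passively captured records, truncated after server_version.
SAMPLE_RECORDS = {
    "10.0.0.11:443": b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00",   # SSLv3 ServerHello
    "10.0.0.20:443": b"\x16\x03\x03\x00\x2a\x02\x00\x00\x26\x03\x03",   # TLS 1.2 ServerHello
    "10.0.0.30:8443": b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x03",  # ClientHello, ignored
    "10.0.0.31:443": b"\x16\x03\x01\x00\x2a\x02\x00\x00\x26\x03\x01",   # TLS 1.0 ServerHello
}

# Constructed syslog lines.
SAMPLE_EVENTS = [
    "Feb 17 10:03:11 web01 httpd: client 10.0.0.5 negotiated SSLv3 with AES128-SHA",
    "Feb 17 10:03:15 web01 httpd: client 10.0.0.7 negotiated TLSv1.2 with ECDHE-RSA-AES128-GCM-SHA256",
    "Feb 17 10:04:02 pos-switch: inbound connection from 10.1.2.3 using SSL 3.0",
]

if __name__ == "__main__":
    for (version, method), n in sorted(build_matrix(SAMPLE_ACTIVE, SAMPLE_RECORDS, SAMPLE_EVENTS).items()):
        print(f"{version:8} {method:8} {n}")
    print(f"POODLE share of SSLv3 findings: {poodle_ratio(SAMPLE_ACTIVE)}%")
```

Run as-is, the matrix shows SSLv3 reported by all three methods while TLS 1.0 appears only passively, which is the situation the dashboard's separation by detection method is meant to surface: a host the scanner did not reach can still be caught by the sensor or by its own logs. The ratio function guards against a zero SSLv3 count so an empty row reads as 0% rather than raising.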
