
SSL/TLS Discovery

by Cody Dumont
February 17, 2015

Keeping up with compliance standards can be a difficult task, even more so when minor changes impact many devices in the network.  The PCI Council released a special bulletin that says all versions of SSL/TLS are no longer acceptable; this was preceded by NIST making the same requirement.  This dashboard provides a detailed view of SSL/TLS currently in use on the network. 

The Payment Card Industry Security Standards Council (PCI SSC) released a special bulletin on February 13, 2015 announcing impending revisions to the Payment Card Industry Data Security Standard (PCI DSS) as well as the Payment Application Data Security Standard (PA-DSS). The stated purpose of this bulletin is to inform the payment card industry that the PCI SSC has determined that the Secure Sockets Layer (SSL) protocol is no longer an acceptable solution for the protection of data based on the PCI SSC’s definition of “strong cryptography.”

This dashboard helps identify several of the requirements that will be changed such as:

  • 2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
  • 2.3 Encrypt all non-console administrative access using strong cryptography.
  • 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
  • 4.1.g For SSL/TLS implementations, examine system configurations to verify that SSL/TLS is enabled whenever cardholder data is transmitted or received.

The components in this dashboard provide a detailed view of SSL usage in the network.  Several components analyze data collected actively, passively, and through event correlation.  By separating out the different methods of detecting SSL traffic, the analyst is able to better identify systems that are not in compliance and focus remediation efforts.

The dashboard and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessments.

The dashboard requirements are:

  • Tenable.sc 4.8.2
  • Nessus 8.5.1
  • LCE 6.0.0
  • NNM 5.9.1

According to Tenable’s Jeffrey Man, the reference to SSL will most certainly be dropped in the PCI DSS, where it is explicitly noted as an example of a common security protocol. Organizations will likely have to demonstrate or prove that SSLv2 or SSLv3 is not used in any of the services, protocols, or daemons used in the cardholder data environment.  Removing SSL will also impact the use of web-based interfaces for administrative access to servers, databases, or network devices. As the remediation plans are developed, the primary focus will highlight the fact that all transmissions of cardholder data such as web server traffic or secure file transfers will no longer be able to use SSLv2 or SSLv3. In addition, any internal solutions such as secure communications from Point of Sale (POS) systems to payment switches will also no longer be allowed to use SSLv2 or SSLv3.

Tenable.sc Continuous View (CV) provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance.  Tenable has the largest installed base and best know-how, and quickly identifies security and compliance issues. Tenable.sc CV enables analysts to react to advanced threats, zero-day vulnerabilities, and new forms of regulatory compliance.  With more supported technologies than any other vendor, including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure, Tenable.sc CV users are more prepared for the dynamic, changing environment.

Components

SSL/TLS Discovery - SSL/TLS Vulnerabilities By Type: This component provides an overview of systems and vulnerabilities related to SSL.  By separating the view based on detection method and SSL version, the analyst can ensure that all SSL-related PCI compliance issues are identified and can be mitigated.  Also, by identifying systems running TLS, the analyst is able to see which systems are in compliance.

Vulnerabilities by Common Ports - Severity Levels by Common Port: This component effectively uses color and empty space to convey information about vulnerabilities and risk severity. Each column is a severity level of low, medium, high, or critical. Each row is a common popular port chosen at random.  Using this matrix as a template, a security administrator can modify the matrix to use assets, IP addresses, plugin families, repositories, and more.  The icon colors can communicate risk: green for low severity, yellow for medium, and red for high severity.  For the critical severities, the red icon with white 'X' is used.  When no match is found, the default setting is an empty display text field.

SSL/TLS Discovery - Asset Summary: Using the Asset Summary tool, this bar chart provides a view of the top 10 most affected assets with SSL vulnerabilities.  A separate bar is displayed for each severity, from Low through Critical.  The count is sorted using the vulnerability weight score.  This data is used to help identify the assets requiring immediate attention.

Where is the POODLE - Vulnerabilities By Type: This component displays information about systems on the network with vulnerabilities related to POODLE. The first row contains detected general SSLv3 vulnerabilities, the second row contains detected POODLE-specific vulnerabilities, and the third row calculates the percentage of the general SSLv3 vulnerabilities that are POODLE vulnerabilities. The first column shows the count of systems and the next four columns show the vulnerabilities detected actively and passively, as well as events.

SSL/TLS Discovery - SSL/TLS Subnets: Using the Class C Summary tool, this table provides a view of the top 10 most affected subnets with SSL vulnerabilities.  A separate column is displayed for each severity, from Low through Critical.  The count is sorted using the vulnerability weight score. This data is used to help identify the subnets requiring immediate attention.

Where is the POODLE - SSL Plugins: All the plugins that refer to SSL or certificates have been grouped into these indicators.

Where is the POODLE - SSLv3 Events: This component searches the raw text of all events for references to SSLv3.  The table uses the Normalized Event summary tool to provide a 24-hour trend for each identified event.  The events that relate to SSLv3 could mean either that local servers are running SSLv3 or that clients are connecting via SSLv3, neither of which is desirable.  The table is sorted based on the number of events collected.
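To show what passively identifying an SSLv2/SSLv3 server involves at the wire level, the following added example (not Tenable's code, and not a description of how NNM or LCE detect SSL) reads the version a server selected from the first bytes of its hello message. The function names, the `SAMPLE` observations and the documentation-range addresses are constructed for illustration.

```python
# (major, minor) version bytes as carried on the wire. TLS 1.3 also sends
# (3, 3) here and signals 1.3 in an extension, so (3, 3) means "1.2 or later".
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2+"}
NON_COMPLIANT = {"SSLv2", "SSLv3"}


def server_version(reply: bytes) -> str:
    """Protocol version the server selected, read from the start of its reply."""
    if len(reply) < 11:
        raise ValueError("reply too short to hold a server hello")
    if reply[0] & 0x80 and reply[2] == 4:
        # SSLv2 SERVER-HELLO: 2-byte length header, type 4, version at bytes 5-6
        wire = (reply[5], reply[6])
    elif reply[0] == 22 and reply[5] == 2:
        # SSLv3/TLS handshake record (type 22) carrying a ServerHello (type 2);
        # the selected version follows the 5-byte record and 4-byte handshake headers
        wire = (reply[9], reply[10])
    else:
        raise ValueError("not a server hello")
    return VERSIONS.get(wire, "unknown(%d,%d)" % wire)


def non_compliant(observations):
    """Map (ip, port) -> version for endpoints that answered with SSLv2/SSLv3."""
    flagged = {}
    for ip, port, reply in observations:
        try:
            version = server_version(reply)
        except ValueError:
            continue  # not an SSL/TLS hello, nothing to classify
        if version in NON_COMPLIANT:
            flagged[(ip, port)] = version
    return flagged


def sample_hello(major, minor):
    """Build a minimal ServerHello record (constructed test data)."""
    body = bytes([major, minor]) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return bytes([22, major, minor]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed observations: documentation-range addresses, synthetic replies.
SAMPLE = [
    ("192.0.2.10", 443, sample_hello(3, 0)),
    ("192.0.2.11", 443, sample_hello(3, 3)),
    ("192.0.2.12", 8443, b"\x80\x0b\x04\x00\x01\x00\x02" + bytes(6)),
    ("192.0.2.13", 22, b"SSH-2.0-example\r\n"),
]
```

Calling `non_compliant(SAMPLE)` returns only the SSLv3 and SSLv2 endpoints; the TLS server and the non-TLS service are left out.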
