Just how secure is the data that you are entering on any given website?
Unfortunately, many internet users take this question for granted, with undesirable consequences such as the theft of sensitive data, for which the organization responsible for the insecure site is culpable. All too often, organizations have expired SSL certificates on their web assets, which is hazardous to those visiting their sites and, therefore, hazardous to their businesses.
Back in May, I posted a blog highlighting the prevalence of insecure web forms that RiskIQ identified across our customers’ assets, and what the data uncovered was interesting, to say the least. Much of the guidance we offered in that post also applies to broken SSL certs, and in this blog, I’ll discuss expired SSL certs relative to the web compliance of RiskIQ customers.
‘SSL’ has become an umbrella term that describes both the original Secure Sockets Layer (SSL) protocol and its newer, more secure successor, Transport Layer Security (TLS). Mostly, when people refer to ‘SSL,’ they just mean establishing a secure, encrypted connection between a web server and a client. At their core, SSL certs are powerful security measures that, for the most part, protect against threats on insecure networks, such as man-in-the-middle attacks.
SSL certs are used together with various symmetric and asymmetric encryption algorithms to protect information sent between a web server and a client, beginning with a process known as the ‘SSL handshake.’ The SSL handshake runs on top of the Transmission Control Protocol (TCP) layer and involves an exchange of certificates and public keys between the server and the client (or between two servers), resulting in a secured connection. Once the handshake completes, the client’s browser displays the URL as ‘HTTPS.’
Fig-1 Chrome Expired SSL Certificate Warning
Not all SSL Certificates are Equal
You now know that SSL certs can use different kinds of encryption, but they also offer different levels of authentication for website owners. Certificate Authorities (CAs) such as Symantec offer varying degrees of SSL authentication, including Domain Validation, Organizational Validation, and Extended Validation, each requiring stricter checks to register. Extended Validation involves the most rigorous checks, making it the most resistant to false registrations and phishing attacks.
But just how secure is any particular SSL certificate? Well, that depends. A newer, more secure TLS cert, for example, may still use weak or outdated algorithms and hashes such as SHA-1. Recently, my colleague used Chrome dev tools to inspect the SSL cert on his personal bank’s website (Fig. 2) and found a newer TLS certificate that was still using an old RSA algorithm with an obsolete SHA-1 hash:
Fig-2 Bank Website’s SSL Certificate in Chrome
Google, along with Microsoft and Mozilla, has publicly announced plans to disable support for certificates using outdated SHA-1 hashes. More recently, security researchers at Google announced that they had broken the dated SHA-1 hash function. The consensus is that SSL certificates should use the most current, up-to-date algorithms and key exchanges to adequately guard against threat actors.
I decided to examine data from ten of our Digital Footprint customers who also happen to be large financial institutions. While the size of each digital footprint varied, all ten customers had noticeable security flaws related to assets that either had expired SSL certificates or used obsolete SHA-1 hashes. On average, each customer had roughly 38 assets with expired SSL certificates, with one outlier. Furthermore, each customer also had approximately 15 assets using SHA-1 hashes, except for two that had none:
Fig-3 SSL Issues in Customers’ Digital Footprint
For some organizations, SSL certification is basic internet security. However, cataloging known web assets along with their certificate types and statuses can be a daunting task. To help, RiskIQ’s Digital Footprint offers simple solutions to these problems with large, queryable data sets that include potentially unknown or forgotten web assets.
EDF offers continuous monitoring of these web assets to highlight compromised web infrastructure and web compliance issues such as expired SSL certificates and the use of now-obsolete SHA-1 certs. Furthermore, notifications are sent to our Digital Footprint customers whose certificates are set to expire at both the 90- and 60-day marks so that they can be addressed before they become a critical security issue. SSL certificates are the first line of defense against external threat actors and, as such, should always be kept up to date and correctly configured.
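To make the checks above concrete, here is an added Go example (my own code, not RiskIQ's or the Digital Footprint product's) that parses a certificate and flags the three conditions this post discusses: already expired, inside the 90- and 60-day notification windows, and signed with a SHA-1 based algorithm. It builds a constructed self-signed certificate with the standard library so it runs offline; `AuditCert`, `MakeTestCert` and the sample host names are assumptions, not anything from the original.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CertFinding holds the web-compliance results discussed above for one certificate.
type CertFinding struct {
	Subject                       string
	DaysLeft                      int  // negative once the certificate has expired
	Expired, Notify, Urgent, SHA1 bool // expired; in 90-day window; in 60-day window; SHA-1 signed
}

// AuditCert (hypothetical helper) evaluates expiry, the 90/60-day warning windows and SHA-1 signing for a DER cert as of `now`.
func AuditCert(der []byte, now time.Time) (CertFinding, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertFinding{}, err
	}
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	f := CertFinding{Subject: cert.Subject.CommonName, DaysLeft: days}
	f.Expired = now.After(cert.NotAfter)
	f.Notify = !f.Expired && days <= 90
	f.Urgent = !f.Expired && days <= 60
	f.SHA1 = cert.SignatureAlgorithm == x509.SHA1WithRSA || cert.SignatureAlgorithm == x509.ECDSAWithSHA1
	return f, nil
}

// MakeTestCert builds a constructed self-signed certificate (sample data, not a real site's cert) so the audit runs offline.
func MakeTestCert(cn string, notAfter time.Time, alg x509.SignatureAlgorithm) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: cn},
		NotBefore:          notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:           notAfter,
		SignatureAlgorithm: alg,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```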