
TOPIC: NETWORK VULNERABILITIES

THE SEVEN HIDDEN SSL VULNERABILITIES IN EVERY NETWORK

Ensuring that your network is secure from every possible threat can be a full-time job. This challenge is heightened by the fact that many network admins only think about their SSL certificates on an irregular basis. This article touches on some of the most common areas that companies inadvertently leave exposed to attackers.

SSL CERTIFICATES AND ENDPOINT VULNERABILITIES

SSL Certificates serve as the security backbone of the internet, securing billions of interactions annually. Yet, too often, system administrators fail to properly configure and install certificates, unknowingly leaving open SSL/TLS vulnerabilities.

It is important for security professionals to discover forgotten or neglected certificates and misconfigured certificates, identify potential liabilities – such as weak keys, problematic ciphers, and expired certificates – as well as vulnerabilities to Heartbleed, CRIME, BEAST, or BREACH attacks.

Of these attack vulnerabilities, Heartbleed is one of the most troubling, at one time affecting over two thirds of the active sites on the internet [i]. On Monday, April 7, 2014, this bug in the OpenSSL software library was announced and named Heartbleed. Heartbleed impacts versions 1.0.1 through 1.0.1f and v1.0.2-beta1 of OpenSSL. This is not a bug or flaw with the SSL/TLS protocol — it is a bug in OpenSSL’s implementation of SSL/TLS.

A few things that set Heartbleed apart from other vulnerabilities are:

• It is impossible to tell if your information has been compromised by Heartbleed.

• The vulnerability existed for over two years before being discovered, which increases the scope of potentially affected websites.

• Heartbleed does not depend on any other vulnerability. Many attacks require the attacker to gain a foothold through some poor security practice, but Heartbleed does not.

• The affected versions of OpenSSL have been pushed by security experts because they contain fixes for other vulnerabilities.

There were several documented cases of Heartbleed being exploited immediately following public announcement of this vulnerability. Notably, the Canada Revenue Agency lost taxpayer data, including social insurance numbers, for at least 900 taxpayers over a six-hour period [ii]. However, because an attack is undetectable by security surveillance systems, it is impossible to say that no attempt has been made on your systems. If your server is running a version of OpenSSL between 1.0.1 and 1.0.1f with the heartbeat extension enabled, you are potentially vulnerable to Heartbleed.

If you have any question as to whether you are vulnerable, the latest version of DigiCert Certificate Inspector has added Heartbleed to the lengthy list of certificate and endpoint vulnerabilities it can detect. For instructions on the six steps to take to remediate against Heartbleed and to get access to this tool, visit ://www.digicert.com/heartbleed-bug-vulnerability.htm.

As the severity of Heartbleed shows, certificate and endpoint vulnerabilities must be taken seriously to ensure your organization’s security. Knowing the location and details of every certificate in your network is essential in being able to respond quickly and completely to any discovered vulnerabilities.

According to the Heartbleed website hosted by Codenomicon, whose engineers were among the first to discover Heartbleed:

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.” (http://www.heartbleed.com)

OUT-OF-DATE SERVERS

Imagine you woke up this morning and discovered that you had inherited one million dollars. (Congratulations! Can we be friends?) You have two options: stick it in your mattress, or invest it. How would each approach turn out ten years down the road?

If you invested the money, and it averaged 8% interest over ten years, you would have $2,158,925, which, adjusted for annual inflation of 3%, would be worth $1,606,443 in today’s dollars.

If you stuck the money in your mattress, after ten years you would still have exactly $1,000,000, but because of the annual inflation of 3%, it would only be worth $744,094 in today’s dollars.

That’s right — by sticking your money in your mattress to keep it safe, you would lose more than $250,000 in value over the course of a decade.

Your servers are the same way. If you make sure your server is completely secure and then put it in your mattress — or, more likely, in a server rack in a datacenter somewhere — and never think about it again, the “inflation” of increasingly skilled hackers and technology development will eat away at your security even faster than economic inflation dinged your inheritance. On the other hand, if you take advantage of the “interest” provided by new technology and software updates, you can come out much stronger than you were in the beginning.

You can be secure today and get hacked tomorrow if you simply “stand still.” Neglected servers quickly become huge security liabilities. A few steps you should take:

• “Keep the target moving” by keeping up-to-date. The longer a piece of old software is sitting on your servers, the longer hackers have to find weaknesses in that software. Failing to keep on top of operating system updates, patches, and new versions of your software creates new attack vectors for bad actors. This problem is amplified if these vulnerable servers contain the keys used to secure your network.

• Strongly consider decommissioning and unplugging servers on your network that are not providing a specific, important function.

• Keep track of the SSL Certificates on your network. Utilities such as DigiCert’s Certificate Inspector help you identify certificates that are on the cusp of expiring, are improperly installed, or have been installed without your knowledge.

• Subscribe to blogs and newsfeeds detailing the latest security exploits. Knowledge is your best defense.

INADEQUATELY TRAINED OR OVERWORKED STAFF

A phone call comes in to your support team. Amos answers the phone. “Hi Amos, this is Joanna’s cousin Fernando. I’m trying to get ahold of her. I tried her cell, but she didn’t answer. Do you know if she is back in town, or is she still down in the Bahamas?”

Amos might actually be talking to Joanna’s cousin Fernando, or he might be talking to someone who saw on Joanna’s Instagram that she is on vacation in the Bahamas and wants to exploit that knowledge. Once he has Amos convinced that he’s a relative of a dear co-worker, he has Amos’s implicit trust, which he can then misuse, for example, to get Amos to open an infected file sent via email or visit a malicious website.

This attack is a combination of social engineering and spear phishing. Whereas phishing is a more general attack where an attacker tries to trick a person or organization into trusting him with sensitive information, this approach takes it to the next level by targeting and initiating contact with a specific individual. The personalized nature of the attack increases the success rate — a person who would see right through a “Nigerian prince” scam still might fall into the trap of trusting someone he presumes is his friend’s cousin.

Even after deploying a complex security plan and properly configuring all of the servers in your network with state-of-the-art SSL encryption, you can still end up with one glaring weak link in your precautions — inadequately trained or overworked employees.

Whether these employees are part of your IT staff or any other users scattered throughout your company, their risky habits and behaviors can quickly poke holes in your otherwise ironclad security. Every employee in your organization needs to be trained on security best practices and what to watch for in common exploits, both software-based and through social engineering. They need to know what spear phishing is, how to spot suspicious activity, how to ensure sites are secured by HTTPS, and how to react when they see something unusual. In addition, regular security audits and Security Information and Event Management (SIEM) will help you identify issues and which employees need additional training.

Most of all, employees need training on reporting anomalies and to be confident that their concerns will be quickly investigated and are appreciated. Maintaining the security of your network is a collaborative team effort that depends on the participation of even the most junior employee.

YOUR INTRANET & MAIL SERVERS

No matter how many locks you have on the doors and windows to your house, it is still a good idea to keep your most valuable possessions in a safe, a secret hiding spot, or even a safe deposit box, just in case an intruder gains access to your house. The same concept applies to your internal servers.

Too many network administrators assume that internal servers behind a firewall are safe and that SSL certificates are not needed on servers that are not public-facing. In fact, Mandiant research shows that advanced attackers are on the network 243 days (median) before being detected [iii]. The failure to use multiple levels of security leaves your network vulnerable to the first hacker or malware that slips in. Once an attacker is able to sniff your network, the network becomes more susceptible to Man-in-the-Middle (MITM) attacks and attacks that intercept or compromise data on your servers. A hacker with access to your company email, proprietary code, and databases is a worst case scenario that is often preventable — and while you probably have a high degree of trust in your staff, it is worth noting that malicious or rogue employees (or former employees) are one of the most common hacker types.

The best way to prevent these attacks is to deploy SSL certificates on every server, internal or external, regardless of the sensitivity of the data it holds or the traffic it manages.

FILE TRANSFER PROTOCOL (FTP)

First conceived in 1971, File Transfer Protocol (FTP) remains one of the most common ways to transfer large files across the Internet. FTP’s low cost and ubiquity make it attractive to admins; a recent poll by Harris Interactive of 1,000 IT decision makers found that 51 percent of organizations use FTP to exchange large files.

Unencrypted FTP sites and file transfers are a treasure trove for attackers looking for easy pickings. The simple fact that passwords are passed in the clear is a significant risk, and credentials and files often sit on an unprotected server. While FTP is convenient for end-users, related exploits have been responsible for many of the most damaging network hacks in recent years. Because of its inherent risks, use of standard unencrypted FTP is frowned upon by security auditors. It is embarrassing when a regulator finds an unsecured FTP connection, and even more so when a Google spider stumbles upon it and publishes it to the whole web.

Improperly issued permissions are also a potential problem when supposedly limited users end up with access to the entire directory, including other people’s sensitive data. Avoiding FTP altogether is the safest bet, but if you are determined to implement it in your network environment, always protect your servers with secure transfer protocols such as SCP (Secure Copy) or SFTP (Secure File Transfer Protocol).

SELF-SIGNED CERTIFICATES

Remember Aesop’s “boy who cried wolf”? To amuse himself when he was bored, this shepherd boy would cry out that a wolf was chasing the sheep. After being fooled by this trick several times, the villagers began to ignore the boy. Unfortunately, the one time that there really was a wolf, no one believed him, and the sheep were lost.

The moral of Aesop’s fable is this: no one believes a liar, even when he is telling the truth.

Self-signed SSL certificates are often used in development, testing, and internal servers accessed by small groups of users. They are popular because they are “free,” but they come with a huge risk: they turn the web browser into the boy who cried wolf, the liar who can’t be trusted.

Browsers are programmed to only trust certificates from a finite list of providers. Certificate Authorities (CAs) face rigorous auditing to qualify for inclusion in these browsers, which protects end users from untrustworthy or counterfeit certificates.

The problem with self-signed certificates is that, because they are not signed by a public CA, browsers encountering the certificate display a series of critical messages, causing confusion and alarm. Your users become conditioned to ignore vital warning messages. Once your employees learn to ignore security messages from the browser, the likelihood of them recognizing an actual threat is diminished.

To protect your network, you should issue publicly trusted certificates for every site and server you manage, including internal resources. Wildcard SSL certificates and Unified Communications certificates from CAs like DigiCert provide an easy and cost-effective means of protecting a complex environment without requiring a large number of certificates.

Some enterprises choose to manage an internal CA that issues single SSL certificates for internal sites. Because administrators need to configure every single browser and device to use the correct trust anchor, this approach is both costly and time consuming. In addition, an internal CA presents another attack surface to worry about in the security of your network. The high cost in obtaining and managing the additional infrastructure and expertise required to manage an internal CA makes using publicly trusted certificates cheaper and more secure. Self-signed certificates are only “free” if you don’t value your time.

ABOUT DIGICERT

DigiCert is a premier online trust provider of enterprise security solutions with an emphasis on authentication, PKI, and high-assurance digital certificates. Headquartered in Lehi, Utah, DigiCert is trusted by a continually growing clientele of more than 80,000 of the world’s leading government, finance, education, and Fortune 500® organizations, including six of the Alexa Top 10 U.S. websites. DigiCert has been recognized with dozens of awards for providing enhanced customer value, premium customer support and market growth leadership. For the latest DigiCert news and updates, visit digicert.com, like DigiCert on Facebook® or follow Twitter® handle @digicert.
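The certificate-tracking advice in the out-of-date servers section and the self-signed certificate discussion above come together in a periodic audit such as the one below, an added example that is neither DigiCert’s Certificate Inspector nor code from the original paper. It flags expired or soon-expiring certificates, self-signed issuers, name mismatches, and the OpenSSL range the paper names as affected by Heartbleed; the hosts, certificate data and version strings are constructed, and the OpenSSL version is assumed to come from your own asset inventory rather than from the TLS handshake.

```python
"""Certificate and endpoint audit helper (added example, not DigiCert's tool).
Inventory entries mimic ssl.SSLSocket.getpeercert() output plus the bare OpenSSL
version string from your asset inventory (TLS itself does not reveal it)."""
import re
import ssl
from datetime import datetime, timezone

# Affected range named in the article: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1.
HEARTBLEED_RE = re.compile(r"^1\.0\.(1[a-f]?|2-beta1)$")

def heartbleed_vulnerable(openssl_version):
    """True when the version string falls inside the affected range."""
    return HEARTBLEED_RE.match(openssl_version.strip()) is not None

def _name(rdns):  # flatten getpeercert()'s ((('commonName', 'x'),),) into a dict
    return {k: v for rdn in rdns for k, v in rdn}

def _matches(pattern, host):  # exact match, or single-label wildcard like *.example.com
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def audit_endpoint(entry, now, warn_days=30):
    """Return the list of findings for one inventory entry (empty list = nothing to fix)."""
    cert, findings = entry["cert"], []
    subject, issuer = _name(cert["subject"]), _name(cert["issuer"])
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])  # parses 'Jun  1 12:00:00 2015 GMT'
    days_left = (datetime.fromtimestamp(expiry, timezone.utc) - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= warn_days:
        findings.append(f"expires in {days_left} days")
    if subject == issuer:  # the browser's "boy who cried wolf" case
        findings.append("self-signed")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_matches(n, entry["host"]) for n in names + [subject.get("commonName", "")]):
        findings.append("name mismatch (improperly installed)")
    if heartbleed_vulnerable(entry["openssl"]):
        findings.append("Heartbleed-vulnerable OpenSSL " + entry["openssl"])
    return findings

def entry(host, openssl, cn, issuer_cn, not_after):
    """Build an inventory entry in getpeercert()'s shape (constructed data)."""
    return {"host": host, "openssl": openssl,
            "cert": {"subject": ((("commonName", cn),),), "issuer": ((("commonName", issuer_cn),),),
                     "subjectAltName": (("DNS", cn),), "notAfter": not_after}}

NOW = datetime(2014, 4, 10, tzinfo=timezone.utc)  # constructed reference date
INVENTORY = [  # constructed sample hosts, not real systems
    entry("www.example.com", "1.0.1e", "www.example.com", "Example Public CA", "Jun  1 12:00:00 2015 GMT"),
    entry("intranet.example.com", "1.0.1g", "intranet.example.com", "intranet.example.com", "Apr 20 00:00:00 2014 GMT"),
    entry("mail.example.com", "1.0.0k", "*.example.org", "Example Public CA", "Jan  1 00:00:00 2014 GMT"),
]
```

Run `audit_endpoint(e, NOW)` over each inventory entry; a live scan would fill the `cert` field from `getpeercert()` on a verified connection and the version from your patch inventory.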
[i] http://heartbleed.com/
[ii] http://arstechnica.com/security/2014/04/heartbleed-bug-exploited-to-steal-taxpayer-data/
[iii] http://www.mandiant.com/threat-landscape/

FAILURE TO CONDUCT PENETRATION TESTING

A penetration test (or “pentest” for short) is an attack on a computer system designed to identify weaknesses or security holes. Pentests come in two varieties: black-box (basically mimicking an attack by an outsider with no inside information) and white-box (where system information is given). Your system is probably subject to black-box pentests whether you know it or not — even if you’re not conducting them, the bad guys are. And if they can exploit a vulnerability they find and get a foot in the door to your system, they can use any information they find to perform more malicious attacks.

If there is a vulnerability on your server that an attacker can find, it is your challenge to find it and fix it. A good pentest will help you identify your “attack surface” — the different points on your network that an attacker might target — and uncover potential holes in your security, helping you to seal them before they are discovered by an attacker. Regular pentests are vital to the ongoing security of your systems.

The security requirements of your site dictate how often you run a pentest, but you certainly need to run one for any major updates. While invasive pentests can cause bandwidth or speed issues on your network, when you are the one conducting the pentest you can dictate when the testing takes place and quickly address any problems that arise. Avoid the urge to exclude big parts of your network during the testing — you can be sure that attackers aren’t going to give you the same courtesy. If necessary, a pentest of a mirrored dev server can reveal most of the vulnerabilities on your sites.

CONCLUSION

No network is 100% bulletproof, and maintaining security takes constant vigilance, but tightening up or closing these common vulnerabilities will remove the low-hanging fruit that hackers are looking for.

©2014 DigiCert, Inc. All rights reserved. DigiCert is a registered trademark of DigiCert, Inc. in the USA and elsewhere. [v0414]