Are you ready to say goodbye to SSL/early TLS?

30 June 2018 is the deadline for disabling Secure Sockets Layer/early Transport Layer Security (SSL/early TLS) and implementing a more secure encryption protocol in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data. In addition, according to NIST (National Institute of Standards and Technology), there are no fixes or patches that can repair SSL or early TLS (NIST SP 800-52 Rev. 1). For over 20 years Secure Sockets Layer (SSL) has certainly been one of the most widely used encryption protocols ever released, and it remains in widespread use today despite the various security vulnerabilities exposed in the protocol. SSL v3.0 was superseded in 1999 by TLS v1.0, which has since been superseded by TLS v1.1 and v1.2. Today, SSL and early TLS no longer meet minimum security standards because of security vulnerabilities in the protocol for which, unfortunately, there are no fixes. It is extremely important that everyone upgrade to a secure alternative as soon as possible and disable any fallback to both SSL and early TLS. SSL/early TLS was removed as an example of strong cryptography in PCI DSS v3.1 (April 2015). Organizations which use SSL/early TLS are greatly increasing their...

Brief highlights of the Verizon 2018 Data Breach Report

The latest Verizon 2018 Data Breach Report (11th edition) has been published and it’s certainly a great read. This year the data comes from over 53,000 incidents and 2,216 confirmed data breaches. Based on the report, most of the data breaches are caused by outsiders (73%), with organised criminal groups accounting for 50% of the breaches. It should not come as a surprise that as many as 58% of victims are SMBs. They are very often the most resource-constrained in their security efforts, and this trend continues. The healthcare industry is also a popular target for hackers, especially in the United States of America, where the data coming from healthcare breaches is very valuable. Stolen credentials and phishing continue to be within the top 5 action varieties in breaches. Unlike pretexting, which is financially motivated over 95% of the time, motives for phishing are split between financial (59%) and espionage (41%). This is a very brief post and I highly encourage everyone interested to read the full report, available as a free download here....