Make sure you update your encryption to the latest software by next year
By: Michael Simpson, QSA, CISSP, CCNP
The PCI SSC now requires that all businesses be migrated from SSL and older versions of TLS to the new version of TLS (TLS v1.2) by June 30, 2018.
Here are some things you should know about the SSL to TLS migration.
What is TLS security? What is SSL?
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are protocols used to establish a secure communications channel between two systems. In practice, SSL and TLS encrypt the information sent between web browsers and web servers, providing a protected path for that data between the two endpoints.
Why migrate?
Beyond the new mandate, SSL is no longer secure. Attackers have used several exploits against it to steal data and install malware. If you don’t move to current encryption, your business could be in danger of losing sensitive data.
Since the release of SSL v3, vulnerabilities have been identified that cannot be fixed in the protocol itself. You may have heard of some of these from 2014, including FREAK, POODLE, and WinShock. A more recent vulnerability, DROWN, showed the growing need to migrate to more secure encryption protocols.
Migrating to the most secure version of TLS protects your business, your clients, and you. It’s more than just avoiding a compliance fine; it’s a matter of protecting valuable data.
How do I migrate?
The PCI Council offers detailed guidance on migrating from SSL and early TLS, with examples and recommendations on how to meet this requirement, in its information supplement Migrating from SSL and Early TLS.
If you have existing implementations of SSL or early TLS that you don’t need for regular business operations, remove or disable all instances of SSL and TLS 1.0 immediately. Do not deploy new technologies that rely on these insecure transport encryption protocols. It is highly recommended to configure systems to use TLS 1.2 and to disable fallback to SSL or early TLS versions.
If you need to continue using SSL or early versions of TLS to continue regular business operations, here are some examples of what you can do:
- Encrypt data with strong cryptography before sending it over SSL/early TLS (for example, use field-level or application-level encryption to encrypt the data prior to transmission)
- Set up a strongly encrypted session first (e.g. an IPsec tunnel), then send the data over SSL within that secure tunnel
- Check firewall configurations to see whether SSL can be blocked
- Check that all application and system patches are up to date
- Check and monitor systems to identify suspicious activity that may indicate a security issue
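To confirm that a server you operate has actually dropped SSL and TLS 1.0, and to show what "no fallback below TLS 1.2" looks like in code, here is an added Python example written for this article; it is not SecurityMetrics' or the PCI Council's own tooling. It assumes Python 3.7 or later with an OpenSSL-backed ssl module; the function names and the PASS/WARN/FAIL wording are this example's own. The probe attempts a handshake at one protocol version at a time, and the assessment applies the rule stated above: SSL or TLS 1.0 accepted is a failure, TLS 1.1 still enabled is a warning, and TLS 1.2 missing is a warning.

```python
"""Probe which TLS versions a server negotiates and judge the result against
the SSL/early TLS requirement: no SSL, no TLS 1.0.

Added example for this article (not SecurityMetrics' or PCI SSC tooling).
Assumes Python 3.7+ with an OpenSSL-backed ssl module; names are our own.
"""
import socket
import ssl

TLSv = ssl.TLSVersion
VERSIONS_TO_TEST = [TLSv.TLSv1, TLSv.TLSv1_1, TLSv.TLSv1_2, TLSv.TLSv1_3]
NAMES = {TLSv.SSLv3: "SSLv3", TLSv.TLSv1: "TLS 1.0", TLSv.TLSv1_1: "TLS 1.1",
         TLSv.TLSv1_2: "TLS 1.2", TLSv.TLSv1_3: "TLS 1.3"}


def hardened_context(server_side=False):
    """The mitigation side: a context that never falls back below TLS 1.2,
    usable for either end of the connection."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = TLSv.TLSv1_2
    return ctx


def probe_context(version):
    """Client context that offers exactly one protocol version, so a
    completed handshake proves the server accepts that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # we are testing versions, not trust
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Current OpenSSL refuses to even offer TLS 1.0/1.1 at its default
    # security level, which would make an old server look "fixed". Lower the
    # level so the probe reflects the server, not the client; builds that
    # reject the string simply keep their default.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe(host, port, version, timeout=5.0):
    """True if the server completes a handshake at `version`, False if it
    refuses (alert, reset or hang), None if this client cannot offer it."""
    try:
        ctx = probe_context(version)
    except ValueError:                  # version compiled out of OpenSSL
        return None
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
        except (ssl.SSLError, ConnectionResetError, socket.timeout):
            return False


def assess(results):
    """results: {TLSVersion: True | False | None} as returned by probe().
    Returns (compliant, findings); compliant is None when a version below
    TLS 1.2 could not be tested, so nothing can be concluded about it."""
    findings, compliant = [], True
    for version in sorted(results):
        accepted = results[version]
        name = NAMES.get(version, str(version))
        if accepted is None and version < TLSv.TLSv1_2:
            findings.append(f"UNTESTED {name}: this client cannot offer it")
            if compliant is True:
                compliant = None
        elif accepted and version <= TLSv.TLSv1:
            compliant = False
            findings.append(f"FAIL {name}: accepted; remove or disable it")
        elif accepted and version == TLSv.TLSv1_1:
            findings.append(f"WARN {name}: early TLS still enabled; move to TLS 1.2")
    if not results.get(TLSv.TLSv1_2):
        findings.append("WARN TLS 1.2: not accepted; enable it before disabling older versions")
    return compliant, findings


def scan(host, port=443):
    """Probe every version and return the assessment for one server."""
    return assess({v: probe(host, port, v) for v in VERSIONS_TO_TEST})


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    ok, notes = scan(target, target_port)
    print("SSL/early TLS check:", {True: "PASS", False: "FAIL", None: "INCONCLUSIVE"}[ok])
    for note in notes:
        print(" -", note)
```

Saved as, say, tlscheck.py (a hypothetical file name), it runs as `python tlscheck.py yourhost.example 443`. One edge case it handles deliberately: recent OpenSSL builds will not offer TLS 1.0 or 1.1 at their default security level, so a naive probe from a modern client reports "refused" for those versions even when the server still accepts them; lowering the security level in the probe context keeps the result honest about the server. Using the probe without lowering it is the same mistake as trusting a browser that has already dropped old versions as evidence that your server has.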
Further tips to protect your card data online
Here are a few other actions you may want to take to make sure your sensitive data is secure:
- Make sure your code is secure: review any code your organization has created to make sure it contains no vulnerabilities
- Encrypt where needed: make sure sensitive information is properly encrypted
- Use unique credentials: having employees share the same credentials makes it that much easier for attackers to gain access to your CDE
- Get a penetration test: a pen test is a great way to find holes in your security. To fight a hacker, you need to think like one
- Work with an expert: if you’re not sure about some elements of security, or whether you’ve fully migrated to TLS v1.2, talking to a Qualified Security Assessor would be a good move
Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for 15 years. He has a Bachelor of Science in Computer Science and a Masters in Business Administration.