SANS 20 Critical Security Control 17 requirements for SSL/TLS security and management
TRANSCRIPT
SSL/TLS is the foundation of online trust, and it is now threatened.
SSL/TLS certificates are used for authentication and authorization across applications, appliances, devices, and cloud services.
Over 23,000 SSL/TLS keys and certificates per enterprise, up 34% since 2013.
But cybercriminals are using rogue or fraudulent SSL/TLS keys and certificates to...
Examples: Heartbleed, POODLE, FREAK
Snoop on encrypted communications
Bypass security controls, like IDS/IPS, DLP, and NGFW
Impersonate legitimate websites
NIST has declared that SSL is no longer acceptable to protect data
New PCI DSS v3.1 requires TLS 1.1 or higher
SANS 20 adds key and certificate requirements to CSC 17: Data Protection
Organizations need to secure SSL/TLS to regain online trust.
The greatest threat is the lack of adherence to security standards.
An actionable approach is needed to meet new SANS 20 SSL/TLS key and certificate requirements
CSC 17-2: Verify configured to use publicly vetted algorithms
CSC 17-3: Identify sensitive information that requires encryption
CSC 17-10: Only allow approved certificate authorities (CAs)
CSC 17-11: Perform an annual review of algorithms and key lengths
CSC 17-14: Define roles, responsibilities, and process lifecycle for key management
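The CSC 17 items above (vetted algorithms, approved CAs, key-length review, defined ownership) and the PCI DSS v3.1 protocol floor only become actionable once they are checked against an actual inventory of keys and certificates. The script below is an added example, not part of the infographic or of any SANS/PCI material: it evaluates constructed inventory rows of the kind a scanner would produce (negotiated protocol and cipher from `openssl s_client`, key size, signature algorithm and issuer from `openssl x509 -text`) against those requirements. The thresholds, the CA allowlist and the host names are assumptions chosen for the example.

```python
"""Check a TLS key/certificate inventory against the SANS CSC 17 items above.

Added example, not from the infographic. The inventory rows are constructed;
in practice they would come from a discovery scan across the estate.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Policy thresholds are assumptions for this example: TLS 1.1+ matches the
# PCI DSS v3.1 requirement quoted above; 2048-bit RSA / 256-bit EC minimums and
# rejection of MD5/SHA-1 signatures follow NIST SP 800-131A; the CA allowlist
# is made up for the example.
POLICY = {
    "min_tls": (1, 1),
    "min_key_bits": {"RSA": 2048, "EC": 256},
    "weak_sig_hashes": ("md5", "sha1"),
    # Tokens in OpenSSL cipher-suite names that indicate broken or non-vetted
    # algorithms: RC4, single/triple DES, export grades, NULL, MD5 MAC,
    # anonymous key exchange.
    "weak_cipher_tokens": ("RC4", "DES", "EXP", "NULL", "MD5", "ADH", "AECDH"),
    "approved_issuers": {"Example Corp Internal CA", "Example Public Root G2"},
}


@dataclass
class Endpoint:
    host: str
    tls_version: str      # as reported by s_client, e.g. "TLSv1.2" or "SSLv3"
    cipher: str           # OpenSSL cipher name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    key_type: str         # "RSA" or "EC"
    key_bits: int
    sig_alg: str          # certificate signature algorithm, e.g. "sha256WithRSAEncryption"
    issuer_cn: str
    owner: Optional[str]  # accountable team per CSC 17-14; None if nobody is recorded


def parse_tls_version(name: str) -> Tuple[int, int]:
    """Map 'SSLv3' -> (0, 3), 'TLSv1' -> (1, 0), 'TLSv1.2' -> (1, 2) so versions compare."""
    proto, _, ver = name.partition("v")
    major, _, minor = ver.partition(".")
    if proto == "SSL":
        return (0, int(major))
    return (int(major), int(minor or 0))


def cipher_is_vetted(cipher: str, policy=POLICY) -> bool:
    """True unless any component of the cipher-suite name is on the weak list."""
    tokens = cipher.upper().split("-")
    return not any(t in policy["weak_cipher_tokens"] for t in tokens)


def evaluate(ep: Endpoint, policy=POLICY) -> List[Tuple[str, str]]:
    """Return (control, message) findings for one endpoint; empty list means compliant."""
    findings = []
    if parse_tls_version(ep.tls_version) < policy["min_tls"]:
        findings.append(("PCI DSS v3.1", f"{ep.tls_version} negotiated; TLS 1.1 or higher required"))
    if not cipher_is_vetted(ep.cipher, policy):
        findings.append(("CSC 17-2", f"cipher suite {ep.cipher} uses a non-vetted algorithm"))
    if any(h in ep.sig_alg.lower() for h in policy["weak_sig_hashes"]):
        findings.append(("CSC 17-2", f"certificate signed with {ep.sig_alg}"))
    min_bits = policy["min_key_bits"].get(ep.key_type)
    if min_bits is None:
        findings.append(("CSC 17-11", f"unrecognised key type {ep.key_type}"))
    elif ep.key_bits < min_bits:
        findings.append(("CSC 17-11", f"{ep.key_type} key is {ep.key_bits} bits; minimum is {min_bits}"))
    if ep.issuer_cn not in policy["approved_issuers"]:
        findings.append(("CSC 17-10", f"issuer '{ep.issuer_cn}' is not an approved CA"))
    if not ep.owner:
        findings.append(("CSC 17-14", "no accountable owner recorded for this certificate"))
    return findings


def audit(inventory: List[Endpoint], policy=POLICY) -> Dict[str, List[Tuple[str, str]]]:
    return {ep.host: evaluate(ep, policy) for ep in inventory}


# Constructed inventory: two compliant hosts, one legacy host failing nearly
# everything, and one internal host that only fails on protocol and cipher.
INVENTORY = [
    Endpoint("www.example.com", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "RSA", 2048,
             "sha256WithRSAEncryption", "Example Public Root G2", "web-platform"),
    Endpoint("legacy-portal.example.com", "TLSv1", "RC4-SHA", "RSA", 1024,
             "sha1WithRSAEncryption", "Rogue Test CA", None),
    Endpoint("api.example.com", "TLSv1.2", "ECDHE-ECDSA-AES256-GCM-SHA384", "EC", 256,
             "ecdsa-with-SHA256", "Example Corp Internal CA", "api-team"),
    Endpoint("vpn.example.com", "SSLv3", "DES-CBC3-SHA", "RSA", 2048,
             "sha256WithRSAEncryption", "Example Corp Internal CA", "netops"),
]

if __name__ == "__main__":
    for host, findings in audit(INVENTORY).items():
        print(f"{host}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for control, msg in findings:
            print(f"  [{control}] {msg}")
```

The cipher check matches on name components rather than on a fixed allowlist, so it also catches suites the example inventory does not contain (export-grade or anonymous suites, for instance); CSC 17-3, identifying which data needs encryption, is a classification decision and cannot be derived from scan output, which is why no check for it appears here.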