Secure information with a current SSL certificate
posted by Ben Hayden on Tuesday, November 20, 2018 in SHAZAM Blog
In the majority of audits SHAZAM Secure® conducts across the country, we find that the tools used to ensure information is received from a trusted source simply aren’t up to date.
A high number of institutions have findings related to SSL certificates that can’t be trusted. An SSL certificate verifies that the data being shared is actually from a trusted source. When the certificate is correctly installed on the institution’s web server, a secure connection is established. These certificates are issued by a registered certificate authority to ensure authenticity.
Out-of-date certificates create vulnerability to man-in-the-middle attacks. These attacks occur when an attacker secretly relays, and possibly alters, communication between two parties who believe they are directly communicating with each other.
Take these steps to make sure your certificates work to keep information safe:
- Confirm that the top of the certificate chain sent by the server is a root from a known public certificate authority. When the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing, validation of the certificate may fail.
- Make sure every certificate in the chain is valid at the time of the scan. If the scan occurs before one of the certificates’ “Not Before” dates, or after one of the certificates’ “Not After” dates, validation can fail.
- Ensure that no certificate in the chain carries a signature that doesn’t match the certificate’s contents or that can’t be verified. Bad signatures can be resolved by having the certificate re-signed by its issuer.
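As an added example (this is not SHAZAM’s code), the following script builds a throwaway root CA and leaf certificate with openssl and then reproduces each of the three findings above with `openssl verify`. The CA names and the host bank.example are constructed, `-attime` stands in for the scan date, and it assumes openssl 1.1.0 or later on the PATH.

```shell
#!/bin/sh
# Added example (not SHAZAM's code): build a throwaway root CA and leaf with
# openssl, then reproduce the three findings above with `openssl verify`.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

mkroot() {  # mkroot NAME SUBJECT: constructed self-signed root CA, 365 days
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
mkroot root  "/CN=Demo Root CA"     # the "known" CA that signs the leaf
mkroot other "/CN=Unrelated Root"   # a trust store that lacks the issuer

# Leaf for the constructed host bank.example, signed by root, valid 1 day.
openssl req -newkey rsa:2048 -nodes -subj "/CN=bank.example" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
  -CAkey "$WORK/root.key" -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null

# tamper_signature IN.pem OUT.pem: flip one bit in the last signature byte, so
# the chain still links by issuer name/key id but the signature no longer verifies.
tamper_signature() {
  openssl x509 -in "$1" -outform DER -out "$WORK/t.der"
  size=$(wc -c < "$WORK/t.der")
  last=$(tail -c 1 "$WORK/t.der" | od -An -tu1 | tr -d ' ')
  { head -c "$((size - 1))" "$WORK/t.der"
    printf "\\$(printf '%03o' "$((last ^ 1))")"; } > "$WORK/bad.der"
  openssl x509 -in "$WORK/bad.der" -inform DER -out "$2"
}
tamper_signature "$WORK/leaf.pem" "$WORK/leaf_badsig.pem"

# check CAFILE CERT [verify options]: prints "ok" or openssl's X509 error text
check() {
  ca=$1; cert=$2; shift 2
  if out=$(openssl verify -CAfile "$ca" "$@" "$cert" 2>&1); then echo ok; return; fi
  printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}
check_trusted_root()   { check "$WORK/root.pem"  "$WORK/leaf.pem"; }
check_untrusted_root() { check "$WORK/other.pem" "$WORK/leaf.pem"; }
check_not_yet_valid()  { check "$WORK/root.pem"  "$WORK/leaf.pem" -attime 946684800; }  # 2000-01-01
check_expired()        { check "$WORK/root.pem"  "$WORK/leaf.pem" -attime 2145916800; } # 2038-01-01
check_bad_signature()  { check "$WORK/root.pem"  "$WORK/leaf_badsig.pem"; }

for c in check_trusted_root check_untrusted_root check_not_yet_valid \
         check_expired check_bad_signature; do
  printf '%-22s %s\n' "$c" "$($c)"
done
```

Only the first check prints `ok`; the others print the reason openssl gives, which is the same text a scanner reports for each finding.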
Your IT staff or IT vendor should make this issue a priority for your next information security assessment. The confidentiality, integrity and availability of your institution’s and your customers’ information are at stake.
About the Author
Ben Hayden utilizes his expertise in cyber investigations, financial crimes and digital forensics to assist financial institutions in evaluating their cybersecurity vulnerabilities. He manages SHAZAM’s risk management services, helping member institutions mitigate their risks in information