The weakest points in companies' external perimeters are support for TLS protocol versions 1.0/1.1, the use of weak cipher suites in SSL/TLS, and expired SSL certificates. These vulnerabilities mean that the connection to a remote resource, such as a website, is left unprotected, or that modern browsers warn users that the resource is insecure, which ultimately may lead to customer churn.
The list of worst offenders also includes self-signed SSL certificates, the absence of the HSTS header (RFC 6797), the use of a Diffie-Hellman modulus of 1024 bits or less in SSL/TLS (Logjam), and SSL certificates signed with a weak hash algorithm.
In addition to the vulnerabilities listed, the top 10 includes findings such as running an unsupported version of the web server, support for the weak RC4 cipher suite, and an SSL certificate chain that contains RSA keys smaller than 2048 bits.
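As an added example (not code from Angara Security or from the article), the check below maps a scanned endpoint's TLS and certificate properties onto the weaknesses listed above, the way a perimeter-inventory script might flag them. The endpoint dictionary format, the finding names and the sample host data are constructed for this example and do not come from any particular scanner.

```python
from datetime import datetime, timezone

# Thresholds taken from the findings listed in the article.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_SIG_HASHES = {"md5", "sha1"}
MIN_RSA_BITS = 2048          # chain keys below this are flagged
MAX_WEAK_DH_BITS = 1024      # Logjam: DH modulus <= 1024 bits

def check_endpoint(ep, now=None):
    """Return the list of perimeter findings for one scanned endpoint.
    `ep` is a constructed dict (this example's own format, not a scanner's)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if WEAK_PROTOCOLS & set(ep["protocols"]):
        findings.append("legacy-tls-version")
    if any("RC4" in suite for suite in ep["cipher_suites"]):
        findings.append("rc4-cipher-suite")
    cert = ep["certificate"]
    if cert["not_after"] <= now:
        findings.append("certificate-expired")
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed-certificate")
    if cert["signature_hash"].lower() in WEAK_SIG_HASHES:
        findings.append("weak-signature-hash")
    if any(bits < MIN_RSA_BITS for bits in cert["chain_rsa_key_bits"]):
        findings.append("rsa-key-under-2048")
    dh_bits = ep.get("dh_modulus_bits")          # None when no DHE suite is offered
    if dh_bits is not None and dh_bits <= MAX_WEAK_DH_BITS:
        findings.append("dh-modulus-1024-or-less")
    if "strict-transport-security" not in {h.lower() for h in ep["response_headers"]}:
        findings.append("missing-hsts")
    return findings

# Constructed sample scan result (not a real host) exhibiting several findings.
SAMPLE_ENDPOINT = {
    "host": "www.example.com",
    "protocols": ["TLSv1.0", "TLSv1.2"],
    "cipher_suites": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "dh_modulus_bits": 1024,
    "response_headers": {"Content-Type": "text/html"},
    "certificate": {
        "subject": "CN=www.example.com", "issuer": "CN=Example CA",
        "signature_hash": "sha1",
        "not_after": datetime(2023, 1, 1, tzinfo=timezone.utc),
        "chain_rsa_key_bits": [2048, 1024],
    },
}

if __name__ == "__main__":
    for finding in check_endpoint(SAMPLE_ENDPOINT):
        print(f"{SAMPLE_ENDPOINT['host']}: {finding}")
```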
"Information security staff may simply not be aware of new services deployed by the IT department. To address this, it is necessary to regularly inventory the external perimeter: daily, weekly. Vulnerabilities can be both the cause of an unbuilt vulnerability management process and the result of excluding DevSecOps from the development of digital services," comments Andrey Makarenko, Head of Business Development at Angara Security.
Among its recommendations, Angara Security also notes the use of continuous monitoring services for external perimeter security. On the one hand, this allows attacked digital assets to be identified in real time; on the other, it allows the criticality of cyber threats to be verified automatically against various indicators.