Applying 15 Affecting 3: Top 25 Remediations by Risk
Applying 15 remediations will remediate 96.3% of vulnerabilities and 100% of risk, affecting 3 assets.
Published exploits: 100%. Available malware kits: 0%.
1. Disable insecure TLS/SSL protocol support
Remediation Steps
Configure the server to require clients to use TLS version 1.2 using Authenticated Encryption with Associated Data (AEAD)
capable ciphers.
Assets
Name IP Address Site
addr.arpa 12.49.178.193 basham
Unknown 12.49.178.193 basham
2. Disable SSLv2, SSLv3, and TLS 1.0. The best solution is to only have TLS 1.2 enabled
Remediation Steps
There is no server-side mitigation available against the BEAST attack. The only option is to disable the affected protocols (SSLv3
and TLS 1.0). The only fully safe configuration is to use Authenticated Encryption with Associated Data (AEAD), e.g. AES-GCM,
AES-CCM in TLS 1.2.
Assets
Name IP Address Site
in-addr.arpa 12.49.178.193
Unknown 12.49.178.193 uk
3. Disable TLS/SSL support for 3DES cipher suite
Remediation Steps
Configure the server to disable support for 3DES suite.
For Microsoft IIS web servers, see Microsoft Knowledgebase article 245030 for instructions on disabling 3DES cipher suite.
The following recommended configuration provides a higher level of security. This configuration is compatible with Firefox 27,
Chrome 22, IE 11, Opera 14 and Safari 7. SSLv2, SSLv3, and TLSv1 protocols are not recommended in this configuration.
Instead, use TLSv1.1 and TLSv1.2 protocols.
Refer to your server vendor documentation to apply the recommended cipher configuration:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
Assets
Name IP Address Site
.in-addr.arpa 12.49.178.193
Unknown 12.49.178.193
4. Fix the subject's Common Name (CN) field in the certificate
Remediation Steps
The subject's common name (CN) field in the X.509 certificate should be fixed to reflect the name of the entity presenting the
certificate (e.g., the hostname). This is done by generating a new certificate usually signed by a Certification Authority (CA)
trusted by both the client and server.
Assets
Name IP Address Site
.in-addr.arpa 12.49.178.193
5. Obtain a new certificate from your CA and ensure the server configuration is correct
Remediation Steps
Ensure the common name (CN) reflects the name of the entity presenting the certificate (e.g., the hostname). If the certificate(s)
or any of the chain certificate(s) have expired or been revoked, obtain a new certificate from your Certificate Authority (CA) by
following their documentation. If a self-signed certificate is being used, consider obtaining a signed certificate from a CA.
References: Mozilla: Connection Untrusted Error; SSLShopper: SSL Certificate Not Trusted Error; Windows/IIS certificate chain config; Apache SSL config; Nginx SSL config; CertificateChain.io
Assets
Name IP Address Site
.in-addr.arpa 12.49.178.193
6. Disable TLS/SSL support for static key cipher suites
Remediation Steps
Configure the server to disable support for static key cipher suites.
For Microsoft IIS web servers, see Microsoft Knowledgebase article 245030 for instructions on disabling static key cipher suites.
The following recommended configuration provides a higher level of security. This configuration is compatible with Firefox 27,
Chrome 22, IE 11, Opera 14 and Safari 7. SSLv2, SSLv3, and TLSv1 protocols are not recommended in this configuration.
Instead, use TLSv1.1 and TLSv1.2 protocols.
Refer to your server vendor documentation to apply the recommended cipher configuration:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
Assets
Name IP Address Site
93.78.149.201.in-addr.arpa 201.149.78.93 basham
Unknown 201.149.78.90 basham
7. Use a Stronger Key
Remediation Steps
If the weak key is used in an X.509 certificate (for example for an HTTPS server), generate a longer key and recreate the
certificate.
Please also refer to NIST's recommendations on cryptographic algorithms and key lengths.
Assets
Name IP Address Site
93.78.149.201.in-addr.arpa 201.149.78.93 basham
8. Restrict Query Access on Caching Nameservers
Remediation Steps
Restrict the processing of DNS queries to only systems that should be allowed to use this nameserver.
Assets
Name IP Address Site
93.78.149.201.in-addr.arpa 201.149.78.93 basham
9. Disable TLS/SSL support for RC4 ciphers
Remediation Steps
Configure the server to disable support for RC4 ciphers.
For Microsoft IIS web servers, see Microsoft Knowledgebase article 245030 for instructions on disabling RC4 ciphers.
The following recommended configuration provides a higher level of security. This configuration is compatible with Firefox 27,
Chrome 22, IE 11, Opera 14 and Safari 7. SSLv2, SSLv3, and TLSv1 protocols are not recommended in this configuration.
Instead, use TLSv1.1 and TLSv1.2 protocols.
Refer to your server vendor documentation to apply the recommended cipher configuration:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
Assets
Name IP Address Site
Unknown 201.149.78.90 basham
10. Stop Using SHA-1
Remediation Steps
Stop using signature algorithms relying on SHA-1, such as "SHA1withRSA", when signing X.509 certificates. Instead, use the
SHA-2 family (SHA-224, SHA-256, SHA-384, and SHA-512).
Assets
Name IP Address Site
93.78.149.201.in-addr.arpa 201.149.78.93 basham
11. Restrict Processing of Recursive Queries
Remediation Steps
Restrict the processing of recursive queries to only systems that should be allowed to use this nameserver.
Assets
Name IP Address Site
93.78.149.201.in-addr.arpa 201.149.78.93 basham
12. Generate random Diffie-Hellman parameters
Remediation Steps
Configure the server to use a randomly generated Diffie-Hellman group. It is recommended that you generate a 2048-bit group. The
simplest way of generating a new group is to use OpenSSL:
openssl dhparam -out dhparams.pem 2048
To use the DH parameters in newer versions of Apache (2.4.8 and newer) and OpenSSL 1.0.2 or later, you can directly specify
your DH params file as follows:
SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"
If you are using Apache with LibreSSL, or Apache 2.4.7 and OpenSSL 0.9.8a or later, you can append the DHparams you
generated earlier to the end of your certificate file and reload the configuration.
For other products see the remediation steps suggested by the original researchers.
Assets
Name IP Address Site
Unknown 201.149.78.90 basham
13. Use a Stronger Diffie-Hellman Group
Remediation Steps
Please refer to this guide to deploying Diffie-Hellman for TLS for instructions on how to configure the server to use 2048-bit or
stronger Diffie-Hellman groups with safe primes.
Assets
Name IP Address Site
Unknown 201.149.78.90 basham
14. Disable TCP timestamp responses on Linux
Remediation Steps
Set the value of net.ipv4.tcp_timestamps to 0 by running the following command:
sysctl -w net.ipv4.tcp_timestamps=0
Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:
net.ipv4.tcp_timestamps=0
Assets
Name IP Address Site
Unknown 201.149.78.85 basham
15. Enable TLS/SSL support for strong ciphers
Remediation Steps
Enable support for at least one of the ciphers listed below:
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
• TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Assets
Name IP Address Site
93.78.149.201.in-addr.arpa 201.149.78.93 basham
Unknown 201.149.78.90 basham