Name: Enforcing Strong TLS Ciphers
Uploaded: 2021-01-20T20:38:19Z
Duration: 39
Description: In order to encrypt the transmission of CHD across open, public networks, the PCI DSS stipulates a specific testing procedure in PCI Requirement 4.1.c.

Enforcing Strong TLS Ciphers

Testing Inbound and Outbound Traffic

In order to encrypt the transmission of CHD across open, public networks, the PCI DSS stipulates a specific testing procedure in PCI Requirement 4.1.c. It says, “Select and observe a sample of inbound and outbound transmissions as they occur to verify that all cardholder data is encrypted with strong cryptography during transit.” You must directly test traffic to ensure that insecure ciphers are not utilized. Of course, the latest version of TLS is going to change over time as the next version comes out. Right now, our latest version is TLS version 1.3, so the minimum version you should be supporting is version 1.2. Older versions of TLS or legacy SSL protocols are all known to have fatal security flaws and do not provide protection for data in transit.

Transcription

Requirement 4.1.c of the PCI Data Security Standard requires that you directly test the traffic that you are allowing your clients to negotiate with your servers to ensure that they are using strong TLS ciphers. One of the very common findings that we have during assessments is that our clients are allowing these insecure ciphers to still be utilized, such as TLS 1.0. So it’s up to you to go in and configure AWS API endpoints, for example, to enforce the use of TLS 1.2.

Enforcing Strong TLS Ciphers

Related Videos

Basic Tools for AWS Security

Cloud Attacks on the Rise

Do All Keys Have Resources Attached?

Enable Role Based Access Control (RBAC) for Azure Key Vault

Encrypt Kubernetes Secrets Using Keys

Encrypting Traffic In and Out of AWS

Encryption Decisions for Your Technology Stack

Encryption Opportunities

Encryption for EBS Volumes

Encryption for S3 Buckets

Enforce Separation of Duties When Assigning KMS Related Roles

Ensure KMS Cryptokeys Are Not Publicly Accessible

Ensure Use of CMKs for Unattached Disks' (CMK)

Ensure that Virtual Hard Disks Are Encrypted

Ensure that an Expiration Date Is Set for All Keys in Non-RBAC Key Vaults

Ensure that an Expiration Date Is Set for All Secrets in Non-RBAC Key Vaults

Ensure the Key Vault Is Recoverable

Events that Drive Key Rotation

FAQs for Amazon S3 Security

How to Configure Encryption for EBS Volumes on Existing EC2 Instances

How to Configure Encryption for EBS Volumes on New EC2 Instances

How to Configure Encryption for RDS

How to Configure Encryption for S3 Buckets

Install Endpoint Protection for All Virtual Machines

Introduction to Amazon Inspector

Key Rotation and Management

Load Balancers Must Require TLS 1.2

Only Install Company-Approved Extensions on Your Virtual Machines

PCI Requirement 3.1 - Keep Cardholder Data Storage to a Minimum

PCI Requirement 3.2 - Do Not Store Sensitive Authentication Data After Authorization

PCI Requirement 3.3 Mask PAN when Displayed

PCI Requirement 3.4 Render PAN Unreadable Anywhere it Is Stored

PCI Requirement 3.4.1 Logical Access Management

PCI Requirement 3.5 Document & Implement Procedures to Protect Keys

PCI Requirement 3.5.1 Maintain a Documented Description of The Cryptographic Architecture

PCI Requirement 3.5.2 Restrict Access to Cryptographic Keys

PCI Requirement 3.5.3 Store Secret and Private Keys Used to Encrypt/Decrypt Cardholder Data

PCI Requirement 3.5.4 Store Cryptographic Keys in The Fewest Possible Locations

PCI Requirement 3.6 Document & Implement all Key-Management Processes & Procedures

PCI Requirement 3.6.1 Generation of Strong Cryptographic Keys

PCI Requirement 3.6.2 Secure Cryptographic Key Distribution

PCI Requirement 3.6.3 Secure Cryptographic Key Storage

PCI Requirement 3.6.4 Cryptographic Key Changes at Cryptoperiod Completion

PCI Requirement 3.6.5 Replacing Weakened Keys

PCI Requirement 3.6.6 Using Split Knowledge & Dual Control

PCI Requirement 3.6.7 Prevention of Unauthorized Substitution of Cryptographic Keys

PCI Requirement 3.6.8 Key-Custodian Responsibilities

PCI Requirement 3.7 Security Policies & Operational Procedures

PCI Requirement 4.1 – Use Strong Cryptography & Security Protocols to Safeguard Sensitive CHD

PCI Requirement 4.1.1 – Ensure Wireless Network Transmitting CHD Use Strong Encryption

PCI Requirement 4.3 – Ensure Security Policies and Procedures are Known to all Affected Parties

PCI Requirements 3.2.1, 3.2.2, & 3.2.3 Do Not Store Tracks, Codes, or PINs After Authorization

Preventing Public Accessibility on DB Instances

Re-Keying for Decryption

Requirement 4 - Encrypt Transmission of Cardholder Data Across Open, Public Networks

Requirement 4.2 – Never Send Unprotected PAN by End-User Technologies

Rotate KMS Encryption Keys Regularly

Route 53 Support for DNSSEC

Set Expiration Date for All Keys in RBAC Key Vaults

Set Expiration Date for All Secrets In RBAC Key Vaults

Take Advantage of Automatic Key Rotation within Azure Key Vault

The AWS Shared Responsibility Model

Use CMEK To Secure GKE Storage

Using AWS KMS

Using Prowler to Evaluate AWS Security

Using S3 Versioning

Using TLS 1.2 to Encrypt Data in Transit

Utilize CMKs for OS and Data Disks