Transport Layer Security: What Stakeholders Need to Know about Communication Security
Transport Layer Securities are designed to provide security at the transport layer to prevent third parties from eavesdropping or tampering with messages
29 November 2022
The main purpose of penetration testing is to discover weaknesses within our systems and applications. Armed with the knowledge of where those weaknesses lie, organisations can then proceed to fix those issues. As most vulnerabilities tend to be well-documented, the remediation process is usually clear – yet nevertheless many organisations find it extremely difficult to implement the necessary fixes for various reasons. This article will explore a simple scenario drawn from our own experience with pen testing and will hopefully help us to view such situations in a more sympathetic light.
What is TLS and How Does it Work?
Supply Chain and Business Complexities Sometimes Make a Remediation Plan Difficult
Despite this, many organisations nevertheless continue to leave the issue unfixed – not because of technical difficulty, nor cost, but purely for business reasons. Most of these are large organisations with updated systems, but who nevertheless need to communicate with clients, vendors, and business partners regularly, many of whom are SMEs who simply cannot afford to fix the issues on their side. If their vendor's systems are too outdated to support TLS 1.2, then organisations would need to support older versions of TLS to facilitate communications. An organisation would need to be running Windows 10 or Server 2019 to be able to support TLS 1.3, or Windows 7 (and even then, it's not enabled by default) / Server 2008 for TLS 1.2. Surprising as it may sound to some of us, there are many older SMEs out there who do not meet these requirements.
This reminds us that security cannot be implemented in isolation, especially when it comes to supply-chain issues like these – all stakeholders need to work together, and nobody should be left behind. We need to provide support to SMEs, some of whom are still running Windows XP, and educate them on the importance of upgrading their systems. Perhaps some form of standard systems requirement template (updated whenever necessary, of course) enforced by large organisations on their SME partners, or maybe even the option to rent such infrastructure as part of a business partner package. Or perhaps some brave entrepreneurs will see a market for such services and provide them on a third-party commercial basis. Right now, thought, SMEs are struggling to keep up with security requirements, and as a result, organisations are obliged to compromise their security positions to facilitate the working relationship. This is a ticking time-bomb, and hopefully everyone can work towards a solution sooner rather than later.
Business Manager, Intertek NTA
Ian Liew is a Business Manager with Intertek NTA, and manages penetration testing projects across Malaysia, Singapore, and Hong Kong. Ian regularly attends conferences across SE Asia to promote cybersecurity and career opportunities within cyber across the region.
Penetration Tester, Intertek NTA
Rueben Ng is a Penetration Tester with Intertek NTA, and regularly conducts PCI ASV scanning, penetration testing of networks, web applications, and mobile apps, as well as social engineering services, for various industries such as retail, e-commerce, telecommunications, and education.