Call us Toll Free (USA): 1-833-844-9468     International: +1-603-280-4451 M-F 8am to 6pm EST

TrustFour Scan of Fortune 500 Uncovers Seven Deadly Sins of TLS Configuration Non-Compliance Against NIST 800-52R

San Diego (September 26, 2023) – TrustFour, the first TLS control plane, announced today the results of its first semi-annual reports of Transport Security Layer (TLS) boundary configuration compliance for the Fortune 500. In its report titled, “State of TLS Boundary Compliance Report,” TrustFour uncovered several trends that makeup the “seven deadly sins” of TLS configuration non-compliance” against the National Institute of Standards and Technology (NIST) 800-52 R2 standard. NIST 800-52 R2 is the de facto configuration standard that is used by regulators to audit TLS implementation compliance in the finance, utilities, government and healthcare industries, among many others.

“TLS configuration is a mission-critical aspect of reducing the attack surface for any organization, ensuring data-in-transit data integrity and privacy. Frankly we were surprised by several of our findings, when we scanned Fortune 500’s domains and sub-domains North-South boundary against the NIST 800-52R standard,” said Robert Levine, CEO of TrustFour, Inc. “After scanning more than 115,000 domains and sub-domains, we were surprised at the number and types of vulnerabilities. The good news is that these are issues that can mainly be addressed quickly and will significantly lower the organizations’ threat profiles. We will scan the Fortune 500 twice a year and provide the public with the results.”

The Research and Findings
TrustFour’s State of TLS Boundary Compliance Report, analyzed the security and compliance of nearly 120,000 domains across Fortune 500 companies. Inspecting those domains showed a median of 56 subdomains and an average of 1.6 servers per subdomain. TrustFour’s research found 12.5% of those servers still accept connections using TLS 1.0 and 1.1. The IETF deprecated these protocol versions in March 2021, in response to significant security vulnerabilities.

NIST defines standards to guide proper implementation of TLS, including acceptable versions, ciphersuites, key lengths and handshake details. Less than 1% of all Fortune 500 servers are presently NIST compliant, exposing companies to data privacy risk, data integrity vulnerabilities, and man-in-the-middle attacks. Keep in mind, these are the most protected domains on the planet. The biggest risk factors included the use of old versions of TLS, old cipher suites, and incorrect or under configured TLS extensions designed to address known vulnerabilities.

The good news is 80% of the Fortune 500 can achieve NIST compliance with just 7 straight forward configuration changes. TrustFour offers a free service that helps organizations visualize and prioritize configuration changes and boost TLS compliance in just minutes. Simply scan your domains, generate the report, and see your domain’s compliance score at https://www.tlscompliance.com/.

The Seven Deadly Sins of TLS Non-Compliance

• Old versions of TLS:
• 12% of the servers scanned are still running TLS V1.0 and V1.1 which should be disabled due to be deprecated by the IETF.
• Old cipher suites
• 63% of the servers scanned still supported old cipher suites that should be disabled. Most often, CBC cipher suites were enabled.
• Certificate Status Request
• 44% of the servers scanned do not support the ability to send a signed certificate status within the TLS handshake, shunting full OCSP pressure on the Certificate Authority.
• Encrypt-then-Mac
• 29% of the servers scanned are configured to perform a MAC then encrypt which has been the subject of security vulnerabilities.
• Extended Master Secret
• 8% of the servers scanned are not configured properly to prevent a man-in-the-middle attack.
• Server Name Indication
• 6% of the servers scanned don’t support this feature which can cause the server to give the wrong certificate for a given connection.
• Supported Points
• 4% of the servers scanned won’t accept cert/chain or ephemeral keys that use compression causing the server to consume cycles rejecting connections.

The Fortune 500 were scanned using TrustFour’s recently released Amundsen, a part of TrustFour’s TLS Control Plane that provides detection, control and protection. As the most advanced tool for monitoring external transport security layer TLS connection compliance, TrustFour’s Amundsen gives businesses unmatched actionable intelligence to fortify their defenses and safeguard their most valuable assets. TrustFour Amundsen leverages its patented technology, for the first time allowing businesses to scan and monitor an organization’s North-South boundary against the NIST 800-52R standard, the de facto configuration standard that is used by regulators to audit TLS implementation compliance in the finance, utilities, government and healthcare industries, among many others.

As the most widely used security protocol, when configured correctly, TLS provides effective privacy and data integrity for communications. Amundsen examines an organization’s domains and sub-domains, providing a detailed weekly report of the enterprise boundary that includes specific recommendations for helping businesses maintain compliance, ensuring that TLS is configured optimally, significantly increasing data integrity and privacy.

The State of TLS Boundary Compliance Report is available for free at https://trustfour.com/white-papers.

About TrustFour, Inc.

Founded in 2022, TrustFour is the first TLS Control Plane, enabling organizations to effectively monitor and manage their transport security layer implementation. By enabling organizations to detect, control and protect their transport security layer implementations, TrustFour helps organizations ensure data integrity and privacy in today’s dynamic, interconnected digital landscape. For more information, please visit www.trustfour.com.

TrustFour Scan of Fortune 500 Uncovers Seven Deadly Sins of TLS Configuration Non-Compliance Against NIST 800-52R
Press Release by TrustFour
26 September 2023, 7:55

Media Contact

Ed Schauweker
ed[at]avidpr.com