Chasing the perfect security score

Posted: 2020-04-17 14:26
by brashquido
Hi All,

Have been trying to tidy up the security side of things on my server of late and have become perhaps a little too obsessed with getting the "perfect score" for PCI-DSS, HIPAA and NIST. I've managed an A+ score with PCI-DSS compliance, however am falling short for HIPAA and NIST;

https://www.immuniweb.com/ssl/?id=H7ao2L22

The following checks are still outstanding for full compliance;

HIPAA
- OCSP Stapling

NIST
- OCSP Stapling
- Extended Master Secret extension for TLS versions ≤ 1.2
- Key Share extension for TLS 1.3
- Supported Versions extension for TLS 1.3

Just wondering if anyone had managed to achieve full marks here, and if so if they'd be prepared to share what steps they took to achieve that? If it is just a matter of it can't be done, well I'm fine with that too knowing I've got it configured about as securely as I can. Thanks.

Re: Chasing the perfect security score

Posted: 2020-04-17 17:58
by SorenR
Failed on all accounts ... Probably due to my server banning all (12 servers) the immuniweb servers for being intrusive :mrgreen:

Re: Chasing the perfect security score

Posted: 2020-04-18 05:20
by brashquido
Haha, yeah. I had to temporarily disable autoban while running the tests. Does that mean your servers are a level of security above PCI-DSS, HIPAA & NIST compliant if they can't be connected to to prove they aren't compliant 🤪

Re: Chasing the perfect security score

Posted: 2020-04-18 05:29
by jim.bus
I couldn't resist this comment.

I loved both yours and SorenR's comments on the security compliance checking software.

Re: Chasing the perfect security score

Posted: 2020-04-19 18:14
by mattg
I got an A+ all round last time I did that test, but today get the same as you


Supported versions is draft - https://tools.ietf.org/id/draft-ietf-tls-tls13-23.html
Keyshare is draft - https://tools.ietf.org/html/draft-bzwu- ... eyshare-01
Extended Master Secret extension for TLS is a proposed standard - https://tools.ietf.org/html/rfc7627


It seems to me that NIST is jumping the gun

Re: Chasing the perfect security score

Posted: 2020-04-19 21:09
by SorenR
brashquido wrote: ↑
2020-04-18 05:20
Haha, yeah. I had to temporarily disable autoban while running the tests. Does that mean your servers are a level of security above PCI-DSS, HIPAA & NIST compliant if they can't be connected to to prove they aren't compliant 🤪
I designed my IDS system to ban sender if no email is received after 4+ connect. The banning process is an autonomous process run every 60 seconds. Actually, I am thinking about reducing time to 30 seconds.

The thing is... How secure is a system you can't probe?

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

Re: Chasing the perfect security score

Posted: 2020-04-21 14:51
by brashquido
mattg wrote: ↑
2020-04-19 18:14
I got an A+ all round last time I did that test, but today get the same as you


Supported versions is draft - https://tools.ietf.org/id/draft-ietf-tls-tls13-23.html
Keyshare is draft - https://tools.ietf.org/html/draft-bzwu- ... eyshare-01
Extended Master Secret extension for TLS is a proposed standard - https://tools.ietf.org/html/rfc7627

It seems to me that NIST is jumping the gun

Thanks Matt, it certainly would seem that way. I guess they are just wanting compliance for NIST to be a very exclusive club :? ? Guess that just leaves OCSP Stapling for HIPAA compliance. Did you ever achieve this?
SorenR wrote: ↑
2020-04-19 21:09
I designed my IDS system to ban sender if no email is received after 4+ connect. The banning process is an autonomous process run every 60 seconds. Actually, I am thinking about reducing time to 30 seconds.

The thing is... How secure is a system you can't probe?

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.
Not a bad way to be. I actually got sick of the constant probing so as of a few days ago I started using an external MX service now which I use as a smart relay in hMail. Has meant I can tighten my config right up (at least compared to what it was) as I don't have to worry about supporting old, insecure ciphers and I imagine I'll even disable greylisting and tighten in SMTP access so only those servers specified in my MX records.

Re: Chasing the perfect security score

Posted: 2020-04-21 15:37
by SorenR
brashquido wrote: ↑
2020-04-21 14:51
Not a bad way to be. I actually got sick of the constant probing so as of a few days ago I started using an external MX service now which I use as a smart relay in hMail. Has meant I can tighten my config right up (at least compared to what it was) as I don't have to worry about supporting old, insecure ciphers and I imagine I'll even disable greylisting and tighten in SMTP access so only those servers specified in my MX records.
Oh then you are in for a treat... I had to come up with a few functions to maintain AutoBan and reject mails I don't want... Anyways, I killed the Backup-MX when I switched ISP's earlier this year.

Re: Chasing the perfect security score

Posted: 2020-04-22 13:54
by mattg
brashquido wrote: ↑
2020-04-21 14:51
I guess they are just wanting compliance for NIST to be a very exclusive club :? ? Guess that just leaves OCSP Stapling for HIPAA compliance. Did you ever achieve this?
You have a green tile for HIPAA, so that is a pass for you

I get the same as you do

A+ with all green, except NIST

Re: Chasing the perfect security score

Posted: 2020-04-24 16:44
by brashquido
mattg wrote: ↑
2020-04-22 13:54
You have a green tile for HIPAA, so that is a pass for you

I get the same as you do

A+ with all green, except NIST
It is a pass, but not compliance. I'd need the OCSP Stapling for compliance, such as this;

https://www.immuniweb.com/ssl/?id=2zC2VSPt

Not too fussed either way.

Re: Chasing the perfect security score

Posted: 2020-05-18 06:01
by mattg
Just worked this out (NGINX)

Added --staple-ocsp to my certbot command
Added this to my NGINX config file

ssl_stapling on;                 # include a stapled OCSP response in the TLS handshake
ssl_stapling_verify on;          # verify the stapled response against the issuer chain
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;   # issuer chain used for that verification
Tested TWICE on https://www.immuniweb.com/ssl

Now I get A+
PCI DSS compliant
HIPAA compliant
NIST compliant
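A client-side check for the stapling change above, added here as an example and not part of the thread (it assumes openssl is installed and uses a placeholder host name):

```shell
#!/bin/sh
# Parse the output of "openssl s_client -status" (read from stdin) and
# report whether the server stapled an OCSP response to its handshake.
# openssl prints "OCSP Response Status: successful (0x0)" when a stapled
# response arrived and "OCSP response: no response sent" when it did not.
# Exit status 0 = stapled response present, 1 = none.
ocsp_stapled() {
    grep -q 'OCSP Response Status: successful'
}

# Open a TLS connection to host:port (port defaults to 443), ask for the
# status_request extension and feed the handshake output to the parser.
check_stapling() {
    host="$1"
    port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null \
        | ocsp_stapled
}

# Usage (placeholder host, not a real target):
# if check_stapling mail.example.com 443; then echo "stapling OK"; else echo "no staple"; fi
```

NGINX fetches the OCSP response lazily, so the first handshake after a restart may not carry one; run the check a second time before concluding stapling is off.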