Since information is obtained from publicly available data sources, as outlined in our Network Mapping Process, events cannot be removed from Bitsight data stores. If an event was removed by the organization but is still publicly observable, it is considered a leftover or forgotten asset and will still be captured by Bitsight.
Because of leftover or forgotten assets, a company’s liability extends beyond the scope of its current and past infrastructure. Accounting for this extended liability supports asset tracking and asset management, and also protects against potential risks such as:
- Older certificates can become insecure for various reasons, including revocation. Certificate lifespans are partly meant to ensure that certificates are replaced periodically. This issue is significant enough that major browser vendors are reducing the maximum validity period, e.g., Apple reduced the maximum validity period to 398 days[1].
- The certificate may be associated with a deprecated and unused application that is externally exposed but is no longer supported, providing an unnecessary increased attack surface to the organization.
- If the certificate for a given web application has expired, it is unclear to the user or system whether other problems are also undermining the encryption and security applied between the user and the web application.
- Repeated exposure to expired certificates can train an organization’s users and customers to ignore situations where their encryption may be compromised on other web applications. This leads to higher susceptibility to phishing attacks that rely on manipulation and credential harvesting.
- Applications and systems that rely upon properly authenticated and secure TLS communications can fail to function. There are numerous well-known examples of web applications and systems breaking because of expired certificates:
  - Spotify went down for an hour after a certificate expired[2]
  - California under counted COVID-19 cases after certificates expired[3]
  - Microsoft Teams goes down after Microsoft forgot to renew a certificate[4]
  - Equifax breach - security tooling was unable to detect malicious exfiltration because of expired certificates[5]
How to prevent leftover or forgotten assets from affecting ratings:
If your ratings are still affected after the TLS/SSL certificates have been removed, remove the FQDN record and/or TLS/SSL certificate from an asset or completely remove the asset. If the record is removed or is no longer observable, Bitsight will apply the last observation date as the “last seen date.” Please allow up to 60 days from the last seen date for events to stop affecting your rating.
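The checks in the risk list above and the 60-day “last seen” rule described here can be run over an exported inventory of observed certificates. The following script is an added example written for this article, not Bitsight’s own code or API; the certificate records, the `owned` flag (whether the organization still operates the FQDN), and the dates are constructed assumptions used only to illustrate the logic.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_VALIDITY_DAYS = 398   # maximum validity period cited in the article (Apple, 2020)
AGE_OUT_DAYS = 60         # days after the last seen date before an event stops affecting the rating


@dataclass
class ObservedCert:
    """One publicly observed certificate; all fields are constructed sample data."""
    fqdn: str          # hostname the certificate was observed on
    subject_cn: str    # common name inside the certificate
    not_before: date
    not_after: date
    last_seen: date    # last date the certificate was publicly observable
    owned: bool        # assumption: whether the organization still operates this FQDN


def hostname_matches(subject_cn: str, fqdn: str) -> bool:
    """Match a CN against a hostname; a '*.' wildcard covers exactly one leading label."""
    cn, host = subject_cn.lower(), fqdn.lower()
    if cn.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == cn[2:]
    return cn == host


def audit(cert: ObservedCert, today: date) -> list[str]:
    """Return the findings from the article's risk list that apply to this certificate."""
    findings = []
    if cert.not_after < today:
        findings.append("expired")
    if (cert.not_after - cert.not_before).days > MAX_VALIDITY_DAYS:
        findings.append("validity exceeds 398 days")
    if not hostname_matches(cert.subject_cn, cert.fqdn):
        findings.append("hostname mismatch")
    if not cert.owned:
        findings.append("leftover asset: FQDN no longer operated")
    return findings


def rating_impact_ends(cert: ObservedCert) -> date:
    """Date by which the event should stop affecting the rating: last seen + 60 days."""
    return cert.last_seen + timedelta(days=AGE_OUT_DAYS)


def still_affecting(cert: ObservedCert, today: date) -> bool:
    """True while the 60-day window after the last observation has not yet elapsed."""
    return today <= rating_impact_ends(cert)


# Constructed records mirroring the article's scenario (June 2020):
# a certificate left behind at the former ISP, and a current but over-long certificate.
TODAY = date(2020, 6, 15)
STALE_ISP_CERT = ObservedCert("example.com", "example.com",
                              date(2017, 6, 1), date(2018, 6, 1),
                              last_seen=date(2017, 12, 1), owned=False)
LONG_LIVED_CERT = ObservedCert("www.example.com", "*.example.com",
                               date(2020, 1, 1), date(2021, 6, 30),
                               last_seen=date(2020, 6, 14), owned=True)

if __name__ == "__main__":
    for cert in (STALE_ISP_CERT, LONG_LIVED_CERT):
        print(cert.fqdn, audit(cert, TODAY),
              "affects rating until", rating_impact_ends(cert),
              "still affecting:", still_affecting(cert, TODAY))
```

For the stale ISP record the audit reports both `expired` and the leftover-asset finding, while its last observation in December 2017 means its rating impact window closed long before June 2020; the current wildcard certificate is flagged only for exceeding 398 days of validity.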
Example Scenario:
Today is June 2020. Company “B Inc.” had an office in city Zed between 2015 and 2017. They used to subscribe to the Internet and phone service via “D LLC” as their service provider (ISP). As part of the contract with the ISP, a Content Delivery Network (CDN) service was provided to “B Inc.” to host their main website (https://example.com/) with an SSL certificate in the name of example.com.
After the office in city Zed was shut down in late 2017, the internet service was disabled, the contract was closed, and the example.com website and TLS/SSL certificates were moved to a different service provider. The ISP “D LLC” never removed the SSL certificate for the example.com FQDN from their infrastructure. In order to remove this record, the ISP “D LLC” will need to be told who the contractual relationship was with and then asked to remove the stale SSL certificate.
Resources
- Apple, “About upcoming limits on trusted certificates” March 03, 2020
- The Verge, “Spotify went down for an hour after a certificate expired” August 19, 2020
- SC Media, “California under counted COVID-19 cases after certificate expired” August 11, 2020
- The Verge, “Microsoft Teams goes down after Microsoft forgot to renew a certificate” February 3, 2020
- U.S. Government Accountability Office, “Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach” [Page 14] August 2018
- October 8, 2020: Added potential risk examples.