3/28/2019
02:30 PM
Pankaj Parekh
Commentary

Quantum Computing and Code-Breaking

Prepare today for the quantum threats of tomorrow.

With all the grand speculation and hype tied to quantum computing, the technology seems more like it belongs in the realm of science fiction rather than your daily tech newsfeed. But this isn't science fiction. Tech companies around the world are racing to bring quantum computers into the mainstream of business processes to unlock new capabilities, services, and revenue models.

However, as quantum computers begin to gain traction and move out of R&D environments, government agencies and security experts are already sounding the alarm about the harm such breakthrough technology could wreak on data security.

A quantum computer is based on the superposition principle — that a qubit (a bit in a quantum computer) can exist in the state of a 0, a 1, or both states at once. Today, the largest publicly available quantum computer from IBM Q (an IBM initiative to build quantum computers for business and science) has 20 qubits — so it can exist in 2^20 or just over a million states at once. When technologists double this to 40 qubits, that becomes just over a trillion states at once. This could be a powerful tool for breaking data encryption; instead of trying one combination at a time sequentially, the quantum computer can try a very large number at the same time. Experts suggest that a computer with 2,000 to 4,000 qubits would be enough to defeat conventional strong encryption standards within a reasonable time.

Today's largest publicly available computer from IBM: IBM's Q System One, a 20-qubit machine, was on display at IBM's THINK Conference in San Francisco this February. It is shown here without the cooling required to get it to a fraction of a degree above absolute zero.

Source: SecurityFirst

Luckily for the data security industry, a quantum computer is made of a collection of high-end refrigeration and other large-science experimental gear — because, well, it is cutting-edge experimental physics. When first invented, a 5MB disk drive was as big as two large vending machines. Now you can put a million times more data on a thumb drive that fits in your pocket. The constant in computing is that things get smaller, faster, and cheaper, but for now, quantum computing is a large, expensive, and finicky physics lab resident.

The security industry is gearing up to upgrade standards to protect against quantum attacks. But there are a couple of methods available to protect against this threat right now. Today, best practices in security require multiple levels of protection. Advanced persistent threats (APTs) involve malicious code being installed on a server inside the security perimeter, so once the hacker has defeated the firewalls, the malicious code is inside and looks for vulnerable servers. Every server should use encryption to prevent data extraction or corruption. You can't put a quantum computer onto a corporate server because, remember, it's a physics lab, not a piece of portable code. Therefore, you need to protect data right at the source — on the servers. It is important to protect data with proper access policies that tie to processes, applications, and users, with unique encryption for different data sets. This reduces an APT-initiated process's ability to access data in the first place, and unique encryption makes it even more difficult to decrypt all the data together.

But what if a cybercriminal or nation-state hacker extracts data or keys and transports them to a quantum computer facility? IBM and others already have made small quantum computers available to the public. And if you compare an emerging technology such as TensorFlow for machine learning, you will see that you can already provision very large capacities of highly optimized TensorFlow on Amazon Web Services, so it's likely that a public cloud provider will offer quantum computing as a service once the technology has matured.

To face this threat, a comprehensive approach to protecting data on servers includes:

  • Proper management of keys, including hierarchical keys to enable key rotation.
  • Applying firewall-like rules for data access, restricting access by user ID and application.
  • Reporting any unauthorized or suspicious attempts to access data. Good reporting and alerting can prevent loss of data after a single key or server has been compromised but before critical data is sent out for quantum-powered code breaking.
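The three controls above can be sketched together in a few lines. This is an added example, not code from the article or from any product: the class, the user and application names, and the alert threshold are assumptions, and the root keys held in memory here would sit in an HSM or key management service in practice.

```python
import hashlib
import hmac
import os

def hkdf_sha256(root_key: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with the default all-zero salt, standard library only."""
    prk = hmac.new(b"\x00" * 32, root_key, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

class KeyHierarchy:
    """Versioned root keys; every data set gets its own derived key."""
    def __init__(self):
        self.roots = {}      # version -> root key (assumption: held in memory)
        self.current = 0
        self.rules = set()   # allowed (user_id, application, dataset) triples
        self.denied = []     # audit trail of refused requests

    def rotate_root(self) -> int:
        """Add a new root version; older versions stay available for re-encryption."""
        self.current += 1
        self.roots[self.current] = os.urandom(32)
        return self.current

    def allow(self, user_id, application, dataset):
        self.rules.add((user_id, application, dataset))

    def dataset_key(self, user_id, application, dataset, version=None):
        """Default deny: a key is released only for an explicitly allowed triple."""
        if (user_id, application, dataset) not in self.rules:
            self.denied.append((user_id, application, dataset))
            raise PermissionError(f"{user_id}/{application} denied for {dataset}")
        version = version or self.current
        return version, hkdf_sha256(self.roots[version], dataset.encode())

    def alerts(self, threshold=3):
        """User/application pairs with `threshold` or more refused requests."""
        counts = {}
        for user_id, application, _ in self.denied:
            pair = (user_id, application)
            counts[pair] = counts.get(pair, 0) + 1
        return sorted(pair for pair, n in counts.items() if n >= threshold)
```

Because each data set key is derived from a versioned root, rotating the root changes every data set key at once, while the version stored next to each record tells the system which key to use until that record is re-encrypted.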

Encrypting and spreading the data across multiple servers or clouds provides additional protection, meaning that if one is compromised, the data is still secure and can be recovered from the uncorrupted servers, while the threat is being identified and neutralized.

In particular, organizations need to have cryptographic agility, which is the capacity for an IT system to promptly shift from existing cryptographic methods without significant changes to system infrastructure. In fact, according to NIST guidelines, becoming crypto-agile is no longer optional. Here are a few steps organizations can take to become crypto-agile:

  • Implement a cryptographic control center that functions as an interface to manage cryptographic policies for every application.
  • Establish an abstraction layer that acts as an API to hide cryptographic information. This ensures that application programmers can continue development without any clear disruptions to cryptographic solutions. When a security team needs to update an encryption solution, all they have to do is update the abstraction layer, thus eliminating the need to educate programmers on complex details of cryptography.
  • Conduct a full assessment of cryptography used by various information systems, and implement a centralized crypto key management system. This gives administrators the flexibility to manage application keys through automated protocols.
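A minimal sketch of the control center and abstraction layer described in these steps, added here as an illustration and not taken from the article or any product. The class names and algorithm IDs are assumptions, and keyed integrity tags (HMAC) stand in for encryption so that the example runs on the Python standard library alone; the layer has the same shape when the primitive is a cipher.

```python
import hashlib
import hmac

class CryptoPolicy:
    """Central control point: which algorithm IDs exist, which one is current,
    and which older ones are still accepted while stored data is migrated."""
    def __init__(self):
        self.algorithms = {}   # alg_id -> hashlib constructor
        self.accepted = set()
        self.current = None

    def register(self, alg_id, digest, make_current=False):
        self.algorithms[alg_id] = digest
        self.accepted.add(alg_id)
        if make_current:
            self.current = alg_id

    def retire(self, alg_id):
        if alg_id == self.current:
            raise ValueError("cannot retire the current algorithm")
        self.accepted.discard(alg_id)

class Sealer:
    """The only API applications call. Output: b'<alg_id>$<hex tag>$<payload>'."""
    def __init__(self, policy, key):
        self.policy, self.key = policy, key

    def _tag(self, alg_id, payload):
        # The algorithm ID is covered by the tag so it cannot be swapped silently.
        digest = self.policy.algorithms[alg_id]
        message = alg_id.encode() + b"$" + payload
        return hmac.new(self.key, message, digest).hexdigest().encode()

    def seal(self, payload: bytes) -> bytes:
        alg_id = self.policy.current
        return b"$".join([alg_id.encode(), self._tag(alg_id, payload), payload])

    def open(self, sealed: bytes) -> bytes:
        alg_raw, tag, payload = sealed.split(b"$", 2)
        alg_id = alg_raw.decode()
        if alg_id not in self.policy.accepted:
            raise ValueError(f"algorithm {alg_id!r} is not accepted by policy")
        if not hmac.compare_digest(tag, self._tag(alg_id, payload)):
            raise ValueError("integrity check failed")
        return payload

    def reseal(self, sealed: bytes) -> bytes:
        """Migrate a stored record to whatever the policy currently mandates."""
        return self.seal(self.open(sealed))
```

Application code only ever calls `seal`, `open` and `reseal`; moving to a new algorithm is one `register(..., make_current=True)` call in the policy, followed by `retire` once stored records have been resealed.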

Regular use of quantum mechanics in computing is still far from common, but according to a recent report from the National Academies of Sciences, Engineering, and Medicine, companies need to speed up preparations for the time when quantum technology can crack conventional defenses.

While there may not be an immediate danger of sensitive data being breached by someone with quantum computing technology, all organizations should have the beginnings of a quantum resilience data protection plan in place because the race to the first quantum computer is fierce. Fortune 500 companies, including IBM, Google, Microsoft, and Intel, are increasingly plugging away on quantum technology, and countries (including China) are investing billions of dollars into research and development, ensuring the era of quantum computing is quickly approaching. My advice: Begin protecting against tomorrow's — or 2029's — threats today.


Pankaj Parekh was appointed Chief Product and Strategy Officer (CPSO) of SecurityFirst in August 2018. He is responsible for the long-range vision to set the direction for the company's products, as well as running the development, testing, and delivery organizations for ...