Vulnerabilities / Threats

10/29/2020
10:00 AM
Tim Hollebeek
Commentary
Is Your Encryption Ready for Quantum Threats?

Answers to these five questions will help security teams defend against attackers in the post-quantum computing era.

In October 2019, Google announced it had achieved "quantum supremacy" in a Forbes article entitled "Quantum Computing Poses An Existential Security Threat, But Not Today." The Google team had developed a quantum computer that could complete a computation in just over three minutes instead of the 10,000 years it would have taken on a traditional computer.

While large-scale commercial quantum computers capable of this kind of feat are probably still years away, it's worth noting that cybercriminals with access to a sufficiently capable quantum computer could use it to break the encryption protecting companies' data. The following questions and answers will help you get ready for the coming post-quantum computing (PQC) era.

Question 1: How can my organization prepare for quantum computing?
It's impossible to know where to go without knowing where you currently stand. Measuring your organization's current PQC level of maturity (knowledge of the threat plus action taken so far to mitigate it) is an important start to developing an action plan. Some companies have little to no knowledge and haven't prepared much, if at all, to address the threat, while those at the other end of the spectrum have made major strides in both areas.

In between are organizations that have a vast knowledge of the future threat but haven't taken action yet, those that have some knowledge and have taken some action, and those with advanced knowledge and the beginnings of a plan. Knowing where your organization stands will guide your company's future strategy. One of your most important first steps, once you're familiar with the threat, is to find all the places where cryptography is used within your organization. This allows you to evaluate and prioritize these uses, and develop a plan to replace them.

Question 2: Do my partners and vendors share my mindset?
Get the buy-in of people within your organization, including the executive team, for your quantum computing preparedness efforts, but look beyond your organization as well. Your vendors, partners, and third parties could inadvertently put you at risk if they haven't properly prepared for quantum threats themselves. All the time you've spent quantum-proofing your organization could be undone if the companies you partner with aren't secured against quantum attacks. Don't entrust your data and information to these companies until you have learned whether they share your perspective.

Question 3: Are you following encryption management best practices?
Effective encryption management offers insights into all your networks. Look for an encryption management platform that offers comprehensive reporting to ensure current systems are correctly configured and updated. Other useful features include digital certificate automation and full visibility into what's happening with your company's network and connected devices.

Question 4: Does your organization understand — and possess — crypto-agility?
Cryptographic agility, or crypto-agility, doesn't mean using different algorithms for encrypting and other essential functions. Instead, it involves understanding where encryption is used in your organization, how these encryption technologies are deployed, and how to identify and solve problems. This will put you in the right place to act fast when the time comes to replace outdated cryptography using an automated certificate manager.

Question 5: Does your company use Hardware Security Modules?
Hardware Security Modules (HSMs) — often in the form of a plug-in card or external device connected to a computer — contain secure cryptoprocessor chips. They protect and manage digital keys and enable companies to create custom keys. Opt for HSMs that can be upgraded to quantum-safe encryption.

Estimates vary on when cybercriminals will begin using quantum computing to challenge today's cryptography. It's clear, though, that software, devices, and encrypted data developed and used today will still be around when the quantum threat emerges. Tightening data encryption is going to be critical.

Timothy Hollebeek has 19 years of computer science experience, including eight years working on innovative security research funded by the Defense Advanced Research Projects Agency. He then moved on to architecting payment security systems, with an emphasis on encryption and ...