Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/29/2020
10:00 AM
Tim Hollebeek
Tim Hollebeek
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Is Your Encryption Ready for Quantum Threats?

Answers to these five questions will help security teams defend against attackers in the post-quantum computing era.

In October 2019, Google announced it had achieved "quantum supremacy" in a Forbes article entitled "Quantum Computing Poses An Existential Security Threat, But Not Today." The Google team had developed a quantum computer that could complete a computation in just over three minutes instead of the 10,000 years it would have taken on a traditional computer.

While large-scale commercial quantum computers today are still probably years away from achieving this landmark quantum benchmark, it's worth noting that cybercriminals with access to a sufficiently capable quantum computer can harness the technology to crack encryption protecting companies' data. The following questions and answers will help you get ready for the coming post-quantum computing (PQC) era.

Related Content:

NIST Quantum Cryptography Program Nears Completion

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: What Is End-to-End Encryption?

Question 1: How can my organization prepare for quantum computing?
It's impossible to know where to go without knowing where you currently stand. Measuring your organization's current PQC level of maturity (knowledge of the threat plus action taken so far to mitigate it) is an important start to developing an action plan. Some companies have little to no knowledge and haven't prepared much, if at all, to address the threat, while those at the other end of the spectrum have made major strides in both areas.

In between are organizations that have a vast knowledge of the future threat but haven't taken action yet, those that have some knowledge and have taken some action, and those with advanced knowledge and the beginnings of a plan. Knowing where your organization stands will guide your company's future strategy. One of your most important first steps, once you're familiar with the threat, is to find all the places where cryptography is used within your organization. This allows you to evaluate and prioritize these uses, and develop a plan to replace them.

Question 2: Do my partners and vendors share my mindset?
Get the buy-in of people within your organization, including the executive team, in your quantum computing preparedness efforts, but look beyond your organization as well. Your vendors, partners, and third parties could inadvertently put you at risk if they haven't properly prepared for quantum threats themselves. All the time you've spent quantum-proofing your organization could be undone if the companies you partner with aren't secured against quantum attacks. Don't trust your data and information with these companies until learning if they share your perspective.

Question 3: Are you following encryption management best practices?
Effective encryption management offers insights into all your networks. Look for an encryption management platform that offers comprehensive reporting to ensure current systems are correctly configured and updated. Other useful features include digital certificate automation and full visibility into what's happening with your company's network and connected devices.

Question 4: Does your organization understand — and possess — crypto-agility?
Cryptographic agility, or crypto-agility, doesn't mean using different algorithms for encrypting and other essential functions. Instead, it involves understanding where encryption is used in your organization, how these encryption technologies are deployed, and how to identify and solve problems. This will put you in the right place to act fast when the time comes to replace outdated cryptography using an automated certificate manager.

Question 5: Does your company use Hardware Security Modules?
Hardware Security Modules (HSMs) — often in the form of a plug-in card or external device connected to a computer — have secure crypto processor chips. They protect and manage digital keys and enable companies to create custom keys. Opt for HSMs that can be upgraded to quantum-safe encryption.

Estimates vary on when cybercriminals will begin using quantum computing to challenge today's cryptography. It's clear, though, that software devices and encrypted data developed and used today will still be around when the quantum threat emerges. Tightening data encryption is going to be critical.

Timothy Hollebeek has 19 years of computer science experience, including eight years working on innovative security research funded by the Defense Advanced Research Projects Agency. He then moved on to architecting payment security systems, with an emphasis on encryption and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3493
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
CVE-2021-3492
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
CVE-2020-2509
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q...
CVE-2020-36195
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...