
10/29/2020
10:00 AM
Tim Hollebeek
Commentary

Is Your Encryption Ready for Quantum Threats?

Answers to these five questions will help security teams defend against attackers in the post-quantum computing era.

In October 2019, Google announced it had achieved "quantum supremacy" in a Forbes article entitled "Quantum Computing Poses An Existential Security Threat, But Not Today." The Google team had developed a quantum computer that could complete a computation in just over three minutes instead of the 10,000 years it would have taken on a traditional computer.

While large-scale commercial quantum computers today are still probably years away from achieving this landmark quantum benchmark, it's worth noting that cybercriminals with access to a sufficiently capable quantum computer can harness the technology to crack encryption protecting companies' data. The following questions and answers will help you get ready for the coming post-quantum computing (PQC) era.


Question 1: How can my organization prepare for quantum computing?
It's impossible to know where to go without knowing where you currently stand. Measuring your organization's current PQC level of maturity (knowledge of the threat plus action taken so far to mitigate it) is an important start to developing an action plan. Some companies have little to no knowledge and haven't prepared much, if at all, to address the threat, while those at the other end of the spectrum have made major strides in both areas.

In between are organizations that have a vast knowledge of the future threat but haven't taken action yet, those that have some knowledge and have taken some action, and those with advanced knowledge and the beginnings of a plan. Knowing where your organization stands will guide your company's future strategy. One of your most important first steps, once you're familiar with the threat, is to find all the places where cryptography is used within your organization. This allows you to evaluate and prioritize these uses, and develop a plan to replace them.
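As an added example (not part of the original article), one way to begin the inventory step for TLS endpoints is to parse each negotiated cipher suite into its primitives and rank assets by quantum exposure. It assumes TLS 1.2 IANA suite names; the inventory rows, the scoring weights and the 128-bit floor are constructed for illustration.

```python
import re

# Public-key primitives broken by Shor's algorithm on a large quantum computer.
SHOR_BREAKABLE = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "DSS"}
MIN_QUANTUM_BITS = 128  # assumed policy floor for post-Grover strength

def parse_suite(name):
    """Split an IANA TLS 1.2 suite name into (key exchange, auth, key bits)."""
    m = re.fullmatch(r"TLS_(.+)_WITH_(.+)", name)
    if not m:
        raise ValueError(f"unsupported suite name: {name}")
    left, cipher = m.group(1).split("_"), m.group(2)
    kex, auth = left[0], left[-1]  # "TLS_RSA_..." uses RSA for both roles
    if cipher.startswith("CHACHA20"):
        return kex, auth, 256
    size = re.match(r"(?:AES|CAMELLIA|ARIA)_(\d+)", cipher)
    if not size:
        raise ValueError(f"unrecognised cipher in suite: {name}")
    return kex, auth, int(size.group(1))

def assess(asset, suite, retention_years):
    """Return (score, asset, findings); the scoring is an assumed heuristic."""
    kex, auth, bits = parse_suite(suite)
    score, findings = 0, []
    if kex in SHOR_BREAKABLE:
        # Traffic recorded today can be decrypted later, so weight by how
        # long the data must stay confidential.
        score += retention_years
        findings.append(f"key exchange {kex}")
    if auth in SHOR_BREAKABLE:
        score += 1
        findings.append(f"authentication {auth}")
    if bits // 2 < MIN_QUANTUM_BITS:  # Grover roughly halves key strength
        score += 1
        findings.append(f"symmetric key {bits}-bit")
    return score, asset, findings

def prioritise(inventory):
    return sorted((assess(*row) for row in inventory), reverse=True)

# Constructed sample inventory: (asset, negotiated suite, retention in years).
INVENTORY = [
    ("public-web", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 1),
    ("payroll-archive", "TLS_RSA_WITH_AES_128_CBC_SHA", 10),
    ("sensor-link", "TLS_PSK_WITH_AES_256_GCM_SHA384", 5),
]

for score, asset, findings in prioritise(INVENTORY):
    print(f"{score:>3}  {asset:<16} {', '.join(findings) or 'none found'}")
```

TLS 1.3 suite names omit the key exchange, so for those endpoints the negotiated group has to be recorded separately.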

Question 2: Do my partners and vendors share my mindset?
Get the buy-in of people within your organization, including the executive team, in your quantum computing preparedness efforts, but look beyond your organization as well. Your vendors, partners, and third parties could inadvertently put you at risk if they haven't properly prepared for quantum threats themselves. All the time you've spent quantum-proofing your organization could be undone if the companies you partner with aren't secured against quantum attacks. Don't trust your data and information with these companies until learning if they share your perspective.

Question 3: Are you following encryption management best practices?
Effective encryption management offers insights into all your networks. Look for an encryption management platform that offers comprehensive reporting to ensure current systems are correctly configured and updated. Other useful features include digital certificate automation and full visibility into what's happening with your company's network and connected devices.

Question 4: Does your organization understand — and possess — crypto-agility?
Cryptographic agility, or crypto-agility, doesn't mean using different algorithms for encrypting and other essential functions. Instead, it involves understanding where encryption is used in your organization, how these encryption technologies are deployed, and how to identify and solve problems. This will put you in the right place to act fast when the time comes to replace outdated cryptography using an automated certificate manager.

Question 5: Does your company use Hardware Security Modules?
Hardware Security Modules (HSMs) — often in the form of a plug-in card or external device connected to a computer — have secure crypto processor chips. They protect and manage digital keys and enable companies to create custom keys. Opt for HSMs that can be upgraded to quantum-safe encryption.

Estimates vary on when cybercriminals will begin using quantum computing to challenge today's cryptography. It's clear, though, that software, devices, and encrypted data developed and used today will still be around when the quantum threat emerges. Tightening data encryption is going to be critical.

Timothy Hollebeek has 19 years of computer science experience, including eight years working on innovative security research funded by the Defense Advanced Research Projects Agency. He then moved on to architecting payment security systems, with an emphasis on encryption and ...