Vince Berk is the Chief Strategist at Quantum Xchange, a post-quantum crypto-agility provider. Ph.D. in AI/ML, founder of FlowTraq.
Many security conversations revolve around intrusive attacks, hacks and threats, with far less focus on the risks of a much larger attack due to the failure of cryptography.
The danger is compounded by the prospect that fast classical computers and quantum technology will be able to decrypt sensitive data. This raises the stakes for security professionals to be prepared for the quantum eventuality.
The U.S. National Institute of Standards and Technology (NIST) is hard at work preparing new encryption algorithms that will give us diversity and optionality in encrypting, and the National Cybersecurity Center of Excellence is trying to help security professionals plan for the forthcoming migration to that new, quantum-resistant cryptography.
That said, protection starts with visibility into the state of your cryptographic infrastructure.
For a variety of reasons, the cryptography we all rely on “just being there” often turns out “not to be there.”
When it comes to cybersecurity, most people focus on “detectors”—network detection tools, phishing email scanners, intrusion detection and malware detection tools—to spot intrusions. This detection-first approach often leaves organizations without adequate visibility and forensic ability to determine what happened.
And with costs up to $100,000 per incident, the reality is that most companies just try to clean up the known mess and move on.
But even with a modest investment in visibility, these “flight recorders” can harness that forensic data when a breach happens. Conversely, you can use that exact same information to your advantage—before the bad guy gets in.
Visibility works both ways.
Case in point: Most internal systems are configured to use a basic software protocol to store passwords and usernames as part of authenticating a user’s right to access applications or files.
All it takes is one user to click on a phishing link, and the hacker is inside the network with that one person’s credentials. At first, the attacker can only access what’s available to that one user. But they can sniff around the network, listen to traffic, see who’s logging in via an unencrypted authentication protocol that should have been encrypted, and then they can spread.
And they spread quickly. A survey of 300 ethical hackers found that nearly 60% of hackers needed less than five hours to exploit a weakness and access data, with 20% saying they could escalate privileges in under two hours.
Such short timelines are a consequence of a lack of security controls inside the perimeter. If you work under the premise that the bad guy is going to come in, you can devise policies and practices to make it hard for him to just walk around once he’s inside your network.
Following the guiding philosophies of zero trust network access goes a long way in making it harder for the adversary to gain deeper access, but unfortunately, the “as designed” is frequently different from the “as implemented” state of zero trust.
Taking proactive steps toward the visibility and auditability of the network is, therefore, crucial. And although access control is often audited, on-network cryptography frequently is not assessed.
First, you need to discover your cryptographic risks. Understand when, where and how encryption is used within your organization and, most crucially, where encryption is deficient or outright lacking. You’ll be able to define an inventory of risks and prioritize them based on your own needs.
Second, assess cryptographic risks in near real time, including monitoring the status of security certificates and crypto handshakes and communications sessions. You’ll be able to visualize possible criminal intent and detect violations.
And third, examine and validate your security policies vis-à-vis ongoing cryptographic changes. This will provide full and continuous crypto management and control as you move toward modernizing encryption standards.
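The three steps above (discover, assess, validate) can be illustrated with a small script. This is an added example, not code from the article or from Quantum Xchange: it runs over a constructed list of observed network sessions (hosts, ports, TLS versions and certificate dates are all made up) and builds an inventory, produces findings, and checks them against an assumed policy. The protocol list, severity levels and policy thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    """One observed session, as a passive network sensor might summarize it."""
    src: str
    dst: str
    port: int
    protocol: str                       # e.g. "ldap", "ldaps", "https", "telnet"
    tls_version: Optional[str]          # None when the session carries no TLS at all
    cipher: Optional[str]
    cert_not_after: Optional[datetime]  # server certificate expiry, if TLS was seen


# Constructed reference time and sample sessions (all values are made up).
NOW = datetime(2023, 6, 1)
SESSIONS: List[Session] = [
    Session("10.0.1.5", "10.0.0.10", 389, "ldap", None, None, None),
    Session("10.0.1.6", "10.0.0.10", 636, "ldaps", "TLSv1.2",
            "ECDHE-RSA-AES256-GCM-SHA384", NOW + timedelta(days=200)),
    Session("10.0.1.7", "10.0.0.20", 443, "https", "TLSv1.0",
            "AES128-SHA", NOW + timedelta(days=10)),
    Session("10.0.1.8", "10.0.0.30", 443, "https", "TLSv1.3",
            "TLS_AES_256_GCM_SHA384", NOW - timedelta(days=3)),
    Session("10.0.1.9", "10.0.0.40", 23, "telnet", None, None, None),
]

# Assumed classification tables for the example.
AUTH_PROTOCOLS = {"ldap", "telnet", "ftp", "http"}   # commonly carry credentials
WEAK_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
TLS_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
POLICY = {"min_tls": "TLSv1.2", "cleartext_auth_allowed": False}


def discover(sessions: List[Session]) -> Dict[str, Dict[str, int]]:
    """Step 1: inventory where encryption is used and where it is absent, per protocol."""
    inventory: Dict[str, Dict[str, int]] = {}
    for s in sessions:
        entry = inventory.setdefault(s.protocol, {"sessions": 0, "encrypted": 0})
        entry["sessions"] += 1
        if s.tls_version is not None:
            entry["encrypted"] += 1
    return inventory


def assess(sessions: List[Session], now: datetime = NOW,
           expiry_warning_days: int = 30) -> List[Tuple[str, str, Session]]:
    """Step 2: turn each session into (severity, finding, session) tuples."""
    findings = []
    for s in sessions:
        if s.tls_version is None:
            # Cleartext is worst when the protocol is one that carries credentials.
            severity = "high" if s.protocol in AUTH_PROTOCOLS else "medium"
            findings.append((severity, "cleartext", s))
            continue
        if s.tls_version in WEAK_TLS:
            findings.append(("medium", "weak-tls-version", s))
        if s.cert_not_after is not None:
            if s.cert_not_after < now:
                findings.append(("high", "cert-expired", s))
            elif s.cert_not_after - now < timedelta(days=expiry_warning_days):
                findings.append(("low", "cert-expiring", s))
    return findings


def validate(sessions: List[Session], policy=POLICY) -> List[Tuple[str, Session]]:
    """Step 3: check sessions against the stated policy and return violations."""
    violations = []
    for s in sessions:
        if s.tls_version is None:
            if s.protocol in AUTH_PROTOCOLS and not policy["cleartext_auth_allowed"]:
                violations.append(("cleartext-auth", s))
        elif TLS_ORDER.index(s.tls_version) < TLS_ORDER.index(policy["min_tls"]):
            violations.append(("below-min-tls", s))
    return violations


if __name__ == "__main__":
    for proto, counts in discover(SESSIONS).items():
        print(f"{proto:7s} sessions={counts['sessions']} encrypted={counts['encrypted']}")
    for severity, kind, s in assess(SESSIONS):
        print(f"[{severity}] {kind}: {s.src} -> {s.dst}:{s.port} ({s.protocol})")
    for kind, s in validate(SESSIONS):
        print(f"VIOLATION {kind}: {s.src} -> {s.dst}:{s.port}")
```

In a real deployment the session list would come from a network sensor or certificate monitor rather than a hard-coded list, and the policy would be the organization's own; the point of the structure is that the same observations feed all three steps, so the inventory, the findings and the policy check never drift apart.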
Enterprise data is only safe if encryption is working. When you’re able to discover risks, assess threats and validate security policies, you’ll be better prepared to defend when the adversary eventually enters your network.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.