Answers to these five questions will help security teams defend against attackers in the post-quantum computing era.

In October 2019, Google announced it had achieved "quantum supremacy" in a Forbes article entitled "Quantum Computing Poses An Existential Security Threat, But Not Today." The Google team had developed a quantum computer that could complete a computation in just over three minutes instead of the 10,000 years it would have taken on a traditional computer. While large-scale commercial quantum computers today are still probably years away from achieving this landmark quantum benchmark, it's worth noting that cybercriminals with access to a sufficiently capable quantum computer can harness the technology to crack encryption protecting companies' data. The following questions and answers will help you get ready for the coming post-quantum computing (PQC) era.

Question 1: How can my organization prepare for quantum computing?

It's impossible to know where to go without knowing where you currently stand. Measuring your organization's current PQC level of maturity (knowledge of the threat plus action taken so far to mitigate it) is an important start to developing an action plan. Some companies have little to no knowledge and haven't prepared much, if at all, to address the threat, while those at the other end of the spectrum have made major strides in both areas. In between are organizations that have a vast knowledge of the future threat but haven't taken action yet, those that have some knowledge and have taken some action, and those with advanced knowledge and the beginnings of a plan. Knowing where your organization stands will guide your company's future strategy. One of your most important first steps, once you're familiar with the threat, is to find all the places where cryptography is used within your organization. This allows you to evaluate and prioritize these uses, and develop a plan to replace them.
Question 2: Do my partners and vendors share my mindset?

Get the buy-in of people within your organization, including the executive team, in your quantum computing preparedness efforts, but look beyond your organization as well. Your vendors, partners, and third parties could inadvertently put you at risk if they haven't properly prepared for quantum threats themselves. All the time you've spent quantum-proofing your organization could be undone if the companies you partner with aren't secured against quantum attacks. Don't trust your data and information to these companies until you have learned whether they share your perspective.

Question 3: Are you following encryption management best practices?

Effective encryption management offers insights into all your networks. Look for an encryption management platform that offers comprehensive reporting to ensure current systems are correctly configured and updated. Other useful features include digital certificate automation and full visibility into what's happening with your company's network and connected devices.

Question 4: Does your organization understand — and possess — crypto-agility?

Cryptographic agility, or crypto-agility, doesn't mean using different algorithms for encrypting and other essential functions. Instead, it involves understanding where encryption is used in your organization, how these encryption technologies are deployed, and how to identify and solve problems. This will put you in the right place to act fast when the time comes to replace outdated cryptography using an automated certificate manager.

Question 5: Does your company use Hardware Security Modules?

Hardware Security Modules (HSMs) — often in the form of a plug-in card or external device connected to a computer — have secure crypto processor chips. They protect and manage digital keys and enable companies to create custom keys. Opt for HSMs that can be upgraded to quantum-safe encryption.
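Question 1 asks you to find every place cryptography is used and prioritize it for replacement, and Question 4 asks whether each use can be swapped out quickly. The script below is an added illustration of that triage, not code from the article or its author. It works over a constructed inventory (the system names, algorithms, key sizes and data lifetimes are made up) and applies two widely accepted rules: public-key schemes based on factoring or discrete logarithms (RSA, DH, ECDH, ECDSA and friends) are fully broken by Shor's algorithm regardless of key size, while symmetric ciphers and hashes are only weakened by Grover's algorithm and remain adequate at 256 bits. Uses that protect long-lived data get the highest priority because encrypted traffic recorded today can be decrypted later; the five-year threshold and the priority scale are assumptions for the example, not figures from the article.

```python
"""Cryptographic-inventory triage for post-quantum planning (constructed example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Public-key schemes whose hardness assumption (factoring or discrete log) falls to Shor's algorithm.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519"}
# Symmetric ciphers and hashes: Grover's algorithm roughly halves effective strength, so size decides.
SYMMETRIC = {"AES", "CHACHA20"}
HASHES = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-512"}

# Assumed planning threshold: data that must stay secret this long is exposed to
# "harvest now, decrypt later" even though no cryptographically relevant quantum computer exists yet.
LONG_LIVED_YEARS = 5


@dataclass
class CryptoUse:
    system: str               # where the cryptography lives
    purpose: str              # "key-exchange", "encryption", "signature" or "hash"
    algorithm: str
    bits: int                 # key size, or digest size for hashes
    data_lifetime_years: int  # how long the protected data must remain secret or trustworthy
    swappable: bool           # can the algorithm be replaced without redesign (crypto-agility)


def quantum_risk(use: CryptoUse) -> str:
    """Classify one use as 'broken', 'weakened', 'ok' or 'unknown' against a future quantum adversary."""
    alg = use.algorithm.upper()
    if alg in SHOR_BROKEN:
        return "broken"          # no key size rescues these; they need a PQC replacement
    if alg in SYMMETRIC or alg in HASHES:
        return "ok" if use.bits >= 256 else "weakened"
    return "unknown"             # an unidentified primitive is itself a finding


def priority(use: CryptoUse) -> Tuple[int, str]:
    """Return (priority 1..4, reason); 1 is most urgent."""
    risk = quantum_risk(use)
    if risk == "unknown":
        return 1, "algorithm not identified; inventory is incomplete"
    if risk == "broken":
        confidentiality = use.purpose in ("key-exchange", "encryption")
        if confidentiality and use.data_lifetime_years >= LONG_LIVED_YEARS:
            prio, reason = 1, "Shor-vulnerable and protects long-lived data (harvest now, decrypt later)"
        else:
            prio, reason = 2, "Shor-vulnerable; must be migrated before a capable quantum computer exists"
    elif risk == "weakened":
        prio, reason = 3, "security margin halved by Grover; move to 256-bit keys or digests"
    else:
        prio, reason = 4, "adequate; track only"
    if not use.swappable and prio > 1:
        prio -= 1                # hard-wired cryptography needs extra lead time
        reason += "; not crypto-agile, so lead time is long"
    return prio, reason


def triage(inventory: List[CryptoUse]) -> List[Tuple[int, str, str, str]]:
    """Sort the inventory into a migration plan: (priority, system, algorithm, reason)."""
    rows = []
    for use in inventory:
        prio, reason = priority(use)
        rows.append((prio, use.system, f"{use.algorithm}-{use.bits}", reason))
    return sorted(rows, key=lambda r: (r[0], r[1]))


# Constructed sample inventory; systems and values are made up for illustration.
SAMPLE_INVENTORY = [
    CryptoUse("vpn-gateway", "key-exchange", "ECDH", 256, 10, True),
    CryptoUse("backup-archive", "encryption", "AES", 128, 15, True),
    CryptoUse("firmware-signing", "signature", "RSA", 2048, 3, False),
    CryptoUse("password-store", "hash", "SHA-256", 256, 1, True),
    CryptoUse("legacy-mainframe", "encryption", "VENDOR-CIPHER", 64, 2, False),
]

if __name__ == "__main__":
    for prio, system, alg, reason in triage(SAMPLE_INVENTORY):
        print(f"P{prio}  {system:18} {alg:16} {reason}")
```

Run as a script it prints the migration plan with the three P1 items first. The point of the "unknown" branch is that an inventory entry whose algorithm nobody can name is a finding in its own right; the point of the `swappable` flag is that a primitive baked into firmware or a vendor appliance needs its replacement planned earlier than one behind a configurable library, which is the practical meaning of crypto-agility in Question 4.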
Estimates vary on when cybercriminals will begin using quantum computing to challenge today's cryptography. It's clear, though, that software, devices, and encrypted data developed and used today will still be around when the quantum threat emerges. Tightening data encryption is going to be critical.

Timothy Hollebeek has 19 years of computer science experience, including eight years working on innovative security research funded by the Defense Advanced Research Projects Agency. He then moved on to architecting payment security systems, with an emphasis on encryption and ...
By making a commitment to a unified approach to security, then doing what's necessary to operationalize it, organizations can establish a better security model for the next normal.

Whether you see COVID-19 as forcing an abrupt shift in the way organizations operate or merely accelerating trends that were already underway, it's clear that the future is unlikely to resemble much of the past. From the surge in remote work to the rapid embrace of cloud and automation technologies, the changes that have been made are enabling new levels of operational flexibility that organizations won't want to give up moving forward. What does this mean for security? That's a question that professionals throughout the industry have been trying to figure out. If you're not sure yet, you're not alone. First, here's a little context for the changes and their implications.

What Security Professionals Saw Coming — and What We Didn't

Digital transformation didn't exactly take security professionals by surprise. DevOps, orchestration, infrastructure as code, security as software, developer-driven security — all of this has been in the works for years. Not every organization was fully on board yet, but we all knew it was on the horizon. In one sense, the biggest impact of COVID-19 has been to speed things up, compressing three to five years of digital transformation into a single spring and summer. But the pandemic has also thrown us an unanticipated curveball. Every organization has a plan for disaster recovery and business continuity, but few of these scenarios accounted for employees not being able to go into an office at all for extended periods of time, or for not being connected to a data center at all. For many organizations, the cloud suddenly became the only way to scale remote access quickly enough for a work-at-home workforce. With the Internet as the new corporate network, we opened huge new areas of risk for applications that were never built for externalization.
As organizations tried to get this new model working, they couldn't afford to sacrifice performance with a nonscalable VPN, or to hairpin traffic through legacy infrastructure to get to the cloud. Direct-to-cloud was the simplest way to keep people productive, especially given the simplicity of cloud-native apps. The downside: giving up control over the network — and exposing a vast attack surface across your apps and endpoints. Here are a few ways to think about securing our business and the way we work now.

Developing a Collaborative Culture Among Operations, Dev, and Security

The hardest part of the current paradigm shift isn't technical — it's cultural. In the old model, operations teams, developers, and security worked within their own silos, communicating with each other only through IT tickets. Each group had its own agenda — often competing with the others — and tended to view the other groups more as a source of trouble than anything else. Security blocked innovation; developers threw security to the wind; and operations just tried to keep things running in spite of the others. But that model won't work in the fast, ever-changing world of DevOps and transient architectures. To maintain the speed of innovation without leaving security behind, these teams must move forward together, understanding what it means to manage risk in a dynamic environment. One emerging approach has been the creation of so-called digital transformation teams, a model designed to break barriers and get different stakeholders around the table together. Of course, these teams are only as good as their members — and sometimes a person who's effective at leading their own group isn't quite as successful in a cross-departmental context. The members of the digital transformation group should be core members of their own teams but also have the flexibility to understand that their role is part of a larger shared purpose.
To avoid counterproductive turf battles, everyone must be willing to envision transformation holistically, as a unified organization.

Making Security Accessible to Developers

Bringing technology into the picture, the shift to a more collaborative culture needs to take into account the tools that will make it successful. This is an opportunity to rethink the classic security tools you've deployed. Can they support that shift, or were they designed with only siloed teams in mind? How can you empower DevOps and network teams to play a meaningful role in security as well? No one expects developers to become hackers — they've got more important priorities — but they're entirely capable of understanding security fundamentals, the implications of gaps, and how to ensure security across the stack. Armed with security knowledge and visibility, they can take on more responsibility in a unified security approach.

Automating Security into the DevOps Cycle

The development speed and efficiency available through DevOps and cloud are too valuable to undermine with traditional timelines. Building an effective automation pipeline can reduce the workload on security teams by sparing them the need to double-check minor production changes or perform manual tests. When development ran on 12-month cycles, having an application security team spend eight weeks on testing — and sending bugs back for weeks-long remediation processes — didn't seem as bad. In the age of continuous delivery, security needs to be close to real-time. Automation now makes it possible to test an app, flag failures, fix them, and resubmit the code in a single day. Understanding the value of automation, and finding strategic ways to deploy it, should be a top-level discussion. Ultimately, organizations need to understand that these broad changes in culture, process, and technology can take time to fully implement. The evolution begins with a clear vision and strong partnerships across departments.
By making a commitment to a unified approach to security, then doing what's necessary to operationalize it, organizations can establish a better security model for the next normal — and never look back.

Justin Tibbs is the CSO of the National Security Practice for Presidio. Previously, Justin was the CSO at Red Sky Solutions, which was acquired by Presidio in 2018. With more than 20 years of experience in the network and security industry, he is responsible for the strategic ...