With the rise of mobile and cloud computing across the globe, our attitude towards cybersecurity has undergone a major change. Organizations are finally beginning to understand how important it really is to be in control of their cybersecurity. As cyber threats evolve at a rapid pace, organizations must prioritize preventing all manner of cyber horrors, not only the most evident ones.
Indeed, the threats that are not easily seen can be the most dangerous to organizations. Cybersecurity measures like firewalls, endpoint security, identity and access management (IAM) tools, and others are nowhere near foolproof in a world in which cyberthreat actors have jumped lightyears ahead. And our greatest countermeasure is one that is rarely spoken about. Stealthy and silent, cryptography is the unsung defender that is protecting us against the evolving threat landscape.
Cryptographic Capabilities
Cryptography offers effective defense against the most common threats we face today. By encrypting sensitive files, and protecting the associated encryption keys at least as carefully as the data itself, we take a huge step towards preventing attackers from gaining access to our crown jewels. If we encrypt with current, well-reviewed algorithms and keep the keys out of the attacker's reach, an attacker who exfiltrates personal, payment, or IP data walks away with ciphertext they cannot use. So, cryptography mitigates the data-leak extortion leg of ransomware campaigns; it does nothing, of course, if the keys sit on disk next to the data they protect.
Cryptography, with robust key-management policies, can also protect against advanced persistent threats (APTs). Key-management policies ensure key rotation and guide employees on best practices when generating, issuing, and retiring keys. Practices like these lay the groundwork for more secure authentication and authorization because they enable time-limited and granular access to resources and data: a credential bound to a specific key, scope, and validity window is worth far less to an intruder who has to stay undetected for months. This practice protects services, data at rest, and data in transit, all of which are key in the context of APTs.
But as with all great tools, cryptography must be used properly to effect positive results. Despite its many benefits, encryption and authentication mechanisms remain largely overlooked by defenders. This oversight has led to fragmented and poorly managed, or not managed at all, cryptographic ecosystems, and most global organizations today would likely be unable to state the precise state of their cryptographic assets: which keys exist, where they live, what depends on them, and when they expire. This leads to regular outages (typically expired certificates and forgotten keys), high governance and risk mitigation costs, and a state of vulnerability in an area where most organizations consider themselves secure. Many business executives believe encryption to be a straightforward, box-ticking exercise and are not aware of the spectrum of quality that pertains to it, nor of the associated direct and indirect losses resulting from low quality approaches.
Leverage it Effectively
Any plan must begin with a status audit. How does the organization use cryptography? What keys are live and in service, how are they secured (HSM, KMS, or a file on a build server), who owns them, and how are they allocated? Care must be taken to specify the frequency of key rotation and to understand, in detail, the potential business impact of compromise for every key in service, because that impact decides how fast an emergency rollover must happen. And when vulnerabilities are discovered, what then? A plan of action is required for such discoveries. The same scrutiny must apply to vulnerabilities in cryptographic libraries, to urgent key rollovers, and to the cryptographic algorithms that underpin it all.
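What such a status audit looks like once the inventory exists, as an added example that is not part of the original article: a small Python script that runs the questions above (approved algorithm and key size, rotation period defined and not overdue, high-impact material kept out of plain files, a named owner for emergency rollover) against a constructed inventory. The inventory records, field names, minimum sizes and severity rules are all hypothetical choices for the example; a real audit would pull the same fields from the KMS, HSM, certificate stores and config repositories.

```python
from datetime import date, timedelta

# Constructed sample inventory (hypothetical ids, dates and owners). "rotated"
# is the date the key material was last generated or rotated.
INVENTORY = [
    {"id": "tls-web-prod", "algorithm": "RSA", "bits": 2048, "store": "hsm",
     "owner": "platform", "rotated": date(2023, 1, 10), "rotation_days": 365, "impact": "high"},
    {"id": "legacy-sftp-host", "algorithm": "RSA", "bits": 1024, "store": "file",
     "owner": None, "rotated": date(2016, 5, 2), "rotation_days": None, "impact": "high"},
    {"id": "db-backup-kek", "algorithm": "AES", "bits": 256, "store": "kms",
     "owner": "dba", "rotated": date(2022, 3, 1), "rotation_days": 180, "impact": "critical"},
    {"id": "ci-signing", "algorithm": "ECDSA", "bits": 256, "store": "file",
     "owner": "build", "rotated": date(2024, 2, 1), "rotation_days": 90, "impact": "critical"},
    {"id": "session-3des", "algorithm": "3DES", "bits": 168, "store": "kms",
     "owner": "web", "rotated": date(2024, 5, 15), "rotation_days": 30, "impact": "low"},
]

# Example policy: approved algorithms and their minimum sizes. Anything not
# listed is treated as retired.
MIN_BITS = {"RSA": 2048, "ECDSA": 256, "AES": 128, "HMAC": 256}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def severity_for(impact):
    """Map the business impact of a key's compromise to a finding severity."""
    return {"critical": "critical", "high": "high"}.get(impact, "medium")


def audit(inventory, today):
    """Return (key id, severity, message) findings, most severe first."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for key in inventory:
        kid, impact, alg, bits = key["id"], key["impact"], key["algorithm"], key["bits"]
        # Algorithm and size against the approved list.
        if alg not in MIN_BITS:
            findings.append((kid, "critical", f"algorithm {alg} is not on the approved list"))
        elif bits < MIN_BITS[alg]:
            findings.append((kid, "critical", f"{alg}-{bits} is below the {MIN_BITS[alg]}-bit minimum"))
        # Rotation: a period must exist and must not have lapsed.
        if key["rotation_days"] is None:
            findings.append((kid, "medium", "no rotation period defined"))
        else:
            due = key["rotated"] + timedelta(days=key["rotation_days"])
            if due < today:
                findings.append((kid, severity_for(impact), f"rotation overdue by {(today - due).days} days"))
        # High-impact key material should not live in a plain file.
        if key["store"] == "file" and impact in ("high", "critical"):
            findings.append((kid, severity_for(impact), f"{impact}-impact key material stored on disk, not in a KMS or HSM"))
        # Without an owner there is nobody to execute an emergency rollover.
        if not key["owner"]:
            findings.append((kid, "medium", "no owner, so no one to execute an emergency rollover"))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[1]], f[0]))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 5, 'high': 2, 'medium': 2}."""
    counts = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for kid, severity, message in audit(INVENTORY, date.today()):
        print(f"{severity:8} {kid:18} {message}")
```

The point of the `impact` field is that the same finding (an overdue rotation, key material in a file) is graded by what the key protects, which is exactly the per-key business-impact analysis the paragraph asks for; it also tells you which keys an emergency rollover plan must be rehearsed against first.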
Continuous and (partially) automated auditing is thus key. However, it surfaces a backlog of retired algorithms, unrotated keys, and hard-coded cryptographic choices that amounts to significant technical debt, and some enterprises may struggle to manage it effectively. Implementing cryptographic agility can help reduce this burden by allowing systems to adapt to new cryptographic standards, or repair issues, more easily and cost-effectively. My colleagues and I think of it as the ability to effectively manage risk related to the changing needs of cryptographic systems. Gartner tells us that crypto-agility plays a major role in defending against a fluctuating threat landscape. In 2017, the analyst firm predicted that organizations with an established crypto-agility plan would suffer 60% fewer breaches that could be tied back to encryption failures. So, there is a measurable incentive to get it right.
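What crypto-agility, together with the key rotation discussed earlier under key management, looks like in code, as an added example that is not taken from the article or from SandboxAQ: a small Python authentication-tag scheme in which every artifact names the algorithm and key id it was produced with, the verifier honours those names only if a policy allows them, and a migrate step re-issues old artifacts under the current choice. The algorithm labels, policy dictionaries and key values are hypothetical, chosen for the example; keys would normally come from a KMS or HSM.

```python
import base64
import hashlib
import hmac
import json

# Registry of MAC algorithms this service knows about. Because the artifact
# carries the algorithm name, retiring or adding one is a policy change, not a
# format change. The labels are hypothetical.
ALGORITHMS = {
    "HS1": hashlib.sha1,          # legacy: kept only so old artifacts still verify
    "HS256": hashlib.sha256,      # current default for anything newly produced
    "HS3-256": hashlib.sha3_256,  # candidate successor, enabled by policy alone
}

# Policies: what to use when producing new artifacts, what the verifier still
# accepts, and which key ids are live. Keys are constructed sample values.
LEGACY_POLICY = {
    "sign_alg": "HS1", "sign_kid": "k1", "verify_algs": {"HS1"},
    "keys": {"k1": b"legacy-key-material-01"},
}
CURRENT_POLICY = {
    "sign_alg": "HS256", "sign_kid": "k2",
    "verify_algs": {"HS256", "HS1"},  # HS1 accepted for verification only, during migration
    "keys": {"k1": b"legacy-key-material-01", "k2": b"current-key-material-02"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_header(alg: str, kid: str) -> str:
    return b64url(json.dumps({"alg": alg, "kid": kid}, sort_keys=True).encode())


def compute_mac(alg: str, key: bytes, signing_input: bytes) -> bytes:
    return hmac.new(key, signing_input, ALGORITHMS[alg]).digest()


def sign(payload: bytes, policy: dict) -> str:
    """Produce header.payload.mac with the policy's current algorithm and key."""
    alg, kid = policy["sign_alg"], policy["sign_kid"]
    header, body = encode_header(alg, kid), b64url(payload)
    mac = compute_mac(alg, policy["keys"][kid], f"{header}.{body}".encode("ascii"))
    return f"{header}.{body}.{b64url(mac)}"


def verify(token: str, policy: dict):
    """Return (ok, reason, payload, header). The algorithm and key id come from
    the artifact but are only honoured if the policy allows them, so 'none', an
    unknown algorithm or a retired key is rejected before any MAC is computed."""
    try:
        header_b64, body_b64, mac_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict):
            raise ValueError("header is not an object")
    except ValueError:  # covers bad split, base64, UTF-8 and JSON errors
        return False, "malformed", None, None
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in ALGORITHMS or alg not in policy["verify_algs"]:
        return False, f"algorithm not accepted: {alg}", None, header
    if kid not in policy["keys"]:
        return False, f"unknown key id: {kid}", None, header
    expected = compute_mac(alg, policy["keys"][kid], f"{header_b64}.{body_b64}".encode("ascii"))
    if not hmac.compare_digest(expected, b64url_decode(mac_b64)):
        return False, "bad mac", None, header
    return True, "ok", b64url_decode(body_b64), header


def needs_refresh(header: dict, policy: dict) -> bool:
    """True when the artifact was produced under something other than the current choice."""
    return header["alg"] != policy["sign_alg"] or header["kid"] != policy["sign_kid"]


def migrate(token: str, policy: dict):
    """Verify under the (temporarily permissive) policy and re-issue under the current one."""
    ok, _, payload, header = verify(token, policy)
    if not ok:
        return None
    return sign(payload, policy) if needs_refresh(header, policy) else token
```

Two design choices carry the agility: the produce-side and verify-side algorithm lists are separate, so a deprecated algorithm can be kept for verification while nothing new is issued under it, and once every live artifact has been migrated the legacy entry is simply dropped from `verify_algs`. The same split applies to key ids, which is what makes rotation a routine policy change rather than an outage. Letting the artifact name its algorithm is only safe because the verifier checks that name against an allow-list first; accepting whatever the header says is the classic algorithm-confusion mistake.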
Every enterprise wants to be technologically agile. This must also apply to our most silent sentinels. While giant, wooden horses may be a thing of the past, crypto-agility can protect us from the thousands of would-be infiltrators that try to tunnel into our digital estates daily. If we take it seriously.
About the Author
Carlos Aguilar Melchor is Chief Scientist, Cybersecurity at SandboxAQ, a B2B company delivering AI solutions that address some of the world’s great challenges. Carlos has been working within the Post-Quantum Cryptography (PQC) domain as an academic for 20 years across numerous universities, including the very prestigious Institut Supérieur de l’Aéronautique et de l’Espace (ISAE-SUPAERO). He was also a consultant for 10 years, working for companies such as Airbus and supporting two of the teams present in the third round of NIST’s PQC standardization. He is the co-inventor of a patent covering many of the existing PQC key exchanges, and the author of nearly 100 publications cited more than two thousand times. Carlos can be reached online at LinkedIn and at SandboxAQ.