My “Military Grade” Encryption is Junk, It’s Obsolete
Lately, I’ve been thinking about threat response and new ways an adversary can threaten my environment. I keep asking myself a few simple questions, and I ask them all the time. What am I seeing now? Where will the next attack come from? What’s next?
My typical approach is to focus on my assets rather than attack vectors to take a step back. Although critical to understand, individual attack vectors are not helpful to guard against. Vectors are not quantifiable because they are unlimited. Resources available to me are limited, however. There will always be something new that I may not have thought of, but my adversary did. After all, I have to be correct, and the bad actor has to be exemplary only once.
Assets are a finite quantity. Assets I can understand, define, enumerate, qualify and quantify. They hold value to my organization and me. I can use various techniques and methodologies to protect them. I’ve successfully layered defenses, diverted attacks, obfuscated access to my assets, deceived attackers, micro-segmented my networks using accurate Zero Trust models, prediction, monitoring and automated responses, threat hunting, and, importantly, user education and validation that it “took.” Therefore, I can state with a high degree of confidence that I can successfully guard my assets.
My adversaries continue to evolve their tools and techniques. They are intelligent, dedicated, and well incentivized. I look for ways to out-evolve my adversary and onboard new tactics. It’s worked well in the past. My Deep Learning defenses were there six years ago and saved my networks from unknown threats before AI became a buzzword. Zero-trust protection was there for me, too, as had Identity Management and MFA. So what’s next?
I no longer think that my “military-grade” encryption is good enough. Brute force is a new threat. I’ve seen GPU machines that can break hashed credentials in a few hours to a week. I understand that Shor’s, Grower’s, and QAOA algorithms can be used to break encryption using quantum machines, and GANs are pretty good at it too. You don’t need a powerful general-purpose quantum computer like Google’s one; you can do it on a D-Wave or a Fujitsu annealer. I have whitepapers where math checks out that give you a blueprint on the tactics. It’s time to move to post-quantum cryptography, and it’s time to do it yesterday.
#technology, #cybersecurity, #cyberdefense #ciso, #quantumcomputing, #cyberattacks, #quantum, #cto, #cisos, #technologynews, #quantumtechnology, #quantumphysics, #cybersecuritythreats, #ctos, #quantumtechnologies, #cyberresiliency, #quantumtech, #quantumsecurity, #quantumcommunication, #quantumsoftware, #quantumiscoming