CS Mar-Apr 2020

More documents

Recommendations

Info

encryption systems THE QUANTUM CRYPTO REVOLUTION COMMERCIALLY AVAILABLE ENCRYPTION SYSTEMS ARE ALREADY WITH US AND THEIR POTENTIAL IS HUGE, ALTHOUGH THE TECHNOLOGY STILL HAS MANY ISSUES THAT MUST BE OVERCOME Imran Shaheem, Cyberis: quantum computers provide benefits in cryptographically significant ways. Quantum computing technology will "force a change to the landscape of cryptography," according to Imran Shaheem, cyber security consultant at Cyberis. It has come a long way since scientific and mathematical interest erupted in the 90s. "Quantum computers have serious consequences for classical cryptography and the future standards for secure communication," he states. Successful trials of quantum cryptography to secure communication through quantum physics have been undertaken already and progress in quantum technologies has been swift over the last decade, he points out. "Quantum Key Distribution (QKD) systems have been tested by banks and governments, while similar systems were deployed as far back as the 2010 FIFA World Cup in South Africa. In 2017, researchers held a QKDprotected video conference between China and Austria, using the quantum satellite Micius." Admittedly, while quantum computers won't be able to change everything, they provide benefits in cryptographically significant ways. One of these is factoring large numbers. "This is a technique central to the security of several algorithms, such as RSA, in which prime factors of large numbers underpin the encryption. As a consequence, RSA's security and other algorithms employing similar techniques, will be compromised by introducing disruptive quantum computers. This leaves a space within classical cryptography that its quantum counterpart attempts to solve," adds Shaheem. The benefits are numerous. "Information cannot be unknowingly intercepted, due to quantum principles, including the 'no cloning' theorem and quantum superposition, which provides natural resistance to eavesdropping. The security provided stems from underlying physical properties. It's baked into the universe and therefore isn't something that can be cracked through quantum computing power. As security is on the physical layer, quantum cryptography can secure the end-to-end connection, without needing an SSL or VPN," he points out. However, there are some issues, the cyber security consultant concedes. "It's expensive, because this is at cryptography's cutting edge. R&D costs are high, as are the fabrication costs of specialist components. There is also a costly requirement for an independent infrastructure capable of supporting quantum cryptography. Many of these issues will be overcome in time as the technology matures." It's easy to think that quantum technology and its effect on current infrastructure is distant. However, there are already commercially available encryption systems, including ID Quantique's Cerberus3 system for key distribution. Many of these systems are based on the popular protocol, BB84. "Whilst there is still life in classical methods, the focus is shifting to next-generation technologies addressing solutions to tomorrow's problems. These don't always come with a quantum flavour, but post-quantum cryptography is seen as the answer to quantum computers' potential for massive changes and the associated cryptographic problems. "With the solutions we have now, quantum or classical, the biggest hurdle is their deployment," says Shaheem. "Poorly thoughtthrough implementations leave these systems vulnerable, as seen through the light injection attack, for example, which can defeat certain applications of BB84. Like modern-day systems, testing surrounding configuration will be crucial against inherent and implementation flaws." Companies should think seriously about how the transitionary process to quantum-secure systems will affect their business, he advises. "The time is now to look to the future and ensure tomorrow's world doesn't break today's encryption and expose sensitive data." 28 computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk
masterclass BATTLING THE BREACHES A GLUT OF BREACHES ACROSS THE UK IS PROMPTING MANY ORGANISATIONS TO SEEK CYBER ESSENTIALS AUDITS According to the 2019 DCMS Cyber Security Breaches Survey, around a third of UK businesses fell victim to a cyber breach or attack over the previous year and, of those, nearly half had identified at least one breach or attack per month. This persistent threat may explain the surge in companies asking Xcina IS, an information services company based near Cardiff, for Cyber Essentials audits. Instigated by the UK Government's National Cyber Security Centre, the Cyber Essentials scheme evaluates participants' processes against five cyber security controls: boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management. Correctly deployed, these will protect against most common cyber threats, based on commodity capabilities available on the internet. Cyber Essentials certification has, since 2014, been mandatory for suppliers bidding for public sector contracts involving the handling of sensitive and personal information, and provision of certain technical products and services. It also reassures clients, both current and prospective, that security considerations have been built into systems and processes. Certification is awarded on successful completion of a verified self-assessment questionnaire, but Xcina IS also offers an assisted version, as many SMEs lack the technical expertise to complete the process on their own. According to Chris Benson, Technical Director at Xcina IS: "A lot of people just don't realise that security patching needs to go beyond desktops and servers, for example. Hackers can exploit any device that provides a link between your network and the internet. That could include printers, VPN appliances, firewalls, switches, access points - anything that can run code, basically. And once someone has found a way into your network through one of these, they can exploit other internal security issues and, before you know it, you've got a ransomware attack on your hands," he says. Benson and his experienced team of engineers also conduct site visits to run the system scans required for clients wishing to take the next step: Cyber Essentials Plus certification. This more stringent audit builds on the foundations of Cyber Essentials and includes both internal and external scans to identify any areas requiring attention, as well as a series of on-site malware tests and an inspection of handheld devices. As an IASME-accredited certification body, Xcina IS also works with companies looking to achieve the IASME Standard, an information-security standard designed for SMEs. Two levels of assessment are offered: IASME Verified Self-Assessment, involving a questionnaire relating to cyber security, security governance and GDPR compliance, and IASME Gold, which requires an additional onsite audit. The increase in requests for these services may arise from increased awareness of the risks of lax cyber security. Media stories about the latest big name to suffer a data breach come thick and fast. Maybe the penny is finally dropping. The number of companies reporting breaches or attacks in the DCMS survey is still significant, but it does represent a considerable drop on numbers in previous years. The survey also indicates that companies are increasingly prioritising cyber security, with more written cyber security policies, greater provision of cyber security training for staff and regular updates to senior management on actions taken around cyber security. Organisations which understand that cyber security complements existing strategic priorities (by protecting reputation and finances, and keeping key services running, for example), rather than competing with them, are likely to be in a far better position to anticipate, identify, prevent and deal with potential attacks. As Benson says: "Ultimately, if you're serious about protecting your assets, you'll employ a company like us." For further information about Cyber Essentials, Cyber Essentials Plus and the IASME Standard, call Xcina IS on 02922 671564 or visit https://is.xcina.co.uk/ www.computingsecurity.co.uk @CSMagAndAwards March/April 2020 computing security 29
Page 1: Computing Security Secure systems,
Page 4 and 5: Secure systems, secure data, secure
Page 6 and 7: editor's focus RICH VEIN OF POSSIBI
Page 8 and 9: expert insights WHY CYBERSECURITY P
Page 10 and 11: 2020 predictions MORE 20/20 VISIONS
Page 12 and 13: 2020 predictions Mike Riemer, Pulse
Page 14 and 15: expert view CEOS IN THE FIRING LINE
Page 16 and 17: data management THE PLOT THICKENS W
Page 18 and 19: data management All of this potenti
Page 20 and 21: cybersecurity and ISPs WORLD-WIDE M
Page 22 and 23: fraud & cybercrime CYBERCRIME FIGUR
Page 24 and 25: Coronavirus scam SPOOF ATTACK UNLEA
Page 26 and 27: GDPR BREACHED - AND TOTALLY UNAWARE
Page 30 and 31: expert insights THE INTELLIGENT APP
Page 32 and 33: product review CLOUD PROTECTION FOR
Page 34 and 35: expert insights ESSENTIAL BUILDING
Page 36: Shearwater Group plc is an award-wi

CS Mar-Apr 2020

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?