Latest news with #MitM
Forbes
29-04-2025
- Business
- Forbes
How Companies Can Secure Machine Identities For A Post-Quantum World
Dino DiMarino, CEO of AppViewX, has more than 20 years of experience in cybersecurity with Qualys, Snyk, Mimecast, EMC and RSA. Quantum computing represents an existential threat to modern cryptographic defenses, particularly for non-human identities—machines, IoT devices, workloads, applications, services and APIs—which rely on public-key cryptographic protocols for authentication, authorization and secure encrypted communication. In response, post-quantum cryptography (PQC) readiness is focused on transitioning to quantum-resistant encryption algorithms to ensure trust and safeguard digital identities ahead of quantum threats. However, transitioning to PQC is complex, requiring organizations to balance security, scalability and compatibility with existing infrastructure. While the National Institute of Standards and Technology (NIST) has now standardized the first set of PQC encryption algorithms and established timelines and guidance, other industry-specific regulatory bodies will soon introduce mandates that put even more pressure on enterprises to be PQC-ready. Conventional cryptographic protocols such as RSA, ECC and Diffie-Hellman rely on the computational difficulty of mathematical problems like integer factorization and discrete logarithms to provide security. However, quantum algorithms—specifically, Shor's algorithm—will render these encryption schemes obsolete by solving these problems exponentially faster than classical computers. For machine and non-human identities, this creates immediate risks: • Digital Certificate Compromise: Certificates enable trusted identities, and attackers will be able to compromise these identities and manipulate authentication mechanisms. • Quantum-Enabled Man-In-The-Middle (MitM) Attacks: Encrypted internet transactions, machine-to-machine communications and API integrations, once considered secure, could be retroactively decrypted. • 'Harvest Now, Decrypt Later' Attacks: Adversaries are already stockpiling encrypted data with the expectation that quantum decryption capabilities will emerge within a decade. Given the typical lifecycle of enterprise cryptographic infrastructure—often exceeding 10 years—CISOs must begin planning for PQC migration today to prevent future vulnerabilities. NIST's post-quantum cryptography standardization efforts have yielded candidate encryption algorithms designed to resist quantum-enabled attacks. The selected schemes— such as CRYSTALS-Kyber (for key encapsulation) and CRYSTALS-Dilithium and SPHINCS+ (for digital signatures)—are fundamentally different from RSA and ECC. These lattice-based cryptographic techniques offer strong security guarantees but introduce new operational challenges. For machine and non-human identity management, PQC adoption will reshape: • Certificate Lifecycle Management: X.509 certificates must transition to quantum-resistant alternatives while preserving compatibility and performance. • API Security Protocols: REST and GraphQL APIs reliant on Transport Layer Security (TLS) need upgraded key exchange mechanisms to counter quantum-enabled MitM threats. • Workload Encryption: Microservices and containerized environments will require quantum-secure mutual authentication mechanisms. • IoT And Edge Device Security: Many lightweight devices currently rely on ECC due to its efficiency; transitioning to quantum-resistant cryptographic schemes with minimal overhead will be a significant challenge. The shift to PQC is more than just an algorithmic upgrade; it introduces significant challenges related to performance, scalability and interoperability. One of the most pressing concerns is key management overhead. Quantum-resistant certificate keys are considerably larger than their classical counterparts, increasing the demands on storage, bandwidth and transmission efficiency. Additionally, signature verification in lattice-based cryptography requires greater computational resources, which can pose challenges for constrained environments such as IoT and edge computing. Beyond key management, the impact on infrastructure performance is another critical consideration. Quantum-safe key exchanges—such as those based on Kyber—add latency to TLS handshakes, which could negatively impact encrypt/decrypt use cases, degrade API performance and slow database connections. Multi-cloud and hybrid environments must also accommodate hybrid cryptographic models, allowing classical and quantum-resistant algorithms to coexist without disrupting existing authentication and encryption mechanisms. The transition to PQC extends beyond authentication and key exchange, affecting the security of software supply chains. Digital signing mechanisms, particularly in containerized environments that rely on Kubernetes admission controllers and similar frameworks, must be adapted to quantum-secure signatures while preserving backward compatibility. Given these challenges, security teams must validate PQC performance under real-world conditions before deploying at scale. Rigorous testing is essential to assess the impact on performance and ensure a seamless transition. Organizations cannot afford a disruptive rip-and-replace approach. Instead, a phased migration strategy is required, balancing immediate security needs with long-term infrastructure readiness. Here are some best practices: • Start with comprehensive certificate discovery and visibility to build and maintain a certificate inventory to begin to prioritize the PQC migration project by criticality to the business. • Map all dependencies on public-key cryptography across digital certificates, identity providers, API authentication mechanisms and secure communications. • Identify long-lived cryptographic assets (e.g., code-signing certificates) that require immediate prioritization. • Adopt a crypto-agile approach, allowing systems to support a hybrid approach with classical and quantum-resistant algorithms in parallel. • Deploy hybrid TLS configurations to maintain secure interoperability during the transition. • Ensure identity federation solutions (e.g., SAML, OpenID Connect) support hybrid cryptographic models without breaking authentication workflows. • Set up isolated test environments that replicate production-like conditions to evaluate PQC performance. • Benchmark PQC-resistant certificates based on the NIST-selected encryption algorithms against enterprise workloads to assess their impact on authentication speed, API latency and cloud services. • Implement automated certificate lifecycle management to handle the transition to PQC-based certificates seamlessly. • Align with evolving regulatory frameworks, including NIST PQC guidelines, ISO cryptographic standards and sector-specific compliance requirements (e.g., financial services and healthcare). • Design security architectures that anticipate cryptographic transitions by implementing crypto-agility, ensuring flexibility for future post-quantum updates. • Leverage hardware security modules (HSMs) and trusted platform modules (TPMs) that support quantum-safe algorithms. The quantum threat is not a distant possibility—it is in plain sight. Given the disruptive nature of this transition, organizations should act now to start planning and executing their migration to quantum-resistant security measures. By adopting a calculated, phased approach, security leaders can protect machine identities, maintain operational resilience, meet compliance and regulatory mandates and ensure long-term cryptographic integrity in a post-quantum world. Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Time of India
24-04-2025
- Business
- Time of India
Pune company loses Rs 6.5 crore to Man-in-the-Middle cyber attack
Pune: Police fear it may be one of the biggest cases of cyber fraud to ever strike Pune. The director of a Mohammedwadi-based firm, involved in IT services and imports of dry fruits, ended up transferring Rs 6.49 crore to crooks in a Man-in-the-Middle (MitM) cyber attack on March 27. MitM is a type of cyber fraud in which an attacker intercepts and relays communication between two parties, making it appear as if they are communicating directly with each other. The attacker can eavesdrop on the conversation, steal sensitive data, or even impersonate one of the parties. According to the police, the 39-year-old company director was at his home in the NIBM Road area when he received an email on the company ID from another firm he did business with about a payment request. He then initiated the transaction believing the email request was legitimate and even told the bank to clear the payment. But later, when he contacted officials of the other firm, they denied receiving the amount. The company director then checked the email he had received and discovered fraudsters had made two slight alterations - they had changed one letter in the other company's email address and its bank account number. The victim failed to spot both changes, cyber police said. Senior inspector Swapnali Shinde of Cyber Police told TOI the company was set up a few years ago. She said: "It has two divisions, one for IT services and another for importing dry fruits. The company director would import the dry fruits from different countries, including the United States and those in the Middle-East. On March 27, he received a payment request from an exporter of dry fruits based in the US. The email demanded payment of nearly Rs 6.5 crore. The victim, thinking it was for the almonds he'd recently imported, initiated the transaction." Shinde said by the time the company director discovered the changes in the US exporter's email ID and bank account details, it was April 17. On April 23 (Wednesday), he filed an FIR with city cyber police. "Officials from his bank called him to verify the transaction, but he told them to proceed. The amount was across in five transactions," Shinde said, adding that the online ledger of the other company had only the first few letters of its name and the account number. "The victim did not realise that the account number of the company, with whom he had regular business with, was changed. He just clicked on the button and initiated the transactions," Shinde said. Investigators said they were now analysing the accounts the money went to. "The cash went to several accounts. We're still trying to establish a trail. As of now we can say that about Rs 3 crore is yet to reach the suspects. We will try our best to salvage the money," Shinde said.
