To say that the Romans most of the time, were ahead of the times, is not entirely out of place. At least where military matters go. Julius Caesar, seized of the need to ensure the sanctity of his military communications to his commanders spread over a vast Roman empire, is credited with creating the Caesar Cipher. It was a simple yet effective code that defied analysts for over 800 years before it was cracked. Using a simple substitution technique, the communication was crafted with each successive Roman alphabet in the communication being replaced by another alphabet with a ‘pre-decided frequency’.
What it is
Derived from the Greek (crypt translates as secret, and graphy means writing), Cryptography – like Caesar’s Cipher – is all about writing confidential data in a manner that only the recipient understands it. A key or keys are used by the sender to write (encrypt or encode) the data, and at the recipient’s end to read (decrypt, decipher or decode) it.
Cryptography is of two kinds (1).
- Symmetric-key or single-key encryption involving algorithms that generate a ‘block cipher’ which conceals a hidden key known to both sender and recipient. Mandated by the US Government, this encryption method is used largely in the private sector and is preferred for bulk encryption tasks
- Asymmetric-key or public-key encryption involves the use of two separate keys that need each other to work together. One key is known to the sender and is used to encrypt the message, while the second key is ‘private’ to the recipient and is used to decrypt the message
Why organizations need cryptography
For organizations, the need for cryptography arises from their need to protect their sensitive data. Increased sophistication in technology and hacking methods has meant that organizations have to evolve in terms of their ‘crypto strategy’. It is no longer a given that what was secure yesterday will not be compromised today. Mature, dynamic, and robust crypto strategies are the need of the hour.
Cryptography meets the data security objectives of organizations by ensuring confidentiality, integrity, and authentication of data, and preclusion of denial on the part of groups involved.
Cryptographic attacks
A cryptographic attack (2) is an attempt by a threat actor to circumvent the cryptosystems of an organization by exploiting vulnerabilities in the cipher or cryptographic protocol. This circumvention is also called “cryptanalysis.”
Based on the intent of the attack, cryptographic attacks are classified (3) as either:
- Passive attacks that attempt to merely gain access to confidential data using such methods of interception as eavesdropping or monitoring communications. Traffic analysis is one of the most common types of passive attacks
- Active attacks that attempt to alter or destroy data, once the cipher has been breached. They are effected via masquerade (user identity, IP address, email, or fake website), modification of data, repudiation of transaction or message, and Denial of Service (DoS)
Increasing attack trends
Forbes (4) reports that organizations with poorly managed public key infrastructure and the absence of cryptography defense mechanisms often experience attacks leading to business disruption, data breaches, and brand erosion. The Ponemon Institute found less than half of companies have a crypto strategy applied consistently across the entire enterprise, with as high as 13% of respondents lacking an encryption strategy completely. The report put the average cost of a crypto attack at USD 8.6 million, with mega breaches passing USD 1 billion.
Though cryptography attacks are common, attacks on cryptocurrency exchanges are notably higher, with almost 27% of the attacks (5) being directed at them. A study by Crystal Blockchain and Cointelegraph revealed that from 2011 to 2020, crypto exchange hacks amounted to over $15.6 billion, with over 50 exchanges falling victim to these hacks, with several experiencing multiple breaches. In late 2021, Google (6) admitted that 86% of compromised Google Cloud credentials were deployed to launch cryptocurrency attacks.
Quelling the menace
Forbes (4) opines that moving from a ‘set it and forget it’ one-time approach to crypto strategy is a thing of the past, advocating instead the establishment of a strong cryptographic ‘Center of Excellence’, crypto agility, and adoption of best practices in the area of crypto discovery, process and governance. Preparation is key in an organization’s cryptography roadmap, with a long-term view, identifying business-critical applications, ensuring high crypto visibility, setting up of Identity Access Management (IAM) systems, and updating all software, being called for.
Canadian penetration expert Packetlabs (2) suggests organizations follow these steps to blunt cryptographic attacks.
- Keeping crypto algorithms and protocols current and updated
- Zero tolerance policy for data encryption
- Unique encryption keys, with secure location and access
- Adoption of best crypto practices
- Periodic and stringent system vulnerability checks
- Ongoing employee education and awareness
Conclusion
Much has changed from the days of Caesar, the military genius. While its vision and creativity cemented his stature as a military tactician, due cognizance must also be taken of the fact that circumstances were quite different then. The cipher capitalized on the limited literacy of the layman, and Caesar’s reading of the situation. Today’s crypto attacks however are constantly evolving. Hackers continue to potentiate their attacks, using the very same tools like AI and ML that encryptors have at their command. Polymorphing malware is replacing custom and commodity malware, meaning that there is virtually no guarantee to put a complete halt to cryptographic attacks.
For CISOs and SOCs, the task is certainly cut out, for ahead of them is a challenge that can strike at the very core of their business’s data security.
References:
- Challenges for Cybersecurity in a World of Quantum Computers | Aurora (aurorait.com)
- What is a Cryptographic Attack? Your Comprehensive Guide (packetlabs.net)
- Active and Passive attacks in Information Security – GeeksforGeeks
- Building A Strong Cryptography Strategy (Part I): Securing Your Data Assets (forbes.com)
- Inside The World Of Crypto Exchange Hacks (forbes.com)
- Stopping Cryptojacking Attacks With and Without an Agent – Palo Alto Networks Blog
