In popular culture, what’s old is new. Unfortunately, there is a retro trend that is putting many businesses, and the businesses with whom they interact, at great risk. Since 2014, security researchers have found a variety of flaws — in code and implementation — that undermined trust in foundational encryption standards that have been in place since 1998.

Malware Continues to Evolve

Highly publicized vulnerabilities with names such as BEAST, POODLE, POODLE V2, Logjam, Bar Mitzvah, STORM and FREAK have prompted headlines and fervent discussion about the underpinnings of security and privacy. DROWN, or Decrypting RSA with Obsolete and Weakened Encryption, was disclosed earlier this month and is the latest vulnerability to draw attention to this serious issue.

Unfortunately — and unsettlingly — while the call to action was definitive, the reaction was not. Although the industry has responded and removed vulnerabilities in successive (and in some cases multiple) versions, many businesses continue to depend on these outdated encryption standards, putting themselves and the information they handle in danger.

Cybercriminals are predators. They identify and prey on weakness. In some of these cases, they exploited that weakness. Now that the vulnerabilities of numerous standards have been laid bare, it’s only a matter of time before organizations are targeted. If this trend continues, the shortcomings of every aspect of these old encryption standards will be fully exposed.

The Problem With Encryption Standards

A new IBM report detailed the history and evolution of these encryption standards, the efforts to mitigate issues and the recommendations for businesses to modernize their use of encryption standards and lower their overall risk of a data breach. This brief blog endeavors to answer the most prominent questions.

Why Are the 1998 Encryption Standards Problematic?

These old encryption standards were designed for the technology of the systems they were built to protect. Early standards afforded protection because the processing power of computers and networks in the 1990s were not sufficient for an adversary to perform a brute-force attack (trying every key combination to decrypt data) against the encryption algorithms.

As processing power increased, so did the need to update the standards to fortify them against a stronger enemy. Updated versions of these encryption standards, based on more current computing power and parallel processing, were published in 2008.

Why Do Businesses Still Depend on the 1998 Encryption Standards?

The big challenge in moving to more modern encryption standards is that the entire business ecosystem must move to these standards and the platforms that support them. Most software and hardware vendors are supporting the newer encryption standard, but the shift requires businesses to invest in and move to current releases.

Historically, businesses — to avoid high costs and disruption — lag in new platform adoption. This is also an issue for businesses that have updated systems but still need to support older standards to communicate with partners who have not.

What Steps Should a Business Take to Mitigate Risk?

The IBM report provides information and recommendations for a long-term strategy aimed at reducing the risk of a data breach due to outdated encryption. The most obvious action is moving to the 2008 modernized encryption standards available today and supported by most vendors.

The report also provides short-term mitigation strategies and looks briefly at what the community is already doing with regard to the next generation of these encryption standards.

Download the full research report on the risk of outdated encryption standards

More from Threat Intelligence

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

X-Force data reveals top spam trends, campaigns and senior superlatives in 2023

10 min read - The 2024 IBM X-Force Threat Intelligence Index revealed attackers continued to pivot to evade detection to deliver their malware in 2023. The good news? Security improvements, such as Microsoft blocking macro execution by default starting in 2022 and OneNote embedded files with potentially dangerous extensions by mid-2023, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to shift away from other techniques prominent in 2022, such as using disk image files (e.g. ISO) and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today