In popular culture, what’s old is new. Unfortunately, there is a retro trend that is putting many businesses, and the businesses with whom they interact, at great risk. Since 2014, security researchers have found a variety of flaws — in code and implementation — that undermined trust in foundational encryption standards that have been in place since 1998.

Malware Continues to Evolve

Highly publicized vulnerabilities with names such as BEAST, POODLE, POODLE V2, Logjam, Bar Mitzvah, STORM and FREAK have prompted headlines and fervent discussion about the underpinnings of security and privacy. DROWN, or Decrypting RSA with Obsolete and Weakened Encryption, was disclosed earlier this month and is the latest vulnerability to draw attention to this serious issue.

Unfortunately — and unsettlingly — while the call to action was definitive, the reaction was not. Although the industry has responded and removed vulnerabilities in successive (and in some cases multiple) versions, many businesses continue to depend on these outdated encryption standards, putting themselves and the information they handle in danger.

Cybercriminals are predators. They identify and prey on weakness. In some of these cases, they exploited that weakness. Now that the vulnerabilities of numerous standards have been laid bare, it’s only a matter of time before organizations are targeted. If this trend continues, the shortcomings of every aspect of these old encryption standards will be fully exposed.

The Problem With Encryption Standards

A new IBM report detailed the history and evolution of these encryption standards, the efforts to mitigate issues and the recommendations for businesses to modernize their use of encryption standards and lower their overall risk of a data breach. This brief blog endeavors to answer the most prominent questions.

Why Are the 1998 Encryption Standards Problematic?

These old encryption standards were designed for the technology of the systems they were built to protect. Early standards afforded protection because the processing power of computers and networks in the 1990s were not sufficient for an adversary to perform a brute-force attack (trying every key combination to decrypt data) against the encryption algorithms.

As processing power increased, so did the need to update the standards to fortify them against a stronger enemy. Updated versions of these encryption standards, based on more current computing power and parallel processing, were published in 2008.

Why Do Businesses Still Depend on the 1998 Encryption Standards?

The big challenge in moving to more modern encryption standards is that the entire business ecosystem must move to these standards and the platforms that support them. Most software and hardware vendors are supporting the newer encryption standard, but the shift requires businesses to invest in and move to current releases.

Historically, businesses — to avoid high costs and disruption — lag in new platform adoption. This is also an issue for businesses that have updated systems but still need to support older standards to communicate with partners who have not.

What Steps Should a Business Take to Mitigate Risk?

The IBM report provides information and recommendations for a long-term strategy aimed at reducing the risk of a data breach due to outdated encryption. The most obvious action is moving to the 2008 modernized encryption standards available today and supported by most vendors.

The report also provides short-term mitigation strategies and looks briefly at what the community is already doing with regard to the next generation of these encryption standards.

Download the full research report on the risk of outdated encryption standards

more from Threat Intelligence

Hive0117 Continues Fileless Malware Delivery in Eastern Europe

Through continued research into the ongoing cyber activity throughout Eastern Europe, IBM Security X-Force identified a phishing email campaign by Hive0117, likely a financially motivated cybercriminal group, from February 2022, designed to deliver the fileless malware variant dubbed DarkWatchman. The campaign masquerades as official communications from the Russian Government’s Federal Bailiffs Service, the Russian-language emails […]