Network Security Basics


  • Vaughan Shanks

    Helping security teams respond to cyber incidents better and faster | CEO & Co-Founder, Cydarm Technologies

    12,075 followers

    Last week #NIST released three post-#quantum #encryption standards. Why is this significant? Put simply, from a practical standpoint: risk management and compliance.

    First, on risk management: experts now say that quantum computing is less than a decade away. Quantum computers are expected to have the power to search large keyspaces very quickly, which means they will be able to decrypt current encryption. Moreover, it is entirely plausible that encrypted information recorded today is being stored for decryption when quantum computing becomes available. If you speculatively apply quantum-resistant encryption to your data now, you will reduce the risk of an adversary being able to successfully exploit your data when they have access to quantum computing.

    Second, on compliance: NIST is the governing body for standards in the USA, and many other nations take their encryption standards from NIST, as they do not have resources at the same scale as NIST. You can be certain that NIST-approved post-quantum algorithms will start being mentioned in various compliance checklists, as is the case currently with algorithms such as AES-256 and SHA-256. Note well that these algorithms have #FIPS numbers associated with them - meaning "Federal Information Processing Standard".

    Briefly, the approved algorithms are:

    🔒 ML-KEM, for encrypted key exchange, as FIPS 203
    🔒 ML-DSA, for digital signatures, as FIPS 204
    🔒 SLH-DSA, for stateless hash-based digital signatures, as FIPS 205

    There is a fourth algorithm, FN-DSA, also used for digital signatures, that is expected to be released in the next year.

  • Lory Kehoe

    Aave Labs EU Director & Push Ireland CEO | Blockchain Ireland Founder & Chair | Trinity College Dublin Adjunct Asst. Prof. | Board Member

    54,736 followers

    HSBC's report on 'Asset Tokenisation in the Quantum Age: Future-proofing gold tokens with post-quantum security'

    1. HSBC Leads with World-First Quantum-Secured Gold Tokenisation
    - HSBC became the first global bank to offer tokenised physical gold to both institutional and retail investors via its Orion digital asset platform.
    - In collaboration with Quantinuum, they’ve successfully trialled the world’s first quantum-secure tokenisation of gold, marking a pioneering move in post-quantum finance.

    2. $16 Trillion Opportunity Meets Quantum Threat
    - Asset tokenisation is on track to become a $16 trillion market by 2030 (Boston Consulting Group (BCG)), revolutionising how people invest in gold, real estate, bonds, and art.
    - But here's the catch: quantum computing threatens the cryptographic backbone of this entire ecosystem—forcing institutions to act now to secure digital assets for the future.

    3. Post-Quantum Cryptography Without the Pain
    - HSBC deployed Post-Quantum Cryptography (PQC) via a PQC-secured VPN - offering a cost-effective, low-latency way to secure DLT networks without redesigning the entire system.
    - Their proof-of-concept showed no performance loss with transaction speeds hitting 40 TPS, and latency staying below 3.1 seconds.

    4. Quantum Keys > Random Keys
    - Enter Quantum Random Number Generators (QRNGs): a next-gen security layer where randomness isn’t guessed—it’s quantum-proven.
    - HSBC’s solution boosts key strength and data unpredictability by integrating QRNGs that inject entropy directly into the Linux kernel, making encryption truly future-proof.

    5. Interoperable, Cross-DLT, Retail-Ready
    - HSBC’s gold tokens can now move securely across blockchains, including conversion into ERC-20 tokens, enabling wider distribution across wallets and platforms.
    - Their system supports fractional gold ownership, opening doors for retail investors while maintaining institutional-grade security.

    So What?
    - Tokenisation is the future of finance—but quantum is a material risk
    - HSBC’s work sheds light on a possible
    - This potentially sets a new standard for digital asset infrastructure and serves as a blueprint for every financial institution looking to future-proof their tokenisation strategy.

    Great work Prashant Malik, Philip Intallura Ph.D, Duncan Jones, Kimberley Fewell, Mark Williamson, Del Rajan, Ben Merriman

  • Mehdi Namazi

    CTO | Technology Strategist | Senior Member IEEE | Digital Transformation & R&D Leader

    6,964 followers

    Worried about the threat of quantum computers breaking the encryption of your web traffic? Cloudflare has announced that they are testing a new post-quantum-cryptography protocol called CRYSTALS-KYBER, which is designed to resist attacks from quantum computers.

    What is #postquantumcryptography? It is a branch of #cryptography that aims to develop #secure #algorithms that can withstand the power of #quantum computers, which are expected to be able to break many of the current #encryption schemes, such as RSA and ECC. Post-quantum cryptography is based on mathematical problems that are believed to be hard for both classical and quantum computers, such as lattice-based, code-based, multivariate, or hash-based problems.

    Cloudflare has implemented CRYSTALS-KYBER, a lattice-based key encapsulation mechanism (KEM), as an option for their customers to encrypt their traffic between Cloudflare’s edge servers and their origin servers. This means that even if a #quantumcomputer can break the TLS 1.3 handshake between the browser and Cloudflare, it will not be able to decrypt the traffic between Cloudflare and the origin server, which is protected by CRYSTALS-KYBER.

    Cloudflare claims that CRYSTALS-KYBER is fast, secure, and compatible with existing systems. They have benchmarked the performance of CRYSTALS-KYBER on various platforms and found that it is comparable to or faster than existing encryption schemes. They have also followed the recommendations of the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography Standardization project (https://lnkd.in/eJyS9p48), which is an ongoing effort to select and standardize post-quantum algorithms for public use. Moreover, they have made CRYSTALS-KYBER available as an #opensource project, so anyone can use it or contribute to it.

    I think this is a very exciting and innovative experiment by Cloudflare, as they are one of the first companies to offer post-quantum encryption to their customers. This shows that they are proactive and forward-thinking in addressing the challenges and opportunities of the quantum era. 👏 👏 I applaud their efforts and hope that more web security and performance companies will follow their example and adopt post-quantum cryptography in the near future. 👏 👏 https://lnkd.in/ev94m8a9

  • Talila Millman

    Global CTO | Board Director | Advisor Strategic Innovation | Change Management | Speaker & Author

    10,417 followers

    Your home and office devices can be used in cyberattacks. Here’s what to do.

    The US government disrupted a Chinese hacking operation that utilized compromised small office and home office network equipment, including routers, firewalls, and VPN hardware, to route their traffic. But employing the simple cyber hygiene we will discuss below can keep your home, your business and/or your company safe.

    How Hackers Invaded: Hackers exploited vulnerabilities in outdated devices, especially those nearing "end-of-life" status and no longer receiving security updates. They then used known weaknesses to gain control and reroute their malicious traffic through these devices, making it harder to detect their real targets.

    Why They Do It: These compromised devices act as "stepping stones," hiding the hackers' tracks and making it harder to pinpoint their true intentions. It's similar to the 2016 attack on internet provider Dyn, when hackers launched a massive internet outage affecting websites such as Amazon, PayPal, Walgreens, Visa, CNN, Fox News, Wall Street Journal, and the New York Times. At that time, hackers took control of routers, cameras, printers, and other devices by using the default password coming out of the factory.

    🛡 Simple Steps to Secure Your Home and Office:
    ➡️ Update, Update, Update: Regularly update your router, firewall, VPN, and all connected devices with the latest security patches. Most devices offer automatic updates - enable them!
    ➡️ Ditch the old tech: If your router or other devices are nearing end-of-life, invest in newer, secure models.
    ➡️ Password Power: Set strong, unique passwords for all your devices and enable two-factor authentication wherever possible. Hackers love easy prey, make them work for it!
    ➡️ Firewall Fortitude: Enable your firewall and anti-virus and configure both to detect and block suspicious activity. Think of it as a security guard for your digital life.

    For Companies: While the above advice works for both individuals and companies, companies should assume they will be hacked and be prepared. The preparation must include at least:
    ♦︎ Off-network backup,
    ♦︎ Incident response action plan
    ♦︎ Disaster recovery plan

    What are you doing to keep your home equipment and your company secure? #cyberdefence #cybersecurity #levelUpYourLi

    _______________
    ➡️ I am Talila Millman, a fractional CTO, a management advisor, a keynote speaker, and an executive coach. I help CEOs and their C-suite grow profit and scale through optimal Product portfolio and an operating system for Product Management and Engineering excellence.
    📘 My book The TRIUMPH Framework: 7 Steps to Leading Organizational Transformation will be published in Spring 2024. You can preorder a signed copy on my website

    Image credit: Bing AI powered by DALL-E3

  • Steve Suarez®

    Chief Executive Officer | Entrepreneur | Board Member | Senior Advisor McKinsey | Harvard & MIT Alumnus | Ex-HSBC | Ex-Bain

    50,622 followers

    The biggest threat to your data isn’t happening tomorrow. It happened yesterday.

    If you haven’t heard of HNDL (Harvest Now, Decrypt Later), your long-term data strategy has a massive blind spot.

    Here is the reality: State actors and cybercriminals are capturing your encrypted data today. They can’t read it yet, so they’re storing it in massive data vaults, waiting for the "Qday"—the moment quantum computers become powerful enough to break current encryption. If your data needs to stay private for 5, 10, or 20 years, it’s already at risk.

    What’s on the line?
    ↳ Intellectual Property (IP) and trade secrets.
    ↳ Government and identity data.
    ↳ Long-term financial records and contracts.
    ↳ Sensitive customer health data.

    How do we solve it? 🛠️ We cannot wait for quantum supremacy to react. The fix starts now:
    ↳ Inventory: Identify which data has a long shelf-life.
    ↳ Crypto-Agility: Move toward systems that can swap encryption methods without a total overhaul.
    ↳ Hybrid PQC: Implement Post-Quantum Cryptography alongside classical methods to ensure traffic captured today remains a mystery tomorrow.

    The transition to quantum-resistant security is a marathon, not a sprint. Are you tracking HNDL on your current risk register? Let’s discuss in the comments. 👇

    P.S. If you want help mapping your exposure or building a PQC migration plan, drop me a message.

    ♻️ Share this post if it speaks to you, and follow me for more. #QuantumSecurity #PQC

  • Rich Campagna

    SVP Products, Palo Alto Networks

    17,770 followers

    Quantum computing is moving from "science fiction" to "business reality" faster than most predicted. Two recent papers have fundamentally shifted the timeline for when we need to care about Quantum-Safe security:

    1️⃣ The "10,000 Qubits" Milestone: New research shows that we can execute Shor’s algorithm—the math that breaks today’s encryption—with far fewer resources than previously thought. By using reconfigurable atomic qubits, the hardware requirements for cracking RSA-2048 have dropped by nearly 20x.
    2️⃣ The "9-Minute" Crypto Warning: Google’s latest whitepaper highlights a terrifying reality for digital assets. Under advanced quantum scenarios, the encryption protecting a cryptocurrency wallet could be cracked in under 10 minutes. This puts billions in "dormant" assets at immediate risk of "at-rest" attacks.

    The Bottom Line: The "Q-Day" window is shrinking. It’s no longer about if a quantum computer can break your encryption, but when your current migration timeline will run out.

    How do we respond? We can't just flip a switch on "Q-Day." For many organizations, becoming quantum safe is a multi-year journey. This is where Palo Alto Networks Quantum-Safe Security comes in. Instead of a manual, multi-year overhaul, we provide a path to Agentic Resilience:
    - Continuous Discovery: It automatically maps your "cryptographic bill of materials" (CBOM), identifying exactly where vulnerable RSA and ECC algorithms are hiding in your network.
    - Risk Prioritization: It correlates your encryption strength with business criticality, telling you exactly which high-value assets need to move to Post-Quantum Cryptography (PQC) first.
    - Real-Time Remediation: For legacy systems that can’t be easily upgraded, a "Quantum-Safe Proxy" re-encrypts vulnerable traffic into post-quantum algorithms (like ML-KEM) at the network edge.

    The transition to a quantum-safe future is a marathon, but the starting gun has already fired. Learn how to take your first steps at the link in the comments.

  • Sanjeet Yadav

    > Quality Manager - Sona Comstar | EX- The Hi-Tech Gears Ltd | EX- ESCORTS KUBOTA LTD I Standard Room Incharge | In Process Quality IRIS 22163 ,ISO 17025 & ISO 9001,14001,45001I Certified Six Sigma Green belt

    3,270 followers

    #Risk Assessment is the process of identifying potential hazards, analyzing what could happen if a hazard occurs, and evaluating the risks involved in any activity or situation. It is commonly used in industries like manufacturing, construction, healthcare, and project management to ensure safety and minimize potential losses.

    ---

    🔍 Basic Steps of Risk Assessment:

    1. Identify Hazards
       What could cause harm?
       Example: Sharp tools, toxic chemicals, electrical equipment, slippery floors.
    2. Assess the Risks
       Who might be harmed and how?
       What is the likelihood and severity of harm?
    3. Evaluate and Control Risks
       What precautions are already in place?
       What further actions are needed to reduce risks?
    4. Record Findings
       Document hazards, risk levels, and mitigation steps.
       Keep records for audits and legal compliance.
    5. Review and Update Regularly
       Update after accidents, near misses, or major changes in the workplace.

    ---

    🧮 Risk Matrix (for evaluation):

    Likelihood   Severity                      Low      Medium   High
    Low          Minor injuries                Low      Medium   Medium
    Medium       Serious injury                Medium   High     High
    High         Fatal or multiple injuries    High     High     Critical

    ---

    ✅ Examples of Risk Control Measures:

    Engineering controls: Guards, ventilation, machine enclosures.
    Administrative controls: SOPs, safety training, signage.
    PPE: Helmets, gloves, goggles, ear protection.
    Maintenance: Regular inspection and servicing of equipment.

    #Riskassesment

  • Tijani Festus

    Helping organizations stay ahead of risk and make smarter decisions. ||Risk Manager||Credit Risk Analyst || Internal control ||Compliance

    6,873 followers

    Dear Risk manager,

    Identifying risk in an organization involves systematically evaluating potential threats that could affect the achievement of objectives, impact operations, or harm stakeholders. Here are key steps to identify risks:

    1️⃣ Conduct a Risk Assessment Process:
    √ Define Risk Criteria
    √ Identify Key Objectives: Understand the organization's strategic, operational, and financial goals to determine what risks could potentially prevent their achievement.

    2️⃣ Risk Identification Techniques:
    √ Brainstorming Sessions: Involve teams from different departments to generate a list of potential risks.
    √ SWOT Analysis: Analyze the organization's strengths, weaknesses, opportunities, and threats to uncover both internal and external risks.
    √ Interviews and Surveys: Engage key stakeholders (executives, managers, employees) to get their perspectives on what risks they foresee.
    √ Historical Data Review: Examine past incidents or similar organizations’ cases to identify recurring or likely risks.
    √ Checklists: Use industry-specific risk checklists to ensure that common risks are not overlooked.

    3️⃣ Risk Mapping:
    √ Categorize Risks: Group risks into categories, such as financial, operational, technological, legal, environmental, strategic, or reputational risks.
    √ Risk Matrix: Assess the likelihood and impact of each identified risk to determine its severity and prioritize mitigation actions.

    4️⃣ Use of Risk Management Tools:
    √ Risk Registers: Create a central repository to record identified risks, their causes, potential impacts, and the actions taken to address them.
    √ Risk Management Software: Implement tools to track and analyze risks more effectively.

    5️⃣ Analyze External Environment:
    √ Regulatory Changes: Monitor changes in laws, regulations, and industry standards that could introduce new risks.
    √ Market Trends: Stay updated on shifts in the market or competition that could pose strategic risks.
    √ Technology Advancements: Assess how new technologies might create cybersecurity risks or operational disruptions.

    6️⃣ Regular Monitoring and Review:
    √ Continuous Monitoring: Keep a regular check on internal and external factors that might change, leading to new or altered risks.
    √ Audit and Inspections: Regular internal audits, inspections, and compliance checks can uncover risks early.

    7️⃣ Scenario Planning:
    √ What-if Analysis: Test various scenarios of risk occurrences (e.g., economic downturn, data breach) and assess their potential impact.
    √ Stress Testing: Simulate extreme conditions (financial crisis, supply chain failure) to assess organizational resilience.

    By using these methods and continuously reassessing the environment, organizations can identify and mitigate risks effectively.

  • Adewale Adeife, CISM, CISSP

    Cyber Risk Management and Technology Consultant || GRC Professional || PCI-DSS Consultant || I help keep top organizations, Fintechs, and financial institutions secure by focusing on People, Process, and Technology.

    30,666 followers

    🚨 Mastering IT Risk Assessment: A Strategic Framework for Information Security

    In cybersecurity, guesswork is not strategy. Effective risk management begins with a structured, evidence-based risk assessment process that connects technical threats to business impact.

    This framework — adapted from leading standards such as NIST SP 800-30 and ISO/IEC 27005 — breaks down how to transform raw threat data into actionable risk intelligence:

    1️⃣ System Characterization – Establish clear system boundaries. Define the hardware, software, data, interfaces, people, and mission-critical functions within scope.
    🔹 Output: System boundaries, criticality, and sensitivity profile.

    2️⃣ Threat Identification – Identify credible threat sources — from external adversaries to insider risks and environmental hazards.
    🔹 Output: Comprehensive threat statement.

    3️⃣ Vulnerability Identification – Pinpoint systemic weaknesses that can be exploited by these threats.
    🔹 Output: Catalog of potential vulnerabilities.

    4️⃣ Control Analysis – Evaluate the design and operational effectiveness of current and planned controls.
    🔹 Output: Control inventory with performance assessment.

    5️⃣ Likelihood Determination – Assess the probability that a given threat will exploit a specific vulnerability, considering existing mitigations.
    🔹 Output: Likelihood rating.

    6️⃣ Impact Analysis – Quantify potential losses in terms of confidentiality, integrity, and availability of information assets.
    🔹 Output: Impact rating.

    7️⃣ Risk Determination – Integrate likelihood and impact to determine inherent and residual risk levels.
    🔹 Output: Ranked risk register.

    8️⃣ Control Recommendations – Prioritize security enhancements to reduce risk to acceptable levels.
    🔹 Output: Targeted control recommendations.

    9️⃣ Results Documentation – Compile the process, findings, and mitigation actions in a formal risk assessment report for governance and audit traceability.
    🔹 Output: Comprehensive risk assessment report.

    When executed properly, this process transforms IT threat data into strategic business intelligence, enabling leaders to make informed, risk-based decisions that safeguard the organization’s assets and reputation.

    👉 Bottom line: An organization’s resilience isn’t built on tools — it’s built on a disciplined, repeatable approach to understanding and managing risk.

    #CyberSecurity #RiskManagement #GRC #InformationSecurity #ISO27001 #NIST #Infosec #RiskAssessment #Governance

  • Julien Bouteloup

    Entrepreneur and investor. Running Stake Capital Group

    12,192 followers

    🚨 Two major new research papers just dropped that dramatically accelerate the quantum threat to crypto. Google Quantum AI optimized Shor’s algorithm down to roughly 1K logical qubits, potentially allowing private keys to be cracked in minutes on advanced superconducting hardware. A follow-up from Oratomic then brought neutral-atom implementations down to just 26K physical qubits with a runtime of around 10 days. This makes Q-Day feel much closer, within just a few years of being reachable. This year at Satoshi Roundtable the mood around quantum computing wasn’t very enthusiastic. We openly discussed how a powerful enough quantum computer could break ECDSA signatures (secp256k1) used across Bitcoin, Ethereum, and most protocols, exposing massive on-chain value including dormant and early-mined coins. The big question was: how do we prepare, and prepare well? Crazy times to be living through. Honestly, teams working in encryption and blockchain should seriously consider stopping everything else and prioritizing this now. It’s time to start integrating quantum-resistant encryption algorithms into modern protocols. No matter if a cryptographically relevant quantum computer arrives in one year or in five, adversaries are likely already collecting encrypted traffic and on-chain data today waiting to decrypt everything the day quantum power crosses that threshold. The shift is real: migrating to post-quantum cryptography is no longer optional. It’s urgent infrastructure work for wallets, bridges, staking, exchanges, and every system holding long-term value. https://lnkd.in/dGUR24xH
