Quantum Xchange has
conducted research exposing the widespread use of old, outdated cryptographic
protocols by enterprises in finance, healthcare, higher education, retail, and
manufacturing. The research underscores how cryptography is largely taken for
granted - rarely evaluated or checked - a practice that could have devastating
consequences for businesses as attack surfaces continue to expand, the cost of
a data breach rises year-over-year, and the age of quantum computing nears.
Mining data from CipherInsights users and examining more than 203 terabytes of network
traffic, the analysis looked at the relationships, sessions, and traffic by
cipher suite, plaintext, TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0, and SSL 3.0. Summed
over all packets, for all connections, between all host pairs, up to 80
percent of network traffic had some defeatable flaw in its encryption and 61
percent of the traffic was unencrypted. See infographic for full results.
Findings indicate that
healthcare and higher education are slow to change, with a significant presence
of TLS 1.1 and 1.0 still in use. More alarming still, up to 92 percent of all traffic
on a hospital network uses no encryption at all. This suggests a laissez-faire
attitude and a general reluctance to update "working" systems that are in
production.
87 percent of encrypted
host-to-host relationships still use TLS 1.2, demonstrating that a large
migration to TLS 1.3 is still forthcoming - not a trivial upgrade given the
significant differences between versions.
"These findings serve as a snapshot of
what's taking place within enterprise systems worldwide," said Vince Berk,
Chief Strategist at Quantum Xchange. "Zero trust is meaningless if your
encryption is not bulletproof. We're trying to bring awareness to the
here-and-now problem with cryptography so that organizations can shore up these
weaknesses and better protect their systems from everyday cybersecurity risks
and yet-to-be-discovered threats."
Launched in June 2023, CipherInsights is a real-time cryptographic risk
discovery and assessment tool that acts as a passive listener on the
network. Unlike scanning tools that can only inspect certificates and the
cryptographic libraries installed on endpoints, CipherInsights
analyzes traffic as it passes by, identifying and classifying the
encryption, both sanctioned and unsanctioned, that is actually in use on the network.
This gives users near-immediate insight into how encryption is operating, not
just how it is deployed, which is a requirement of new standards such as
PCI DSS 4.0, as well as many cyber insurance policies.
With CipherInsights users
can:
- Identify the use of outdated protocols and algorithms such as TLS
1.1, SSL 3.0, MD5, or SHA-1.
- Satisfy the encryption inventory requirements of
PCI DSS 4.0, H.R. 7535, and others.
- Spot weakly signed, untrustworthy, wildcarded,
self-signed, or expired certificates.
- Alert on communications such as user
authentication and database traffic that should be encrypted but appear in
clear text.
- Discover, catalog, and prioritize cryptographic
risk based on the zero-trust framework.
- Generate detailed reports that can be directly
submitted to regulatory bodies or used for internal audits.
- Enforce policies and manage organizational
progress toward crypto-agility.
- Be better prepared for the next phase of
computing and whatever threats lie ahead.
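The passive approach described above, as an added example that is not the page's or CipherInsights' own code: a minimal Python classifier that reads the first bytes a server sends on a connection, parses the TLS ServerHello to find the negotiated version and cipher suite, and labels anything that is not a TLS record as clear text. The sample flows, host names, the TLS 1.2 floor and the weak-suite list are all constructed assumptions for illustration (cipher suite codepoints are from the IANA TLS registry). The one caveat worth seeing in code is that a TLS 1.3 ServerHello still says 0x0303 in its record and legacy_version fields; the real version is only in the supported_versions extension, so a classifier that stops at the record header under-counts TLS 1.3 and over-counts TLS 1.2.

```python
"""Passive classification of a server's first TLS record.
Added example with constructed sample traffic; not CipherInsights' code."""
import struct

HANDSHAKE = 22            # TLS record content type for handshake messages
SERVER_HELLO = 2          # handshake message type
EXT_SUPPORTED_VERSIONS = 43
MIN_ACCEPTABLE = 0x0303   # policy assumption: TLS 1.2 is the floor

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# Policy assumption: suites flagged as weak (codepoints from the IANA registry).
WEAK_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",   # static RSA: no forward secrecy
}


def parse_server_hello(record: bytes):
    """Return (negotiated_version, cipher_suite) from a ServerHello record.

    TLS 1.3 keeps legacy_version = 0x0303 and carries the real version in the
    supported_versions extension, so stopping at the record header misreports
    TLS 1.3 sessions as TLS 1.2.
    """
    rec_len = struct.unpack(">H", record[3:5])[0]
    frag = record[5:5 + rec_len]
    if frag[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body_len = int.from_bytes(frag[1:4], "big")
    body = frag[4:4 + body_len]
    version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32                      # skip legacy_version and random
    pos += 1 + body[pos]              # session_id
    suite = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 1                      # cipher_suite, compression_method
    if pos + 2 <= len(body):          # extensions are optional before 1.3
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = struct.unpack(">H", body[pos:pos + 2])[0]
            pos += elen
    return version, suite


def classify(stream: bytes) -> dict:
    """Classify the first bytes a server sends; plaintext gets its own finding."""
    is_tls = len(stream) >= 5 and stream[0] == HANDSHAKE and stream[1] == 3
    if not is_tls:
        findings = ["unencrypted"]
        if b"Authorization:" in stream or b"password" in stream.lower():
            findings.append("credentials in clear text")
        return {"encrypted": False, "findings": findings}
    version, suite = parse_server_hello(stream)
    name = VERSION_NAMES.get(version, f"unknown 0x{version:04x}")
    findings = []
    if version < MIN_ACCEPTABLE:
        findings.append(f"outdated protocol {name}")
    if suite in WEAK_SUITES:
        findings.append(f"weak cipher suite {WEAK_SUITES[suite]}")
    return {"encrypted": True, "version": name,
            "cipher_suite": f"0x{suite:04x}", "findings": findings}


def build_server_hello(legacy_version, suite, selected_version=None) -> bytes:
    """Construct a minimal ServerHello record for the constructed samples."""
    body = (struct.pack(">H", legacy_version) + bytes(32) + b"\x00"
            + struct.pack(">H", suite) + b"\x00")
    if selected_version is not None:
        ext = struct.pack(">HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
        body += struct.pack(">H", len(ext)) + ext
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack(">HH", legacy_version, len(hs)) + hs


# Constructed sample flows (not captured traffic), keyed by hypothetical hosts.
SAMPLES = {
    "legacy-app": build_server_hello(0x0301, 0x000A),       # TLS 1.0 + 3DES
    "web-frontend": build_server_hello(0x0303, 0xC02F),     # TLS 1.2 ECDHE-GCM
    "api-gateway": build_server_hello(0x0303, 0x1301, selected_version=0x0304),
    "old-appliance": build_server_hello(0x0300, 0x0005),    # SSL 3.0 + RC4
    "hr-portal": b"GET /login HTTP/1.1\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n",
}


def summarize(samples: dict) -> dict:
    """Share of flows that are unencrypted or carry at least one finding."""
    results = {name: classify(data) for name, data in samples.items()}
    total = len(results)
    unencrypted = sum(1 for r in results.values() if not r["encrypted"])
    flawed = sum(1 for r in results.values() if r["findings"])
    return {"flows": total, "unencrypted_pct": 100 * unencrypted // total,
            "flawed_pct": 100 * flawed // total, "results": results}


if __name__ == "__main__":
    for host, result in summarize(SAMPLES)["results"].items():
        print(f"{host:14} {result}")
```

On real traffic the same logic would be fed from a span port or packet capture, one flow at a time, and the credential check would be replaced by protocol-aware parsing of the services that matter (database wire protocols, LDAP, HTTP authentication) rather than a substring match.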