US Agencies Issue Quantum-Readiness Recommendations

A successful post-quantum cryptography migration will take time to plan and conduct, states the quantum-readiness fact sheet jointly issued by CISA, NSA, and NIST.

The Quantum-Readiness: Migration to Post-Quantum Cryptography (PQC) (https://www.cisa.gov/sites/default/files/2023-08/Quantum%20Readiness_Final_CLEAR_508c%20%283%29.pdf) fact sheet includes recommendations for creating a quantum-readiness roadmap, preparing a useful cryptographic inventory, as well as understanding and assessing your supply chain.

The US agencies are urging organizations "to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments, and engaging vendors."

"Early planning is necessary as cyber threat actors could be targeting data today that would still require protection in the future (or in other words, has a long secrecy lifetime), using a catch now, break later or harvest now, decrypt later operation," the fact sheet says.

In other quantum computing news, Google recently announced (https://security.googleblog.com/2023/08/toward-quantum-resilient-security-keys.html) a quantum-resilient FIDO2 security key implementation, released as part of OpenSK, the organization's open source security key firmware.

"As progress toward practical quantum computers is accelerating, preparing for their advent is becoming a more pressing issue," the announcement says. "In particular, standard public key cryptography, which was designed to protect against traditional computers, will not be able to withstand quantum attacks."

Bitwarden Secrets Manager Now Available

Bitwarden has released Bitwarden Secrets Manager (https://bitwarden.com/products/secrets-manager/), a new "open source, end-to-end encrypted solution" tailored for IT pros, developers, and DevOps teams.

According to a 2022 Bitwarden survey (https://bitwarden.com/blog/password-decisions-survey-2023/), 60 percent of global IT decision makers reported cyberattacks on their business in the past year, and "nearly a quarter of developers operate without secure workflows."

Secrets Manager, which aims to help secure credentials and protect against unauthorized access, offers:

• scalable and centralized secret management based on least privilege access;
• rapid deployment with a simple, intuitive solution and comprehensive help documentation; and
• enhanced developer productivity with secure collaboration and ease-of-use.

Plans and pricing (https://bitwarden.com/products/secrets-manager/#pricing) are available in three tiers: free, teams, and enterprise.

IBM X-Force Releases Detection and Response Framework for Managed File Transfers

IBM's Security X-Force has announced a common framework for detection and response for managed file transfers (MFTs) in an effort to prevent mass exploitations.

The framework, available on GitHub (https://github.com/TactiKoolSec/MFT-Detect-Response), includes the following components:

• MFTData – Details the key software components of MFT solutions.
• MFTDetect – Scripts that leverage the MFTData to automatically generate detections.
• MFTRespond – Scripts and tools that can aid in responding to incidents involving an MFT server.
• MFTPlaybook – MFT incident response playbook template that can be used as a starting point for incident responders.

The framework also includes "a sample of 13 different detection and response frameworks for the most common and exposed MFT solutions that we analyzed," says John Dwyer in the announcement (https://securityintelligence.com/posts/x-force-releases-detection-response-framework-managed-file-transfer-software/). "This effort is meant to offload some of these learnings from defenders, to not only significantly reduce time required for defenders to stop an attack, but to also help prevent future mass exploitation."