
Reducing the Risk of Cryptographic Failures

Considered the first line of defense against emerging threats, encryption protects everything we do online, from web browsing to messaging, and plays a critical role in helping organizations meet government and state data security and privacy regulations, from the General Data Protection Regulation (GDPR) in Europe to the California Privacy Rights Act (CPRA) in the U.S. Encryption serves not only as a business enabler but as a foundation of our digital society.

As a result, it is critical to keep adopting modern encryption tools and processes to protect against the cryptographic failures that can put your business, along with its employees, customers, partners and other third parties, at risk.

When encryption fails

Cryptographic Failures ranks second (A02:2021) on the OWASP Top 10 list. Previously known as Sensitive Data Exposure, the category covers failures related to cryptography, or its absence: transmitting sensitive data in clear text over HTTP, FTP, SMTP and similar protocols; storing it in clear text in databases or files; using old or weak cryptographic algorithms; and using weak or default encryption keys or reusing compromised keys.

One of the most notorious examples was the 2019 disclosure that Facebook had, for years, stored hundreds of millions of user passwords in plain text on internal systems where employees could read them. More recently, Microsoft made headlines when it was revealed that a China-backed hacking group had stolen a cryptographic signing key from the company's systems and used it to forge authentication tokens, giving the attackers access to cloud-based Outlook email at roughly 25 organizations, including multiple US government agencies. When data is stored or transmitted without proper encryption, an attacker who reaches it can copy thousands of records in seconds, and breaches caused by cryptographic failures can cost organizations millions of dollars.

Improve your security posture

Encryption is not a single product or control; it is a foundation of any defense-in-depth approach. To reduce the risk of cryptographic failures and strengthen your security posture, take the following steps:

Identify and classify sensitive information: Organizations first need to identify and classify the data they store and process, from passwords to credit card numbers to intellectual property and other sensitive, confidential information. Equally important, don't store sensitive data unnecessarily. As OWASP astutely reminds us in its helpful list of preventive steps to avoid cryptographic failures, "Data that is not retained cannot be stolen."

Encrypt in transit with TLS 1.2 or 1.3: Implement modern transport encryption such as TLS (Transport Layer Security), the cryptographic protocol that protects data sent between applications over the Internet, and disable the deprecated versions TLS 1.0 and 1.1 (formally deprecated by the IETF in RFC 8996). In September 2023 Microsoft began disabling TLS 1.0 and 1.1 by default in Windows 11 Insider Preview builds, ahead of a broader deactivation in future Windows versions, and advised organizations to migrate their systems to TLS 1.2 or 1.3.

Using outdated protocol versions puts your business at risk. According to a recent research study by Enterprise Management Associates (EMA) on SSL/TLS Certificate Security, only 21% of servers on the internet use TLS 1.3, leaving 79% on older versions; servers that still accept TLS 1.0, TLS 1.1 or weak cipher suites remain exposed to downgrade and man-in-the-middle attacks.

Pass the salt: Both hashing and encryption have their place, but in almost all circumstances passwords should be hashed, not encrypted, so that not even the operator can recover them. Do not use broken hash functions such as MD5 or SHA-1 (which NIST announced in December 2022 it is retiring) for passwords; these are fast, unsalted digests that an attacker can brute-force at billions of guesses per second on commodity GPUs. And be sure to salt your passwords: salting adds a unique, randomly generated value (NIST SP 800-63B requires at least 32 bits; 16 random bytes is common practice) to each password before hashing, so identical passwords produce different hashes and precomputed rainbow tables are useless. To resist brute-force attacks, use a deliberately slow password hashing function: NIST SP 800-63B names PBKDF2 as an acceptable choice, and OWASP's Password Storage Cheat Sheet recommends Argon2id first, with scrypt, bcrypt and PBKDF2 as alternatives.
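The following is an added example, not code from the original post or from OWASP or NIST, showing the salted, iterated PBKDF2 storage described above beside the unsalted MD5 pattern it replaces, with constant-time verification and a work-factor upgrade check. It uses only the Python standard library; the iteration count, record format and the "Summer2023!" sample password are choices made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work-factor parameters. 600,000 iterations is the OWASP Password Storage
# Cheat Sheet's current minimum for PBKDF2-HMAC-SHA256; raise it as hardware
# allows. The 16-byte (128-bit) random salt is well above the 32-bit floor in
# NIST SP 800-63B. The '$'-separated record format is this example's own.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32
SCHEME = "pbkdf2_sha256"


def legacy_md5(password: str) -> str:
    """The pattern to avoid: a fast, unsalted digest. Identical passwords give
    identical hashes, so one cracked digest unlocks every user who chose the
    same password, and precomputed tables apply directly."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scheme$iterations$salt_hex$dk_hex'.
    Storing the parameters beside the hash lets the work factor be raised
    later without breaking existing records."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh CSPRNG salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DERIVED_KEY_BYTES)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def _parse(stored: str):
    """Split a record into (iterations, salt, derived_key); ValueError if malformed."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != SCHEME:
        raise ValueError("unknown scheme")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt and parameters and compare
    in constant time. A malformed or attacker-chosen record never raises."""
    try:
        iterations, salt, expected = _parse(stored)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was produced below the current work factor (or is
    unreadable); re-hash it on the user's next successful login."""
    try:
        stored_iterations, _, _ = _parse(stored)
    except ValueError:
        return True
    return stored_iterations < iterations


if __name__ == "__main__":
    # Two users who chose the same (constructed) password.
    alice = hash_password("Summer2023!")
    bob = hash_password("Summer2023!")
    print("MD5 collides across users:", legacy_md5("Summer2023!") == legacy_md5("Summer2023!"))
    print("salted records differ:", alice != bob)
    print("alice login ok:", verify_password("Summer2023!", alice))
    print("wrong password rejected:", not verify_password("summer2023!", alice))
```

Keep the per-record parameters: when you raise `PBKDF2_ITERATIONS`, `needs_rehash` flags old records and `verify_password` still checks them with the iteration count they were created with, so the upgrade happens transparently at login rather than through a forced reset.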

Prepare for advanced encryption methods: Remember, encryption methods and protocols are constantly evolving to protect against the latest threats. Post-quantum cryptography (PQC) is increasingly becoming a priority as organizations prepare to withstand quantum-era attacks. In August 2023, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) issued a joint factsheet warning that cyber actors could collect our nation's most sensitive encrypted information now and use future quantum computing technology to break the traditional, non-quantum-resistant algorithms protecting it.

In that factsheet, CISA, NIST and NSA urge organizations to start preparing for post-quantum cryptography by doing the following:

  • Establish a quantum-readiness roadmap.
  • Engage with technology vendors to discuss their post-quantum roadmaps.
  • Conduct an inventory to identify and understand cryptographic systems and assets.
  • Create migration plans that prioritize the most sensitive and critical assets.

As we look ahead to 2024, we can expect cryptographic failures to remain a top security risk and remain at the top of the OWASP Top 10. Be sure to incorporate these fundamental steps into your overall security program.