Skip to content
VigilGuard Logo VigilGuard
Contact Us
EASM Platform VendorGuard ITRM Platform

Quantum Readiness

Quantum Readiness

Section titled “Quantum Readiness”

5 automated security scanners

Critical Data Quantum Exposure

Section titled “Critical Data Quantum Exposure”

Purpose: This scanner analyzes quantum exposure for long-lived encrypted data by examining retention policies and encryption standards used within an organization. It aims to identify potential risks associated with holding sensitive information in environments that may be vulnerable to future quantum computing advancements.

What It Detects:

  1. Retention policies that are indefinite or exceed 10 years, indicating long-term storage of potentially sensitive data.
  2. Encryption standards that are known to be vulnerable to attacks on the post-quantum era, such as RSA and ECC algorithms.
  3. The presence of quantum-vulnerable encryption practices within an organization’s information security framework.

Inputs Required:

  1. Domain: The target domain for analysis, which is used to gather data about retention policies and encryption standards.
  2. Company Name: Identifies the specific company or entity being analyzed, aiding in context-specific reporting.

Business Impact: The improper handling of sensitive information can lead to significant legal, financial, and reputational damage for organizations. This includes potential fines, loss of customer trust, and exposure of confidential data that could be exploited by malicious actors.

Risk Levels:

  • Critical: When retention policies exceed 15 years and are associated with quantum-vulnerable encryption, indicating a high risk of data exposure to future quantum computing threats without mitigation strategies in place.
  • High: Retention periods exceeding 10 years coupled with the absence of any post-quantum cryptography migration plan, highlighting significant vulnerabilities that could be exploited by advanced cyber threats.
  • Medium: Short retention periods combined with minimal information security measures or a lack of awareness about quantum computing’s potential impact on data security.
  • Low: Organizations demonstrating short retention periods and having implemented robust post-quantum cryptography strategies to mitigate risks effectively.
  • Info: Informal findings related to minor deviations from best practices that do not significantly impact the overall risk profile but are still recommended for improvement in a secure information handling environment.

Example Findings:

  1. A company holds financial records with RSA encryption, which is known to be vulnerable post-quantum, indicating potential risks for future data security challenges.
  2. An organization’s medical records retention policy exceeds 15 years without any mention of transitioning to quantum-safe algorithms, posing a significant risk in the event of quantum computing advancements.

Quantum-Safe VPN Assessment

Section titled “Quantum-Safe VPN Assessment”

Purpose: The purpose of this scanner is to assess the quantum vulnerability of VPN configurations by analyzing their endpoints, TLS versions, cipher suites, and key exchange methods. It aims to identify weaknesses that could be exploited in future quantum computing advancements.

What It Detects:

  • This scanner detects whether VPN endpoints are reachable from public infrastructure.
  • It identifies the type and vendor of VPN used.
  • It checks for TLS versions, cipher suites, and key exchange methods that may be vulnerable to quantum attacks.
  • It evaluates the support for post-quantum key exchange groups and assesses the risk level based on findings.

Inputs Required:

  • domain: The main domain name of the organization.
  • url: The URL or specific endpoint within the VPN configuration, typically used for SSL/TLS analysis.

Business Impact: This assessment is crucial as it helps organizations understand their exposure to future quantum computing threats in their remote workforce traffic. Weak configurations can lead to significant security vulnerabilities that may be exploited by advanced adversaries.

Risk Levels:

  • Critical: The VPN configuration lacks any form of encryption or does not support post-quantum key exchange groups, leading to complete lack of protection against future attacks.
  • High: The VPN uses quantum-vulnerable cipher suites or key exchange methods without a clear migration plan to mitigate risks associated with quantum computing advancements.
  • Medium: The configuration shows some signs of vulnerability but has implemented mitigation strategies that may not be sufficient for long-term security.
  • Low: The VPN configuration is relatively secure, using modern encryption standards and supporting post-quantum key exchange groups effectively.
  • Info: Informal findings indicating potential improvements or areas for optimization in the current VPN setup without significant impact on overall risk.

If the README doesn’t specify exact risk levels, infer them based on the scanner’s purpose and impact:

Example Findings:

  1. A critical vulnerability was detected where the VPN configuration does not support any encryption, leaving all traffic exposed to potential attacks.
  2. The organization uses an outdated TLS version that is known to be vulnerable to quantum attacks, with no plans for upgrade or replacement.

Email System Quantum Security

Section titled “Email System Quantum Security”

Purpose: This scanner evaluates the quantum security posture of an email system by assessing its adherence to modern cryptographic standards and identifying potential vulnerabilities related to post-quantum cryptography. It checks for support of Transport Layer Security (TLS) versions, cipher suites, and S/MIME certificates for RSA keys that may be susceptible to quantum attacks. Additionally, it examines retention policies and encryption methods used in email archives for signs of vulnerability to future quantum computing advancements.

What It Detects:

  • Email System Compatibility with TLS Versions: The scanner identifies whether the SMTP server supports modern TLS versions like TLSv1.3 that are resistant to attacks from quantum computers.
  • Cipher Suites and Their Vulnerability: It detects which cipher suites are in use, particularly those based on algorithms known to be vulnerable to quantum computing attacks (e.g., RSA).
  • S/MIME Certificates for RSA Keys: The scanner checks the encryption standards used in S/MIME certificates that could be affected by future quantum threats.
  • Retention Policies and Encryption Methods: It evaluates how long emails are retained and what cryptographic methods are applied to these archives, especially those using legacy or potentially compromised algorithms.

Inputs Required:

  • <domain>: The domain name of the email service provider (e.g., example.com).
  • <mx_host>: The mail exchange server host that handles emails for the specified domain.

Business Impact: The security and integrity of digital communications are paramount, especially as quantum computing capabilities advance. Organizations rely on secure communication channels to protect sensitive information from potential breaches. This scanner helps identify weak points in email infrastructure that could be exploited by adversaries using future-proof cryptographic techniques not yet available but theoretically possible with quantum computers.

Risk Levels:

  • Critical: If the SMTP server does not support any TLS version or all supported versions are vulnerable, and there is no mitigation strategy for legacy encryption methods.
  • High: Use of RSA-based cipher suites in S/MIME certificates or legacy TLS ciphers that do not offer adequate security against quantum threats.
  • Medium: Inadequate retention policies for emails using potentially compromised cryptographic standards without a clear plan to transition to post-quantum secure systems.
  • Low: Minimal use of vulnerable algorithms with short retention periods and minimal exposure, but still at risk if the environment does not evolve with technology.
  • Info: Informal findings about compliance with current security practices that do not directly impact critical operations or sensitive data handling.

Example Findings:

  1. The email system uses TLSv1.2, which is known to be vulnerable and lacks support for more secure versions like TLSv1.3.
  2. S/MIME certificates are issued using RSA-2048, a key size that becomes highly susceptible to quantum attacks when the computing power of quantum computers increases.

Hardware Security Module Strategy

Section titled “Hardware Security Module Strategy”

Purpose: This scanner analyzes the quantum readiness strategy of hardware security modules (HSMs) by examining publicly available documentation to detect any HSMs used for critical applications and their vulnerability to quantum computing attacks. It evaluates the presence of HSMs, their vendors, use cases, support for algorithms vulnerable to quantum attacks, and planning for post-quantum cryptography.

What It Detects:

  • HSM Deployment Detection: The scanner identifies if any hardware security modules are mentioned in the public documentation of a company’s website or other publicly accessible resources.
  • Vendor Identification: By analyzing the text and mentions of HSM vendors, the scanner can list which specific brands or models of HSMs are used by the company.
  • Use Case Classification: The scanner categorizes the purpose for which the HSM is being used, such as PKI root CA management or financial transaction processing, to understand potential risks associated with these use cases.
  • Algorithm Vulnerability Assessment: It identifies if the algorithms supported by the HSMs are known to be vulnerable to quantum attacks and lists those that are potentially risky.
  • Post-Quantum Cryptography (PQC) Readiness: The scanner checks whether there is a plan or roadmap for migrating to post-quantum cryptographic algorithms to mitigate future risks from quantum computing advancements.

Inputs Required:

  • Domain: The target domain name (e.g., “example.com”) that you want to scan. This helps in targeting the correct website for analysis.
  • Company Name: The official or recognized name of the company whose HSM deployment and strategy are being evaluated. This contextualizes the findings within a specific organization’s environment.

Business Impact: Understanding the quantum readiness of your hardware security modules is crucial as quantum computers, if sufficiently large and powerful, could break many of today’s cryptographic systems, including those used for securing financial transactions, government communications, and other critical infrastructure sectors. This scanner helps in identifying potential gaps that need to be addressed through strategic planning and migration to post-quantum cryptography solutions.

Risk Levels:

  • Critical: If the HSM is detected as being used in a root CA management role with algorithms known to be vulnerable for more than 15 years, this represents a critical risk because it could lead to immediate loss of cryptographic integrity and security.
  • High: Use of multiple critical use cases (e.g., PKI root CA management, financial transaction processing) on infrastructure that does not support post-quantum algorithms or has no timeline for migration is considered high risk as it exposes the organization to significant potential damage from quantum attacks in the future.
  • Medium: The risk level is medium if there are indications of vulnerability but a clear mitigation plan (like having identified alternatives or timelines) exists, balancing immediate risks with longer-term strategies.
  • Low: If no HSMs are detected or all used algorithms are resilient to quantum attacks and migration plans are well underway, the risk is considered low as there’s currently minimal exposure to potential future threats from quantum computing.
  • Info: This category includes findings that provide informational value but do not directly impact security posture significantly, such as noting the absence of firmware update capabilities for algorithm migration without immediate risks identified.

Example Findings:

  • “Detected use of RSA keys in PKI root CA management which are vulnerable to quantum attacks and have a 15+ year validity period.”
  • “Multiple critical use cases (PKI, financial transactions) on HSMs with no disclosed plans for post-quantum algorithm migration.”

PKI Quantum Transition Plan

Section titled “PKI Quantum Transition Plan”

Purpose: This scanner analyzes the quantum readiness of a PKI (Public Key Infrastructure) by assessing the transition plan for moving away from quantum-vulnerable algorithms. It evaluates the depth of the CA hierarchy, the validity of root CAs, and the presence of long-lived certificates to determine the risk level associated with quantum vulnerability.

What It Detects:

  1. CA Hierarchy Depth: The scanner identifies how many levels deep the CA hierarchy is on the domain.
  2. Root CA Type and Validity: It determines whether the root CA is a private enterprise CA and its validity period.
  3. Algorithm Distribution: By analyzing the certificates, it counts the number of quantum-vulnerable algorithms in use.
  4. Long-lived Certificates: The scanner detects any long-lived certificates that could be harvested for attacks.
  5. Certificate Automation: It checks if there is an automation infrastructure to facilitate rapid algorithm migration.
  6. Quantum Vulnerability Readiness: It evaluates the overall quantum readiness by considering the CA hierarchy, root CA validity, and certificate algorithms.

Inputs Required:

  • domain: The domain name of the organization being assessed.
  • company_name: The legal name or brand of the company associated with the domain.

Business Impact: Assessing the quantum readiness of a PKI is crucial as it directly impacts the security posture of an organization’s digital infrastructure. Quantum computers, if they become widely available and accessible in the future, will be able to break many cryptographic algorithms used today, rendering them vulnerable. By identifying and addressing these vulnerabilities proactively, organizations can protect their sensitive information from potential theft or manipulation.

Risk Levels:

  • Critical: If a private root CA is valid for more than 15 years without a post-quantum transition plan, it poses a critical risk as it could lead to significant data exposure over time.
  • High: A deep CA hierarchy (more than 3 levels) that requires a multi-year migration without automation infrastructure or numerous long-lived certificates using quantum-vulnerable algorithms are considered high risks.
  • Medium: Medium risk is assigned when there is a mix of quantum-vulnerable algorithms and no clear transition plan, indicating potential exposure but not as severe as critical.
  • Low: When the CA hierarchy is shallow, root CAs have sufficient validity, and few long-lived certificates exist, the risk level is considered low.
  • Info: Informational findings are given when there are no significant quantum vulnerabilities or lack of automation infrastructure; these indicate areas for improvement but do not pose immediate risks.

Example Findings:

  1. “Private root CA valid until 2045 with no post-quantum transition plan” suggests a critical risk as it implies long-term exposure without mitigation strategies.
  2. “8 long-lived certificates vulnerable to harvest attacks” indicates a high risk due to the potential for unauthorized access through harvesting of sensitive data stored in these certificates.