A Remedy for Bad Crypto

on 20 Nov 2018

Albert Street in Ottawa looks like a nice place to work (see pic above). And I can confirm that Sheppard Avenue and Battery Street are also pleasant locations. Hardturmstrasse and Kizilirmak Mah both sound harsh, but knowing the Swiss and Turks, I’ll bet both are also quite lovely. These five street locations belong to a fine cyber security company called InfoSec Global, and if you read on, I promise to explain why the names of these locations might matter.

InfoSec Global offers a solution that, in my opinion, wins the prize for the highest value activity with the least sufficient attention from CISOs. And I do not make this award lightly. Specifically, InfoSec Global finds your cryptography and helps you upgrade or replace it if necessary. It is hard to imagine any organization that would not benefit immensely from such treatment, but it’s also hard to locate many CISOs who’ve addressed this task as seriously as they should.

“While it’s popular to discuss the looming threat to cryptography from quantum computing,” explained Tyson Macaulay, Chief Product Officer for the company, “most cyber practitioners are now finally starting to focus more generally on an emerging security discipline known as cryptographic lifecycle management, which involves detecting the presence of bad crypto on target systems, and then supporting sensible mitigation of that risk with crypto agility.”

ISG’s lifecycle management offers value to enterprise security teams in four related areas. First, it provides proactive detection of cryptographic threats; second, it enables a means for seamless swapping-in of improved crypto via an SDK and cryptographic engine; third, it includes a secure VPN to support required network communications; and finally, it offers support for strong keys and management.

“Use of our solution begins with the deployment of AgileScan agents to automatically scan your IT network infrastructure, including servers and applications, for evidence of cryptographic use,” explained Macaulay. “If any cryptographic vulnerabilities are detected, perhaps deeply hidden and embedded in your software, then AgileScan supports development of a plan to remedy the situation.”

In cases where vulnerabilities require remediation, InfoSec Global offers an SDK with support to introduce strong cryptographic algorithms including AES, RSA, DH, SHA-2, SHA-3, and many others. The company offers a unique means to remotely monitor and manage the upgrading of this cryptography after deployment. This enables features such as country-specific sovereign and customized cryptography assurance.
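To make the scan-then-remedy idea concrete, here is a small added example (my own illustration, not InfoSec Global's AgileScan or SDK code): it inventories constructed source and config lines for deprecated or undersized algorithms against an assumed policy, and wraps digest selection behind a registry so that retiring an algorithm is a policy change rather than a code change. The policy table, the sample lines, and the 2048-bit RSA floor are all assumptions for the example.

```python
import hashlib
import re

# Constructed sample lines, as a crypto inventory scan might pull from code or config.
SAMPLE_LINES = [
    "cipher = AES-256-GCM",
    "digest = md5",
    "ssl_protocols TLSv1 TLSv1.2;",
    "key_size = 1024  # RSA",
    "hash = sha3_256",
]

# Assumed policy: algorithm token -> (status, approved replacement).
POLICY = {
    "md5": ("deprecated", "sha256"),
    "sha1": ("deprecated", "sha256"),
    "rc4": ("deprecated", "AES-256-GCM"),
    "des": ("deprecated", "AES-256-GCM"),
    "tlsv1": ("deprecated", "TLSv1.2"),
}
MIN_RSA_BITS = 2048  # assumed floor for the example


def scan(lines):
    """Return (line_no, algorithm, status, replacement) for each policy violation."""
    findings = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        # Tokenise so "tlsv1.2" is not mistaken for the deprecated "tlsv1".
        for token in re.findall(r"[a-z0-9_.-]+", low):
            if token in POLICY:
                status, replacement = POLICY[token]
                findings.append((n, token, status, replacement))
        m = re.search(r"key_size\s*=\s*(\d+)", low)
        if m and "rsa" in low and int(m.group(1)) < MIN_RSA_BITS:
            findings.append((n, f"rsa-{m.group(1)}", "weak", f"rsa-{MIN_RSA_BITS}"))
    return findings


# Agility layer: callers name a digest by policy label; swapping is a registry edit.
DIGESTS = {"sha256": hashlib.sha256, "sha3_256": hashlib.sha3_256, "md5": hashlib.md5}


def digest(name, data):
    """Hash data with the named algorithm, refusing anything the policy has retired."""
    if name in POLICY:
        status, replacement = POLICY[name]
        raise ValueError(f"{name} is {status}; use {replacement}")
    return DIGESTS[name](data).hexdigest()
```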

Network cryptography of the resulting ecosystem is done through the InfoSec Global VPN management system and GUI-enabled dashboard. This system supports the setup and management of VPNs and associated appliances. It provides real-time topological views, connection status, and the locations of connected VPN nodes. It also allows security administrators to easily select and deploy desired cryptographic algorithms.

There is so much more detail involved that is simply beyond the scope of this article to describe. Macaulay took me through the specifics, for example, of their key management systems, cipher vault capability, side channel countermeasure support, performance optimizations, and on and on. This is an impressive platform, providing a scan-and-fix capability that seems not just optional, but essential – especially with quantum looming on the horizon.

You’d expect that with the relatively low profile of this company – I had not known them before we met in Ottawa – that their principals would also be low profile. But the reality is that InfoSec Global is stocked with expert, capable leaders with decades of relevant experience. Their board includes people like Taher Elgamal and Vincent Rijmen (co-designer of AES), and their advisors include luminaries such as Robert Rodriguez, Brian O’Higgins, and Edna Conway.

So, with such an amazing platform, great management, and an exceptional board – why would you expect this fine company to not be among the best recognized brands in our industry? Well, I have a theory – and it’s this: It’s their name. In my opinion, ‘InfoSec Global’ conjures images of a small consultancy in Florida (see InfoSec Services) or a major conference (see InfoSec World). And this brings me to my recommendation for the company:

Why not rename the company using one of your street locations? How about Albert Street? I checked and the domain is available. Your new slogan can be: Cryptographic Risk Management Solutions from Albert Street. That sounds so good, it makes me want to say it with a British accent. (All right, I’ll promise to settle down with all this renaming stuff, but I really do think it would be a good idea – and as an analyst, it’s my job to say things like this.)

Regardless of what this wonderful house decides to do with its name, I strongly recommend that you be in touch with them immediately. Do not fall into the trap of not wanting to know your crypto risk. Auditors will get their hands on this tool shortly, and if you want them to find your risk before you do, then go ahead and wait. And yes, the looming threat of quantum computing provides additional justification to call InfoSec Global – er, Albert Street.

As always, after you speak with Macaulay and his team, please share your learnings with the rest of us.