SSL Digital Certificate Authority - Encryption & Authentication

Report Certificate Problems and Request Key Compromise Revocation at Speed: DigiCert’s New Automated Revocation Solution
Wed, 16 Dec 2020 21:59:55 +0000

You can now submit a report of a private key compromise quickly and automatically get a revocation, if needed, with DigiCert’s Certificate Problem Reporting tool.

Responding to certificate problem reports and certificate revocation are key responsibilities of a certificate authority, and they are important aspects of ensuring online trust.

As part of our ongoing commitment to making the internet a safer space, ensuring the integrity of our certificates and continuously improving our processes, DigiCert recently released a new Certificate Problem Reporting Tool for compromised private keys, available to the general public.

How it works

The process for reporting compromised keys previously involved contacting the support team. This new process enables faster responses and action. The reporting tool accepts evidence of compromised private keys and systematically verifies whether evidence provided is sufficient proof of compromise. If confirmed, the system schedules the impacted certificates for revocation.

Anyone can submit a problem report, including security researchers, customers and the general public. The new tool is available at problemreport.digicert.com.

How to use the Certificate Problem Reporting Tool

Note: if you own the affected certificate, you should use your CertCentral account to revoke and reissue it.

To submit a report of a compromised private key, follow these steps:

      1. Go to
      2. Select either “Use this form” or “Use API to report”
      3. Provide evidence of the compromised private key
         a. You must provide either a CSR with a common name of “Proof of Key Compromise for ” or the private key itself
      4. Provide your email address so that we can follow up on your report
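
The CSR option in step 3, as an added example that is not DigiCert's code: a CSR signed with the compromised key and carrying the agreed common name proves possession of that key. The function names, file names and the `EXAMPLE-CA` ending of the common name are assumptions (the page leaves the end of the name blank), and the three checks are one reasonable reading of "sufficient proof", not a description of the tool's internals.

```bash
#!/usr/bin/env bash
# Added example (not DigiCert's code): create and check a CSR that proves
# possession of a compromised private key, using the OpenSSL CLI.
set -eu

# ASSUMPTION: the page leaves the end of the required common name blank,
# so EXAMPLE-CA is a placeholder for whatever the reporting tool expects.
PROOF_CN="Proof of Key Compromise for EXAMPLE-CA"

# SHA-256 over the DER SubjectPublicKeyInfo read (as PEM) from stdin.
spki_sha256() {
  openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# make_proof_csr KEY.pem OUT.csr: sign a CSR carrying PROOF_CN with the key.
make_proof_csr() {
  openssl req -new -key "$1" -subj "/CN=${PROOF_CN}" -out "$2"
}

# check_proof CSR CERT.pem: succeed only if all three checks pass.
check_proof() {
  local csr=$1 cert=$2 out subj a b
  # 1. The CSR self-signature must verify. Some OpenSSL releases exit 0 even
  #    on a bad signature, so test the message rather than the exit status.
  out=$(openssl req -in "$csr" -noout -verify 2>&1 || true)
  case "$out" in
    *"verify OK"*) ;;
    *) echo "bad CSR signature" >&2; return 1 ;;
  esac
  # 2. The subject must be exactly the agreed common name.
  subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  [ "$subj" = "CN=${PROOF_CN}" ] || { echo "wrong subject: $subj" >&2; return 1; }
  # 3. The CSR key must be the key certified in the reported certificate.
  a=$(openssl req -in "$csr" -noout -pubkey | spki_sha256)
  b=$(openssl x509 -in "$cert" -noout -pubkey | spki_sha256)
  [ -n "$a" ] && [ "$a" = "$b" ] || { echo "key does not match certificate" >&2; return 1; }
}

# Demo on constructed material: a throwaway key and self-signed certificate
# stand in for the compromised key and the certificate being reported.
demo() {
  local d
  d=$(mktemp -d)
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/leaked.key"
  openssl req -x509 -new -key "$d/leaked.key" -subj "/CN=constructed.example" \
    -days 1 -out "$d/cert.pem"
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/other.key"
  make_proof_csr "$d/leaked.key" "$d/proof.csr"
  make_proof_csr "$d/other.key" "$d/unrelated.csr"
  check_proof "$d/proof.csr" "$d/cert.pem" && echo "proof.csr: accepted"
  check_proof "$d/unrelated.csr" "$d/cert.pem" 2>/dev/null || echo "unrelated.csr: rejected"
  rm -rf "$d"
}
demo
```

Submitting the CSR rather than the key itself means the private key is not circulated any further than it already has been.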

    To report other certificate problems, including certificate misuse, fraud or inappropriate conduct, send an email to revoke@digicert.com detailing the issue and the certificate details.

    Once you have submitted your problem report, DigiCert will investigate the issue within 24 hours and determine appropriate action, including revocation, in line with CA/B Forum Baseline Requirements and industry standards.

    Learn more

    For more information on certificate revocations and the process DigiCert uses, see our blog “A Guide to TLS Certificate Revocations.”

    DigiCert CertCentral® Wins Best in Biz Award For Simplifying TLS Certificate Management
    Tue, 15 Dec 2020 16:43:41 +0000

    DigiCert is honored to be named a Best in Biz winner in the 2020 Enterprise Product of the Year in Security Software category for CertCentral. At DigiCert, we prioritize creating customer-centric solutions to simplify digital certificate management while maintaining online trust, and the Best in Biz award highlights that we are doing just that.

    “For nearly two years, CertCentral has brought together the best features and scalability that the world’s leading enterprises expect from us, and it addresses their common pain points in an intuitive way,” said Jeremy Rowley, DigiCert’s EVP of product. “It’s an honor — and a tribute to our team — to be recognized by Best in Biz.”

    While the recognition is an honor, more importantly, it matches what we are hearing from you, our valued customers and partners, about your experience with CertCentral. DigiCert was founded nearly 20 years ago with a mission to improve the customer experience and provide personal customer support, and this award recognizes that we are still continuing that legacy today.

    With many of you being long-time CertCentral users, and many others having just migrated this year, our top priority is giving you the tools you need to successfully deploy and manage your certificates. We track your feedback closely and are very happy about the high ratings we’ve received, while acknowledging there is much more left for us to do to regularly improve your CertCentral experience.

    We have even more exciting things planned in 2021 and we look forward to bringing more innovation and exciting features to you soon. Keep watching our blog and social media for the latest updates. Thanks to all our valued customers and partners for your continued support.

    About Best in Biz

    Best in Biz is the only independent business awards program judged each year by prominent editors and reporters from top-tier publications in North America. Winners in Best in Biz Awards have been determined based on scoring from independent judging panels assembled each year from some of the most respected newspapers, TV and radio outlets, and business, consumer, technology and trade publications in North America.

    About CertCentral

    DigiCert CertCentral® is designed to help you manage all your TLS/SSL certificates throughout the certificate lifecycle. It can help you save time by automating key management tasks and centralizing your certificates in one place.

    CertCentral brings all your TLS certificates in one place, a step up from using spreadsheets to track certificates and expirations. Administrators can easily monitor, inspect, reissue, revoke, renew and order new certificates all within CertCentral. The Discovery tool in CertCentral is a favorite feature of many enterprises. It enables IT staff to track where legacy certificates were acquired, regardless of which Certificate Authority issued it. CertCentral also automates tracking certificates to ease the burden on admins and free up time to focus on essential projects.

    It is also flexible so that you can customize your options, and you can manage from a single certificate to millions, at whatever scale your business needs. You have the control to create divisions and sub-accounts, as well as role-based accounts. Of course, DigiCert CertCentral® is also a secure option with encryption and analytics that enable you to fortify your website security.

    If you don’t use it yet, learn more about DigiCert CertCentral® and see if it’s right for your business.

    2020 Quantum Advances and 2021 Predictions
    Fri, 04 Dec 2020 20:16:51 +0000

    This year quantum computing is reaching a turning point. Quantum computing has made significant progress in 2020, and we predict the advancements in 2021 will bring it closer to reality than ever before. However, preparing for post-quantum computing will likely take longer than you expect and you need to start preparing now to protect your organization.

    We’ve rounded up some of the significant quantum advances of 2020 and prepared our predictions for what you can expect going into 2021.

    2020 advances

    A lot happened in 2020, and while many of us transitioned to work from home, quantum development continued to push forward. Here’s a timeline of some of the quantum advances in 2020.

    March

    • Researchers at the created a quantum sensor to detect communications over the entire radio frequency spectrum.

    June

    • Scientists made history by successfully

    July

    • to develop quantum computing applications for finance, materials development and business.

    August

    • Dr. Robin Harper, a postdoctoral researcher at the University of Sydney Nano Institute, and colleagues overcame one of the main obstacles to large-scale quantum computers by developing a system (AKA interference or instability).
    • ETSI also released new strategies and recommendations for migrating to quantum-safe schemes.
    • found a way to make quantum states last 10,000 times longer.
    • Austrian and Chinese scientists partnered to for the first time.

    September

    • by stimulating a chemical reaction with their quantum computer, opening the path to quantum chemistry and more possible discoveries/inventions.
    • predicting that they will complete a 1,000-qubit quantum computer by 2023.

    October

    • with 32 perfect, low-error qubits, which has an expected quantum volume (or how powerful the machine is) at over 4 million.
    • they were dropping their IT services to focus on cloud and quantum computing.
    • The issued a new standard for public-key cryptography use of digital signatures.
    • The U.S. published a report on the

    November

    • Scientists at the successfully tested quantum mechanics to a level nearly twice as accurate as previously available using hydrogen spectroscopy. Their successful test is a step towards solving the proton size puzzle.

    2021 predictions

    Given the many advances made this year toward achieving practical, large-scale quantum computers, the easiest 2021 prediction is that these advances will continue. And that prediction will almost certainly be correct. One of these companies will likely announce in 2021 that they have used a quantum computer to successfully solve a practical problem that cannot be solved by conventional supercomputers.

    Solving a problem with quantum unsolvable by conventional supercomputers is the next major milestone in the evolution of commercially viable quantum computers. On its own, it doesn’t mean that encryption methods like RSA or ECC are at risk, since breaking encryption algorithms requires fairly large quantum computers, and those will not exist in 2021. But the ability to solve practical problems will drive additional investment in developing better quantum computers. That is the same virtuous feedback loop that led to Moore’s law, where classical computers became exponentially more powerful every year.

    Cryptographic transitions take time, often decades, so organizations will have to start preparing now if they want to be ready when sufficiently large quantum computers exist. Standards organizations and security experts are busy working on laying the groundwork for those transitions. The National Institute for Standards and Technology (NIST) recently held a workshop on Considerations in Migrating to Post-Quantum Cryptographic algorithms, and NIST will likely select a few algorithms for standardization in late 2021. This will hopefully jumpstart the efforts to get these algorithms deployed.

    All the progress made in 2020 puts us that much closer to a quantum reality. 71% of IT professionals believe that quantum computing will be an extremely large threat in the near future. If your organization is not preparing now, you will begin to get left behind in 2021.

    Prepare now

    If your organization has not started preparing for quantum computing, make it a New Year’s resolution to learn more and prepare for quantum computing. Quantum computing is likely to become a reality within the next five to ten years, and even though scientists have been saying that for a few years, it’s more true now than ever.

    While quantum computing could easily take a decade to arrive mainstream, it’s not a race that you can afford to lose. Essentially, you are in a race between your organization and the computers in which you do not have any slack time.

    To help you get started, DigiCert is working with industry experts to create a quantum-safe public key infrastructure (PKI) ecosystem prepared to face future threats. DigiCert has also created a post-quantum crypto (PQC) toolkit so you can test hybrid PQC/RSA certificates against quantum algorithms.

    DigiCert’s PQC test kit includes:

    • Hybrid RSA/PQC TLS certificates
    • A modified Apache webserver/ISARA catalyst server
    • Custom Firefox browser

    Read more of our predictions for 2021 and the future in our new year’s security predictions blog.

    Simplify Code Signing Around the Holidays and Always
    Wed, 25 Nov 2020 22:57:09 +0000

    Code signing is a critical part of your DevOps process to ensure that code cannot be tampered with. During the holidays, typically there are fewer people in the office and most are busier, so automation and extra security are even more important to simplify workflows. Additionally, with a remote working environment, having a flexible solution that does require keys stored on FIPS-compliant devices and other hardware can simplify code signing.

    Using a code-signing-as-a-service solution can help simplify getting code signed, make it quicker and easier to keep code secure and free up your team’s bandwidth. This holiday season, code-signing-as-a-service may just be the best gift for your software engineering team, and the benefits will last long past the new year.

    Challenges of traditional code signing

    Traditionally, code signing often involves storing keys on desktops, key sharing and no visibility over signing activities. If not managed carefully, this traditional code signing can lead to misuse and even malware signing. Mismanagement of key storage and key sharing can be overlooked or difficult to trace if you are not tracking all of your code signing activities. Furthermore, unsigned code or exposed private keys can be detrimental to your reputation and cause significant financial loss.

    that over half of IT security professionals are worried about cybercriminals stealing or forging certificates to sign code or applications, yet less than a third consistently enforce code signing policies. Additionally, in September 2020, the charged two Malaysians and five Chinese hackers with hacking over 100 U.S. companies. The attackers were charged with the theft of source code, code signing certificates and even customer and business data. Code signing has a significant threat environment and can be a large stressor for your software engineering team.

    Furthermore, during the holiday season there is a risk of needing an emergency push of new code while working remotely. With traditional code signing, this can be difficult to pull off. But with a code signing management system, a developer could safely be granted access to the needed signing keys during the holidays.

    Hackers don’t rest during the holidays. But your IT team still deserves a holiday break. To protect your code and still give your DevOps team more time this holiday season (and always), consider a code-signing-as-a-service solution.

    Gift of more time

    First, a code-signing-as-a-service solution can give your developers the best gift of all this holiday season: time. Find a code signing solution that is easy to manage and automate. You cannot delay development processes waiting on code signing. With a code-signing-as-a-service solution, your team can manage code signing more quickly, even with a smaller or remote-working staff, and fit it easily within your development workflows. A code signing manager offers automated signing using built-in API integration, and you can pre-plan and approve signature windows for secure releases and updates.

    Gift of security

    Not only does a code signing manager help give back time, it also makes your code more secure to give you more peace of mind. A code signing manager or solution gives you visibility and insight over any red flags to simplify checking for potential problems. Thus, if a problem does surface, you can respond quickly and efficiently to maintain security. Additionally, a code signing manager helps you comply with code signing requirements at minimal cost. Admins can control permission-based access, with visibility into who is allowed to sign with which private signing keys and certificates. This can enforce accountability over signing users and activities and prevent code signing keys from being shared.

    Reduce the risk of key theft and misuse, eliminate the need for your own HSM and have peace of mind during the holidays with a code signing manager. DigiCert has developed Secure Software Manager, a modern solution for code signing that integrates into Continuous Integration/Continuous Delivery (CI/CD) processes and allows you to monitor everything in one dashboard.

    About Secure Software Manager

    Secure Software Manager is a modern way of managing code signing by enabling automated security across Continuous Integration/Continuous Delivery (CI/CD) pipelines with portable, flexible deployment models and secure key management.

    Sign code binaries rapidly, easily, and at scale with Secure Software Manager. Additionally, keys are generated in the cloud, so when not in use they are in offline mode to ensure that they do not get shared, lost or stolen.

    Secure Software Manager supports all major file types, including:

    Using Secure Software Manager, enterprises integrate code into their product development processes easily while delegating cryptographic operations, signing activities and management in a controlled, auditable way. With tracking, reporting and audit trails for forensics and accountability, Secure Software Manager enables enterprises to comply with corporate and industry security policies.

    Secure Software Manager, built on ONE™

    Secure Software Manager is built on ONE, the most modern PKI management platform on the market. ONE was developed with cloud-native architecture and technology as the PKI infrastructure service for today’s security challenges.

    Released in 2020, ONE offers multiple management solutions and is designed for all PKI use cases. Its flexibility allows it to be deployed on-premises, in-country or in the cloud to meet stringent requirements, custom integrations and airgap needs. It also deploys extremely high volumes of certificates quickly using robust and highly scalable infrastructure. ONE delivers end-to-end centralized user and device certificate management, a modern approach to PKI to provide trust across Kubernetes clusters and dynamic IT architectures.

    For more information on Secure Software Manager, visit digicert.com/secure-software-manager.

    Top 3 Features of DigiCert Secure Site Pro
    Fri, 20 Nov 2020 21:05:31 +0000

    DigiCert conducted a survey with Secure Site and Secure Site Pro customers from August to September 2020. According to current customers, here are the top three most popular features in Secure Site and Secure Site Pro.

    Top features in both Secure Site and Secure Site Pro:

    1. Priority validation

      Priority validation allows you to receive certificates quickly with expedited validation service. Priority validation is available to all Secure Site and Secure Site Pro users. It’s always active to customers on those plans and ensures that their certificates get priority attention by our validation teams for the fastest possible turnaround times.

    2. Priority support

      With priority support, Secure Site and Secure Site Pro customers receive a special call-in number for support and their emails/messages jump to the front of the line. DigiCert offers award-winning, five-star support with concierge phone, email and chat line available 24/7, including localized service in your organization’s region and language.

      Here’s what customers are saying:

      “SSL heaven. These guys are just so fast and professional that it makes all other competition look tiresome.” – Arve B.

      “Spectacular reactivity. Very good support and the best reactivity I’ve ever seen.” – Archraf G.

      “Not enough stars for this company! By far the most hassle free way to get your site certificates.” – Peter P.

    3. Choice of trust marks

    Secure Site Pro includes the use of one of two iconic site seals: 1) the from the most trusted CA on the internet 2) or the Norton Powered by seal, which is still one of the most recognized trust seals online. In fact, 90% of people recognize a seal and 93% of customers continue to check out when they see the seal during checkout.

    Additional features in Secure Site Pro:

    Besides the top three listed, Secure Site Pro has some powerful features for your website security, like vulnerability assessment, CT log monitoring and a post-quantum computing (PQC) test kit.

    1. Keep your business and customers safe by identifying website vulnerabilities that are commonly used in cyberattacks. After scanning your public-facing web pages, web-based applications, server software and network ports, you can view an actionable report organized by threat level, so you can quickly address the most urgent vulnerabilities by priority. You can also customize the scan by choosing which TLS/SSL server issues to look for. Vulnerability assessment reduces your team’s workload to automatically point out ways to strengthen network security, all while helping you remain PCI compliant.

    2. Certificate Transparency (CT) is an open framework of logs, monitors and auditors created to help domain owners oversee digital certificates issued for their brands. CT logs help domain owners protect their brand by providing an easy process for discovering mis-issued or rogue certificates.

      CT log monitoring allows you to see public CT logs in real time to watch for TLS certificates issued for the domains on your Secure Site Pro certificates. This means you can ensure that only company-approved certificates are issued for your domain.

      And in the case that an unapproved certificate is issued for your domain, CT log monitoring will alert you so you can quickly remediate the issue and revoke any unwanted certificates. With Secure Site Pro CT log monitoring, you can enable email notifications for a Daily CT log digest and any urgent notifications that require immediate attention.

      Additionally, if you have a .gov domain, CT log monitoring is required for all U.S. government sites, due to the policy change in January 2019.

    Quantum computing will likely arrive sooner than expected, with some predicting it could arrive as soon as the next five years. 71% of IT professionals believe that quantum computing will be an extremely large threat in the near future. Companies need to prepare now to be ready for these threats to their environment.

    The PQC Test Kit allows you to prepare post-quantum security strategies now and test hybrid PQC/RSA certificates to see how they impact other applications on your network.

    DigiCert’s PQC test kit includes:

    • Hybrid RSA/PQC TLS certificates
    • A modified Apache webserver/ISARA catalyst server
    • Custom Firefox browser

    Find out more about preparing for PQC at www.digicert.com/post-quantum-cryptography/.

    What is Secure Site Pro?

    Secure Site Pro is an advanced, all-in-one website security solution. Using Secure Site Pro, admins can configure, monitor and respond to threats. As such, Secure Site Pro is the TLS certificate of choice for brands to protect against the web threats of today and tomorrow. Top brands, including 89% of the Fortune 500 and 97 of the 100 top global banks, trust DigiCert products for their website security.

    Certificate expiration and outages cost $11.1 million on average. To help prevent certificate mismanagement, Secure Site Pro is designed for the highest assurance of trust with easy, intuitive management and award-winning support. Secure Site Pro has a number of security features to bring you peace of mind and provide a comprehensive website security solution in one modern TLS certificate offering.

    Manage Secure Site/Secure Site Pro features in CertCentral

    You can manage all these features in CertCentral. CertCentral offers advanced TLS management features at scale in a simple, intuitive workflow. It can also be automated to notify you of renewal dates and prevent certificates from expiring with auto-renewal or automate your entire certificate lifecycle with any of our free automation options.

    Today certificate automation is more important than ever. DigiCert recognizes this and makes all our automation options free. DigiCert provides multiple ways to automate your entire certificate lifecycle so you can find the method that best fits your organization’s needs. Choose the automation option that allows you to work the way you want to work.

    Learn more

    Secure Site Pro is the TLS certificate of choice for organizations that take security seriously. It includes all the tools brands need for website security. Secure Site Pro is built on the world’s most trusted roots and a modern PKI infrastructure to give you everything you need to protect your site. If you’re interested in learning more about Secure Site or Secure Site Pro, email resellers@digicert.com.

    Setting Global Standards for Secure Email Certificates
    Thu, 12 Nov 2020 23:50:36 +0000

    S/MIME Certificate Working Group of the CA/Browser Forum takes on writing a baseline standard for S/MIME email certificates

    By Stephen Davidson, Governance, Risk and Compliance at DigiCert and Chair of S/MIME Certificate Working Group

    The S/MIME Certificate Working Group (SMCWG) is the newest specialist subgroup of the CA/Browser Forum, focused on creating the first global requirements for the Certification Authorities (CAs) that issue the digital certificates used in email to

    • create digital signatures to protect the integrity of the email contents or to assert their origin or authenticity. Sometimes, the signature is used to express agreement or content commitment.
    • provide encryption to protect confidentiality.

    Formed in August 2020, the SMCWG already has 37 members who represent major CAs from around the world, certificate consumers (including important providers of email software and cloud services, including enterprise email gateways), compliance bodies such as WebTrust and the European Accredited Conformity Assessment Bodies Council, and industry experts.

    Why do we need a global S/MIME baseline?

    Part of the challenge faced by the SMCWG is that S/MIME certificates may be deployed in many ways, which differs from other certificate types, like TLS/SSL certificates. For example, keys may be generated and held by a user locally in software, on a mobile device or on a cryptographic token. Equally, they may be held in the cloud in an email service or enterprise key management system or email gateway. Sometimes S/MIME is an added capability for certificates used for authentication or signing. And due to data retention requirements, some industries seek to escrow the private keys used for encryption for circumstances when emails may require archival treatment.

    At the same time, most existing standards for S/MIME certificates are specific to an industry, platform or public sector program. As a result, historically most email software applications have been permissive in their processing of certificates, allowing the S/MIME functions to work as long as they had no deal-breaker flaws in their cryptography.

    The SMCWG is chartered to create the first global baseline standard for S/MIME certificates, integrating the existing technical standards, as well as best practices from current industry requirements, including those from Mozilla, Gmail, the U.S. Federal PKI and ETSI. Although targeted for publicly-trusted certificates, the resulting S/MIME baseline requirements will equally be of interest for privately trusted S/MIME deployments, such as enterprises that are seeking to establish interoperability with other groups.

    What will the S/MIME baseline requirements cover?

    The SMCWG has laid out a roadmap of work, with the goal of first creating baseline certificate profiles for issuing CAs and leaf certificates. In its initial version, this would focus on documenting the core requirements and best practices in current use to bring a useful standard forward as expediently as possible. Future versions will focus on raising the bar, for example, by identifying aspects of the certificate that may assist relying parties in assessing the risk of a certificate.

    In addition, the S/MIME baseline requirements will define the core processes allowed for CAs to verify control over email addresses, either for an individual email box or for an enterprise controlling all mailboxes under a domain.

    The S/MIME baseline requirements will also cover familiar ground found in the CA/B Forum’s Baseline Requirements for topics such as key management, certificate lifecycle and CA operational practices, including physical/logical security.

    The SMCWG has decided to address the subject of identity validation for natural persons and legal entities later in its process. In part this will allow the group to gather information on the SubjectDN fields in use and their rationale, as there is no certificate transparency to provide such insight.

    Improved S/MIME security for email

    Other CA/B Forum baselines have had a notable impact in improving security for other certificate types, like TLS/SSL and codesigning across the entire CA ecosystem, by clearly documenting specific requirements in such a way that they can be enforced via root store programs and independent audits. With the always-growing interest in data privacy, we believe the eventual S/MIME baseline requirements will bring increased security to email communications.

    DigiCert 2021 Security Predictions
    Wed, 11 Nov 2020 00:32:21 +0000

    2020 has brought about a lot of change. Who would’ve imagined watching our favorite sports teams on TV and stadiums without spectators, or the one-year postponement of the Tokyo Summer Olympic games? But isn’t it nice that some things don’t change, like our annual exercise of predicting what cybersecurity challenges we expect in 2021 and beyond?

    With all the uncertainty that 2020 presented us, no one knows with 100% certainty what will happen. However, we can be reasonably certain about our predictions based upon the changes to infosecurity brought upon us by the pandemic and other events of 2020 and the way they will likely shape 2021. First and foremost in our thoughts are the impacts of vastly increased remote working and digital transformation, both of which have been accelerated by the pandemic and the difficulty of in-person gatherings. So, with these events in mind, our team of cybersecurity experts gathered (virtually of course) to debate and formulate their list of 2021 cybersecurity predictions. This team consisted of Dean Coclin, Avesta Hojjati, Tim Hollebeek, Mike Nelson and Brian Trzupek.

    The envelope please…

    Prediction: Social engineered attacks will get more complex

    According to , social engineering is a top attack vector for hackers, and we expect threat actors to leverage current events to unprecedented levels. Consider the following:

    • Unemployment fraud: , we will see an even larger increase in 2021, as pandemic-focused unemployment programs from governments have lowered the barriers to collecting benefits and security methods have not been able to keep up. Should we see additional stimulus funding from governments to provide relief for the effects of the pandemic, this will only make this a richer channel for fraudsters.
    • COVID-19: Free COVID-19 tests will be leveraged heavily by threat actors in the New Year. Scammers will utilize social engineering to dupe users into providing a mailing address, phone number and credit card number with a promise to charge 25 cents to verify their information and qualify for a free COVID-19 testing offer.
    • More COVID: The offer of fake, “government-approved” cutting-edge technologies to fight COVID and take the temperature of those in proximity will trick users into downloading malicious apps on their smart devices that can be leveraged for nefarious activities by threat actors.
    • Tax deadlines: With the fluctuation of tax filing deadlines in 2020, expect threat actors to leverage this to their advantage in 2021. Phishing around tax season will drastically increase.

    Prediction: Shortcomings in data security are going to cause a slowing effect on telehealth organizations due to an increase in targeted attacks

    Telehealth providers are opening themselves up to cyberattacks on an unprecedented scale. Prior to the pandemic, telehealth comprised only a small fraction of medical visits. However, beginning in March 2020, to the telehealth model, aided by the federal government’s temporary relaxation of HIPAA restrictions on telehealth. The is high, and this will become a growing target for fraudsters looking to take advantage of this situation. It’s a perfect storm. Healthcare providers are rushing to set up systems and keep up with exploding telehealth appointments, while hackers are looking for soft, high-value targets. As news of successful attacks spreads, this will result in eroding patient trust.

    Prediction: The “new normal” will be under attack

    We predict that individuals and businesses alike will adjust to a new normal sometime in 2021. This new normal will result in an increase of travel, a reduction in unemployment and a transition for workers to return to the office, leading to threat actors’ attacks on the following:

    • Travel: Fraudsters looking to take advantage of the new normal will target vacation-starved travellers looking for good deals online or via email. Phishing attacks will be the tool of choice and will be leveraged successfully by fraudsters.
    • Back to the office: As workers return to the office, there will be a steady crescendo of applications offered by threat actors with the promise of increased productivity to ease the transition. Tools such as apps that provide ambient sounds will be leveraged in these attacks. Expect new attack vectors to emerge, not only for social engineering but also for attacks on common home devices used by workers splitting time between home and the office, which can be used to compromise an individual and allow for lateral movement into a business. Workers splitting time between the home and the office will only exacerbate this transition period, causing confusion and an increase in security risk for business.
    • Data Breach News: News of data breaches will increase in 2021 as the public learns of exploits on companies that haven’t done a good job securing their remote workforce.

    Prediction: 2021 will bring increased focus on automation and efficiency solutions in the security market

    • As organizations work to keep the lights on and scrutinize the bottom line, there will be a resulting push for efficiency in security technologies.
    • Security teams will be asked to do more with even fewer resources. 2021 will bring an emphasis on technologies that allow organizations to do more with less, and automation will play a significant role in terms of security innovation in the New Year. According to a , 12% of respondents had no security automation in 2019. In 2020, that dropped to 5%. We predict the level of automation in 2021 will increase exponentially.
    • A consolidation of security vendors will take place in 2021 as businesses look to reduce the number of vendors within their environments. Trusted vendors with leading global technology and local resources where their customers live will be valued, as will be their emphasis on automation of security tasks.
    • As security investments focus on immediate value, Quantum Computing will continue to move forward. We will see the effect of Moore’s law on Quantum Computing. As Quantum Computing allows for tasks to be more efficient, organizations will prioritize its continued development. Improvements and efficiency are recession-resistant.

    Prediction: Staying safe online

    Identity and consumer accountability of their permissions and controls over their data will lead to a new interest in how to stay safe online and with connected devices. Concerns over contact tracing and other government invasions of personal privacy will lead to a new desire by the public for ways to identify organizations with which they connect online and for better assurances of the security of the connected devices in their everyday lives, including connected cars, homes, buildings, websites, emails, etc.

    Predictions 5-10 years in the future

    Always looking to exceed expectations, our experts also looked beyond 2021 and into their crystal ball for the next 5-10 years for what security innovations will await us.

    • Holographic teleconference to minimize travel: Each generation brings a new technology which “shrinks” the globe. In the early part of the 20th century, steam ships allowed people to make trans-Atlantic crossings in about a week. Then propeller airplanes shortened it to two days (with stopovers). Once commercial jets became viable, the same trip which took one week on a ship took less than 10 hours on a plane. With the advent of the Internet and email, instant communication was made possible. Fast forward to today, where everyone is using video teleconference tools to communicate, which have, in many cases, eliminated the need to travel. In the next 10 years, expect holographic teleconference or sophisticated telepresence devices, where participants can view others in 3D without the need for special glasses. Holographic projectors located on the back of cameras will project the image in front of you, which will give a more lifelike experience to conferencing. This will further reduce the need to travel across the globe to meetings. To make this a reality, a backbone of high-speed, secure communications pathways will be required. In addition, on the hardware side, a migration to higher capacity processors and higher resolution cameras and projectors will be needed. For the software, codecs that can operate in 3D with the appropriate encryption controls are a must. While this technology will start with businesses, it will easily expand to consumer use cases as families will be able to “visit” each other using this holographic method.
    • Data privacy: The data “given away” by the current generation of children in the home will come back to haunt this generation in the future, inspiring a new generation to carry infosec securely into the future. Children being forced into online learning at home will instill in some a discovery and passion for technology. This newfound passion for technology among this virtual learning generation will inspire new technology and security solutions and will inspire a new generation of innovators.

    And there you have it. Here at , we look to the future, so we can offer the best protection in the present. Bring on 2021.

    How to Secure Quantum Computing in the Cloud
    Fri, 06 Nov 2020 20:34:26 +0000

    Quantum computing will likely arrive sooner than expected. 2020 has seen many leaps in the advance of quantum computing, including IBM announcing they will have a quantum processor available by the end of 2023. Enterprises need to prepare now for the potential threat of quantum computing, no matter how soon it arrives. And with quantum likely relying heavily on the cloud, securing against quantum attacks will take similar measures to securing the cloud.

    Why the cloud for quantum?

    Quantum services will be almost 100% deployed in the cloud, as it offers more flexibility and scalability for the technology. Additionally, quantum computers are capital intensive to install and require low temperatures to operate. Since they can only operate within refrigerators, their footprint takes up a large physical space. Consequently, most organizations will access quantum computing services via the cloud.

    Several organizations, including IBM and Google, have already connected a quantum computer to the cloud for use with simple programs. We will likely see more accessible quantum cloud computing-as-a-service pop up within the next five to 10 years. In fact, Bill Gates, in answering a query on Reddit in 2016, said, “There is a chance that within 6-10 years that cloud computing will offer super-computation by using quantum. It could help us solve some very important science problems including materials and catalyst design.” Considering that Gates’ prediction was four years ago, it’s no surprise that we are already seeing the beginnings of that prediction with IBM’s cloud quantum computer.

    Security threats to cloud quantum computing

    With quantum computing services in the cloud, attackers won’t even need a quantum computer to attack your organization. In the early days, they are likely to do one of two things: steal the credentials that protect your connection to cloud quantum services, so those services can be altered or compromised, or use cloud quantum computing resources to compromise legacy infrastructures that are not quantum safe.

    As people will be remotely accessing quantum computers, organizations will need secure communication between the cloud and apps and strong network authenticity. Traditional networks have a physical perimeter that virtual deployments do not, so network authenticity is even more important in cloud environments. It’s also important to encrypt any data stored in the cloud.

    At the end of the day, securing cloud quantum computing will require similar practices to securing other technologies and data in the cloud. According to the the number one threat to cloud security is data breaches. These breaches in the cloud are most commonly due to poor authentication standards, weak passwords or poor certificate management. And when organizations scale their use of cloud services, it becomes even more difficult to manage. Enterprises need a security solution to protect cloud quantum computing with strong authentication, to provide visibility and scale, and to simplify certificate management to prevent breaches.

    To protect against cloud quantum computing resources being used against your organization’s legacy cryptography, it is important to have a plan to move away from vulnerable cryptographic algorithms and protocols before available cloud computing resources are capable of compromising traditional algorithms like RSA. A good place to start is by inventorying the cryptography that is in use within your organization and starting to prepare a plan to transition to quantum-safe algorithms within the next few years.

    PKI can secure quantum computing in the cloud

    Public key infrastructure (PKI) has secured websites for decades, and it can also secure cloud connections. PKI provides integrity and can authenticate users and encrypt data in the cloud. As organizations need to provide strong network authenticity to access quantum cloud computing, PKI can authenticate access to the cloud and provide mutual authentication.

    And if organizations need to scale their use of quantum computing services in the cloud up or down, PKI is flexible enough to keep up with the expanding infrastructure.

    To manage PKI, the Enterprise PKI Manager is fast and flexible enough to control all your systems and users, and it can help enterprises simplify management of PKI for securing cloud quantum computing.

    Enterprise PKI Manager built on ONE™ simplifies PKI management

    Enterprise PKI Manager is built on ONE, a PKI management platform built with a new architecture and software to be the PKI infrastructure service for today’s cloud migration challenges. With Enterprise PKI Manager, you can manage billions of certificates and remain compliant with PKI standards and audit requirements.

    Released in 2020, ONE offers multiple management solutions and is designed for all PKI use cases. It is flexible to be deployed on-premises, in-country or in the cloud to meet stringent requirements, custom integrations and airgap needs. It also deploys extremely high volumes of certificates quickly using robust and highly scalable infrastructure. ONE delivers end-to-end centralized user and device certificate management, a modern approach to PKI.

    Want to learn more about why PKI can help secure quantum computing in the cloud? Visit digicert.com/digicert-enterprise-pki-manager or email pki_info@digicert.com.

    Election Security: Secure Voter Data and Avoid Phishing
    Mon, 02 Nov 2020 22:20:02 +0000

    Be smart with websites and emails about elections

    With the U.S. elections quickly approaching, we’ve been talking about various aspects of election security. In previous posts we explained why elections are not administered online and discussed secure voting methods. Today we’ll dive into trust indicators for election communications, including how to avoid phishing and secure voter data.

    Democracy depends upon trust in the electoral process. Trust is essential to ensuring voter confidence and securing elections. This includes trusting that voter registration data, election websites and emails are safe and secure for users.

    Recently, the U.S. Justice Department charged with a connection to global cyberattacks, including interference in the 2016 U.S. election, the French presidential election in 2017 and the 2018 Winter Olympics. In this threat environment, it is more important than ever to secure your site because hackers will take advantage of any vulnerabilities they can find. And attacks not only leave government and voter information vulnerable but also destroy voter confidence.

    Here are a few measures both voters and government entities can take to secure voter data and information during elections.

    Secure voter data

    Imagine the consequences if voter registration databases were hacked or altered, preventing voters from their legal right to vote. Just recently, on the last day of voter registration. And Florida’s voter registration site has been overwhelmed, causing it to since the site went live. In other cases, voter information has been exposed to hackers, including from a database error in 2018.

    Voter registration sites must invest in security to protect the integrity of elections and to keep their sites available to voters. Additionally, any voter data collected must be encrypted at rest and in transit to protect personal information. Users are increasingly concerned with their privacy and using encryption can help secure their data. Public key infrastructure (PKI) provides encryption and authentication of users and devices, and also ensures integrity of communication. PKI has been used for decades to secure user data, and it can be applied to voter data as well.

    Avoid phishing/misinformation campaigns

    Phishers will use any excuse to try and steal personal information or spread malware, and elections hold prime real estate in the public’s attention, so phishing is bound to increase around elections. Even the most professional-looking emails may be trying to harvest personal data or spread misinformation.

    “Elections are a perfect backdrop for criminals to phish people by playing on their emotions and fears related to the elections,” explains CEO of BH Consulting and former Europol Special Advisor on Cybersecurity. “Criminals will use lures relating to the election, such as using a sensational fake story relating to a candidate to get the person to click on a link to get more details, or by pretending to be a request from their favorite candidate’s campaign looking for a donation, or faking an email claiming they have been removed from the electoral roll and need to re-register to vote.”

    an infosec writer for IBM and TripWire, explains that some fraudsters will try to influence a voter’s ability to cast their ballot with misinformation. “This is especially relevant for attack campaigns that might try to lure users with announcements of changed polling places or modified voting hours,” he says. “If they have questions about how to vote, people should look up their local Board of Elections and/or contact officials in their town government directly.”

    Voters should take steps, including the following, to avoid phishing and misinformation campaigns:

    • Inspect emails for trust elements: inspect the URL to make sure it is correct and check websites for a padlock, which is proof of TLS/SSL encryption.
    • Keep software up to date.
    • Enable two- or multi-factor authentication on their accounts.
    • Use an anti-malware solution.
    • When in doubt, don’t click on any links or share personal information.

    Organizations and governments can also implement best practices in their email use, like enabling S/MIME, a method for sending digitally signed and/or encrypted messages, and working towards Domain-based Message Authentication, Reporting and Conformance (DMARC), which ensures that only authorized emails can be sent from your domain so that your entities’ emails can’t be spoofed.

    Bisson says that local and state elections officials need to invest in security. “Local and state elections offices should invest in email security controls that help to blacklist suspicious domains, block unnecessary file attachments and flag external emails in the fight against phishing. They might also want to consider conducting phishing awareness training and simulations with their elections administrators.”

    Secure campaign sites

    All campaign and government election sites should be secured by a TLS/SSL certificate to ensure that information is encrypted and help prevent man-in-the-middle attacks.

    As a website visitor, you should look for trust indicators like the padlock and never enter personal information unless you are confident that the site is secure and your data will be encrypted.

    Unfortunately, many election sites lack basic security measures. McAfee conducted a survey of U.S. county election sites and found that most don’t have a .gov domain or HTTPS. “the majority of these websites lacked official U.S. government ‘.GOV’ website validation and HTTPS website security measures to prevent hackers from launching fake websites disguised as legitimate county government sites.”

    This is unacceptable for election security. Government entities should invest in their site security by installing TLS and enabling HTTPS to keep voters safe and prevent fakes.

    Stay alert to potential problems

    Especially since the U.S. elections results may take extra time to be released, voters need to stay alert for any information that might be false and trying to steal their information. Voters and governments need to actively watch for potential phishing campaigns, and governments need to secure their voter registration databases and election websites. These steps will help ensure trust in the election process and can help prevent fraud.
