In today’s ever-evolving threat landscape, cyberattacks aren’t getting any slower or weaker. Quite the opposite - adversaries are blending familiar and emerging techniques to compromise key systems and capture critical data.
According to the “State of Ransomware 2022” report published by Sophos in April 2022, ransomware attacks impacted 66% of businesses in the past year - a nearly 80% increase since the last year’s report. Beyond the recurring new vulnerabilities posing supply-chain risks, such as the Polkit privilege escalation flaw CVE-2021-4034, Cisco’s Talos Intelligence Group has also reported on the resurgence of the Emotet botnet to underpin new ransomware efforts.
With ransomware on the rise, there is an increasing need for strong security hygiene, particularly when it comes to encryption. One of the most common — and effective — forms of encryption leverages what’s known as public key cryptography to help streamline communication without compromising security. First used more than 40 years ago, public key infrastructure (PKI) remains critical to the protection of both public Internet use and private company communications.
For cybersecurity professionals, understanding the ins and outs of PKI can help them bolster current defenses and reduce the risks of future compromise. Not entirely confident with PKI? Here are six courses worth considering.
Why Does PKI Matter?
PKI provides a way for two or more parties to securely exchange information. To accomplish this, one uses a public key and a private key to create what is known as asymmetric encryption.
Consider oft-cited digital message senders, Alice and Bob. If Alice sends Bob a message in plaintext, it could be intercepted and read by Tom, our attacker. If she sends an encrypted message along with the key needed to decrypt it, Tom could once again compromise the data.
However, using PKI enables Alice to send a secure message. First, she uses Bob’s public key to encrypt the message, then sends it. When Bob gets the message, he decrypts it using his private key. Since the message was created using his public key, only his private key can decrypt it — and since Tom can’t get his hands on the private key, the data is of no use to him.
Alice can also send a digital signature in her message to verify her identity. If she encrypts the data using Bob’s public key and her private key, it can only be decrypted when Bob uses his own private key and Alice’s public key, in turn confirming her role as the sender. This once again leaves attacker Tom frustrated; while he can easily obtain Alice’s public key, he can’t decrypt the message without Bob’s private key.
Five Courses Worth Considering to Help Build Public Key Infrastructure
The asymmetric nature of PKI makes it a critical component of effective security, but not every cybersecurity professional has the same level of comfort with this framework. Here are six courses that will help build your confidence.
- Cybersecurity for Beginners (Cybrary)
This course provides a broad overview of key roles in cybersecurity including network administrators, incident responders, cybersecurity managers, and penetration testers. It’s a great way to get a handle on basic concepts around data encryption, transmission, and storage and the role of PKI in this process.
- Public Key Infrastructure (Infosec Institute)
If you’re looking to dig deeper into PKI concepts and impacts, this course is for you. It offers an introduction to the concept of PKI in the real world, covering how the infrastructure works, which parties are involved, and how it impacts message security.
- Certified Ethical Hacker (EC-Council)
To defeat digital adversaries, you should learn to think like one. The CEH course teaches you the tools and techniques you’ll need to test company systems and see if their PKI is up to par. Armed with information about common attack vectors and potential encryption risks, this course is for professionals looking to move up in their organization or considering a role as an IT security consultant.
- MITRE ATT&CK Training (Cybrary)
Cybrary’s MITRE ATT&CK training course takes students through 12 core areas of competency including access, execution, privilege escalation, discovery, and lateral movement to provide a comprehensive view of potential IT threats. This allows security professionals to focus their PKI efforts on IT tools and components that are likely targets of attack.
- Certified Information Systems Auditor (ISACA)
CISA-certified IT professionals are among the most in-demand and highest-paid worldwide, in large part thanks to their in-depth knowledge of IT auditing, control, monitoring, and assessment. This course can help experienced IT staff extend their knowledge of PKI. They can develop custom-build encryption approaches that deliver robust data security no matter howe users exchange critical information.
Protecting What Matters Most
Effective public key infrastructure and cryptography remain the core of robust digital defense. But with malicious actors combining new and old threat vectors to circumvent protective perimeters, PKI can’t stay static. Cybersecurity professionals need hands-on experience and practical training to ensure they’re prepared to deliver on PKI potential and protect key data sources.