Tag: cybersecurity
TryHackMe | Advent of Cyber 2024 – Day 19
Follow along as we crack open a new year of the Advent of Cyber from TryHackMe! This is always fun! Here is the playlist on YouTube, but I’ll be posting them on this site as well.
PRC-linked Cyber Espionage: Protecting Your Mobile Communications
The Cybersecurity and Infrastructure Security Agency (CISA) recently released guidance on best practices for securing mobile communications. This comes in response to identified cyber espionage activity by actors linked to the People’s Republic of China (PRC) government. These actors are targeting commercial telecommunications infrastructure to steal call records and compromise communications of high-profile individuals, such as those in senior government or political positions.
If you would rather listen to an AI-generated podcast summarizing the findings, you can find that here:
While anyone can benefit from implementing these best practices, CISA specifically urges highly targeted individuals to immediately review and apply these measures. It’s important to understand that all communication between mobile devices and internet services is potentially at risk. This includes both government-issued and personal devices.
Key Recommendations for Everyone
The guidance emphasizes several key best practices for enhancing mobile security:
1. Prioritize End-to-End Encrypted Communication:
   - Adopt messaging apps like Signal that guarantee end-to-end encryption for secure communication. This provides a layer of protection against interception.
2. Enable Phishing-Resistant Authentication:
   - Utilize FIDO (Fast Identity Online) for the strongest form of multifactor authentication (MFA). Hardware-based FIDO security keys like Yubico or Google Titan are most effective, with FIDO passkeys being an acceptable alternative.
   - Take inventory of valuable accounts (email, social media) and enroll them in FIDO-based authentication. Prioritize accounts like Microsoft, Apple, and Google. Disable less secure forms of MFA once FIDO is enabled.
   - Gmail users should enroll in Google’s Advanced Protection Program (APP) for enhanced protection against phishing and account hijacking.
3. Move Away from SMS-Based MFA:
   - Avoid using SMS for authentication, as messages are not encrypted and can be intercepted.
   - Use authenticator apps like Google Authenticator, Microsoft Authenticator, or Authy for less important accounts, but remember that they are still vulnerable to phishing.
   - Disable SMS for each account once enrolled in authenticator-based MFA to eliminate this exploitable fallback mechanism.
4. Employ a Password Manager:
   - Utilize password managers such as Apple Passwords, LastPass, 1Password, or others to securely store and manage passwords. Many offer features like weak password alerts and authenticator code generation.
   - Protect your password manager’s primary password with a strong, unique passphrase and ensure all stored passwords are also strong, unique, and random.
5. Set a Telco PIN:
   - Enable an additional PIN or passcode for your mobile phone account with your telecom provider. This adds a layer of security against SIM swapping attacks.
   - Combine this with MFA on your mobile carrier account and update your account password using a password manager.
6. Update Software Regularly:
   - Keep mobile device operating systems and applications updated. Enable automatic updates for timely patching.
7. Use the Latest Hardware:
   - Opt for newer phone models that support the latest security features.
8. Avoid Personal VPNs:
   - Personal VPN services can increase your attack surface by shifting risk to the VPN provider. Many also have questionable security and privacy policies.
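To make item 3 concrete, here is an added example (my code, not from the CISA guidance or this post) implementing RFC 6238 TOTP, which is what Google Authenticator and similar apps compute. The secret `12345678901234567890` and the timestamps are the RFC's published test values, not anything from the guidance. The point it shows: a code is derived only from the shared secret and the clock, so the verifying server has no way to tell which site the user typed it into. That is the gap FIDO closes by binding the assertion to the origin, and why the guidance ranks authenticator apps below FIDO.

```python
"""Added example: RFC 4226 HOTP / RFC 6238 TOTP, the math behind authenticator apps.

Uses only the standard library. The secret and timestamps in main() are the
RFC 6238 test values (constructed for illustration; not from the CISA guidance).
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks a window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)    # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1) -> bool:
    """Server-side check. Accepts +/- `window` steps to absorb clock skew.

    Note what is NOT an input here: the origin the user typed the code into.
    Any code that matches the secret and the time window verifies, which is
    why the guidance calls these apps "still vulnerable to phishing" and
    prefers origin-bound FIDO authentication.
    """
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), code):
            return True
    return False


def main() -> None:
    secret = b"12345678901234567890"                 # RFC 6238 test secret (SHA-1)
    for t in (59, 1111111109, 1234567890):           # RFC 6238 test timestamps
        print(f"T={t:<12} code={totp(secret, t, digits=8)}")
    # A live 6-digit code, as an app would show it right now.
    print("now:", totp(secret, int(time.time())))


if __name__ == "__main__":
    main()
```

The `window` parameter is the usual server-side trade-off: one step of tolerance each way keeps users with slightly wrong clocks working, while every extra step widens the interval during which a captured code remains valid.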
Device-Specific Recommendations
In addition to the general recommendations, the guidance offers specific advice for iPhone and Android users:
iPhone:
- Enable Lockdown Mode: This feature restricts certain apps, websites, and features to reduce your attack surface.
- Disable “Send as Text Message” in Message Settings: This ensures messages are only sent via iMessage, which offers end-to-end encryption between Apple users.
- Protect DNS Queries: Use encrypted DNS services like Cloudflare’s 1.1.1.1 Resolver, Google’s 8.8.8.8 Resolver, or Quad9’s 9.9.9.9 Resolver.
- Enroll in Apple iCloud Private Relay: This service enhances privacy and security by masking IP addresses and using secure DNS.
- Review and Restrict App Permissions: Regularly review and limit app access to sensitive data like location, camera, and microphone.
Android:
- Prioritize Secure Phone Models: Choose models from manufacturers with strong security track records and long-term security update commitments. Look for devices that offer hardware-level security features and commit to at least five years of security updates.
- Use RCS Only with End-to-End Encryption: Ensure end-to-end encryption is active when using Rich Communication Services.
- Configure Android Private DNS: Use trusted, high-privacy DNS resolvers like those mentioned above for iPhone.
- Enable “Always Use Secure Connections” in Chrome: Ensure all website connections default to HTTPS for increased security.
- Enable Enhanced Safe Browsing Protection in Chrome: This provides an additional layer of security against malicious websites and downloads.
- Confirm Google Play Protect is Enabled: This feature detects and prevents malicious apps. Exercise caution when using third-party app stores.
- Review and Restrict App Permissions: Minimize the access apps have to sensitive permissions like location, camera, or microphone.
By following these recommendations, you can significantly enhance the security of your mobile communications and protect yourself against the evolving threats posed by state-sponsored actors and other cybercriminals.
TryHackMe | Advent of Cyber 2024 – Day 18
Follow along as we crack open a new year of the Advent of Cyber from TryHackMe! This is always fun! Here is the playlist on YouTube, but I’ll be posting them on this site as well.
Navigating the National Cyber Incident Response Plan: A Summary
The National Cyber Incident Response Plan (NCIRP) is a crucial document outlining the U.S. government’s strategy for addressing cyber incidents. It serves as a blueprint for collaboration between federal agencies, private entities, and state, local, tribal, and territorial (SLTT) governments in the face of increasingly sophisticated cyber threats.
If you’d rather, here is an AI-generated podcast summarizing the paper:
Key Objectives of the NCIRP
- Establish a coordinated national response to significant cyber incidents.
- Provide a framework for the roles and responsibilities of various stakeholders in incident detection and response.
- Outline the coordinating structures, key decision points, and priority activities throughout the cyber incident lifecycle.
- Promote a unified approach to incident response, ensuring efficient and effective action.
Four Lines of Effort
The NCIRP outlines four key Lines of Effort (LOEs) to manage cyber incidents:
- Asset Response: Led by the Cybersecurity and Infrastructure Security Agency (CISA), this LOE focuses on protecting assets, mitigating vulnerabilities, and minimizing incident impact.
- Threat Response: Spearheaded by the Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI), this LOE involves investigating, attributing, and disrupting malicious cyber activity.
- Intelligence Support: Led by the Office of the Director of National Intelligence (ODNI) through the Cyber Threat Intelligence Integration Center (CTIIC), this LOE focuses on building situational awareness, analyzing threat trends, and identifying knowledge gaps.
- Affected Entity Response: This LOE involves managing the impact of a cyber incident, including maintaining operational continuity, protecting privacy, and complying with regulations. The lead agency varies depending on whether the affected entity is a federal agency or a private organization.
Cybersecurity Incident Response Phases
The NCIRP outlines two primary phases for incident response:
- Detection Phase: This phase involves continuous monitoring and analysis of cyber activity to identify potential incidents. Key decisions and activities in this phase include:
  - Determining the severity of the incident based on its potential impact on national security, the economy, and public health and safety.
  - Deciding if CISA should convene an incident-specific group of stakeholders through the Joint Cyber Defense Collaborative (JCDC) to coordinate asset response activities.
  - Assessing the need for a Cyber Unified Coordination Group (Cyber UCG) to enhance interagency coordination.
- Response Phase: This phase focuses on containing, eradicating, and recovering from an incident. Key decisions and activities in this phase include:
  - Identifying key private sector stakeholders to contribute to solution development and implementation.
  - Establishing shared priorities for response efforts based on the scope and impact of the incident.
  - Determining the appropriate timing and methods for implementing response activities.
  - Evaluating resource needs and considering whether to utilize the Cyber Response and Recovery Fund (CRRF).
  - Defining the criteria for concluding the incident response phase.
Coordinating Structures
The NCIRP leverages existing coordinating structures to enhance incident response, including:
- Cyber Response Group (CRG): Responsible for policy and strategy development and implementation regarding significant cyber incidents.
- Cyber UCG: The primary operational coordination mechanism for federal agencies during significant cyber incidents.
- Sector Risk Management Agencies (SRMAs): Provide sector-specific expertise and support to the Cyber UCG and affected entities within their respective sectors.
- Joint Cyber Defense Collaborative (JCDC): Fosters public-private partnerships to address cyber incidents through planning, information sharing, and development of mitigation guidance.
Preparedness and Implementation
The NCIRP emphasizes continuous preparedness and ongoing implementation efforts to ensure national readiness for cyber incidents. CISA plays a crucial role in these efforts, leading activities such as:
- Developing supplementary plans: CISA creates additional documents addressing specific issues and stakeholder communities to enhance national preparedness.
- Updating the NCIRP: CISA regularly updates the NCIRP to reflect changes in the cyber threat landscape, laws, and lessons learned from past incidents.
- Facilitating nationwide activities: CISA works with stakeholders to implement actions outlined in Annex B of the NCIRP, which focuses on preparing for cyber incidents.
The NCIRP is a living document, constantly evolving to address the ever-changing cyber threat landscape. It serves as a vital resource for all cybersecurity enthusiasts, providing insights into the nation’s strategic approach to managing cyber incidents.
TryHackMe | Advent of Cyber 2024 – Day 17
Follow along as we crack open a new year of the Advent of Cyber from TryHackMe! This is always fun! Here is the playlist on YouTube, but I’ll be posting them on this site as well.
TryHackMe | Advent of Cyber 2024 – Day 16
Follow along as we crack open a new year of the Advent of Cyber from TryHackMe! This is always fun! Here is the playlist on YouTube, but I’ll be posting them on this site as well.
Weekly Cybersecurity Wrap-up 12/9/24
Each week I publish interesting articles and ways to improve your understanding of cybersecurity.
Projects
- Linux Foundation – Introduction to Kubernetes (LF158) – In Progress
- TryHackMe – Splunk: Setting up a SOC Lab
- TryHackMe – Advent of Cyber – Playlist
Videos
Articles
- China’s Salt Typhoon recorded top American officials’ calls, says White House – Chinese cyberspies recorded “very senior” US political figures’ calls, according to White House security boss Anne Neuberger.
- Senior Dating data breach exposes more than 700,000 users – Information includes latitude and longitude coordinates
- “CP3O” pleads guilty to multi-million dollar cryptomining scheme – 45-year-old Charles O Parks III (who went by the moniker “CP30” online) pleaded guilty to wire fraud charges at a federal court in Brooklyn, New York, after defrauding two well-known providers of cloud computing services out of over US $3.5 million.
- U.S. Charges Chinese Hacker for Exploiting Zero-Day in 81,000 Sophos Firewalls – The U.S. government on Tuesday unsealed charges against a Chinese national for allegedly breaking into thousands of Sophos firewall devices globally in 2020.
- FBI Busts Rydox Marketplace with 7,600 PII Sales, Cryptocurrency Worth $225K Seized – The U.S. Department of Justice (DoJ) on Thursday announced the shutdown of an illicit marketplace called Rydox (“rydox[.]ru” and “rydox[.]cc”) for selling stolen personal information, access devices, and other tools for conducting cybercrime and fraud.
- North Korea’s fake IT worker scam hauled in at least $88 million over six years – DoJ thinks it’s found the folks that ran it, and some of the ‘IT warriors’ sent out to fleece employers
- New IOCONTROL malware used in critical infrastructure attacks – Iranian threat actors are utilizing a new malware named IOCONTROL to compromise Internet of Things (IoT) devices and OT/SCADA systems used by critical infrastructure in Israel and the United States.
Podcasts
TryHackMe | Advent of Cyber 2024 – Day 15
Follow along as we crack open a new year of the Advent of Cyber from TryHackMe! This is always fun! Here is the playlist on YouTube, but I’ll be posting them on this site as well.
TryHackMe | Advent of Cyber 2024 – Day 14
Follow along as we crack open a new year of the Advent of Cyber from TryHackMe! This is always fun! Here is the playlist on YouTube, but I’ll be posting them on this site as well.