Full Report
The US Cybersecurity and Infrastructure Security Agency recommended users turn on phishing-resistant MFA and switch to Signal-like apps for messaging
Analysis Summary
# Best Practices: Encrypted Communication and Phishing-Resistant Authentication
## Overview
These practices are derived from CISA guidance issued following the Salt Typhoon APT group's cyber espionage campaign targeting US telecommunication firms. The focus is on mitigating risks associated with unencrypted communication channels (SMS) and improving user authentication mechanisms, particularly for high-risk individuals (senior government/political roles).
## Key Recommendations
### Immediate Actions
1. **Stop Using Unencrypted SMS for Sensitive Communications:** Highly targeted individuals (senior government/political positions) must immediately cease using standard, unencrypted Short Message Service (SMS) for sending potentially sensitive information.
2. **Adopt End-to-End Encrypted (E2EE) Messaging:** Immediately migrate sensitive conversations from SMS to an established E2EE messaging application, such as Signal.
3. **Enable MFA on Critical Services:** Ensure Multifactor Authentication (MFA) is enabled across all essential online services, specifically targeting social media, Microsoft, and Google/Apple accounts.
4. **Deploy Mobile Device Passcodes:** Set an additional PIN or passcode specifically for the mobile phone account (SIM lock/device lock) to provide immediate physical access control.
### Short-term Improvements (1-3 months)
1. **Implement Phishing-Resistant MFA:** Systematically replace SMS-based MFA methods with phishing-resistant options, prioritizing FIDO2-enabled standards.
2. **Enroll in Advanced Protection Programs:** For users of Gmail, enroll immediately in Google’s Advanced Protection Program (APP) to enhance defenses against sophisticated phishing and account hijacking attempts.
3. **Mandate Password Manager Usage:** Require or strongly encourage the use of a reputable password manager to generate and store complex, unique credentials for all accounts.
4. **Establish Regular Patch Management:** Implement a recurring schedule to ensure all software and applications on all endpoints (especially mobile devices) are kept up-to-date.
### Long-term Strategy (3+ months)
1. **Procure and Deploy FIDO2 Hardware Authenticators:** Strategically plan the rollout and adoption of FIDO2-compliant hardware security keys across the user base, especially for roles with elevated access or risk profiles.
2. **Develop Secure Communication Protocols Policy:** Formalize an organizational policy dictating the approved and required communication channels for different classifications of data, mandating E2EE tools where appropriate.
3. **Review and Restrict Personal VPN Usage:** Develop a clear policy regarding the use of personal VPNs. If organizational access requires a VPN client, ensure only organizationally approved, vetted corporate VPN solutions are used, and educate users on the inherent risks of consumer/free VPNs.
## Implementation Guidance
### For Small Organizations
- **Focus on E2EE Migration:** Prioritize the immediate switch of key personnel (executives dealing with external parties) to Signal or similar E2EE apps for urgent communication needs.
- **Use Consumer MFA Defaults:** Ensure all major cloud services (Google Workspace, Microsoft 365) have MFA enabled using the strongest available method that is quickly deployable (e.g., Authenticator apps first, then progressing to FIDO2).
### For Medium Organizations
- **Establish Phishing Training:** Integrate phishing-resistant MFA deployment with targeted security awareness training focusing on SMSishing and vishing techniques.
- **Inventory Public-Facing Accounts:** Conduct an inventory of all primary accounts (social media, executive emails) and enforce MFA enrollment using FIDO2 or strong Authenticator apps across the board.
### For Large Enterprises
- **Phishing-Resistant MFA Rollout:** Initiate a structured, phased rollout of FIDO2-enabled MFA across the entire workforce, starting with high-value users and privileged accounts.
- **Network Configuration Review:** Audit network egress points to ensure controls are in place to discourage the use of unvetted personal VPN connections for accessing organizational resources.
- **Implement Mobile Security Baselines:** Develop and enforce mobile security baselines that mandate specific configurations, like advanced security modes and trusted DNS resolvers.
## Configuration Examples
| Setting/Service | Recommendation | Specific Configuration Hint |
| :--- | :--- | :--- |
| **Gmail** | Enroll in App Advanced Protection Program (APP) | Follow Google’s enrollment steps for APP for high-risk accounts. |
| **iPhone Users** | Enable Lockdown Mode | Access Settings > Privacy & Security > Lockdown Mode. |
| **iPhone Users** | Enable Private Relay | Access Settings > [Your Name] > iCloud > Private Relay (Beta). |
| **Android Users** | Enable Google Play Protect | Ensure this is active in Google Play Store settings. |
| **Android Users** | Configure Private DNS | Set Android Settings > Network & Internet > Private DNS to a trusted resolver (e.g., `1dot1dot1dot1dot1.cloudflare-dns.com`). |
| **MFA** | Adopt Phishing-Resistant MFA | Utilize hardware keys complying with FIDO2 standards. |
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Primarily aligns with the *Protect* function (PR.AC-1: User authentication is a primary control; PR.DS-5: Data-in-transit is protected).
- **CIS Critical Security Controls (CIS Controls):** Directly addresses Control 6 (Access Control Management, specifically mitigating credential theft) and emphasizes the use of MFA (Control 5).
- **ISO/IEC 27001:** Relates to A.9 (Access Control) and A.12 (Operations Security, specifically A.12.6 Patch Management).
## Common Pitfalls to Avoid
- **Mistaking Any MFA for Phishing-Resistant MFA:** SMS and voice call-based MFA are vulnerable to interception and social engineering; relying on these alone is insufficient against targeted threats.
- **Trusting All VPNs:** Assuming a personal VPN inherently improves security. Remember that commercial VPNs only shift the data handling risk from the ISP to the VPN provider, whose security posture may be weak.
- **Ignoring Mobile Device Security:** Failing to secure the mobile endpoint itself with device-level PINs or advanced modes (like Lockdown Mode), even if application data is encrypted.
## Resources
- **Encrypted Messaging:** Signal (for E2EE communication)
- **Phishing-Resistant Authentication Standard:** Fast Identity Online (FIDO) Alliance documentation for FIDO2 implementation guidance.
- **Google Security Tool:** Enrollment in Google’s Advanced Protection Program (APP).