CISA Best Practices for Mobile Communications

Recently, The Cybersecurity and Infrastructure Security Agency (CISA) released some best practices for mobile communications. These are the result of the recent exploits attributed to The People’s Republic of China. While the recommendations were targeted at senior government officials, they apply equally well to everyone. Most of us are, of course, of limited interest to nation states but cyber criminals are always looking for a way to infiltrate our accounts and steal our money or personal information.

There’s nothing surprising in the advice but it does serve as a convenient checklist for what we should be doing to protect our privacy and safety.

The advice boils down to:

  • Use only end-to-end encryption. This is probably the most important advice. Even law enforcement has stopped prentending otherwise.
  • Use FIDO for safe identity verification.
  • Avoid SMS for two factor authentication.
  • Use a password manager. I use a combination of 1Password and Apple Passwords app. Whatever you use, it should enable long, random passwords and a single password to access the database.
  • Setup a TELCO pin. This isn’t as obvious but it can help prevent a cyber criminal from taking control of your mobile account.
  • Regularly update your software. The best way to do that is to enable automatic updates. That’s what I do and, at least in the Apple environment, that means that I get notified of each update and have the opportunity to upgrade or not.
  • Avoid personal VPNs. This is the hardest to understand of the recommendations but the idea is that it only hides your identity, not the content of your communications. For that, you need an end-to-end VPN, which personal VPNs don’t typically offer.

We can be reasonable sure this is good advice because it’s being directed to government officials. When they start offering advice to protect their own information, you can be sure it’s good information.

This entry was posted in General and tagged . Bookmark the permalink.