By Bryon Miller
I think all of us, at one point in our childhood, received an encoded message from a friend or belonged to a club or group that provided a decoder ring received in the mail. This was likely our first exposure to communication security. As we grew older, our experience with communication security, or COMSEC, was likely much more sophisticated, such as advanced electronic mathematical algorithms created for securing satellite communications thousands of miles away in space. Regardless of the way you are exposed to COMSEC, the truth of the matter is that, in some shape or form, it is a part of our lives – and perhaps a much bigger part than we fully realize.
Communications security is a set of integrated policies, procedures, and technologies used to protect sensitive information. In a more general sense, communications security is the prevention of unauthorized access to communications traffic. It’s imperative that every organization effectively secures information transmitted, transferred, or communicated at all costs. One does this by maintaining the three information assurance pillars of confidentiality (ensuring information is not seen by unauthorized parties), integrity (making sure information is unchanged), and availability (ensuring the information is accessible).
To help you improve your organizational communications security, consider the following tips:
- Implement network security controls. Network security should be managed and controlled to protect your organization from threats that may originate externally or internally. Your organization should maintain security controls for information systems and applications that use the network. This includes the protection of information that is in transit. Procedures that include appropriate roles and responsibilities should be established for the management of equipment on the network, including equipment in user work areas. User functionality, including user interface services, should be separated from system management functionality. Unauthorized information transfer via shared systems resources should be prevented using appropriate controls. Network diagrams that show how information flows over the network should be maintained and updated at least annually. Network diagrams should document all connections to systems that store, process, or transmit information. This includes all approved wireless networks.
Firewalls should be implemented between any wireless networks and the organization’s internal network. Firewall configurations should be implemented to restrict connections between untrusted networks and any systems in the protected information environment to only what is necessary. Firewall rules should be audited, verified, and updated at least semi-annually.
- Protect the exchange of information. Your organization should ensure that exchange agreements are established and implemented to address the transfer of information or software to or from external parties. Formal procedures should be defined that require the encryption of data in transit, including the use of strong cryptographic protocols to safeguard information during transmission over non-trusted or open public networks. Encryption of data at rest should also be addressed in exchange agreements. Sensitive information, such as personally identifiable information (PII), protected health information (PHI), controlled unclassified information (CUI), federal contract information (FCI), and personal account numbers (PANs), should be protected by ensuring it is never sent by end-user messaging technologies (e.g., instant messaging, SMS, chat, etc.). This can be supported by data leakage prevention (DLP) tools or network configuration procedures.
Additionally, the remote activation of collaborative computing devices to manage sensitive information should be prohibited in accordance with acceptable use requirements adopted by your organization.
- Ensure email, messaging, and Internet protection. Information involved in email, messaging, and Internet use needs to be protected with appropriate controls. This includes performing online transactions, as well as posting information on social media. Controls should guard against fraudulent activity, incomplete transmission, or the misrouting of information. Your organization should also ensure controls are in place to prevent unauthorized message alteration, disclosure, duplication, or replay. Only fully supported email clients, messaging applications, and web browsers should be authorized to operate within your organization’s environment. Whenever possible, only the latest version of these productivity tools provided by the vendor should be used. Plugins or add-on applications should be uninstalled or disabled unless they have been specifically authorized for use. Only authorized scripting languages should be permitted to run in email clients, messaging applications, and web browsers.
Additionally, only approved social media platforms should be accessible. Any approved access to social media platforms should be limited to only authorized personnel. URL filters should be configured and deployed to limit the ability of systems to connect to websites that have not been approved by your organization. This filtering should be enforced for each system, whether it is physically in your organization’s facility or not. Your organization should subscribe to URL categorization services to ensure you remain up to date with the most recent website category definitions available. Uncategorized sites should be blocked by default.
Email attachments entering the email gateway should be blocked if the file types are unnecessary for the organization’s business. For example, it is strongly recommended to block executable files (e.g., .exe files) from being delivered via email. Sandboxing should be used to analyze and block inbound email attachments with unauthorized file types, malicious characteristics, or dangerous payloads.
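As an added illustration of the attachment-blocking rule above (example code written for this article, not a product of the author or ASCENT Portal), the following Python check parses a constructed email, applies a hypothetical file-type blocklist, and also inspects the first bytes of each attachment so that an executable renamed to look like a PDF is still caught. The blocklist and the sample message are constructed for the example.

```python
import email
import posixpath
from email import policy
from email.message import EmailMessage

# Constructed blocklist: file types the hypothetical organization has no business need to receive.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".bat", ".ps1"}
# Leading bytes of a Windows PE executable; checked independently of the file name.
PE_MAGIC = b"MZ"


def attachment_verdicts(raw_message: bytes):
    """Return (filename, verdict, reason) for every attachment of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        ext = posixpath.splitext(name.lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            verdicts.append((name, "block", f"extension {ext} not permitted"))
        elif payload.startswith(PE_MAGIC):
            # Name looks harmless, content does not: treat as an executable.
            verdicts.append((name, "block", "PE executable content despite benign name"))
        else:
            verdicts.append((name, "allow", "no policy match"))
    return verdicts


def gateway_decision(raw_message: bytes) -> bool:
    """True if the message may be delivered, False if any attachment is blocked."""
    return all(verdict == "allow" for _, verdict, _ in attachment_verdicts(raw_message))


def build_sample_message() -> bytes:
    """Constructed message with a PDF, an .exe, and an executable renamed to .pdf."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application", subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application", subtype="octet-stream", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, verdict, reason in attachment_verdicts(build_sample_message()):
        print(f"{fname}: {verdict} ({reason})")
```

A real gateway would pair this with the sandbox analysis the article recommends, since magic-byte and extension checks only cover the file types you enumerate.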
- Set cryptography controls and encryption. Cryptographic keys should be established and managed in accordance with documented policy requirements for key generation, distribution, storage, access, and deactivation. Cryptographic controls should address the use of encryption for the protection of sensitive information transported by mobile or removable media, devices, or across communication lines. Supporting cryptographic procedures should be implemented to address the required level of protection, such as the type and strength of the encryption algorithm required. These procedures should include the specifications for the effective implementation of encryption whenever it is needed throughout your organization.
Public key certificates should be required to be issued under an organization-defined certificate policy or public key certificates should be obtained from an approved service provider. Encryption of data at rest and in transit should be implemented as determined by your organization’s data classification schema and risk assessment. All sensitive, non-public, and confidential data should be encrypted while in transit and at rest. Your data backups should be encrypted whether they are maintained by your organization or a third party.
- Protect publicly available information. Your organization should designate individuals who are authorized to post information onto a publicly accessible information system. This includes any public websites of your organization. Authorized individuals should be trained to ensure they are able to verify that publicly accessible information does not contain any non-public data.
Proposed content should be reviewed prior to posting onto publicly accessible systems to ensure non-public information is not included. Additionally, the content on publicly accessible systems should be reviewed for non-public information on a quarterly basis. Evidence of these reviews should be retained to support control compliance.
Publicly available information does not require the same level of controls as more sensitive or regulated data. However, would it cause embarrassment for your organization if this type of data were misrepresented? This is the “red-face test.” Not only does your organization need to ensure non-public data is not released on a publicly available system, but any public data you provide needs to be accurate. An incorrect press release, typographical errors in a job posting, or errors in email delivery are just a few examples that have the potential to cause embarrassment for your organization.
These are just a few tips to assist you and get you started. Your organization should ensure that comprehensive Communications Security controls are developed and implemented consistently across the organization as part of your overall Security Program.
Organizations that do not could potentially overlook a pivotal security function or leave a threat unaddressed. By developing comprehensive Communications Security controls, supported by all stakeholders, organizations can avoid key operational pitfalls for an effective overall Security Program.
Bryon Miller is co-founder and CISO at ASCENT Portal, a leading Software-as-a-Service (SaaS) platform for comprehensive security and continuous compliance management. An expert in security and compliance best practices, Miller is also the author of the book, “100 Security Program Pitfalls and Prescriptions to Avoid Them,” available on Amazon.