Secure by Design/Secure by Default

What it means for enterprise secure communications

Secure by Design and Secure by Default are both terms coined by the UK National Cyber Security Centre (NCSC), and used in different contexts. Sometimes they are used interchangeably; however, they do have slightly different meanings, which are important for enterprise security in general, and for secure communications in particular.

Secure by Design

Broadly speaking, Secure by Design means that software products and services are designed to be secure from the ground up.  Every layer is considered from a security and privacy standpoint and starts with a robust architecture design.  Secure by Design incorporates strategies such as forcing patterns of behaviour, for example, strong authentication, and the use of best practice protocols such as least privilege access.

More specifically, Secure by Design is part of the Government’s National Cyber Security Strategy. The Department for Digital, Culture, Media & Sport (DCMS) and the NCSC conducted a review into how to improve the cyber security of consumer Internet of Things (IoT) products and associated services, and as a result published various documents regarding the security of smart devices.

Secure by Default

Secure by Default builds on the premise of Secure by Design. According to NCSC, Secure by Default is about taking a holistic approach to solving security problems at the root cause rather than treating the symptoms. It covers the long-term technical effort to ensure that the right security attributes are built into software and hardware. As well as ensuring that security is considered at every stage when developing products and services, it also includes ensuring that products are delivered to the end-user in such a way that the default settings enforce good security practices, while balancing usability with security.

In short, when you turn on your device and turn on your Armour Mobile app you are immediately configured to be secure. This protects against human error, where an end-user may not realise that they need to turn on encryption or security.  After all, if a product is too difficult to use, people will simply find a workaround, meaning that security ends up being compromised anyway.

Secure by Default principles prescribed by NCSC are:

    • security should be built into products from the beginning, it can’t be added in later;
    • security should be added to treat the root cause of a problem, not its symptoms;
    • security is never a goal in and of itself, it is a process – and it must continue throughout the lifetime of the product;
    • security should never compromise usability – products need to be secure enough, then maximise usability;
    • security should not require extensive configuration to work, and should just work reliably where implemented;
    • security should constantly evolve to meet and defeat the latest threats – new security features should take longer to defeat than they take to build;
    • security through obscurity should be avoided;
    • security should not require specific technical understanding or non-obvious behaviour from the user.

Armour’s Secure by Design and Secure by Default principles are intended to help organisations safeguard and control data, privacy, and whatever secrets they need to protect, whether that’s government, military, financial, legal, medical, intellectual property, strategic or competitive.

Armour Mobile complies with Secure by Design AND Secure by Default

At Armour Comms we have been working with NCSC since our inception in 2014 to ensure that our products are designed with best practice security protocols in place. Our initial products were CPA certified to demonstrate they adhered to these security principles; when that scheme finished (for all products with the exception of smart meters) we focused on ISO27001 and Cyber Essentials Plus certification as externally audited proof of our strong security practices, and targeting NCSC’s latest Principles Based Assurance (PBA).

Our products are approved for use up to OFFICIAL-SENSITIVE, NATO Restricted and for Higher Assurance requirements and are already deployed at these levels, as well as being suitable for handling Corporate Confidential information. Our innovative developers work hard to deliver products that strike the balance between providing a user experience that mimics consumer-grade apps, while delivering the security credentials required for higher assurance use. Armour Mobile is in use in numerous areas of Government departments and the MoD, as well as by commercial customers who understand the value of securing their sensitive communications.

For a more detailed look at the NCSC Secure by Default principles read our blog: The future of NCSC Technical Assurance: https://www.armourcomms.com/2022/01/25/the-future-of-ncsc-technical-assurance/ and for more information about the NCSC Secure by Default principles please read: https://www.ncsc.gov.uk/information/secure-default.

The UK Government’s Secure by Design principles are outlined at: https://www.security.gov.uk/guidance/secure-by-design/ and these principles are recognised internationally, e.g. by the US Cybersecurity and Infrastructure Security Agency (CISA) at https://www.cisa.gov/securebydesign.

NCSC’s Principles Based Assurance is described at https://www.ncsc.gov.uk/information/principles-based-assurance and is discussed in detail in https://armourcomms-25743375.hubspotpagebuilder.eu/register-webinar

NCSC updates advice for Legal Firms

How securing your communications channels can help

The National Cyber Security Centre has recently updated its Cyber Threat Report for the UK Legal Sector (https://www.ncsc.gov.uk/files/Cyber-Threat-Report_UK-Legal-Sector.pdf). Last published in 2018, the report gives a summary of what’s changed during the intervening years, to help firms understand current cyber security threats, and the extent to which the legal sector is being targeted. It also offers practical guidance on how organisations can be more resilient to these threats.

SRA finds 75% of legal firms reported a cyber attack

The Solicitors Regulation Authority (SRA) stated in September 2020 that 75% (30) of the firms that they visited while researching for the report had been the target of a cyber attack (https://www.sra.org.uk/sra/research-publications/cyber-security/). In another 10 cases, clients of firms were targeted directly during a financial transaction.

Serious impacts for clients and reputational damage

There is no doubt that the legal sector is experiencing increasing threat levels from  cyber criminals. This is understandable given that firms are typically handling sensitive client information, for example, relating to criminal cases, or mergers and acquisitions, or handling large financial transactions. Cyber attacks and the compromise of data can have significant implications for clients, not to mention damage to the reputation of a law firm. Indeed, NCSC warns that larger organisations are even being targeted by nation states if they are working on causes with which the state disagrees, for example, human rights or regime change. Some firms have suffered intellectual property theft from state sponsored actors attributed to China. Similarly, firms working in life sciences or energy sectors are seeing increased attacks from hacktivists.

However, it doesn’t end with nation states and organised crime. NCSC also warns that there is a growing threat from ‘hackers-for-hire’ who can be commissioned to carry out malicious activities for people or organisations prepared to pay. This typically involves industrial espionage, and theft of sensitive information that could give an advantage in a legal case and seriously impact your client, for example.

The NCSC report outlines the main types of cyber attacks which include:

  • Phishing
  • Business email compromise (BEC)
  • Ransomware and other malware
  • Password attacks
  • Supply chain attacks

And gives advice on the best way to tackle each.

A common theme – communications channels

Social engineering – the insider threat

A theme common across all of these attack vectors is the insider threat – i.e. the ability for people to be manipulated by clever social engineering during routine communications, whether this be voice calls, emails, instant messaging or video/conferencing calls. Several of the attacks listed above trick people into actions that can result in malware or other forms of cyber attack infiltrating the business.

BYOD – risk to business data

In addition, if people are using their personal devices (BYOD) for business communications this can open up the firm to additional risks such as compliance and GDPR contraventions, as well as issues around data sovereignty and separating business and personal data on unmanaged devices.

Identity spoofing

Another common theme is that people are tricked into revealing confidential or commercially sensitive information in the mistaken belief that they are communicating with someone they think they know. In other words, identities are hacked or spoofed, either as part of a deepfake scam or business email compromise (BEC).

 

Secure and compliant collaboration

The answer is to provide secure collaboration tools that are easy and intuitive enough for everyday use. Tools that are designed with security in mind from the ground up (with settings which automatically default to a secure configuration without any intervention from the end user) are a crucial part of protecting employees from social engineering attacks, and keeping sensitive client information, and financial transactions, safe.

Providing a secure communications channel can add an extra layer of security to address the risks for when the stakes are high, providing cyber and operational resilience. Large financial transactions, details of on-going criminal cases, mergers and acquisitions, sensitive client information all benefit from the additional security that a Secure-by-Design communications solution can provide.  Using closed-group communications platforms where only known, previously approved users can get access can dramatically reduce the likelihood of phishing, deepfake or BEC attacks.

Such solutions must also provide Archive and Auditing features, so that details of communications are preserved, and available for review at a later date (subject to strict security measures), even if the conversations/documents have been deleted or lost from the original device – thus satisfying legal compliance requirements, public records needs, freedom of information (FOIA), etc.

Securing Communications Channels Buyer’s Guide

Armour Comms has recently published our Securing Communications Channels Buyer’s Guide.  It provides the Top 10 Questions to ask when Securing your Communications and explains:

  • Why and when you need secure communications.
  • Are consumer apps secure enough? (No, they are not!)
  • Who got caught out?
  • What exactly you should be looking for

 

Download your copy here: https://armourcomms-25743375.hubspotpagebuilder.eu/buyers-guide-landing-page-2

Or watch our recent webinar: How to deal with the evolving threat to our sensitive communications, which was hosted by The Register.  https://armourcomms-25743375.hubspotpagebuilder.eu/register-webinar

Shadow IT – How much risk does this bring to your organisation?

IBM says: “Shadow IT is any software, hardware or IT resource used on an enterprise network without the IT department’s approval and often without IT’s knowledge or oversight.” And according to Randori’s State of Attack Surface Management 2022 report, nearly 7 in 10 organisations have been compromised by shadow IT in the past year. Full details here: https://www.ibm.com/topics/shadow-it#:~:text=Sharing%20work%20files%20on%20a,malicious%20assets%20planted%20by%20hackers.

Shadow IT is the insidious, creeping, adoption of unauthorised applications (or unauthorised devices), often as short cuts, to get the job done, such as the use of consumer apps for business communications. For example, sending a message to a colleague to arrange the logistics for a stop at a coffee shop before a meeting.  This sounds so innocent, yet can be the thin end of the wedge, as the app gradually becomes a ‘de facto’ key application across the organisation and is used for more sensitive corporate scenarios.  The habit is formed, it spreads across the enterprise and people are using these consumer apps to discuss business, putting sensitive corporate data at risk. Here’s how.

How do you separate business and personal data?

If your employees are using their own phones (i.e. BYOD) to send and receive work-related information, it begs the question, who owns those messages?

If it’s work data, then the business owns it, even if it’s held on a personally owned device. But while the business owns it, they don’t control it. This is an important point because what happens if the data is forwarded to an unauthorised third party? Could there be GDPR issues? What if the data is misused, causing embarrassment to the business, or harming reputation? Were the WhatsApp messages that ex-Minister Matt Hancock shared with a hostile journalist really his to share? They were on his phone, but discussed matters of state, and involved colleagues. Our previous blog gives the details of this sorry episode, and the very serious risk that the use of such apps poses to corporate data. https://www.armourcomms.com/2023/03/20/the-hancock-saga-exactly-how-not-to-manage-sensitive-information/

How do you leverage BYOD safely?

BYOD devices provide benefits to both employee and organisation. No one really wants to carry two phones around, so using personal devices is great for the employee.  However, while utilising the tech that staff already have is a siren call for managers looking to make the most of IT budgets, it does bring with it a range of risks, of which managing data on a device that the organisation doesn’t own is key.  Mitigating the risk to corporate data could be done with any number of mobile device management solutions, but people are extremely resistant to having their personal property controlled in this manner.  The trick is to securely separate work data from home data.

How do you combat the risk of consumer apps in business?

Providing a separate app for all business communications puts you back in control of your data while enabling the use of BYOD devices.

A separate app for business communications means that all work data is ring-fenced in a secure platform.  It avoids data, photos/images, and documents being leaked to other non-managed applications on the phone.  Ideally, it also provides a secure audit facility, meaning that a copy of all communications and associated files are saved and can be reviewed later, subject to the appropriate security processes (crucial in regulated industries). This audit feature needs to work even if the original messages have been deleted from the user’s device (whether through normal use or in an attempt to hide misuse), something that simply can’t be achieved with a consumer app.

Keeping control of data

With a built for purpose, secure by design communications solution, the organisation can retain control of its messages/communications data, even after sending. Features like Message Burn mean that a message can be set to delete after a set amount of time, either after it has been sent, or after it has been read. This feature should be configurable by the individual sender, or by central administration as part of a group security policy. Furthermore, central administration features should be able to ensure that all messages can be deleted from devices after a set time, say 30 days.

Central administration and a controlled environment also mean that only invited people can join the collaboration/communications group. This significantly reduces the risk from phishing and deep fake scams because people always know who they are communicating with. Only authorised users can access the app, making it much more difficult to spoof an identity.

Secure communications apps such as Armour Mobile are every bit as easy and intuitive for end users, providing a very similar experience to using consumer-grade apps. Not only does using a specific application for business purposes keep your enterprise data under your control, it also fosters a more security-conscious approach to safeguarding data throughout your organisation, and it helps to mitigate one of the biggest risks of shadow IT within the enterprise – the use of consumer apps for business.

For more information about how Armour Comms can help your organisation combat the creep of shadow IT and keep control of business data, even on BYOD devices, contact us today.

Cyber Incident Response Advice

From the South East Cyber Resilience Centre

Our friends over at the South East Cyber Resilience Centre (SECRC) recently updated their Cyber Incident Response Plan template. This document is free for organisations to use, share, adapt and build upon, so long as it is not used for commercial purposes.

The template highlights the importance of communications in the event of a cyber attack with the following statement:

During a cyber security incident either targeting your systems or directed towards an external partner/supply chain, careful consideration should be had surrounding communications capabilities.

There may be a diminished capacity for those affected partners because of the impact from the cyber security incident. Resilient communication options should be considered such as alternative phones. Internally, a successful cyber-attack can affect multiple communication methods. Intranet and internet websites alongside communication avenues such as online contact, or email communication may be lost; effectively isolating the public from accessing your services and the service from using internal communications.

It further notes that: Voice over Internet Protocol (VoIP) telephone and Microsoft Teams are all telecommunications systems which could be lost or compromised.

This is a topic that we cover in more detail in our recent blog: https://www.armourcomms.com/2023/03/31/in-the-midst-of-a-cyber-attack-who-you-gonna-call-and-how/

About SECRC

The SECRC offers a range of membership options depending on what level of support businesses in Hampshire, Surrey, Sussex, Oxfordshire, Berkshire and Buckinghamshire need.

The Core Membership is free and provides businesses with 50 or fewer employees access to a range of resources and tools to help them identify their risks and vulnerabilities, as well as providing guidance on the steps they can take to increase their levels of protection.

For more information about SECRC and to download the Cyber Security Incident Plan template please visit: https://www.secrc.police.uk/post/cyber-incident-response-plan

Securing Communications Channels – A buyer’s guide

Anyone that reads this blog regularly will know that there are a huge number of potential use cases where secure communications can and should be used. These include:

  • Management of BYOD & remote working
  • BCM & disaster recovery
  • Mission critical & crisis communications
  • Managing security incidents
  • Out of band comms for cyber and operational resilience
  • Secure collaboration with third parties, consortiums & supply chains
  • Protection of intellectual property
  • Vulnerable communities and HR related scenarios
  • C-suite protection
  • Foreign carrier and network risks
  • Mergers & acquisition
  • High net worth individuals & family offices
  • Combat shadow IT
  • Compliance with regulations & standards (e.g. GDPR)
  • Closed messaging applications for high assurance

 

The technologies or media used to ensure secure communications can include voice, video, conferencing, instant messaging, regulatory secure audit and archiving in order to ensure secure collaboration with trusted colleagues, data privacy, and the separation of business and personal data on BYOD devices. In many organisations a range of solutions will be used, some sanctioned by IT, some not, opening the organisation to the risk from shadow IT.

In Securing Communications Channels – A buyer’s guide we provide the Top 10 questions to ask when looking to secure communications in your organisation. We cover:

When should you use Secure Communications?

There’s a surprisingly wide range of enterprise use cases where secure comms should be a requirement for your business to reduce material risk and improve cyber/operational resilience – we outline them for you.

Are consumer apps secure enough?

While consumer apps are fine for sharing selfies with family or making arrangements for a big night out, they are absolutely NOT suitable for business use – we explain why.

Who got caught out?

We give real-world examples of exactly what can go wrong and the consequences of using unsecure methods of communication.

What exactly should you be looking for?

We suggest the 10 questions you should be asking, and provide a handy tick list of requirements.

Who should read this document? 

Everyone who:

  • Needs to protect sensitive business information and communications on mobile devices (including BYOD)
  • Is looking for a more secure solution for collaboration and messaging that provides greater management of users and data, with Audit & Compliance capabilities
  • Works in regulated industries that need to archive and audit compliance for all communications, especially those on mobile devices.
  • Business Continuity & Cyber & Operational Resilience professionals who need an ‘out of band’ communications channel in the event of a serious cyber incident
  • Data Privacy professionals who need to protect personal information and enforce compliance with data protection regulations
  • Risk professionals who want to mitigate cyber & operational risk

 


CyberUK – The tide is turning for secure communications

Just back from Cyber UK and the tide seems to be turning. The message that consumer grade apps are not secure enough for business and government communications is really starting to resonate.

Holding the event in Belfast a few days after the visit by US President Joe Biden seemed to result in a more strategic audience.  The majority of conversations we had were about the importance of data sovereignty, who owns corporate data and keeping control of where it goes, and, operational and cyber resilience. All key themes that are central to secure communications and keeping mobile data safe – and all issues that cannot be properly addressed by the use of consumer apps.

As well as being busy on the stand throughout both days with more visitors and more follow up meetings booked than ever before, we were also pleased to meet a Major General; Jonathan Berry, the Viscount Camrose, Parliamentary Under Secretary of State (Department for Science, Innovation and Technology); and the following day, Minister of State (Home Office) (Security) Tom Tugendhat. Of the 90+ exhibitors the Minister and Under Secretary visited only about 5 or 6 stands, of which Armour featured for both. Clearly the recent stories in the press about sensitive messages on phones being compromised are filtering through. (Read more here: https://www.armourcomms.com/2023/03/20/the-hancock-saga-exactly-how-not-to-manage-sensitive-information/)

If you are looking for a highly usable alternative to consumer messaging apps to reduce cyber risk in your organisation, even on BYOD devices, then contact us today

Online Safety Bill – So what?

Enterprise data security is never an A or B option – Good cyber security is far more nuanced

As those that have been in cyber security for any length of time know, protecting data is not a simple process. The dynamic between individual privacy and security of the population at large, whether due to terrorists, paedophiles/abusers or any number of bad actors, is a complicated balancing act that depends on many variables. There has been a recent outcry by some providers of consumer apps regarding the Online Safety Bill (currently going through Parliament) reported by the BBC: https://www.bbc.co.uk/news/technology-65301510 which is said to compromise people’s privacy. In short, some providers of messaging apps are threatening to block UK users should the bill become law.

Citizens want to be protected

The bottom line is that the vast majority of citizens want to be protected and for the police and law enforcement agencies to be allowed to fight crime.  In order for this to happen, under certain circumstances, additional measures need to be put in place. Indeed, this isn’t the first time that there has been push-back from interested parties trying to stop new legislation.  The Regulation of Investigatory Powers (RIPA) 2000 witnessed a backlash from journalists (amongst others) at the time.

Consumer apps have no place in business communications

Putting all this into the context of business communications, it really is a big ‘so what’. Or at least, it should be. Business communications should never be conducted over consumer-grade apps for many reasons (which we’ve explained elsewhere numerous times – NCSC also gives advice: https://www.armourcomms.com/2022/05/17/advice-from-ncsc-using-secure-messaging-voice-collaboration-apps/).

Keep business and private data separate

Corporate data is owned by the organisation wherever it may be, including on BYOD devices or a company/organisation supplied phone, and needs to be treated as such at all times. Consumer apps should not be installed on corporate devices (witness the recent banning of TikTok by several governments: https://www.armourcomms.com/2023/03/23/global-backlash-against-tiktok-grows/). Such apps pose a business security risk as users may be targeted via these apps, and the apps themselves may be used to send data which will later compromise the organisation. All this emphasizes the need for organisations to control their own data – something that the use of consumer apps simply doesn’t allow.

Choose your secure comms platform carefully

When it comes to enterprise secure comms, organisations should avoid the lure of ‘shadow IT’ – just because people like it and everyone uses it doesn’t make it acceptable, particularly when there are credible alternatives. A built-for-purpose, Secure by Design secure comms platform can provide an equally slick user experience plus the ability to manage and control data and meta-data.  Whether on-premises or a secure hosted solution, an enterprise-grade secure comms platform ensures data sovereignty (your data stays on sovereign soil, i.e. you know where it is being held) and data separation (no mixing of data, be that different classifications of data, or business and personal).

Enterprise secure comms platforms provide additional services such as archive and audit, which enable the review of communications at a later date, to ensure compliance with regulations (GDPR, FOI, for example). None of this is available from consumer apps.

In short, if you rely on a consumer-grade app for any part of your business, you are not only at the whim of the supplier, you are also risking your business reputation.

In the midst of a Cyber Attack who you gonna call – and how?

Don’t rely on the very IP channel that has just been hacked, because your adversaries will be monitoring it!

As the number of organisations suffering major cyber-attacks continues to increase dramatically, the National Cyber Security Centre (NCSC)’s message on building operational and cyber resilience has never been more pertinent. Indeed, according to the UK Government’s Cyber Breaches Survey 2022, some 39% of businesses reported a cyber-attack, demonstrating the point that it’s not a case of if, but when, your organisation will suffer a cyber breach.

Building resilience from the ground up

When an organisation succumbs to a cyber-attack or catastrophic IT failure, the first thing to do, even before assessing the situation fully and putting together a plan for recovery and future mitigation, is to understand exactly how you are going to communicate. It’s not just the IT department discussing the technicalities, and business continuity managers communicating with the C suite and the board to keep them abreast of events. There is a wide variety of people involved in handling the situation that will need secure, reliable comms. They will include those with internal roles such as project managers, risk and incident managers, as well as employees with external roles such as customer relationship managers, public relations, legal counsel and lawyers. The last thing you should do is use the very platform that has just been compromised, i.e. your corporate network, if indeed you can.

Don’t rely on a compromised system

In layman’s terms, if your email has been hacked, sending an email to your friends asking for help is nonsensical – your email alerts the hackers to the fact you’ve detected their presence.  And, you can’t tell if any of the responses are genuinely from your friends or from the hackers messing with you.

It is very common when hackers have compromised a system for them to watch carefully for the responses from any IT resources that are tasked with countering their attack. Typically this includes watching and subverting any communications channels that IT may be using.  It’s not unusual for hackers to send spoof messages to try and assess just how well the IT team understands the nature of the attack, to capture new passwords or other changes to security, and prevent key messages from being delivered.

During the initial investigation phase of a cyber attack it is difficult to know what systems have been compromised, so it is best not to rely on any of them, if possible.

Secure your emergency communications for key staff

By protecting the communications of the IT and digital forensics team, as well as other key senior members of staff, you are blocking a very useful source of information from being intercepted or modified by the hackers. In addition, by using a secure communications platform, such as Armour Mobile, and having the secure comms hosted by a third party, you are further isolating the senior management and IT team’s comms from the potentially compromised systems that they are trying to recover.

Armour Mobile, which is approved by NCSC and NATO, can be up and running in minutes

For third party ‘blue teams’ brought in to handle such hacking situations it makes perfect sense for them to bring their own secure comms solution with them – and this is a question that you should be asking any would-be supplier when tendering for such services.

Armour works with a number of organisations that can provide specialist technical consultancy and cyber advisory services, from penetration testing and assurance, to incident management and response, and technical security research.

Contact us today for more information about protecting your emergency and sensitive communications and building operational resilience:  sales@armourcomms.com

Secure Mobile Comms in a Zero Trust world

How Armour Comms can provide a turnkey solution for Zero Trust mobile comms – even on BYOD devices

The UK National Cyber Security Centre (NCSC) defines zero trust as an architectural approach where inherent trust in the network is removed, the network is assumed hostile and each request is verified based on an access policy.

This is music to our ears at Armour® where, by their very nature, our products and services have been designed for communicating securely in potentially hostile environments. When a network is hostile, security comes from trusting users, devices and services. This means that user identity and authentication become critically important. Something, which in the secure comms space, we have been working on for many years.

Our flagship product, Armour Mobile® uses MIKEY-SAKKE identity-based encryption to secure multimedia services. This enables secure voice and video calls, voice and video conference calls, one-to-one and group messaging, and sending file attachments. The solution ensures that the parties exchanging calls and data are who they claim to be (hence the term “identity-based”). Armour offers several secure communications products with closed user groups, protecting against fake contacts from external hackers. These systems can run on your own servers for total sovereignty for data and metadata.

The MIKEY-SAKKE protocol uses identity-based cryptography and is designed to enable secure, cross-platform communications by identifying and authenticating the end points. It is an efficient, effective and NCSC-accredited protocol for building a wide range of secure multimedia services for government and enterprises.

Guidance from NCSC provides eight design principles for implementing a Zero Trust environment (https://www.ncsc.gov.uk/collection/zero-trust-architecture). The eight principles are as follows:

1. Know your architecture, including users, devices, services and data

2. Know your User, Service and Device identities

3. Assess your user behaviour, devices and services health

4. Use policies to authorise requests

5. Authenticate & authorise everywhere

6. Focus your monitoring on users, devices and services

7. Don’t trust any network, including your own

8. Choose services designed for zero trust

NCSC states that “When choosing the components of a zero trust architecture, you should prefer services with built-in support for zero trust.”  Furthermore, NCSC advises “Using products that utilise standards-based technologies allows for easier integration and interoperability between services and identity providers.”

Moving to a Zero Trust environment will in most cases be a significant undertaking for any organisation. With this in mind, the 8th principle to choose services designed for a zero trust environment makes obvious sense and avoids re-inventing the wheel.

At Armour we have consistently taken a standards-based approach to all design and development and have achieved: ISO27001:2013 registration for the Armour Communications Information Security Management System covering the development and delivery of Armour Mobile, SigNet by Armour® and white-labelled products; and Cyber Essentials Plus for our whole organisation.

Secure by Design and Secure by Default principles are in our very DNA. We’ve been working with the NCSC since our inception to ensure that our products conform to the appropriate industry standards and are designed with the end user in mind. Armour Mobile is used by some of the most security conscious organisations in the world including Governments, defence organisations and financial institutions, while SigNet is used in many enterprise environments and seen as a secure WhatsApp replacement product.

Contact us today to find out how Armour can empower your organisation with secure mobile comms that comply with Zero Trust requirements: sales@armourcomms.com