https://community.isc2.org/t5/Threats/CISA-releases-Mobile-Communications-Best-Practices-Guide/m-p/75754#M1448 <BLOCKQUOTE><HR /><SPAN>The write-up says these practices should be applied to "targeted users", but this list is a good idea for cautious users to consider.<BR /></SPAN><HR /></BLOCKQUOTE><P>Completely agree.&nbsp; We protect all company accounts to a particular baseline using the theory of defense-in-depth.&nbsp; Most everything on this list belongs in the baseline standard (#7 being the primary outlier -- we only require everything be "eligible for support" throughout the duty cycle).</P><P>&nbsp;</P><BLOCKQUOTE><HR /><SPAN>consider avoiding personal VPN services </SPAN><HR /></BLOCKQUOTE><P>As I see it, <STRONG>availability</STRONG> is always harmed.&nbsp; &nbsp;Hair pinning and concentrating traffic at a distant location increases latency and risks throttling, while adding additional failure points (the VPN supplier and their ISP) without removing any (your ISP is still in the mix).<BR /><BR /></P><P><STRONG>Integrity</STRONG>&nbsp;comes into question because they can adversary-in-the-middle you, since they inline your traffic and by having privileged software on your machine, they can inject their own root certificate, DNS servers, etc.</P><P>&nbsp;</P><P><STRONG>Confidentiality</STRONG> might be improved, but only if you trust them and their ISP more than your own ISP.&nbsp; Even without a 'privacy VPN', the trend towards "encrypt everything" means that my ISP knows I used Google, but not what search terms I used.</P> Fri, 20 Dec 2024 14:50:13 GMT denbesten 2024-12-20T14:50:13Z https://community.isc2.org/t5/Threats/CISA-releases-Mobile-Communications-Best-Practices-Guide/m-p/75747#M1447 <P><SPAN>CISA has released their Mobile Communication Best Practices Guide. The write-up says these practices should be applied to "targeted users", but this list is a good idea for cautious users to consider.<BR /><BR />Number eight on the list was a surprise, but after chatting with a colleague it makes sense to consider avoiding personal VPN services that advertise -- and doing business with any VPN service with whom you're unwilling to read the terms and conditions</SPAN></P><P>&nbsp;</P><P><SPAN><A href="https://www.cisa.gov/resources-tools/resources/mobile-communications-best-practice-guidance" target="_blank">https://www.cisa.gov/resources-tools/resources/mobile-communications-best-practice-guidance</A></SPAN></P> Thu, 19 Dec 2024 22:35:22 GMT https://community.isc2.org/t5/Threats/CISA-releases-Mobile-Communications-Best-Practices-Guide/m-p/75747#M1447 ericgeater 2024-12-19T22:35:22Z https://community.isc2.org/t5/Threats/CISA-releases-Mobile-Communications-Best-Practices-Guide/m-p/75754#M1448 <BLOCKQUOTE><HR /><SPAN>The write-up says these practices should be applied to "targeted users", but this list is a good idea for cautious users to consider.<BR /></SPAN><HR /></BLOCKQUOTE><P>Completely agree.&nbsp; We protect all company accounts to a particular baseline using the theory of defense-in-depth.&nbsp; Most everything on this list belongs in the baseline standard (#7 being the primary outlier -- we only require everything be "eligible for support" throughout the duty cycle).</P><P>&nbsp;</P><BLOCKQUOTE><HR /><SPAN>consider avoiding personal VPN services </SPAN><HR /></BLOCKQUOTE><P>As I see it, <STRONG>availability</STRONG> is always harmed.&nbsp; &nbsp;Hair pinning and concentrating traffic at a distant location increases latency and risks throttling, while adding additional failure points (the VPN supplier and their ISP) without removing any (your ISP is still in the mix).<BR /><BR /></P><P><STRONG>Integrity</STRONG>&nbsp;comes into question because they can adversary-in-the-middle you, since they inline your traffic and by having privileged software on your machine, they can inject their own root certificate, DNS servers, etc.</P><P>&nbsp;</P><P><STRONG>Confidentiality</STRONG> might be improved, but only if you trust them and their ISP more than your own ISP.&nbsp; Even without a 'privacy VPN', the trend towards "encrypt everything" means that my ISP knows I used Google, but not what search terms I used.</P> Fri, 20 Dec 2024 14:50:13 GMT https://community.isc2.org/t5/Threats/CISA-releases-Mobile-Communications-Best-Practices-Guide/m-p/75754#M1448 denbesten 2024-12-20T14:50:13Z