ericgeater
Community Champion

CISA releases Mobile Communications Best Practices Guide

CISA has released their Mobile Communication Best Practices Guide. The write-up says these practices should be applied to "targeted users", but this list is a good idea for cautious users to consider.

Number eight on the list was a surprise, but after chatting with a colleague it makes sense to consider avoiding personal VPN services that advertise -- and doing business with any VPN service with whom you're unwilling to read the terms and conditions.

https://www.cisa.gov/resources-tools/resources/mobile-communications-best-practice-guidance

-----------
A claim is as good as its veracity.
1 Reply
denbesten
Community Champion


The write-up says these practices should be applied to "targeted users", but this list is a good idea for cautious users to consider.

Completely agree.  We protect all company accounts to a particular baseline using the theory of defense-in-depth.  Most everything on this list belongs in the baseline standard (#7 being the primary outlier -- we only require everything be "eligible for support" throughout the duty cycle).

consider avoiding personal VPN services

As I see it, availability is always harmed. Hairpinning and concentrating traffic at a distant location increases latency and risks throttling, while adding additional failure points (the VPN supplier and their ISP) without removing any (your ISP is still in the mix).

Integrity comes into question because they can adversary-in-the-middle you, since they inline your traffic and by having privileged software on your machine, they can inject their own root certificate, DNS servers, etc.

Confidentiality might be improved, but only if you trust them and their ISP more than your own ISP.  Even without a 'privacy VPN', the trend towards "encrypt everything" means that my ISP knows I used Google, but not what search terms I used.