The Cybersecurity and Infrastructure Security Agency (CISA) has called on senior officials and public figures to transition to secure, encrypted messaging applications like Signal. This recommendation comes in response to widespread telecommunication breaches across multiple countries, including significant incidents in the United States.
What Prompted CISA’s Recommendation?
In late October, CISA and the FBI confirmed that a series of cyberattacks, attributed to the China-backed threat group “Salt Typhoon,” targeted U.S. telecom providers such as T-Mobile, AT&T, Verizon, and Lumen Technologies. These breaches allowed attackers to access sensitive data for months, exposing critical vulnerabilities in existing systems.
Although the guidance specifically targets individuals with access to sensitive government information, the measures proposed by CISA are practical for anyone seeking to protect their personal data and communications.
Why is Encrypted Messaging Crucial?
CISA warns that mobile device communications are vulnerable to interception or manipulation, especially for individuals in high-risk positions. To counter these threats, CISA highlights Signal as a secure alternative for encrypted communication across mobile and desktop platforms, including iOS, Android, macOS, Windows, and Linux.
What Authentication Measures Did CISA Recommend?
CISA underscores the importance of phishing-resistant multi-factor authentication (MFA), particularly using FIDO-compliant hardware security keys, such as Yubico or Google Titan. These keys enhance account security for platforms like Microsoft, Apple, and Google.
For additional security, CISA suggests enabling advanced protection features like:
- Google’s Advanced Protection Program (APP)
- Apple’s Lockdown Mode
These options safeguard accounts from phishing attacks and unauthorized access.
What Else Did CISA Advise?
- Avoid SMS-Based MFA
SMS-based MFA is susceptible to attacks like SIM swapping. Instead, use a hardware-based or app-based MFA solution. - Adopt Password Managers
Password managers generate and securely store complex passwords, reducing the risks associated with password reuse and weak credentials. - Set PINs or Telecom Passwords
Protect sensitive telecom operations, such as number porting, with PINs or dedicated passwords to prevent SIM-swapping attacks. - Regularly Update Software
Keeping devices and software up-to-date helps address newly discovered vulnerabilities. - Upgrade Hardware
Transition to the latest available hardware to benefit from modern security features unavailable on older devices. - Avoid Commercial VPNs
Many commercial VPNs lack robust security and privacy policies, potentially expanding attack surfaces rather than reducing them.
Why Does This Matter for Organizations?
While the guidance primarily targets public officials, it’s also applicable to organizations aiming to protect sensitive data and mitigate risks from advanced persistent threats (APTs). Adopting robust security measures such as passwordless authentication with FIDO passkeys can significantly reduce vulnerability to breaches.
How Can Secfense Help?
Secfense specializes in delivering passwordless authentication using FIDO standards and passkeys. Without requiring changes to your existing infrastructure, Secfense simplifies the integration of phishing-resistant MFA and ensures compliance with frameworks like DORA, NIS2 GDPR or CCPA.
Get in Touch
Learn how Secfense can enhance your organization’s cybersecurity. Contact a Secfense expert.
Learn More
Watch our webinar on modern passwordless solutions to explore how FIDO and passkeys are revolutionizing security.
