klotz: cisa*

  1. **General Security Practices (Apply to All Users):**

    * **Use End-to-End Encryption:** Adopt a secure messaging app like Signal (compatible with iOS & Android).
    * **Secure Messaging App Hygiene:**
        * Be wary of social engineering attempts (account compromise scams).
        * Verify group invitations through separate channels.
        * Be suspicious of unexpected security alerts *within* the app.
        * Enable message expiration features (check organizational policies first).
        * Regularly review and remove unintended linked devices.
    * **Enable FIDO Authentication:** Use phishing-resistant MFA (hardware keys like Yubico/Google Titan preferred, passkeys acceptable) for valuable accounts (email, social media, etc.). Disable less secure MFA methods after enabling FIDO.
    * **Migrate Away from SMS MFA:** Do *not* use SMS for two-factor authentication. Use authenticator apps (Google Authenticator, Microsoft Authenticator, Authy) as a better alternative, but FIDO is strongest. Disable SMS after enabling an authenticator app.
    * **Use a Password Manager:** Store all passwords in a password manager (Apple Passwords, LastPass, 1Password, etc.). Use a strong passphrase to protect the vault. Regularly update passwords with the manager.
    * **Set a Telco PIN:** Add a PIN/passcode to your mobile account with your provider to prevent SIM-swapping. Also, change your mobile account password.
    * **Regularly Update Software:** Update operating systems and apps weekly; enable auto-updates.
    * **Upgrade Hardware:** Use the latest hardware version from your phone manufacturer for optimal security features.
    * **Avoid Personal VPNs:** They can increase the attack surface. Use organization-provided VPNs if required.

    **iPhone-Specific:**

    * **Enable Lockdown Mode:** Reduces the attack surface.
    * **Disable "Send as Text Message":** Ensures iMessage (end-to-end encrypted) is used when available.
    * **Protect DNS Queries:** Use Apple iCloud Private Relay or encrypted DNS services (Cloudflare, Google, Quad9).
    * **Enroll in iCloud Private Relay:** Enhances privacy and security for Safari browsing.
    * **Review App Permissions:** Restrict access to sensitive data (location, camera, microphone).

    **Android-Specific:**

    * **Prioritize Secure Manufacturers:** Choose Android phones from manufacturers with strong security track records and long-term update commitments (check Android Enterprise Recommended).
    * **Use RCS with Encryption:** Only use RCS (Rich Communication Services) if end-to-end encryption is enabled (Google Messages).
    * **Configure Android Private DNS:** Use a trusted DNS resolver (Cloudflare, Google, Quad9).
    * **Enable Secure Connections in Chrome:** Ensure all website connections default to HTTPS.
    * **Enable Enhanced Protection in Chrome:** Provides an extra layer of protection against malicious websites.
    * **Enable Google Play Protect:** Regularly review app scans for threats. Be cautious with third-party app stores.
    * **Review App Permissions:** Restrict access to sensitive data.
    2025-11-27 by klotz
  2. Two top CISA officials, Bob Lord and Lauren Zabierek, have resigned citing their work on the Secure by Design program, coinciding with White House cuts and a potential shift in the program’s direction. The agency faces significant budget cuts and staff reductions.
  3. The US government initially ended funding for the Common Vulnerabilities and Exposures (CVE) database. However, funding has been restored through the CVE Foundation and CISA. This article covers CVE from the perspective of effects on Android alone.
  4. In the wake of the Salt Typhoon hacks, US government agencies have reversed course on encryption, urging the use of end-to-end encryption after decades of advocating against it. This is a major turnaround from their previous demands for law enforcement backdoors.
  5. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is proposing security measures to prevent adversary states from accessing Americans' personal data and government-related information, aimed at entities handling sensitive data exposed to 'countries of concern.'

    # Proposed Security Measures

    | **Category** | **Requirements** |
    |-------------------------------|---|
    | **Asset Inventory** | Maintain and update monthly with IP addresses and hardware MAC addresses. |
    | **Vulnerability Remediation** | Remediate known exploited vulnerabilities within 14 days, critical vulnerabilities within 15 days, high-severity flaws within 30 days. |
    | **Network Topology** | Maintain an accurate network topology for incident identification and response. |
    | **Authentication** | Enforce MFA on all critical systems, require 16+ character passwords, revoke access immediately upon employment termination or role change. |
    | **Unauthorized Hardware** | Prevent unauthorized hardware (e.g., USB devices) from being connected to covered systems. |
    | **Logging** | Collect logs on access and security-related events (IDS/IPS, firewall, data loss prevention, VPN, login events). |
    | **Data Management** | Reduce or mask data to prevent unauthorized access or linkability, apply encryption to protect covered data during restricted transactions. |
    | **Encryption Key Storage** | Do not store encryption keys along with covered data or in countries of concern. |
    | **Data Protection Techniques** | Apply techniques such as homomorphic encryption or differential privacy to prevent reconstruction of sensitive data from processed data. |
    2024-10-23 by klotz
