Updated 24 October 2024: This article, originally published on 22 October, now contains details of the UK government’s Cyber Essentials scheme, as well as new security recommendations issued by the US Cybersecurity and Infrastructure Security Agency.
If you’re a fan of comedy, you may well remember the line from the British sitcom The IT Crowd: “Have you tried turning it off and turning it on again?” But what if the National Security Agency told all smartphone users to do so? And more importantly, if you follow that advice, will you be safe from malware and spyware in 2024 and beyond?
NSA advises iPhone and Android users
The NSA’s first warning was published in the Mobile Device Best Practices Guide in 2020. If you have trouble opening a PDF document from the previous link, there is another route to the same document, via the NSA press room, that requires a few more clicks. As smartphones, running on all operating system platforms, become increasingly common targets for threat actors of all kinds, the NSA says, “Many of the features offer convenience and functionality, but do not come at the expense of security,” and attempted to identify simple, if not the safest, procedures by which technology users can better protect their devices and the data stored on them. Earlier this year, I reported on the NSA’s recommendations, and that article continues to generate countless responses to this day. Security experts and smartphone users have thanked us for drawing attention to this warning, while some have scolded me for not detailing what a reboot won’t protect people from. Of course, all these opinions are valid, and this article is written in the hope of providing further clarification.
First of all, I have nothing but praise for the documents released by the NSA. The advice is not only sensible, but presented in a way that is clear for all audiences. The NSA takes a pictorial approach and uses an icon-based warning system to tell readers what to avoid, what to disable, what to do, and what not to do. The to-do list includes the use of strong PINs and passwords, biometric locks, and regular software updates. Advice on what not to do includes rooting or jailbreaking your phone, clicking on unknown links or opening unknown attachments. But what intrigued me the most was the disable icon, especially the advice to disable the power by turning the device off and on again every week.
The second page of the infographic-heavy advice document took a more tabular approach to telling smartphone users what they should do when it comes to threat mitigation. This time, the iconography was divided between “sometimes prevents” and “almost always prevents”. Regularly restarting your phone is recommended because it may prevent spear phishing (installing malware) and zero-click exploits. So this was never a silver-bullet solution or a one-size-fits-all security panacea.
Do iPhone and Android users need to restart their smartphones regularly in 2024?
The short answer to whether you’ll need to restart your smartphone every week in 2024 is no. But “need” does a lot of the heavy lifting in that question. From a security perspective, a reboot eliminates the threat of non-persistent malware, that is, a threat that cannot survive a reboot. I know it’s obvious, but I’ll say it. There are many types of malware that fall into this category, and not all of them come from the least advanced or sophisticated attackers.
At a time when spyware was making headlines for good reason, with nations using sophisticated software such as Pegasus to infect both Android and iPhone devices, it was reported that persistence had become difficult enough for spyware that it now relies on a binary payload that can exploit the device again after a reboot. Relying on malware that stays in memory rather than being written to permanent storage is another way to avoid leaving behind evidence of surveillance during such advanced attacks.
“As long as people regularly update their devices when new versions of operating systems are released, their devices will stay healthy and protected,” said Jake Moore, Global Cybersecurity Evangelist at ESET. However, he recommends restarting your phone periodically for battery reasons rather than security.
Moore is right: A quick restart can often resolve performance or connectivity issues. However, the security reasons for rebooting are not completely ignored. “Zero-click malware is a recurring problem in both Apple and Android operating systems,” Moore said. “However, it is usually quickly identified and addressed. Once detected, patches are developed and new updates are released to mitigate the threat.”
There is no definitive answer regarding the NSA warning and its reboot advice, but in my humble opinion, erring on the side of caution should never be underestimated. Stack Exchange has an interesting discussion that sums things up pretty well. The long answer is that it depends on what your handheld has done since the last reboot, and the short answer is that, on average, reboots reduce vulnerabilities. There are few, if any, downsides to rebooting, so why not reboot regularly? I’m on the NSA’s side on this one.
U.S. Cybersecurity and Infrastructure Security Agency proposes new security requirements – iPhone and Android users should pay attention
As reported by Bleeping Computer, the U.S. Cybersecurity and Infrastructure Security Agency has announced a series of new security proposals aimed at protecting personal data and government information from adversaries. The list of proposed security requirements is directly targeted at government agencies that move large amounts of sensitive data, particularly those where the information may be disclosed to persons or countries of concern. This most often means someone who engages in cyber espionage against the United States or has a history of state sponsorship of advanced persistent threat actors. CISA recommends that organizations have “the technical capacity and sufficient governance structures to ensure that targeted data-level security requirements are appropriately selected, appropriately implemented, and continue to be enforced in a manner that addresses identified risks,” and said it is evaluating implementation of the requirements as necessary to verify that they are in place for restricted transactions regulated by the Department of Justice. At the same time, it noted that specific requirements may vary depending on the type of transaction.
Things like maintaining an up-to-date asset inventory of hardware and an accurate network topology are beyond the purview of most individuals, no matter how sensible they may be. But it would be foolish to focus only on what you cannot use from a very sound list of recommendations.
The complete list of security requirements proposed by CISA is available as a PDF document and is highly recommended as a must-read for organizations looking to strengthen their security posture.
“For America’s cybersecurity efforts, these requirements represent an important step in protecting the nation’s infrastructure from evolving threats,” said Dr. Mark Manzano, General Manager of Cybersecurity at SandboxAQ. “Focused on protecting sensitive information, these new guidelines provide the opportunity for a modern cryptography management system that enables discovery, observability, granular control, and protection of assets.” Deploying such solutions will help strengthen government encryption frameworks, ensure compliance, and protect data from future encryption threats, Manzano concluded.
Although this proposal is aimed first and foremost at federal agencies, that doesn’t mean the proposed advice has no impact on the rest of us. In fact, some of the suggested steps should be etched on the smartphone screen of every iPhone and Android user. For example: update your devices to fix known vulnerabilities as soon as possible, use two-factor authentication on all available accounts, and make sure your passwords are at least 16 characters long.
UK Government’s Cyber Essentials scheme brings better security to businesses
The UK Government has published a new research paper that takes a closer look at the impact of the Cyber Essentials scheme on improving the cybersecurity of participating businesses and organizations. The Cyber Essentials scheme is a set of standards and technical controls that organizations of virtually every size and sector should consider essential in their efforts to protect themselves and their users from the most common online security threats. As with any advice like this, we cannot claim that the scheme provides a security panacea, but official UK government statistics show that organizations that have implemented Cyber Essentials scheme controls make 92% fewer insurance claims for cyberattacks than those that have not.
“This evaluation clearly shows that Cyber Essentials provides significant security benefits to organizations,” said William Wright, CEO of Closed Door Security. “We feel prepared and confident in dealing with high- and everyday cyber-attacks” with the controls they introduced. What has become clear, says Wright, is that organizations feel more confident when entering into business partnerships with suppliers who are certified by Cyber Essentials, so the certification process is used in practice to support third-party and supply chain resiliency.
But just as the NSA advised smartphone users to turn off their phones and turn them on again, a single piece of advice is never enough to provide more than surface-level protection. As mentioned earlier in this article, the only way to improve security is a multi-layered approach, and that applies just as much, if not more, to businesses as it does to individuals. Survey data reveals that 53% of respondents use Cyber Essentials as their only form of external assurance for cybersecurity. “If these organizations are certified with only the basic version of certification, this is not enough to protect their systems from many of the attacks we are seeing today,” Wright warns.
Mr. Wright is right, if you’ll pardon the joke. The Cyber Essentials certification itself takes the form of a self-assessment questionnaire and is examined by a Cyber Essentials evaluator. There is no physical verification of the answers, and therefore no physical verification that the claimed controls are in place. I’m not saying that some organizations will lie to get certifications that provide business benefits, but I do. However, there is little to ensure that these controls are deployed correctly. This basic version of the Cyber Essentials certification “is not sufficient to defend against today’s advanced attacks,” Wright concludes. “Organizations should strive to achieve Cyber Essentials Plus certification, but this should be combined with other principles such as NIST, CIS controls, and ISO27001 to defend against real-world attacks and improve cyber resilience.”