Authenticity in an Opaque Cyber-Enabled Ecosystem
We are a trusting sort of folk, aren’t we? Business owners, managers, and staff in organizations large and small interact with all manner of product and service purveyors. You get a phone call from someone offering a service you are really interested in. The phone number says New York, so that must be ok. “Hi, I’m [trustworthy sounding name] from [trustworthy sounding company – with a neat website]. I’d like to help you meet your cybersecurity goals and I guarantee that if you follow our advice, your company will be safe from hackers.” Wow! That is exactly what we need, but I’m no slouch. I can see the phone number is U.S.-based and I can check their webpage, which looks legit. I think that maybe they can help. We get a demo, exchange some emails, and…
Even at home – “hey, this email says I can get [insert desirable commodity here] for 50% off” – click. Mayhem ensues…
Do You Know Who You’re Doing Business With?
The veritable explosion of teleworking, remote-work, and work-from-home situations, due to everything from the pandemic to (like me) simply being tired of the commute, abstracts identity authenticity further; trust has become, or should be considered, very tenuous. Heck, I am not even a fan of online-collaboration applications, aside from the audio and screen sharing benefits. This means I very rarely allow my webcam to be active, so colleagues and other business representatives rarely see my visage.
A fellow cybersecurity professional wrote a great article on LinkedIn that describes the tenuousness of our trust, specifically relating to the U.S. Defense Industrial Base (DIB): https://www.linkedin.com/pulse/confidential-uncontrolled-information-leaks-dfar-7012-james-newman/
I wrote similarly about email security over a year ago, for our blog: https://assuredbridge.com/blog/email-security-and-nist-sp-800-171-compliance/
The Need for Verified Authenticity is Growing
We need to engage external people, services, and companies; we need to be able to trust they are who they say, and they us. But, even today, we seem to think an exchange of email is good enough to establish a customer-provider relationship.
A company I work with has a business relationship with another company that provides secure messaging and file storage services – an extremely valuable and well-implemented service. Yet, when receiving an email from their representatives, I’ve not yet seen a digital signing certificate in a single one. What the heck? These folks inherently know the value of identity validation and… nothing.
Fact – Ransomware is a type of invasive and crippling malware most often delivered by email. The email is crafted to look like something of interest, or something trustworthy, to the intended recipient(s). Once it is interacted with, the resulting malware can wreak havoc on an organization, bringing business to a halt, sometimes permanently.
What is a Digital Signing Certificate for email?
Fundamentally, an email digital signature is a value computed over the message using the sender’s private key. The recipient checks it with the public key in the sender’s certificate, which a certification authority (CA) has bound to the sender’s email address (and, for higher-assurance certificates, to a verified person or organization). A valid signature therefore backs two claims: the message came from the holder of that key, and the contents have not been altered since they were signed. What it does not do is tell you the content is safe, and it is only as trustworthy as the CA that issued the certificate and the care the sender takes with the private key. What’s wrong with that? For the most part, nothing at all. In fact, the U.S. Government often requires its use. Why don’t you?
True – getting and using valid digital certificates for email requires adaptations to business processes.
The Easy Button… sort of
What if you could put a business process in place that sharply reduced the risk of a phishing email leading to a malware or ransomware infection of your business network?
Here it is: sign all outgoing email with a valid email digital certificate, and do not open any email that does not carry a valid signature. Period. One caveat before moving on: “valid” must mean the certificate was issued by a CA you trust, for the address in the From line, and the signature checks out over the message exactly as you received it. A signature proves which key signed the message, not that the content is safe, so a compromised mailbox, or a look-alike domain with its own low-assurance certificate, can still deliver signed phishing. On to the next risk mitigation.
True – Adopting and using valid email digital certificates can reduce cyber-risk to your business.
Fact – An Email Digital Certificate is also referred to as an S/MIME Certificate: https://en.wikipedia.org/wiki/S/MIME
We have Addressed and Overcome Similar Problems in the Past
Remember the media push for “that little lock symbol next to the website address”? Goodness, how long ago was that? The situation was this: if you entered personal information, especially financial information, into a website that did not encrypt the connection, your information could be intercepted, stolen, and turned into catastrophic financial loss. So there was a huge, successful push for companies to secure their websites with HTTPS and for consumers to look for the padlock before entering information. And largely, that worked! Granted, the bad guys continue to find other nefarious ways of making digital life difficult…
A Digital Email Certificate for You, or Better Yet, for your Business
Note: There are different types, or levels, of S/MIME digital certificates. At the lowest level the CA confirms only that the applicant controls the email address that will appear in the certificate (typically by sending a confirmation message to that mailbox); nothing about the person or company behind it is checked. Higher-level certificates require identity or business validation documentation, so they vouch for who the sender is and not merely which mailbox they control, and are correspondingly more trustworthy.
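To make the mechanics above concrete, here is an added example that is not part of the original post and not any vendor’s product. It is written in Go against the standard library only, and it models the checks an S/MIME-capable mail client performs rather than the S/MIME (CMS) wire format itself: a locally constructed CA issues a certificate bound to one mailbox, the sender signs the message with the matching private key, and the recipient accepts the mail only if the certificate chains to a CA in the trust store and is meant for email, the signature covers the content exactly as received, and the address the CA validated equals the From line. The CA names, mailboxes and message bodies are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Identity struct{ Key *ecdsa.PrivateKey; Cert *x509.Certificate } // a private key and the certificate naming its owner

// SignedMail is what a verifier receives; S/MIME carries the signer's certificate inside the signature blob.
type SignedMail struct {
	From, Body string
	Cert       *x509.Certificate
	Signature  []byte
}

// canonical fixes the exact bytes that are signed, so a change to sender or body is detectable.
func canonical(from, body string) []byte { return []byte("From: " + from + "\r\n\r\n" + body) }

// issue generates a key pair and a certificate from tmpl, signed by parent (self-signed when parent is nil).
func issue(tmpl *x509.Certificate, parent *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // constructed; real CAs use large random serials
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent = &Identity{Key: key, Cert: tmpl}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Identity{Key: key, Cert: cert}, err
}

// NewCA builds a self-signed issuing CA; in practice a public or DoD-approved CA plays this role.
func NewCA(name string) (*Identity, error) {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	return issue(tmpl, nil)
}

// IssueMailboxCert models a mailbox-validated certificate: the CA vouches only for control of this address.
func IssueMailboxCert(ca *Identity, email string) (*Identity, error) {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: email}, EmailAddresses: []string{email},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	return issue(tmpl, ca)
}

// Sign hashes the canonical content and signs the digest with the sender's private key.
func Sign(id *Identity, from, body string) (*SignedMail, error) {
	digest := sha256.Sum256(canonical(from, body))
	sig, err := ecdsa.SignASN1(rand.Reader, id.Key, digest[:])
	return &SignedMail{From: from, Body: body, Cert: id.Cert, Signature: sig}, err
}

// Verify is the check behind "only open mail signed with a valid certificate": a certificate chaining to a trusted
// CA and meant for email, a signature covering the content actually received, and a validated mailbox equal to From.
func Verify(m *SignedMail, roots *x509.CertPool) error {
	if _, err := m.Cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if err := m.Cert.CheckSignature(x509.ECDSAWithSHA256, canonical(m.From, m.Body), m.Signature); err != nil {
		return fmt.Errorf("content altered after signing: %w", err)
	}
	for _, e := range m.Cert.EmailAddresses {
		if e == m.From {
			return nil
		}
	}
	return fmt.Errorf("certificate is for %v, not for %s", m.Cert.EmailAddresses, m.From)
}

func main() {
	trusted, _ := NewCA("Example Trusted CA")
	rogue, _ := NewCA("Attacker CA") // anyone can mint a CA; what matters is whether you trust it
	alice, _ := IssueMailboxCert(trusted, "alice@example.com")
	mallory, _ := IssueMailboxCert(rogue, "alice@example.com")
	roots := x509.NewCertPool()
	roots.AddCert(trusted.Cert)
	good, _ := Sign(alice, "alice@example.com", "Invoice attached, please review.")
	tampered := *good
	tampered.Body += " Wire payment to the new account." // genuine signature, edited body
	spoofed, _ := Sign(alice, "ceo@example.com", "Urgent: buy gift cards.") // Alice's key, someone else's From
	forged, _ := Sign(mallory, "alice@example.com", "Trust me.")             // right address, untrusted issuer
	for _, m := range []*SignedMail{good, &tampered, spoofed, forged} {
		fmt.Printf("%-18s %v\n", m.From, Verify(m, roots))
	}
}
```

Running it prints one verdict per message: the genuine mail verifies, the edited body fails the signature check, Alice’s key paired with a CEO From address fails the mailbox check, and a certificate for the right address from a CA outside the trust store fails the chain check. That last case is the practical meaning of “valid certificate” in the policy above: anyone can create a certificate, so the protection is only as good as the list of issuers you decide to trust.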
The U.S. Government also sponsors a digital certificate program known as ECA, the External Certification Authority program. The ECA program provides for DoD-approved certificates to be issued to organizations in the United States Defense Industrial Base (DIB). While not [yet] required under the Cybersecurity Maturity Model Certification (CMMC) program, nor NIST SP 800-171, using ECA digital certificates may help meet your cybersecurity and controlled unclassified information (CUI) protection requirements.
At Assured Bridge, our cybersecurity experts understand both the complexities of your compliance challenges and potential solutions to address them. Whether you’re preparing for your CMMC assessment, implementing NIST SP 800-171 Controls, or just beginning your cybersecurity and compliance journey, we’re here to help. Give us a call or send a [signed?] email.