NSA Guidelines for Working from Home

Better late than never, the National Security Agency (NSA) (yes, them) has released a guideline aimed at US government employees and military personnel, entitled Selecting and Safely Using Collaboration Services for Telework. It aims to help government workers select the proper tools for conducting remote work and communications in light of the current pandemic.
This cybersecurity guideline can also apply to companies and business professionals who want to keep their business information secure, as there are many threat actors out there taking advantage of the current situation. A similar guide, entitled Cybersecurity Recommendations for Federal Agencies When Using Video Conferencing Solutions, was released by the Department of Homeland Security.
So, TL;DR: as the document is about 6 pages long, we'll briefly discuss its contents. The guide lists the collaboration tools currently available commercially, along with an assessment of how each measures up against the NSA's security criteria. It will ultimately be up to your company to choose among these tools, which include Microsoft Teams, Skype for Business, Slack, Zoom and Google G Suite.
Security Criteria When Choosing a Collaboration Tool
- The tool or service should provide end-to-end (E2E) encryption – This means that only the sender and the receiver are able to see the unencrypted content. The message is encrypted when it is sent and decrypted only when it is received, so it is unintelligible along the way and any potential eavesdroppers are none the wiser. For example, customers and banks routinely transmit financial data and credentials; it is these credentials that must be protected by E2E encryption from being intercepted and stolen.
- If the tool or service does feature encryption, the encryption should be strong – whether or not E2E is employed, the NSA recommends the use of strong encryption standards such as TLS. If the provider uses its own proprietary encryption, it should be evaluated and certified by an accredited lab.
- Is multi-factor authentication in use? – the biggest security challenge today is keeping credentials such as usernames and passwords from being leaked, and every now and then news breaks that they have been. The solution is another way to validate one's identity even if the password has been stolen, and that is where multi-factor authentication (MFA) comes in. Criminals may know your credentials, but they don't have your phone, your hardware key or the additional code from a third party that lets them into your account(s). For example, after entering your credentials you receive a prompt or message on your phone, which serves as another key needed to complete the login.
- Can the users control who connects to the collaboration sessions? – the service should not let gatecrashers into your collaboration session; anyone not authorized to join must be unable to eavesdrop on your communication or data exchange, which is enforced by means of strong encryption as well as MFA.
- Does the service privacy policy allow the vendor/provider to share data with third parties? – it's always important for administrators or CIOs to read through their providers' service policies or end-user license agreements (EULAs) to check whether the vendor shares data with third parties. Some providers collect and share telemetry data with others for additional income under the guise of service improvement. Such data include user metadata, the devices used during sessions, session length and even locations, which could be risky for your organization.
- Can users securely delete their data from the service? – also known as the right to be forgotten. Does the service allow the deletion of all data that has ever been transmitted to or stored in it?
- Is the collaboration tool's source code open source? – being open source does not always benefit a platform, especially one as sensitive as a communications and collaboration tool. Such a property allows criminals to reverse-engineer and/or tamper with the code in order to access sensitive information, intercept transmissions and eavesdrop on sensitive communications.
- Has the collaboration service/tool been reviewed and certified by a security-focused, nationally recognized body? – for example the Office of Management and Budget (OMB) FedRAMP program; independent testing labs under the National Information Assurance Partnership (NIAP), which evaluate against the Application Software Protection Profile (PP); and the DHS S&T Mobile Security R&D Program, which checks how apps interact with other platforms, which cryptographic libraries they use, what permissions they request and how they defend against exploits.
- Has the tool/service been developed on foreign soil, under the jurisdiction of laws that can prevent US Government access? – for the sake of confidentiality and national security, it is not recommended that US Government missions be performed on services and tools that can be compelled to provide access and information to the law enforcement of their country of origin.
We hope these NSA guidelines for government employees, whose provisions mostly apply to businesses and other organizations as well, are clear. If you wish to have more detail, you may access the complete document via the link provided above.
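The first two criteria (E2E encryption and strong, standard algorithms) are easier to reason about with a concrete model. The Go program below is an added example written for this summary; it is not code from the NSA guidance or from any of the tools the guide lists. A relay function stands in for the collaboration service, the hop key and the sample message are constructed for the demo, and SHA-256 over the X25519 shared secret stands in for a proper key-derivation function. It shows that with transport-only encryption the service can read every message it forwards, while with end-to-end encryption the service only ever holds ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added example, not from the NSA guidance: relay() stands in for the service.
// Transport-only encryption ends at the relay, which can read the plaintext; E2E
// uses a key the relay never holds. Algorithms are standard: AES-256-GCM, X25519.

// must unwraps (value, error) pairs in the demo flows; seal/open still report errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// gcmFor builds an AES-256-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key and returns nonce||ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

// open reverses seal; it fails on a wrong key or on tampered data.
func open(key, msg []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// e2eKey: X25519 shared secret only the two endpoints can compute; SHA-256 stands in for HKDF.
func e2eKey(priv *ecdh.PrivateKey, peerPub *ecdh.PublicKey) []byte {
	sum := sha256.Sum256(must(priv.ECDH(peerPub)))
	return sum[:]
}

// relay models the service forwarding one message: if its key opens the message it
// reads and records the text and re-encrypts; otherwise it passes ciphertext through.
func relay(serviceKey, msg []byte) (forwarded, saw []byte) {
	pt, err := open(serviceKey, msg)
	if err != nil {
		return msg, nil
	}
	return must(seal(serviceKey, pt)), pt
}

// transportOnly: the sender encrypts to a key the service holds (like a TLS session it terminates).
func transportOnly(plaintext []byte) (received, relaySaw []byte) {
	hopKey := make([]byte, 32) // constructed stand-in for the service's session key
	must(rand.Read(hopKey))
	wire := must(seal(hopKey, plaintext))
	wire, relaySaw = relay(hopKey, wire)
	received = must(open(hopKey, wire))
	return received, relaySaw
}

// endToEnd: the users agree a key over X25519; the service sees only the two public keys.
func endToEnd(plaintext []byte) (received, relaySaw []byte) {
	alice := must(ecdh.X25519().GenerateKey(rand.Reader))
	bob := must(ecdh.X25519().GenerateKey(rand.Reader))
	wire := must(seal(e2eKey(alice, bob.PublicKey()), plaintext))
	seen := sha256.Sum256(append(alice.PublicKey().Bytes(), bob.PublicKey().Bytes()...))
	wire, relaySaw = relay(seen[:], wire) // the service's best guess at a key from what it saw
	received = must(open(e2eKey(bob, alice.PublicKey()), wire))
	return received, relaySaw
}

func main() {
	msg := []byte("Q3 budget figures attached") // constructed sample message
	_, saw := transportOnly(msg)
	got, leaked := endToEnd(msg)
	fmt.Printf("transport-only: service read %q\nend-to-end: service read %q, receiver got %q\n", saw, leaked, got)
}
```

Run it with go run: the transport-only path prints the message exactly as the service saw it, the end-to-end path prints an empty string for the service. That is also why the guide treats TLS as a baseline rather than a substitute for E2E: TLS protects the connection to the provider, and only E2E keeps the provider itself from reading the content.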
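The MFA criterion's "another code" from your phone is, for most authenticator apps, a TOTP code. The Go program below is an added example, not the NSA's code or any vendor's: it implements server-side RFC 6238 TOTP verification (HMAC-SHA1, 30-second steps, 6 digits) using the RFC's published test secret, which is constructed for the demo and never for real use. It shows two details the criterion implies but does not spell out: the comparison is constant-time, and a step that has already been accepted is refused a second time, so a captured code cannot be replayed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// Added example, not from the NSA guidance: server-side verification of the
// time-based one-time code (RFC 6238 TOTP: HMAC-SHA1, 30-second steps, 6 digits)
// that an authenticator app shows as the second factor.

const (
	totpStep   = 30 // seconds per time step
	totpDigits = 6
	totpSkew   = 1 // accept one step either side to absorb clock drift
)

// hotp computes the RFC 4226 one-time password for a counter value.
func hotp(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226 section 5.3)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < totpDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", totpDigits, code%mod)
}

// totpAt returns the code valid at the given Unix time (what the phone displays).
func totpAt(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/totpStep))
}

// verifyTOTP checks a submitted code against the time steps around unix. The
// comparison is constant-time, and any step at or before lastUsed is refused so
// a captured code cannot be replayed; the caller persists the returned step.
func verifyTOTP(secret []byte, submitted string, unix int64, lastUsed uint64) (bool, uint64) {
	if len(submitted) != totpDigits {
		return false, 0
	}
	base := unix / totpStep
	for d := int64(-totpSkew); d <= totpSkew; d++ {
		if base+d < 0 {
			continue
		}
		c := uint64(base + d)
		if c <= lastUsed {
			continue // this step (or an older one) has already been accepted
		}
		if subtle.ConstantTimeCompare([]byte(hotp(secret, c)), []byte(submitted)) == 1 {
			return true, c
		}
	}
	return false, 0
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not for real use
	now := time.Now().Unix()
	code := totpAt(secret, now)
	ok, step := verifyTOTP(secret, code, now, 0)
	fmt.Printf("code %s accepted: %v (step %d)\n", code, ok, step)
}
```

The returned step is what a real service stores per user after a successful login; passing it back as lastUsed on the next attempt is what turns "I know the current code" into "I know the current code and it has not been used yet".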