You have already committed to using encryption to protect your emergency and tactical communication. There’s just one problem. Do you have any idea whether your encryption systems and practices will stand up to attack? Don’t wait for the next battle to find the answer. Instead, use these three techniques to kick the tires on your encryption processes.
Why This Matters
Putting your encryption capabilities to the test is essential for three reasons. These systems are a critical support to operations – if they fail, operations will slow down, and you may lose your advantage. Strong encryption is also essential to your organization’s professional credibility with allies and coalition partners. If you suffer breakdowns in encryption, your allies may pull back on their willingness to share and cooperate with you. Finally, encryption is rarely tested directly during exercises and training missions. For all of these reasons, you need to make encryption testing a priority.
You also need to stay informed about emerging threats. According to the Canadian Centre for Cyber Security, “A threat actor could collect encrypted sensitive information today, and hold onto it to decrypt it when quantum computing matures in 10 to 20 years.” That’s why keeping up with basic encryption practices is not good enough. You need to take additional steps to protect data and discover your vulnerabilities proactively.
1) Put Your Encryption Technology Under Pressure
Put on your ethical hacker hat for a day and look for ways to break through your organization’s encryption. The exact details of this technology test will vary depending on your infrastructure. As a starting point, use the following techniques to protect encryption systems and the technologies that support them.
Check for default settings.
Breaking into a system is much easier when the default settings are left in place. The worst example of this weakness is the use of default passwords like “admin.” However, that is just one example. You will also want to check to see whether encryption is turned on for each of your systems. For example, half of consumers are unaware of how to change router security settings to improve security. Public safety and military organizations will likely have a higher baseline level of security discipline, but this area is still important to check.
Check for inactive user accounts.
Inactive user accounts raise the probability of a security incident. If those credentials fall into the wrong hands, an attack may come right through your defenses. To reduce this risk, review your user accounts and remove the inactive ones. At the very least, develop a process to quickly remove access when staff leave a department or depart from the organization.
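One way to run the account review described above, as an added example that is not part of the original article: it reads an account export and a list of departed staff, then flags enabled accounts that belong to leavers, have never been used, or have been idle too long. The CSV column names, the sample data, and the 90-day idle threshold are all assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; the column names are assumptions, not a real product's format.
ACCOUNTS_CSV = """username,last_login,enabled
alice,2024-05-28,true
bob,2023-11-02,true
carol,,true
dave,2024-05-30,true
erin,2023-01-15,false
"""

# Constructed list of staff who have left the department or organization.
DEPARTED = {"dave"}


def review_accounts(accounts_csv, departed, as_of, max_idle_days=90):
    """Return (username, reason) pairs for enabled accounts that need action."""
    cutoff = as_of - timedelta(days=max_idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing left to revoke
        user = row["username"].strip()
        last_login = row["last_login"].strip()
        if user in departed:
            # Leavers are flagged first, even if the account was used recently.
            findings.append((user, "departed"))
        elif not last_login:
            # Provisioned but never used: often a forgotten or default account.
            findings.append((user, "never-logged-in"))
        elif datetime.strptime(last_login, "%Y-%m-%d") < cutoff:
            findings.append((user, "inactive"))
    return findings


if __name__ == "__main__":
    for user, reason in review_accounts(ACCOUNTS_CSV, DEPARTED, datetime(2024, 6, 1)):
        print(f"{user}: {reason}")
```

Note that a recent login does not clear a leaver's account: an enabled account with fresh activity after the owner's departure is the case that most needs follow-up.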
Evaluate how encryption instructions and supporting materials are protected.
To evaluate the quality of encryption protection in place, it is useful to compare your organization to a widely used benchmark like NIST’s FIPS 140. The standard provides for four levels of security, depending on the information involved. There’s just one problem. Supporting information may not be protected as well. For example, if your organization has a technical procedure or training documentation explaining how your encryption works, that information needs to be protected as well.
Review assessments and reports from third parties.
If you have hired a third-party consultant to carry out analysis, audits, penetration testing, or other reviews, analyze their recommendations. Unfortunately, many organizations pay for expert analysis and then do nothing with the recommendations. That’s an easy mistake to avoid.
Industry security research reveals that people continue to be the most significant security vulnerability. A 2014 report from IBM found that 95% of security incidents involve human error. That tells us that you need to improve your encryption processes for your people. Find out whether your people have good encryption habits and skills by using these questions.
Look for “SPOK” Vulnerabilities For Encryption
In IT, SPOK stands for “Single Point of Knowledge.” Whenever you have a SPOK in a team, that means you may lose a critical skillset if that person is sick or leaves the department. In a tactical situation, you might have one communication specialist who knows your encryption inside out. What if that person becomes incapacitated? You may lose your ability to communicate securely.
Encryption and Performance Management
In tactical operations, it is natural to focus on the result. Did you save the hostage? Or reach the mission objective on time? These measures of success matter and rightly deserve to be your focus. However, the way you achieve success also matters. If your people start to cut corners with communications security, you stand a higher chance of failure in the future. Therefore, we suggest testing whether you are properly assessing and rewarding people for using good encryption practices at all times.
Review Your Encryption Training
Ideally, you will need to provide two different types of training. First, offer in-depth training to communications and security specialists by offering certifications (e.g., certified ethical hacker or an ISACA certification). Second, provide end-user training broadly to your staff regularly. As you discover new vulnerabilities or poor practices (e.g., using personal cell phones to discuss tactical matters), you can address these gaps through better training.
3) Test Your Mobile Communications For Encryption
Some communication systems are easier to protect than others. At headquarters, you have landlines that are relatively easy to defend. You can also use physical security measures to augment your encryption measures. In the field, you face much more significant threats to communication security. That’s why we recommend testing mobile communications intensely.
Use these techniques to put your mobile encryption to the test.
Automated Vs. Manual Encryption.
Using code words and codebooks still has a place in communications. However, these measures are best seen as a secondary measure. If you rely exclusively on manual codes rather than secure systems, your mobile communications are under threat.
Test Systems Against Known Security Flaws.
In 2018, researchers published a method to successfully break security on an LTE network. Specifically, they found that weaker mobile networks may be successfully attacked: “ciphertext-only attacks enable an attacker to break standard algorithms like A5/1 and A5/2 within a few minutes.” If these networks are ever used, even as a backup option, your organization’s security may suffer significantly.
How To Respond to Encryption Problems
Since security threats are continually evolving, you are bound to find weaknesses in your encryption by using these tests. Armed with that knowledge, you can develop short term and long term improvements. In the short term, providing better training to your people on encryption will go a long way. In the long term, you also need to equip them with better tools.