It is CMTC policy to not recommend products and/or services. The products/services that may be mentioned are simply used as examples.
The Zero-Clear initiative is to aid small to medium manufacturers in encrypting everything, whether it be at rest, in transit, or in use. There is no warranty of any kind with this advisement. Due diligence and care are required to fully understand your individual target security posture, and the completeness of execution relating to the same.
This page is meant to have the feel of informality, similar to the CMTC Cybersecurity Fireside Chats. There are plenty of serious things out there and the guidance contained in Zero-Clear is indeed serious, but the Level 3 delivery doesn’t have to be.
Zero-Clear Tier 3 (of 3): Very small impact on an organization implementing at this level, but potentially significant increases in security posture, depending on the organization's current posture. Solutions are geared toward being implemented in short order, often the same day, by an implementer with a skill set similar to A+, N+, S+, or similar.
Technical Vectors to consider:
- Data in Motion:
- Trusted Infrastructure
- Firewall – Use a firewall that is able to be patched! SoHo firewalls are often cheap, and their version of security is to offer a password while providing limited update support. pfSense and OPNsense are GREAT, FREE options that use few resources and can be deployed on just about any old PC you may have sitting around. These are GREAT tools, and OPNsense has been endorsed by the Secure Unix Foundation.
- Switching – While switching is often protected by the perimeter firewall, patching is a MUST. SMEs often gravitate to vendors such as Ubiquiti, Netgear, and others; just make sure the device has good support!
- Wireless – Ubiquiti seems to be the choice for SMEs for wireless access points, but do understand that while they do a good job for functionality and support WPA 2 and 3, both personal and Enterprise (RADIUS), they DO NOT support FIPS validated cryptography. Known FIPS validated suppliers include Cisco/Aironet and HP/Aruba but be sure to verify that the model you are purchasing and/or using has this capability if you are compelled to follow the DFARS 252.204.7012 and/or are ramping up for CMMC.
- Email – Encrypt both internal and external email while in transit. Encrypt the information in the mail database and wherever else it's stored. Email should always be digitally signed.
- Text – Never use SMS. Always use end-to-end encrypted messaging, such as Signal, Wickr, or Telegram. DO NOT use messenger apps by Meta (Facebook), WhatsApp, Google, Instagram, We-Chat, and others.
- Voice – Use end-to-end encrypted voice communication such as those provided by Signal, Wickr, and Telegram. DO NOT use POTS, Unencrypted VoIP, Carrier based (Verizon, AT&T, T-Mobile, etc.) or any of the messengers by big companies such as Meta (Facebook), We-Chat, Google, Instagram, etc.
- Web – There should never be organizationally sensitive information put on an anonymous access, or untrusted portal. It is advised to NEVER use cloud hosted platforms when sensitive information is involved. Data in motion should always be encrypted using a properly installed certificate, leveraging Transport Layer Security (TLS) 1.3 or greater.
- DNS – The Domain Name System is responsible for translating Fully Qualified Domain Names (FQDN) or Relative Domain Names (RDN) into an IP address, typically one routable on the global Internet. If those lookups are intercepted, they give an attacker insight into the technologies, platforms, and applications your organization uses (think windowsupdate.windows.com), and that information can be used to help structure an attack against you.
- Security-centric external DNS – There are several flavors of “Secure DNS” including DNSSEC, Secure DNS, TLS 1.3 encrypted DNS, and others at the time of this writing. Pick one that you can implement and DO IT ASAP!
- Risk Remediated DNS – Cloudflare, OpenDNS, and Quad9 are good choices depending on your needs. If an address has ever been associated with malware or other malicious activity, these DNS providers will not allow you and your users to go there. That is great protection and literally takes seconds to implement.
- Pi-Hole or other holistic ad-blockers – Pi-Hole is a DNS sinkhole that specifically blocks ad-serving domains, which has the side benefit of blocking much of the tracking of you and your users. While we do not endorse products, Pi-Hole is free, runs on Linux and other OSs, is reasonably easy for a novice to install, is generally stable, and is light enough for enterprise use with minimal resources. The process isn't the most straightforward because it runs on Linux, and many Windows users aren't that adept with it, so a high-level install process is listed below. Virtualization is your friend. 🙂
- Step 1: Download and install the latest DESKTOP Ubuntu Long Term Support (LTS) release. Desktop gives you a GUI, which, if you're following these instructions, you'll probably want; Server only gives you a command line. Set a static IP address, subnet mask, gateway, and DNS server of your choosing.
- Step 2: Install cURL.
- sudo apt update
- sudo apt upgrade
- sudo apt install curl
- Step 3: Install Pi-Hole.
- curl -sSL https://install.pi-hole.net | bash
- The defaults are usually ok, so just go through the install wizard, with the exception of the upstream DNS forwarder, which defaults to Google. We advise choosing anything BUT Google for privacy; OpenDNS is often a good choice.
- Take a cell phone picture of the final screen that includes the password. If you don't, it's ok; just change it using the next step, which is recommended anyway.
- Step 4: Change the Pi-Hole password to something you know for your own sanity
- pihole -a -p
- There will be no confirmation; it'll simply change the password, and if you need to do it again, just repeat this step.
- Step 5: Change the DNS server of the Ubuntu install to ITS OWN STATIC IP ADDRESS that you entered in step 1 above. This will now give the Ubuntu device the protection of Pi-Hole.
- Step 6: Change the DHCP settings of your DHCP server to use the IP address from Step 1 as the DNS Server for your network. This may be done on your router or whatever device is providing DHCP services on your network.
- Step 7 (CMMC and DFARS requirement, and good practice for others): Modify your firewall to allow the Ubuntu/Pi-Hole host to reach the EXTERNAL DNS forwarders you chose during setup. The defaults at the time of this posting are the OpenDNS servers, 208.67.222.222 and 208.67.220.220. Next, block all other clients on your network from using TCP/UDP 53 to get outside your network. If you are using the CMTC Security Reference Architecture, please contact your CMTC Cyberteam SME. If you don't have one and still need additional assistance, please contact CMTC to discuss a Professional Services engagement with the CMTC Cyberteam.
- Remember- all the above IS NOT a recommendation for a product, but rather a possible solution of this security use case. There are other solutions that you may want to consider before making a choice.
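As an added illustration of Step 7 (not CMTC's code), the shell function below emits an nftables ruleset that lets only the Pi-Hole host reach its upstream forwarders on port 53 and drops every other LAN client's outbound DNS. The Pi-Hole address and LAN interface name are assumed placeholders; the forwarders are the OpenDNS defaults named in the text.

```shell
#!/bin/sh
# Added example, not from the Zero-Clear page: generate the "only Pi-Hole
# may talk to external DNS" policy from Step 7 as an nftables ruleset.
PIHOLE_IP="${PIHOLE_IP:-192.168.1.53}"                     # static IP from Step 1 (assumed)
FORWARDERS="${FORWARDERS:-208.67.222.222 208.67.220.220}"  # OpenDNS defaults named in the text
LAN_IF="${LAN_IF:-eth1}"                                   # LAN-facing firewall interface (assumed)

# dns_egress_rules PIHOLE_IP "FWD1 FWD2 ..." LAN_IF -> ruleset on stdout.
# Review the output, then load it on the firewall with: nft -f rules.nft
dns_egress_rules() {
    pihole="$1"; fwds="$2"; lan="$3"
    # Join the forwarder list into an nft set literal: "a, b"
    set_body=""
    for f in $fwds; do
        set_body="${set_body:+$set_body, }$f"
    done
    cat <<EOF
table inet dns_egress {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Pi-Hole alone may query the chosen upstream forwarders (UDP and TCP 53)
        iifname "$lan" ip saddr $pihole ip daddr { $set_body } udp dport 53 accept
        iifname "$lan" ip saddr $pihole ip daddr { $set_body } tcp dport 53 accept
        # Every other LAN client is forced back through Pi-Hole; counters make
        # bypass attempts visible in "nft list ruleset" for follow-up.
        iifname "$lan" udp dport 53 counter drop
        iifname "$lan" tcp dport 53 counter drop
    }
}
EOF
}

# Note: this covers classic port-53 DNS only. Clients using DNS over HTTPS
# (443) or DNS over TLS (853) bypass it and need a separate policy.
dns_egress_rules "$PIHOLE_IP" "$FORWARDERS" "$LAN_IF"
```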
- MFA/2FA – DO NOT use SMS for multi-factor authentication. Spoofing and SIM cloning have made SMS codes better than nothing, but still not safe. Use MFA wherever possible; it is arguably the single best thing you can do for both personal and enterprise security.
- Domain Name System: Use a privacy-centric DNS service such as Quad9 and others. If possible, use DNSSEC and ECS to prevent spying on the queries you make. This information can easily be used against you in inference attacks (inferring which operating systems and applications you use), which help an attacker plan an attack using information they may not otherwise be able to obtain.
- Password managers SHOULD be used. Dashlane and Bitwarden do well for personal and small business use, and enterprise solutions from OneLogin and other vendors are available and generally do a very good job. Passwords, of course, should be long, complex, new, and never reused. Cloud synchronization is convenient but does carry risk. Due diligence and care should be observed, as a poor decision can mean disaster.
- On-Premises:
- Full Drive Encryption – DO use full drive encryption on ALL your workstations, servers, and mobile devices. Servers can be tricky, as you could end up with a domain-level paperweight, so plan it out for success! Options include Microsoft BitLocker for Windows, VeraCrypt for Mac, Linux, and Windows, and/or hardware-based solutions available from reputable hard drive/SSD/M.2 suppliers.
- Portable Drive Encryption – USB devices are the most common method for portable data storage and transmission, so ideally use a FIPS validated USB device; as an alternative, use Microsoft BitLocker To Go or VeraCrypt.
- Cloud
- Understand that if you put data into the cloud without encryption, you do not hold the encryption keys and it IS monitored/harvested to some degree.
- Encrypt dataset BEFORE uploading to any cloud repository using a trusted workstation and an encryption scheme that you deem appropriate.
- Encryption schemes should be based on FIPS 197, Advanced Encryption Standard, as a baseline, although stronger may be chosen. Although 128-bit strength is acceptable per many compliance mandates, the industry has settled on 256-bit as a minimum.
- Hashing schemes should be based on FIPS 186-3, Secure Hashing Algorithm, as a baseline, although stronger may be chosen. SHA-1 has known weaknesses, so a 256-bit (or greater) digest should be employed for hashing.
- Cryptographic Modules are often directed by compliance mandates such as NIST SP 800-53, 800-171, and others, which require use of a cryptographic module that is FIPS 140-2 or 140-3 validated. Validation levels 1-5 exist, but few mandates include this level of detail. Hardware modules will often be validated to level 5, whereas software modules cannot exceed level 3, and that is the level most are validated to as a standard; 5 is the strongest and 1 the weakest validation. If you are not subject to a compelling mandate, you may choose to use a non-validated module, although this does present an element of risk, as there could be backdoors and other weaknesses in modules that have not been heavily scrutinized.
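The "encrypt before you upload" practice above, as an added example that is not CMTC's own code: the dataset is encrypted on the trusted workstation with AES-256 (FIPS 197) and a SHA-256 digest of the plaintext is recorded, so a restore from the cloud copy can be verified. It assumes openssl(1) is installed; the file names, sample data and placeholder passphrase are constructed.

```shell
#!/bin/sh
# Added example (not from the Zero-Clear page). Encrypt locally, then verify
# integrity after a round trip through an untrusted "cloud" copy.

# encrypt_for_upload PLAINTEXT CIPHERTEXT PASSFILE
#   AES-256-CBC with a random salt and PBKDF2 key stretching. The passphrase
#   is read from a mode-0600 file so it never appears in the process list.
encrypt_for_upload() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_after_download CIPHERTEXT PLAINTEXT PASSFILE
decrypt_after_download() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# sha256_of FILE -> hex digest. CBC mode provides no integrity on its own, so
# the digest taken BEFORE upload is what detects a tampered or corrupt copy.
sha256_of() {
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# demo_roundtrip -> prints "match" when the restored file equals the original.
demo_roundtrip() {
    work=$(mktemp -d)
    printf 'Q3 quotes and CAD export list (constructed sample data)\n' > "$work/dataset.csv"
    (umask 077; printf 'placeholder passphrase - replace me\n' > "$work/pass")
    before=$(sha256_of "$work/dataset.csv")
    encrypt_for_upload "$work/dataset.csv" "$work/dataset.csv.enc" "$work/pass"
    cp "$work/dataset.csv.enc" "$work/cloud_copy.enc"   # stands in for the upload
    decrypt_after_download "$work/cloud_copy.enc" "$work/restored.csv" "$work/pass"
    after=$(sha256_of "$work/restored.csv")
    rm -rf "$work"
    if [ "$before" = "$after" ]; then echo match; else echo MISMATCH; fi
}

demo_roundtrip
```

Only the .enc file and the digest leave the workstation; the passphrase file and the plaintext stay behind.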
- Off Premises but not in the Cloud (Ex. Backup tapes)
- If these are stored onsite, then they should be stored using encryption similar to that outlined above for cloud; else,
- If they are stored somewhere other than the primary processing facility, they should of course be encrypted as above, and SPECIFICALLY encrypted AT the primary processing facility BEFORE they are allowed to go offsite.
- DO NOT allow any data outside of the primary processing facility to be in an unencrypted state- EVER!
- Trusted Infrastructure
- Virtual Private Networking (VPN) – Always use strong encryption based on AES or stronger encryption. Please see more detail in the “Cloud section” below.
- Remote Endpoints: Whether they are organizationally owned or "Bring your own disaster" (BYOD), the endpoints are a critical part of data protection. Treat them with the same level of control as an organizationally owned, internal device. If the user/owner balks, change the operational scheme. You simply can't have ambiguity and expect things to be "ok".
- Server Message Block (SMB) sharing on Windows
- Modern Windows Server and Workstation OSs employ SMB 3.0 which includes encrypted file transfer.
- Implementation of this enhancement enables the encryption of data that is transferred over the network between the SMB file server and the client.
- Other file transfer mechanisms
- Never use FTP! Username, Password, and Payload are all sent in the clear. It couldn’t be less secure.
- TFTP is ok for things like boot configurations and similar on the internal LAN segments if REQUIRED by the devices. Explore other options and use this as a last resort.
- SFTP, FTPS, SSHFTP, SecureFTP, and other, reputable solutions are generally ok, provided the configuration supports encrypted and/or hashed authentication and payload information.
- Username
- Password
- Payload
Operational (Human-Based Procedures) Vectors to consider:
- Use modern tools to check for known and potential vulnerabilities. Developers can fix most software vulnerabilities — if they know about them. There are automated tools that can review code and find most coding errors before software ships, and before a malicious actor takes advantage of them.
- Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors.
- Back up your data and ensure you have offline backups beyond the reach of malicious actors.
- Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack.
- Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly.
- Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents. Please encourage your IT and Security leadership to visit the websites of CISA and the FBI where they will find technical information and other useful resources.
- Work from Home – Ensure that the remote location conforms to ALL (ALL!) requirements of in-house work. Workstations are configured per Zero-Clear guidance and are locked from view when an uncovered person comes within possible view. These uncovered persons include your kids, spouse, maids, yard and pool crews, and your dog and cat, if they have their own iPad. Fish and mice often aren't able to convey sensitive data outside the home or remote office without collusion. Watch for nosy neighbors if your screen is visible from a window; you never know who an adversary has planted in your neighborhood. Suggestion: just close the blinds when you're working on something. "Innocuous information isn't always innocuous!"
- Develop software only on a system that is highly secure and accessible only to those actually working on a particular project. This will make it much harder for an intruder to jump from system to system and compromise a product or steal your intellectual property.
- Software developers are responsible for all code used in their products, including open source code. Most software is built using many different components and libraries, much of which is open source. Make sure developers know the provenance (i.e., origin) of components they are using and have a “software bill of materials” in case one of those components is later found to have a vulnerability so you can rapidly correct it.
- Use a privacy and security centric web browser. DO NOT USE CHROME, EDGE, or anything by big tech. Brave and Mozilla are currently good options.
- In addition to a privacy/security centric browser, there is an extension/plugin for both browsers that, when configured properly, can significantly increase your resistance to invasive and spying activity. It's called "uBlock Origin" by Raymond Hill. Remember, we don't endorse products, and if you pursue this, be sure to get the one from Raymond Hill.
Management (Organizational Policy) Vectors to consider:
- Build security into your products from the ground up — “bake it in, don’t bolt it on” — to protect both your intellectual property and your customers’ privacy.
- Create an organizational management policy that classifies EVERYTHING within the organization as ORGANIZATIONALLY SENSITIVE/Do Not Export Outside (ORGANIZATION NAME). Ensure that this is conveyed and socialized with both employees and contractors so that everyone understands why it's a good idea for both the company and for their personal lives.
- Implement a "Secret Key" for all data assets within the organization. Protect all Word, Excel, PowerPoint, etc. assets with this secret key so that if the assets are ever exfiltrated, they are locked from view. This helps mitigate ransomware and other attacks because, as long as the secret key is kept secret, you can't be blackmailed with the stolen data, which is a newer ransomware concept but widely used in recent attacks. This method is vulnerable to insider threat, but short of that, it offers GREAT protection at nearly no cost. Use secure communications to share the secret key with those who have "need to know" status. A shortfall of this method is that if the key is compromised, it can be difficult to rekey all assets with a new key. Business unit keys work well: dissimilar keys for C-Suite, Finance/Accounting, Engineering, etc., so that if one key is compromised, recovery is less involved because the affected dataset is smaller.
- Implement the requirements within the NIST SP800-171 (Basic Security Hygiene- Not directly associated with Zero-Clear Initiative)