Authenticated secure business communication

1,030 Views | 9 Replies | Last: 2 yr ago by Signel
Bradley.Kohr.II
Dealing more with this, these days.

Internally, we use slack for chatter, and verified signal for financial stuff. (Accounts to wire money to, amounts to wire, etc)

I suppose BlackBerry Enterprise messenger might offer a way to do this, but I don't know anyone who uses it.

Most folks don't even use encrypted email - at least, that's how it seems, and I don't know enough to know if an encrypted email can be spoofed or not.

So far, I've known everyone enough that I could chat to them on the phone and verify that the info is correct, but I know that's a failure point.

Signal doesn't work with dual SIM phones, and I don't really want to have to give out my personal #.
AGSPORTSFAN07
Bradley.Kohr.II said:
Most folks don't even use encrypted email - at least, that's how it seems, and I don't know enough to know if an encrypted email can be spoofed or not.

Huh?
Bradley.Kohr.II
I need a way to send, and receive, bank account information, and payment amounts.

Ideally, one which cannot be "spoofed."

I suppose an encrypted email would work, if I can get the other people I do business with to start using them.

I do not think an encrypted email can be sent from a spoofed address, but I am not sure.
powerbelly
Based on the amount of threads you start on similar topics you seem to spend a lot of time worried about this. I would suggest good policies and following procedures will make you much "safer" than whatever tech solution you are seeking.
Tailgate88
I use https://temp.pm to send/receive Credit Card and password info with my clients. Assign a password then email the link and text the password. It works great but these are all people I know and already have my mobile number.

You could call on a landline or use the Burner App to get a second cell number for a few bucks a month.
kb2001
PCI DSS has a long list of things that need to be addressed to handle CC information. You should follow those guidelines, and have annual audits conducted by a 3rd party to check yourself.

Coming at this by chasing technologies instead of following industry accepted practices is going to leave you in a bad spot.
DallasTeleAg
Email security only gets you so far. If someone is spoofing your email, solutions like Proofpoint can help filter that out. However, without truly dedicating funds to cybersecurity awareness training for employees and MFA, you are going to be at risk.

Even with all of that, you are never going to be 100%.

If you are relying on emails to trigger bank transactions, you should always call the person to verify, first. If you are not using two methods to verify transactions like that, you could be leaving yourself vulnerable.
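The spoofing question raised earlier in the thread (whether mail "from" a trusted address can be faked) and the gateway filtering DallasTeleAg mentions come down to the same check: whether the receiving mail server's SPF/DKIM/DMARC verdict, not the visible From: line, vouches for the sender. The following is an added example, not code from the thread or from any product; it parses the Authentication-Results header that a receiving MTA stamps on a message (RFC 8601) and only trusts headers stamped by our own server (the hypothetical authserv-id `mx.example.com`). The three messages are constructed for illustration.

```python
"""Gateway-style authentication check on inbound mail.

Added example. A message is only treated as genuinely from its From: domain
when an Authentication-Results header stamped by OUR server (authserv-id
mx.example.com, an assumed name) reports dmarc=pass for that same domain.
Encryption of the body says nothing about this; only the authentication
results do.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_AUTHSERV_ID = "mx.example.com"   # assumed: the authserv-id our MTA writes

# Constructed sample messages (not real captures).
LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bob@partner.example; dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example
From: Bob <bob@partner.example>
Subject: Updated wire instructions

Please wire to the new account below.
"""

SPOOFED = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail@bulk-sender.example; dkim=none; dmarc=fail header.from=partner.example
From: Bob <bob@partner.example>
Subject: Updated wire instructions

Please wire to the new account below.
"""

# Attacker supplies their own Authentication-Results header with a foreign
# authserv-id. It must be ignored, and any inbound header carrying OUR
# authserv-id must be stripped at the edge, or this check can be forged.
FORGED_AR = """\
Authentication-Results: mx.attacker.example; dmarc=pass header.from=partner.example
From: Bob <bob@partner.example>
Subject: Updated wire instructions

Please wire to the new account below.
"""


def parse_auth_results(header_value):
    """Split 'authserv-id; method=result ...; ...' into (authserv_id, results)."""
    authserv_id, _, rest = header_value.partition(";")
    results = {}
    for part in rest.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", part)
        if m:
            results[m.group(1)] = m.group(2).lower()
    hf = re.search(r"header\.from=([\w.-]+)", rest)
    results["header_from"] = hf.group(1).lower() if hf else None
    return authserv_id.strip().lower(), results


def check_message(raw, authserv_id=OUR_AUTHSERV_ID):
    """Return a verdict dict; 'deliver' is True only on a trusted DMARC pass."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    verdict = {"from_domain": from_domain, "trusted_ar": False, "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        stamped_by, results = parse_auth_results(header)
        if stamped_by != authserv_id:
            continue                      # not our verdict, do not trust it
        verdict["trusted_ar"] = True
        verdict["dmarc"] = results.get("dmarc", "none")
        # DMARC alignment: the verdict must be about the domain the user sees.
        if results["header_from"] != from_domain:
            verdict["dmarc"] = "misaligned"
    verdict["deliver"] = verdict["trusted_ar"] and verdict["dmarc"] == "pass"
    return verdict


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("forged", FORGED_AR)):
        print(name, check_message(raw))
```

Even with a DMARC pass, the message only proves the sending domain authenticated; a compromised mailbox at the partner passes every check, which is why the call-back verification above still applies to payment changes.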
kb2001
Did we just have a couple spammers have a conversation about slack being insecure in order to push an email service?
bbattbq01
kb2001 said:
Did we just have a couple spammers have a conversation about slack being insecure in order to push an email service?
Yup.
Signel
Slack is as secure as your users and administrators leave it. Human error is usually the problem on that front.

You are looking for a DLP (Data Loss Prevention) solution that will CYA automatically as a business. It will encrypt all the messages even when your users fail to do so.

Most of the companies that offer DLP solutions do so for messaging and file storage. Azure/AWS have it built in, and can search your documents for file types that contain CC numbers for example. You set the policies and force the encryption, and they have pre-canned data dictionaries based on compliance types (HIPAA, PCI-DSS, GDPR, etc)

The same can be setup for Secure Email Gateways (SEGs) like Proofpoint, Mimecast, and Barracuda for example. If your user decides to send an outbound CC, it is snagged and auto encrypted. Not all DLP is created equal in my experience, though, and it can get very expensive.

Varonis is a great example of a very expensive tool for seeking out sensitive files in your business and, based on data dictionaries, assigning risks to them. This also covers areas like File Integrity Monitoring (FIM) and protects from insider threats like mass ransomware or exfiltrated files from the guy you just fired.

There are also endpoint tools that can do similar but cost less like Absolute Computrace, many EDRs, or even traditional AV solutions that give you that visibility through their agents.

There are so many tools that overlap and touch what you are looking to solve that you can use a layered defense approach to meet your needs. Where to start would really take looking at your overall risk as a business, and understanding what you are trying to accomplish based on costs.
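The "data dictionary" matching Signel describes, where a DLP policy scans documents or outbound mail for card numbers, is worth seeing in miniature. The following is an added example, not any vendor's code: a pattern match for 13 to 19 digit runs followed by a Luhn checksum, which is what keeps order numbers and phone numbers from tripping a PCI policy. The sample text and card numbers are constructed (the card numbers are public test numbers).

```python
"""DLP-style PAN (card number) detection with Luhn validation.

Added example. A digit-run regex alone matches order references and phone
numbers; requiring the Luhn checksum to pass cuts most of those false
positives. Hits are masked to the last four digits so the finding itself
does not become a second copy of the card number.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not part of
# a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: two valid test card numbers, a 13-digit order reference
# that fails Luhn, and a phone number that is too short to be a candidate.
SAMPLE = ("Card 4111 1111 1111 1111 exp 12/29, Amex 378282246310005; "
          "order ref 1234567890123; call 800-555-0100")


def luhn_ok(digits):
    """Luhn checksum (ISO/IEC 7812) over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits, as PCI DSS allows for display."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text):
    """Return [(masked_pan, start, end)] for every Luhn-valid candidate."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((mask(digits), m.start(), m.end()))
    return hits


def redact(text):
    """Replace each detected PAN in text with its masked form."""
    out, last = [], 0
    for masked, start, end in find_pans(text):
        out.append(text[last:start])
        out.append(masked)
        last = end
    out.append(text[last:])
    return "".join(out)


if __name__ == "__main__":
    for masked, start, end in find_pans(SAMPLE):
        print(f"PAN at {start}-{end}: {masked}")
    print(redact(SAMPLE))
```

A real policy adds brand-specific prefix and length rules (and context words like "card" or "CVV") on top of this, but the Luhn gate is the piece that makes the regex usable at all.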