Strategies to Mitigate Cyber Security Incidents (EN)

3.10 Encrypt Sensitive Data in Transit 
Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). 

3.10 Реализовано шифрование чувствительных данных при передаче
Примеры решений: Transport Layer Security (TLS), Open Secure Shell (OpenSSH).

/STANDARD
Although security is no longer optional today, this has not always been the case. This is why numerous network protocols had to evolve to integrate this component and respond to the confidentiality and integrity requirements that exchanging data requires. Secure network protocols must be used as soon as possible, whether on public networks (the Internet for example) or on the organization’s internal network. 

Although it may be difficult to provide an exhaustive list, the most common protocols rely on the use of TLS and are often identifiable by the addition of the letter "s" (for secure) in the protocol acronym. As an example HTTPS for web browsing or IMAPS, SMTPS or POP3S for email. 

Other protocols were designed securely from their creation to replace prior, insecure protocols. As an example SSH (Secure SHell) which came to replace the TELNET and RLOGIN historic communication protocols.. 

/STANDARD
The Internet is a network from which it is almost impossible to obtain guarantees as to the way that data will take when you send it through this medium. It is, therefore, entirely possible that a hacker will be on the pathway of data travelling between two correspondents. 

All the data sent by email or uploaded to online hosting tools (Cloud) is therefore vulnerable. Therefore, its systematic encryption must be undertaken before sending it to a correspondent or uploading it. 

Passing on confidential information (password, key, etc.) that is therefore able to decrypt data, if required, must be carried out by a trusted channel or, failing that, a different channel from the data transmission channel. Therefore, although the encrypted data is sent by mail, handing over the password by hand or, failing that, over the phone must be favoured. 

/STANDARD
Email is the main infection vector for a workstation, whether it is opening attachments containing malware or a misguided click on a link redirecting towards a site that is, itself, malicious. 

Users must be especially aware of this issue: is the sender known? Is information from him or her expected? Is the proposed link consistent with the subject mentioned? If any doubt, checking the message authenticity by another channel (telephone, SMS, etc.) is required. 

To protect against scams (e.g.: a fraudulent transfer request seeming to come from a manager), organisational measures must be strictly applied. 

Moreover, the redirection of professional messages to a personal email must be prohibited as it may constitute an irremediable information leak from the organization. If necessary, controlled and secure methods for remote access to professional email must be offered. 

Whether the organization hosts or has their email system hosted, it must ensure: