Securing Critical Information
Certain information such as network and physical diagrams, incident response plans, list of critical cyber assets, SCADA software or PLC model information, and security assessment results can be a great help to an attacker. In fact, most security assessments begin with a reconnaissance phase to identify critical information.
A method for protecting Critical Information should be in place for both electronic distribution, such as email, and physical distribution, such as CD, DVD and USB drives.
A while back we wrote a white paper listing and comparing four different approaches to securing Critical Information that never made it to the site. Here is a summary of the four approaches.
Solution Category 1 – Offline File Encryption
Offline file encryption applications protect the Critical Information (CI) in a file before it is sent by email or loaded onto physical media. The sender and recipient each install the application on their respective computers. The sender then starts the application, selects a file to encrypt, enters a crypto key or pass phrase, and selects a name and location for the resulting encrypted file.
The encrypted file is protected regardless of how it is transmitted. It could be sent as an email attachment, provided on a CD or memory stick, or even used as a secure local version of the file.
Example: PGP
Summary: A good solution for infrequent exchange of CI between a small number of individuals.
Solution Category 2 – Decentralized Email and File Security
Decentralized email solutions integrate security into common email applications such as Microsoft’s Outlook, Lotus Notes and Qualcomm’s Eudora. These solutions will encrypt and decrypt email messages and email attachments to protect the confidentiality of CI. They also can provide strong authentication of the email sender’s and recipient’s identities and cryptographically verify the message has not been altered in transit. Many of the solutions in this category also offer an offline file encryption utility as described in Category 1.
Example: PGP
Summary: A good solution for the frequent exchange of CI between a small number of individuals.
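As an added illustration (not Digital Bond's code, and not PGP itself) of the Category 1 workflow and of the tamper check Category 2 describes: the sender's pass phrase is stretched into keys, the file body is encrypted, and an authentication tag lets the recipient prove the file was not altered in transit before anything is decrypted. The `CIv1` container tag, the HMAC-based keystream and the sample plaintexts are constructed for this example; in practice the post's recommendation, PGP, does this job.

```python
import hashlib
import hmac
import os

MAGIC = b"CIv1"  # constructed format tag for this example's container

def _derive_keys(passphrase: str, salt: bytes):
    """Stretch the pass phrase into separate encryption and authentication keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode to produce a keystream (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_file_bytes(plaintext: bytes, passphrase: str) -> bytes:
    """Produce a container that stays protected on email, CD or USB alike."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()  # encrypt-then-MAC
    return header + body + tag

def decrypt_file_bytes(blob: bytes, passphrase: str) -> bytes:
    """Verify the tag first; only an unaltered container is ever decrypted."""
    if len(blob) < 4 + 16 + 16 + 32 or blob[:4] != MAGIC:
        raise ValueError("not a CIv1 container")
    header, body, tag = blob[:36], blob[36:-32], blob[-32:]
    salt, nonce = header[4:20], header[20:36]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong pass phrase or file altered")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

def opens_with(blob: bytes, passphrase: str) -> bool:
    """True if the container authenticates and decrypts under this pass phrase."""
    try:
        decrypt_file_bytes(blob, passphrase)
        return True
    except ValueError:
        return False
```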
Solution Category 3 – Centralized Email and File Security
The large email application and server vendors, such as Microsoft and Lotus, have integrated security similar to that described in Category 2 into their applications. Users choose to encrypt and digitally sign their email by selecting the appropriate icons in their email application. There are three primary differences between this solution and the solution described in Category 2:
- This solution has two products: an email client and an email server. For example, Microsoft’s client is Outlook and their server is Exchange. The server is a complex application that requires a system administrator. Using the security features will add more complexity to the server management.
- No product needs to be installed on an end user’s email client. The security capability is already in the client and only needs to be configured. This configuration can be performed remotely by the system administrator.
- Public keys do not need to be exchanged. The system administrator will give or help each user obtain a public/private key pair. Public keys for all users will then be provided automatically by the email server application as part of the address book.
Example: Microsoft Outlook/Exchange, Lotus Notes/Domino
Summary: A good solution for the exchange of CI between a large number of users within an organization.
Solution Category 4 – Secure Email Service Provider
Secure email can also be purchased as a service from a third party. A sender establishes an account with the service provider by paying a monthly or annual subscription fee. The sender then can send secure email and email attachments to any email address.
The only software that is required to use this service is a web browser. All information is encrypted in transit using the SSL or TLS protocol.
Example: CertifiedMail.com
Summary: A good solution for the exchange of CI for individuals who prefer not to purchase or manage security products. Works well for unforeseen CI transfers.
- - - -
Digital Bond initially attempted to exchange CI via PGP with our clients, but many clients resisted this. We still use PGP internally and with those that have PGP installed. We use CertifiedMail.com for those that don’t support PGP. The CertifiedMail.com solution has proven to be very easy to use by anyone who can use a browser.
The Protecting Critical Information white paper describes each method in more detail and gives the pros and cons of each method.
Author: Dale Peterson
Posted: November 22nd, 2006 under SCADA Architecture.