The Open Systems Interconnection (OSI) model is a guiding principle in online system design. By working from the OSI model, you could ensure that your employer’s online environment could accommodate interoperability among different online software products and services.
> Draw a chart for the OSI model and their numbers from top to bottom.
> Name three problems with cabling and the methods to counteract those issues.
> How do you protect your employer’s domain name from being hijacked?
Need 2-3 pages with peer-reviewed citations. No introduction or conclusion needed.
Chapter 12 Secure Communications and Network Attacks
THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Domain 4: Communication and Network Security
4.3 Implement secure communication channels according to design
4.3.1 Voice
4.3.2 Multimedia collaboration
4.3.3 Remote access
4.3.4 Data communications
4.3.5 Virtualized networks
Data residing in a static form on a storage device is fairly simple to secure. As long as physical access control is maintained and reasonable logical access controls are implemented, stored files remain confidential, retain their integrity, and are available to authorized users. However, once data is used by an application or transferred over a network connection, the process of securing it becomes much more difficult.
Communications security covers a wide range of issues related to the transportation of electronic information from one place to another. That transportation may be between systems on opposite sides of the planet or between systems on the same business network. Once it is involved in any means of transportation, data becomes vulnerable to a plethora of threats to its confidentiality, integrity, and availability. Fortunately, many of these threats can be reduced or eliminated with the appropriate countermeasures.
Communications security is designed to detect, prevent, and even correct data transportation errors (that is, it provides integrity protection as well as confidentiality). This is done to sustain the security of networks while supporting the need to exchange and share data. This chapter covers the many forms of communications security, vulnerabilities, and countermeasures.
The Communication and Network Security domain for the CISSP certification exam deals with topics related to network components (i.e., network devices and protocols), specifically how they function and how they are relevant to security. This domain is discussed in this chapter and in Chapter 11, “Secure Network Architecture and Securing Network Components.” Be sure to read and study the material in both chapters to ensure complete coverage of the essential material for the CISSP certification exam.
Network and Protocol Security Mechanisms
Transmission Control Protocol/Internet Protocol (TCP/IP) is the primary protocol suite used on most networks and on the internet. It is a robust protocol suite, but it has numerous security deficiencies. In an effort to improve the security of TCP/IP, many subprotocols, mechanisms, or applications have been developed to protect the confidentiality, integrity, and availability of transmitted data. It is important to remember that even with the foundational protocol suite of TCP/IP, there are literally hundreds, if not thousands, of individual protocols, mechanisms, and applications in use across the internet. Some of them are designed to provide security services. Some protect integrity, others protect confidentiality, and others provide authentication and access control. In the next sections, we’ll discuss some of the more common network and protocol security mechanisms.
Secure Communications Protocols
Protocols that provide security services for application-specific communication channels are called secure communication protocols. The following list includes a small sampling of some of the options available:
IPsec
Internet Protocol security (IPsec) uses public key cryptography to provide encryption, access control, nonrepudiation, and message authentication, all using IP-based protocols. The primary use of IPsec is for virtual private networks (VPNs), so IPsec can operate in either transport or tunnel mode. IPsec is discussed further in Chapter 7, “PKI and Cryptographic Applications.”
Kerberos
Kerberos offers a single sign-on solution for users and provides protection for logon credentials. Modern implementations of Kerberos use hybrid encryption to provide reliable authentication protection. Kerberos is discussed further in Chapter 13, “Cryptography and Symmetric Key Algorithms.”
SSH
Secure Shell (SSH) is a good example of an end-to-end encryption technique. This security tool can be used to encrypt numerous plaintext utilities (such as rcp, rlogin, rexec), serve as a protocol encrypter (such as with SFTP), and function as a VPN.
Signal Protocol
This is a cryptographic protocol that provides end-to-end encryption for voice communications, video conferencing, and text message services. The Signal Protocol is nonfederated and is a core element in the messaging app named Signal.
Secure Remote Procedure Call (S-RPC)
This is an authentication service and is simply a means to prevent unauthorized execution of code on remote systems.
Secure Sockets Layer (SSL)
This is an encryption protocol developed by Netscape to protect the communications between a web server and a web browser. SSL can be used to secure web, email, File Transfer Protocol (FTP), or even Telnet traffic. It is a session-oriented protocol that provides confidentiality and integrity. SSL is deployed using a 40-bit key or a 128-bit key. SSL is superseded by Transport Layer Security (TLS).
Transport Layer Security (TLS)
TLS functions in the same general manner as SSL, but it uses stronger authentication and encryption protocols.
SSL and TLS both have the following features:
Support secure client-server communications across an insecure network while preventing tampering, spoofing, and eavesdropping.
Support one-way authentication.
Support two-way authentication using digital certificates.
Often implemented as the initial payload of a TCP package, allowing it to encapsulate all higher-layer protocol payloads.
Can be implemented at lower layers, such as layer 3 (the Network layer) to operate as a VPN. This implementation is known as OpenVPN.
In addition, TLS can be used to encrypt User Datagram Protocol (UDP) and Session Initiation Protocol (SIP) connections. (SIP is a protocol associated with Voice over IP [VoIP].)
Authentication Protocols
After a connection is initially established between a remote system and a server or a network, the first activity that should take place is to verify the identity of the remote user. This activity is known as authentication. There are several authentication protocols that control how the logon credentials are exchanged and whether those credentials are encrypted during transport:
Challenge Handshake Authentication Protocol (CHAP)
This is one of the authentication protocols used over Point-to-Point Protocol (PPP) links. CHAP encrypts usernames and passwords. It performs authentication using a challenge-response dialogue that cannot be replayed. CHAP also periodically reauthenticates the remote system throughout an established communication session to verify a persistent identity of the remote client. This activity is transparent to the user.
Password Authentication Protocol (PAP)
This is a standardized authentication protocol for PPP. PAP transmits usernames and passwords in cleartext. It offers no form of encryption; it simply provides a means to transport the logon credentials from the client to the authentication server.
Extensible Authentication Protocol (EAP)
This is a framework for authentication instead of an actual protocol. EAP allows customized authentication security solutions, such as supporting smart cards, tokens, and biometrics. (See the sidebar “EAP, PEAP, and LEAP” for information about other protocols based on EAP.)
These three authentication protocols were initially used over dial-up PPP connections. Today, these and many other, newer authentication protocols (such as OpenID, OAuth, and Shibboleth) and concepts (such as authentication federation and SAML) are in use over a wide number of distance connection technologies, including broadband and virtual private networks (VPNs), as well as expanding support and using traditional authentication services, such as Kerberos, Remote Authentication Dial-in User Service (RADIUS), and even Terminal Access Controller Access Control System Plus (TACACS+).
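The contrast between CHAP’s challenge-response dialogue and PAP’s cleartext credentials, shown as an added Python model rather than code from the book: the authenticator issues a fresh random challenge for every attempt and accepts it only once, the peer answers with MD5(identifier || secret || challenge) as RFC 1994 specifies, and a captured CHAP response neither reveals the secret nor works against the next challenge, whereas a captured PAP request carries the password itself. The shared secret, the user name and the one-octet identifier bookkeeping are constructed for this demonstration and are not from the page.

```python
import hashlib
import hmac
import os

# Constructed example data (hypothetical): a secret the peer and the
# authenticator share out of band. Not from the page.
SHARED_SECRETS = {"remote-user": b"constructed-demo-secret"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5 response: MD5(Identifier || secret || Challenge).
    MD5 is used only because that is what the protocol being modelled specifies."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP: a fresh random challenge per attempt, each one
    consumed on first use. That one-shot property is what defeats replay."""

    def __init__(self) -> None:
        self._pending: dict[int, bytes] = {}   # identifier -> outstanding challenge
        self._next_id = 0

    def issue_challenge(self) -> tuple[int, bytes]:
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256   # the identifier is one octet
        chal = os.urandom(16)                        # unpredictable, never reused
        self._pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self._pending.pop(ident, None)        # consumed whether or not it verifies
        secret = SHARED_SECRETS.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def chap_peer(ident: int, chal: bytes, name: str) -> bytes:
    """Client side of CHAP: answer the challenge from the shared secret."""
    return chap_response(ident, SHARED_SECRETS[name], chal)


def pap_request(name: str, password: bytes) -> bytes:
    """What a PAP Authenticate-Request exposes on the wire: the password verbatim."""
    return name.encode() + b"\x00" + password


def run_demo() -> dict:
    auth = ChapAuthenticator()
    name = "remote-user"

    # 1. Legitimate CHAP exchange; wire_response is what a sniffer would capture.
    ident, chal = auth.issue_challenge()
    wire_response = chap_peer(ident, chal, name)
    first_ok = auth.verify(ident, name, wire_response)

    # 2. Replaying the captured response: the old challenge is already consumed,
    #    and a new challenge produces a different expected value.
    replay_same_id = auth.verify(ident, name, wire_response)
    ident2, _chal2 = auth.issue_challenge()
    replay_new_challenge = auth.verify(ident2, name, wire_response)

    # 3. PAP for contrast: the captured request contains the secret itself.
    pap_frame = pap_request(name, SHARED_SECRETS[name])
    return {
        "chap_first_attempt": first_ok,
        "chap_replay_same_id": replay_same_id,
        "chap_replay_new_challenge": replay_new_challenge,
        "chap_response_leaks_secret": SHARED_SECRETS[name] in wire_response,
        "pap_frame_leaks_secret": SHARED_SECRETS[name] in pap_frame,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The model keeps the periodic reauthentication the text mentions out of scope; it would simply be another issue_challenge/verify round on the same authenticator, and the same one-shot rule applies to each round.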
EAP, PEAP, and LEAP
Protected Extensible Authentication Protocol (PEAP) encapsulates EAP in a TLS tunnel. PEAP is preferred to EAP because EAP assumes that the channel is already protected but PEAP imposes its own security. PEAP is used for securing communications over 802.11 wireless connections. PEAP can be employed by Wi-Fi Protected Access (WPA) and WPA-2 connections.
PEAP is also preferred over Cisco’s proprietary EAP known as Lightweight Extensible Authentication Protocol (LEAP). LEAP was Cisco’s initial response to insecure WEP. LEAP supported frequent reauthentication and changing of WEP keys (whereas WEP used single authentication and a static key). However, LEAP is crackable using a variety of tools and techniques, including the exploit tool Asleap.
Secure Voice Communications
The vulnerability of voice communication is tangentially related to information technology (IT) system security. However, as voice communication solutions move on to the network by employing digital devices and VoIP, securing voice communications becomes an increasingly important issue. When voice communications occur over the IT infrastructure, it is important to implement mechanisms to provide for authentication and integrity. Confidentiality should be maintained by employing an encryption service or protocol to protect the voice communications while in transit.
Normal private branch exchange (PBX) or POTS/public switched telephone network (PSTN) voice communications are vulnerable to interception, eavesdropping, tapping, and other exploitations. Often, physical security is required to maintain control over voice communications within the confines of your organization’s physical locations. Security of voice communications outside your organization is typically the responsibility of the phone company from which you lease services. If voice communication vulnerabilities are an important issue for sustaining your security policy, you should deploy an encrypted communication mechanism and use it exclusively.
Voice over Internet Protocol (VoIP)
VoIP is a technology that encapsulates audio into IP packets to support telephone calls over TCP/IP network connections. VoIP has become a popular and inexpensive telephony solution for companies and individuals worldwide.
It is important to keep security in mind when selecting a VoIP solution to ensure that it provides the privacy and security you expect. Some VoIP systems are essentially plain-form communications that are easily intercepted and eavesdropped; others are highly encrypted, and any attempt to interfere or wiretap is deterred and thwarted.
VoIP is not without its problems. Hackers can wage a wide range of potential attacks against a VoIP solution:
Caller ID can be falsified easily using any number of VoIP tools, so hackers can perform vishing (VoIP phishing) or Spam over Internet Telephony (SPIT) attacks.
The call manager systems and the VoIP phones themselves might be vulnerable to host operating system (OS) attacks and DoS attacks. If a device’s or software’s host OS or firmware has vulnerabilities, there is increased risk of exploits.
Attackers might be able to perform man-in-the-middle (MitM) attacks by spoofing call managers or endpoint connection negotiations and/or responses.
Depending on the deployment, there are also risks associated with deploying VoIP phones off the same switches as desktop and server systems. This could allow for 802.1X authentication falsification as well as virtual local area network (VLAN) and VoIP hopping (i.e., jumping across authenticated channels).
Since VoIP traffic is just network traffic, it is often possible to listen in on VoIP communications by decoding the VoIP traffic when it isn’t encrypted.
Secure Real-Time Transport Protocol or SecureRTP (SRTP) is a security improvement over the Real-Time Transport Protocol (RTP) that is used in many VoIP communications. SRTP aims to minimize the risk of VoIP DoS through robust encryption and reliable authentication.
Social Engineering
Malicious individuals can exploit voice communications through a technique known as social engineering. Social engineering is a means by which an unknown, untrusted, or at least unauthorized person gains the trust of someone inside your organization. Adept individuals can convince employees that they are associated with upper management, technical support, the help desk, and so on. Once convinced, the victim is often encouraged to make a change to their user account on the system, such as resetting their password. Other attacks include instructing the victim to open specific email attachments, launch an application, or connect to a specific uniform resource locator (URL). Whatever the actual activity is, it is usually directed toward opening a back door that the attacker can use to gain network access.
The people within an organization make it vulnerable to social engineering attacks. With just a little information or a few facts, it is often possible to get a victim to disclose confidential information or engage in irresponsible activity. Social engineering attacks exploit human characteristics such as a basic trust in others, a desire to provide assistance, or a propensity to show off. Overlooking discrepancies, being distracted, following orders, assuming others know more than they actually do, wanting to help others, and fearing reprimands can also lead to attacks. Attackers are often able to bypass extensive physical and logical security controls because the victim opens an access pathway from the inside, effectively punching a hole in the secured perimeter.
The Fascinating World of Social Engineering
Social engineering is a fascinating subject. It is the means to break into the perfectly technically secured environment. Social engineering is the art of using an organization’s own people against it. Although not necessary for the CISSP exam, there are lots of excellent resources, examples, and discussions of social engineering that can increase your awareness of this security problem. Some are also highly entertaining. We suggest doing some searching on the term social engineering to discover books and online videos. You’ll find the reading informative and the video examples addicting.
The only way to protect against social engineering attacks is to teach users how to respond and interact with any form of communications, whether voice-only, face to face, IM, chat, or email. Here are some guidelines:
Always err on the side of caution whenever voice communications seem odd, out of place, or unexpected.
Always request proof of identity. This can be a driver’s license number, Social Security number, employee ID number, customer number, or a case or reference number, any of which can be easily verified. It could also take the form of having a person in the office who would recognize the caller’s voice take the call. For example, if the caller claims to be a department manager, you could confirm their identity by asking their administrative assistant to take the call.
Require callback authorizations on all voice-only requests for network alterations or activities. A callback authorization occurs when the initial client connection is disconnected, and a person or party would call the client on a predetermined number that would usually be stored in a corporate directory in order to verify the identity of the client.
Classify information (usernames, passwords, IP addresses, manager names, dial-in numbers, and so on), and clearly indicate which information can be discussed or even confirmed using voice communications.
If privileged information is requested over the phone by an individual who should know that giving out that particular information over the phone is against the company’s security policy, ask why the information is needed and verify their identity again. This incident should also be reported to the security administrator.
Never give out or change passwords via voice-only communications.
When disposing of office documentation (according to policy and regulation compliance) always use a secure disposal or destruction process, especially for any paperwork or media that contains information about the IT infrastructure or its security mechanisms.
Fraud and Abuse
Another voice communication threat is private branch exchange (PBX) fraud and abuse. Many PBX systems can be exploited by malicious individuals to avoid toll charges and hide their identity. Malicious attackers known as phreakers abuse phone systems in much the same way that attackers abuse computer networks. Phreakers may be able to gain unauthorized access to personal voice mailboxes, redirect messages, block access, and redirect inbound and outbound calls.
Countermeasures to PBX fraud and abuse include many of the same precautions you would employ to protect a typical computer network: logical or technical controls, administrative controls, and physical controls. Here are several key points to keep in mind when designing a PBX security solution:
Consider replacing remote access or long-distance calling through the PBX with a credit card or calling card system.
Restrict dial-in and dial-out features to authorized individuals who require such functionality for their work tasks.
If you still have dial-in modems, use unpublished phone numbers that are outside the prefix block range of your voice numbers.
Protect administrative interfaces for the PBX.
Block or disable any unassigned access codes or accounts.
Define an acceptable use policy and train users on how to properly use the system.
Log and audit all activities on the PBX and review the audit trails for security and use violations.
Disable maintenance modems (i.e., remote access modems used by the vendor to remotely manage, update, and tune a deployed product) and/or any form of remote administrative access.
Change all default configurations, especially passwords and capabilities related to administrative or privileged features.
Block remote calling (that is, allowing a remote caller to dial in to your PBX and then dial out again, thus directing all toll charges to the PBX host).
Deploy Direct Inward System Access (DISA) technologies to reduce PBX fraud by external parties. (But be sure to configure it properly; see the sidebar “DISA: A Disease and the Cure.”)
Keep the system current with vendor/service provider updates.
Additionally, maintaining physical access control to all PBX connection centers, phone portals, and wiring closets prevents direct intrusion from onsite attackers.
DISA: A Disease and the Cure
An often-touted “security” improvement to PBX systems is Direct Inward System Access (DISA). This system is designed to help manage external access and external control of a PBX by assigning access codes to users. Although great in concept, this system is being compromised and abused by phreakers. Once an outside phreaker learns the PBX access codes, they can often fully control and abuse the company’s telephone network. This can include using the PBX to make long-distance calls that are charged to your company’s telephone account rather than the phreaker’s phone.
DISA, like any other security feature, must be properly installed, configured, and monitored in order to obtain the desired security improvement. Simply having DISA is not sufficient. Be sure to disable all features that are not required by the organization, craft user codes/passwords that are complex and difficult to guess, and then turn on auditing to keep watch on PBX activities.
Phreaking is a specific type of attack directed toward the telephone system. Phreakers use various types of technology to circumvent the telephone system to make free long-distance calls, to alter the function of telephone service, to steal specialized services, and even to cause service disruptions. Some phreaker tools are actual devices, whereas others are just particular ways of using a regular telephone. No matter what the tool or technology actually is, phreaker tools are referred to as colored boxes (black box, red box, and so on). Over the years, many box technologies have been developed and widely used by phreakers, but only a few of them work against today’s telephone systems based on packet switching. Here are a few of the phreaker tools often used to attack telephone services:
Black boxes are used to manipulate line voltages to steal long-distance services. They are often just custom-built circuit boards with a battery and wire clips.
Red boxes are used to simulate tones of coins being deposited into a pay phone. They are usually just small tape recorders.
Blue boxes are used to simulate 2600 Hz tones to interact directly with telephone network trunk systems (that is, backbones). This could be a whistle, a tape recorder, or a digital tone generator.
White boxes are used to control the phone system. A white box is a dual-tone multifrequency (DTMF) generator (that is, a keypad). It can be a custom-built device or one of the pieces of equipment that most telephone repair personnel use.
As you probably know, cell phone security is a growing concern. Captured electronic serial numbers (ESNs) and mobile identification numbers (MINs) can be burned into blank phones to create clones (even subscriber identity modules—SIMs—can be duplicated). When a clone is used, the charges are billed to the original owner’s cell phone account. Furthermore, conversations and data transmission can be intercepted using radio frequency scanners. Also, anyone in the immediate vicinity can overhear at least one side of the conversation. So don’t talk about confidential, private, or sensitive topics in public places.
Multimedia Collaboration
Multimedia collaboration is the use of various multimedia-supporting communication solutions to enhance distance collaboration (people working on a project together remotely). Often, collaboration allows workers to work simultaneously as well as across different time frames. Collaboration can also be used for tracking changes and including multimedia functions. Collaboration can incorporate email, chat, VoIP, video conferencing, use of a whiteboard, online document editing, real-time file exchange, versioning control, and other tools. It is often a feature of advanced forms of remote meeting technology.
Remote Meeting
Remote meeting technology is used for any product, hardware, or software that allows for interaction between remote parties. These technologies and solutions are known by many other terms: digital collaboration, virtual meetings, video conferencing, software or application collaboration, shared whiteboard services, virtual training solutions, and so on. Any service that enables people to communicate, exchange data, collaborate on materials/data/documents, and otherwise perform work tasks together can be considered a remote meeting technology service.
No matter what form of multimedia collaboration is implemented, the attendant security implications must be evaluated. Does the service use strong authentication techniques? Does the communication occur across an open protocol or an encrypted tunnel? Does the solution allow for true deletion of content? Are activities of users audited and logged? Multimedia collaboration and other forms of remote meeting technology can improve the work environment and allow for input from a wider range of diverse workers across the globe, but this is only a benefit if the security of the communications solution can be ensured.
Instant Messaging
Instant messaging (IM) is a mechanism that allows for real-time text-based chat between two users located anywhere on the internet. Some IM utilities allow for file transfer, multimedia, voice and video conferencing, and more. Some forms of IM are based on a peer-to-peer service while others use a centralized controlling server. Peer-to-peer-based IM is easy for end users to deploy and use, but it’s difficult to manage from a corporate perspective because it’s generally insecure. It has numerous vulnerabilities: It’s susceptible to packet sniffing, it lacks true native security capabilities, and it provides no protection for privacy.
Many forms of traditional instant messaging lack common security features, such as encryption or user privacy. Many stand-alone IM clients have been susceptible to malicious code deposit or infection through their file transfer capabilities. Also, IM users are often subject to numerous forms of social-engineering attacks, such as impersonation or convincing a victim to reveal information that should remain confidential (such as passwords).
There are several modern instant messaging solutions to consider for both person-to-person interactions and collaboration and communications among a group. Some are public services, such as Twitter, Facebook Messenger, and Snapchat. Others are designed for private or internal use, such as Slack, Google Hangouts, Cisco Spark, Workplace by Facebook, and Skype. Most of these messaging services are designed with security as a key feature, often employing multifactor authentication and transmission encryption.
Manage Email Security
Email is one of the most widely and commonly used internet services. The email infrastructure employed on the internet primarily consists of email servers using Simple Mail Transfer Protocol (SMTP) to accept messages from clients, transport those messages to other servers, and deposit them into a user’s server-based inbox. In addition to email servers, the infrastructure includes email clients. Clients retrieve email from their server-based inboxes using Post Office Protocol version 3 (POP3) or Internet Message Access Protocol (IMAP). Clients communicate with email servers using SMTP. Many internet-compatible email systems rely on the X.400 standard for addressing and message handling.
Sendmail is the most common SMTP server for Unix systems, and Exchange is the most common SMTP server for Microsoft systems. In addition to these three popular products, numerous alternatives exist, but they all share the same basic functionality and compliance with internet email standards.
If you deploy an SMTP server, it is imperative that you properly configure authentication for both inbound and outbound mail. SMTP is designed to be a mail relay system. This means it relays mail from sender to intended recipient. However, you want to avoid turning your SMTP server into an open relay (also known as an open relay agent or relay agent), which is an SMTP server that does not authenticate senders before accepting and relaying mail. Open relays are prime targets for spammers because they allow spammers to send out floods of emails by piggybacking on an insecure
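The open-relay distinction in the paragraph above (accept inbound mail for your own domains from anyone, but relay to outside domains only for your own networks or authenticated senders) as an added Python model, not code from the book or from any mail server: it walks a simplified Postfix-style restriction list over four constructed transactions and reports whether a policy is an open relay. The restriction names permit_mynetworks, permit_sasl_authenticated and reject_unauth_destination are real Postfix names, but the evaluation semantics are a deliberately simplified assumption, and the local domain, trusted networks and client addresses are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed site data (assumptions, not from the page).
LOCAL_DOMAINS = {"example.com"}
MY_NETWORKS = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Transaction:
    client_ip: str
    authenticated: bool   # did the client complete SMTP AUTH?
    rcpt_to: str


def _in_mynetworks(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in MY_NETWORKS)


def _is_local_destination(rcpt: str) -> bool:
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def evaluate(restrictions, tx: Transaction) -> str:
    """Simplified model (an assumption, not Postfix's exact logic) of a
    restriction list: walk left to right, the first restriction that yields
    permit or reject decides, and falling off the end means permit. That
    fall-through is why leaving out reject_unauth_destination is dangerous."""
    for name in restrictions:
        if name == "permit_mynetworks" and _in_mynetworks(tx.client_ip):
            return "permit"
        if name == "permit_sasl_authenticated" and tx.authenticated:
            return "permit"
        if name == "reject_unauth_destination" and not _is_local_destination(tx.rcpt_to):
            return "reject"
        if name == "permit":
            return "permit"
        if name == "reject":
            return "reject"
    return "permit"


# Constructed transactions an auditor would check a relay policy against.
CASES = {
    "inbound_to_local_user":      Transaction("203.0.113.7",  False, "alice@example.com"),
    "internal_host_to_outside":   Transaction("10.1.2.3",     False, "bob@elsewhere.test"),
    "authenticated_roaming_user": Transaction("198.51.100.9", True,  "bob@elsewhere.test"),
    "stranger_to_outside":        Transaction("203.0.113.7",  False, "bob@elsewhere.test"),
}


def relay_matrix(restrictions) -> dict:
    """Decision for every constructed case under the given policy."""
    return {label: evaluate(restrictions, tx) for label, tx in CASES.items()}


def is_open_relay(restrictions) -> bool:
    """Open relay: an unauthenticated outside client may send to an outside domain."""
    return relay_matrix(restrictions)["stranger_to_outside"] == "permit"


# The corrected policy and the weak one beside it.
SECURE = ("permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination")
WEAK = ("permit_mynetworks", "permit_sasl_authenticated")   # falls through to permit


if __name__ == "__main__":
    for label, policy in (("secure", SECURE), ("weak", WEAK)):
        print(label, relay_matrix(policy), "open relay:", is_open_relay(policy))
```

Note that the secure policy still permits inbound_to_local_user: a server must accept mail for its own domains from strangers, and that is delivery, not relaying. Only the stranger-to-outside case distinguishes an open relay.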