CHAPTER 16

Securing Communications and Collaboration

This chapter presents the following topics:

•   Remote access

•   Unified collaboration tools

It’s an understatement to say that today’s work environments are, in a word, perpetual. Advances in communication and collaboration tools have made it possible for business professionals to be productive in more ways, at any time, and in any place. There never seems to be a moment when people aren’t working—whether at work, home, or while standing in line. Remote access and cloud-based tools are starting to provide remote users with the same enterprise-level experience previously available only to workers at the office. Not to mention that the unification of communication tools like voice, e-mail, instant messaging, meeting, video, and audio is streamlining tasks and making collaboration very convenient. Yet, our reliance on ubiquitous tool access, ease of use, multidevice support, and integration with other organizational tools has created a myriad of new security holes to mitigate.

One of the great shifts in communications lies not only with the unification aspects but also with the migration to the cloud. Yet, regardless of the channel being used for communication, or the application providing the specific type of communication service, there is a need to have the communications secured. Depending on the specifics of the communication and the channel, the security attributes of confidentiality, integrity, and availability may each require a different level of protection. In streaming communications, such as video and web conferencing, availability can have a significant impact because lost packets result in a poor user experience.

Communication systems have long been a target of hackers, spies, and other unauthorized parties. From trying to make free phone calls to eavesdropping on sensitive information in transit, communication channels are a high-priority target for many parties. With unified communications moving more and more content and communications to Internet-delivered methods, attackers have followed the communications to the Web. In this chapter, we take a look at the selection of appropriate security controls for various communications and collaboration scenarios.

Remote Access

One of the earliest renditions of unified communications is remote access. Remote access solutions enable users to connect to organizational resources and services such as files, e-mail, and web pages while not being connected directly to the work network. Multiple remote connectivity options exist, such as dial-up, VPN, and DirectAccess servers—in addition to various desktop- and application-sharing solutions. In this section, we discuss each of these solutions and their security considerations.

Dial-Up

It began a few decades ago with companies hosting dial-up remote access servers (RASs) to permit workers to connect to company files while using dial-up modems. Dial-up modems were the standard throughout the 1980s and 1990s and were responsible for connecting digital computers to analog telephone networks. These telephone networks were sometimes referred to as Public Switched Telephone Networks (PSTN) or Plain Old Telephone Service (POTS) networks.

NOTE    The word “modem” is a composite of modulation (mo) and demodulation (dem). In a simplified dial-up context, modulation refers to a sending modem encoding digital information onto an analog wave carrier. Demodulation refers to a receiving modem extracting the digital information from the analog wave carrier.

Modems were either installed into internal ISA/PCI slots or external serial/USB ports. Such modems were typically capable of sending information at a maximum of 56 Kbps, although FCC restrictions limited the connection speeds to 53 Kbps. Despite dial-up connections being rare today, some organizations maintain a dial-up server for emergency backup purposes. Risk management needs to account for dial-up security because many hackers still practice the old-school method of dial-up hacking known as wardialing, which involves an individual dialing up different modem phone numbers until an open modem accepts the connection. Wardialing was like an early form of port scanning. Consider securing dial-up solutions with the following recommendations:

•   Implement Remote Authentication Dial-in User Service (RADIUS) to provide centralized authentication, authorization, and account services for dial-up connections.

•   Limit access to authorized users via strong authentication protocols.

•   Use the Point-to-Point Protocol (PPP) as opposed to the Serial Line Internet Protocol (SLIP).

•   Limit users to authorized functions.

•   Implement security event logging.

•   Ensure physical security for network circuits.

•   Have remote access servers call back users.

•   Disallow call forwarding.

NOTE    Two protocols dominated the dial-up landscape: Serial Line Internet Protocol and Point-to-Point Protocol. PPP was superior due to supporting error detection, error correction, multiple protocols, dynamic address assignment, and authentication; plus, it was an approved Internet standard. SLIP did not have any of these qualities.

VPN

Replacing the slower dial-up servers were the faster, more secure, more flexible, and increasingly available virtual private network (VPN) servers—which were commonly accessed by a newer generation of cable modems, DSL modems, Wi-Fi, and cellular technologies. Unlike dial-up connections, which took place through a relatively private telephone line, VPN servers were typically accessed by connections over the public Internet. Such public connectivity required VPN connections to adopt a stronger assortment of protocols, including tunneling, encryption, and authentication protocols. Authentication methods such as MS-CHAPv2 or, even better, the Extensible Authentication Protocol (EAP) or the Protected Extensible Authentication Protocol (PEAP), will provide for the strongest authentication. For encryption, choose IPSec or SSL-based security. VPNs were already covered in detail in Chapters 5 and 7.

DirectAccess

Created by Microsoft starting with Windows 7 Enterprise/Ultimate and Windows Server 2008 R2, DirectAccess allows connectivity for remote users without requiring user interaction or pre-established VPN connections. It has many benefits over traditional VPN, in addition to some negatives:

DirectAccess Benefits

•   Always on    Users are always connected to the corporate network since the connection is established by the machine as opposed to the user. After logging into the workstation, the user will have immediate access to corporate resources.

•   IPv6    DirectAccess’s requirement for IPv6 ensures better end-to-end connectivity and management features.

•   Bidirectional    Unlike VPN, DirectAccess connections are bidirectional, which means the corporate network can more easily manage the DirectAccess clients from a group policy and patching perspective, even without the user being logged on.

•   Device certificate    Devices must have a certificate that indirectly serves as a type of multifactor authentication for the remote device.

•   Easy to deploy    Users can connect from anywhere and don’t require any DirectAccess client software or agents. It fits into the existing environment perfectly.

DirectAccess Negatives

•   Limited OS support    DirectAccess only supports Windows 7 Enterprise/Ultimate, Windows 8 Enterprise/Ultimate, and Windows 10 Enterprise/Education.

•   Limited role support    DirectAccess only supports domain-joined Windows devices.

•   IPv6 requirement    Although good IPv6/IPv4 tunneling options are available, some IT and security shops will be turned off or intimidated by the IPv6 requirement.

Due to limited OSs and devices supporting DirectAccess, it should be seen as complementary to VPN as opposed to a complete replacement. Organizations will generally use both solutions as needed.

Resources and Services

The whole point of remote access is to provide workers with access to corporate resources and services, regardless of the users’ whereabouts. Resources can include internal web pages, applications, e-mail, remote desktops, printers, web cameras, organizational IoT devices, and more. However, resource access should be limited to minimize the risk of organizational breaches. Since remote access, resources, and services were already covered in detail in Chapter 5, we’ll summarize with some recommended security practices for managing resource access:

•   Determine organizational goals for remote access from stakeholders.

•   Require multifactor authentication.

•   Require unique credentials.

•   Consolidate remote access tools to standardize access.

•   Lock down permissions.

•   Implement auditing and logging processes.

EXAM TIP    Enabling remote access opens up an organization to some of the greatest cybersecurity risks it’ll ever face. It is more important than ever to implement multifactor authentication requirements for remote workers.

Desktop and Application Sharing

Desktop sharing is a useful task in today’s distributed computing world. A user on his mobile device needs a file from his desktop PC when he is not in the office. Desktop sharing solutions enable a user to gain the simple functionality of retrieving the file. Workers may choose to share their entire desktops with other people during a meeting, training session, or help-desk trouble call. Desktop-sharing solutions can do other things as well, in some cases opening complete desktop functionality as if the user was sitting at the desktop itself.

NOTE    Some popular remote access tools are TeamViewer, LogMeIn, Bomgar, Microsoft Remote Desktop, and GoToMyPC.

Desktop sharing can be used in a peer-to-peer or centralized fashion through a dedicated server solution such as Microsoft Remote Desktop Services. Connections should be private and secured through strong cryptographic ciphers such as RSA and AES. Connectivity options such as connection quality, resolution, background/animation effects, file sharing, full-screen view, USB device redirection, printer redirection, and mouse and keyboard controls are typically configurable.

For security, privacy, and bandwidth-conservation reasons, a worker may choose to only share a specific application with another individual, such as with Microsoft Skype for Business. This is common during meetings or conferences when presenting a slideshow and you want to maintain confidentiality.

One of the elements associated with securing desktop sharing is the control of connections to the TCP/UDP ports and applications needed to implement this functionality. As in many aspects of security, planning plays an important role in the security of desktop and application sharing. One of the planning elements is the determination of which desktops require remote access and which do not. For the desktops that don’t require access, the use of firewalls can prevent access. For those that do require access, application-specific ports need to be opened allowing access—but additional monitoring is needed for any remote-access activities. Attempted login failures are a potential sign of an attack; therefore, use monitoring tools to keep an eye out for repeated login failures.

The other planning decision is to determine on which applications to allow desktop sharing in the organization. A quick Internet search reveals dozens of remote desktop applications in the marketplace across a variety of platforms. Attempting to manage any and all user-chosen applications is a strategy destined to fail. Remote desktop software applications should be controlled just like any other software. Packages should be evaluated, use should be limited to approved software only, and proper usage should be included in policy.

Desktop sharing also has a threat in common with video and web conferencing. When a desktop is shared with another person, content may be observed that is outside the desired objectives of the sharing operation. Imagine the reaction if a CFO shares his desktop during a web conference, a video conference, or a training session, only to have others see a folder on his desktop labeled “XYZ Acquisition” or “Layoffs.” This form of passive information leakage can occur when the principles of a clean desk are not applied to an electronic desktop. Other security considerations to keep in mind include the following:

•   Create and enforce a remote administration or remote access policy to set expectations, procedures, and guidelines on its usage.

•   Remote access should start off with “implicit deny all” with exceptions configured afterward.

•   Ensure that patches are up to date for server and client remote desktop/applications.

•   Implement strong cryptographic algorithms such as AES, RSA, and SHA-2.

•   If possible, use a security or network gateway tool to screen remote login attempts.

•   Utilize the latest version of remote administration products.

•   Ensure remote administration staff members are sufficiently trained.

•   Implement and check security logs for signs of malicious activity.

•   Ensure remote administration is enabled on required devices only.

Remote Assistance

Remote assistance is similar to remote desktop access, except that the term narrows the focus from general remote administration of systems to assisting other users. Since the goal is typically to assist other users, remote assistance benefits the recipient of the connection. On the flipside, more traditional remote desktop tools benefit the initiator by permitting private access to their own system remotely, or for remotely managing servers.

During remote assistance connections, the end user is watching the technician remotely controlling and fixing their computer. Screen sharing is supported, and file exchange and instant messaging (IM) may be available too. Plus, logs are generally kept of the connection. Unlike more “administrative” tools such as Microsoft’s Remote Desktop, the remote assistance tools often allow the user “first right of refusal” by permitting them to accept connections only upon a user-generated invitation. Even after the connection has been established, the end user generally can temporarily or permanently suspend the connection, or limit the helper’s access to read-only. Because these utilities allow remote access, they must be carefully monitored and secured.

The following is the process of sending a Microsoft Remote Assistance invitation to helpers:

1.   Run “msra” on the Windows Start Menu.

2.   Select “Invite someone you trust to help you.”

3.   Select “Save this invitation as a file.”

4.   Choose a location to save the invitation, such as a network location.

5.   Make note of the provided password.

6.   E-mail or IM the invitation file and password to the person you want to connect to your computer.

7.   The helper can double-click the invitation, type the Remote Assistance password, and complete the connection process.

Products such as Microsoft System Center Configuration Manager and Symantec’s Altiris Suite are beginning to blur the lines between remote desktop functionality, asset management, remote security management, and a host of other administrative functions. Maintaining strong control over the security of one’s remote management applications is essential to closing off a significant risk vector across the enterprise. Ensure that remote assistance connections follow a process such as connections through end-user invitations only. The opposite would be allowing helpers to “offer” assistance—which increases risk due to the heightened potential for social engineering. Most remote assistance products have AES- and/or RSA-based algorithms built in. If possible, make sure encryption is enabled with a suitable key strength of 128-bit or higher.

Unified Collaboration Tools

The term “unified communications services” refers to a wide range of products and systems if you follow the marketing literature. Using the IEC technical definition, “unified communications systems” is an industry term that describes all forms of business communication: audio, video, multimedia data, text, and messaging. Part of unified communications is the management of all these channels within a single view for the end user. Since attackers have already gone after VoIP, e-mail, instant messages, and other data streams, an important element of enterprise security is protecting these communication channels.

From an end-user and security perspective, unified communications is similar to single sign-on (SSO) in that it is easier to use by keeping all the information accessible from a single interface. In short, using unified communications makes an end user’s daily access simpler. However, it also offers adversaries the same advantage. Because all of an organization’s communications channels are together in one overlay, it’s easier to hop from system to system in search of information. This places the burden on security practitioners to implement stronger controls and to enhance audit and monitoring.

This section discusses various tools that permeate unified communications, including conferencing, collaboration, messaging, presence, social media, and cloud-based tools.

Conferencing

Just 15 years ago, most workers were tied to their desk. Within the past 10 years, most workers were in the office and utilized remote access options when at home. Today, more than half of workers have remote access to real-time conferencing tools to permit communication and collaboration from essentially anywhere, with any device. This saves time and travel expenses that might’ve been spent driving, flying, taking trains, and booking hotel rooms.

In some cases, a web browser is all that is needed to launch a web-based audio- and/or video-conferencing session. In other cases, the participants will use a client/server architecture tool, like Microsoft’s Skype for Business. The modalities chosen will vary based on the meeting participants, their devices, and the goals of the conference. This section explores web-, video-, and audio-based conferencing options in addition to their security considerations.

Web Conferencing

Web-based communications have become ubiquitous in offices since more information is shared over the Web than any other mechanism. Numerous web-based tools, such as Cisco’s WebEx and Adobe Connect, are used to conduct audio and video conferencing, in addition to allowing screen sharing and presence information. Web conferencing is seen as a low-cost and time-efficient alternative to business travel. For the end users of web conferencing technology, security is often neglected. They, in the natural course of business, examine the information they are going to share with the other parties on the conference to see if the material should be shared, but they fail to consider an outside third party.

Web conferencing piggybacks on top of existing infrastructure. Because it is up to the enterprise security staff to keep the infrastructure secure, it is reasoned that the web conferencing is secure. This can be the case if appropriate precautions are taken. Here are some of the issues/precautions to consider when using web conferencing:

•   Don’t use trialware or software with a default password and setup.

•   Understand where the material is being recorded.

•   Use secure communication channels.

•   Change passwords for invites on recurring sessions.

•   Monitor the number of active participants.

•   Mark materials being passed as sensitive and not for redistribution.

•   Ensure uninvited guests are not allowed.

Trialware and other unlicensed software frequently have default passwords and setups that allow others to easily add themselves to a conference. If the conference is being recorded on a server, the person responsible for the content should understand where that server is (internal or external) and how the material is going to be secured. If a meeting is a recurring one, different passwords should be used for each session. This prevents a replay-type attack against future events. Many web conferencing software packages have the ability to show the host how many parties are participating in the event. If the event is between two parties, and a third party shows up on the list, their presence should be questioned and understood before the information sharing takes place. Marking the materials being shared can establish legal rights should a future liability case be initiated. Many of these items are like simple door locks: They tend to keep honest people honest as opposed to serious adversaries. Nonetheless, they are still useful and important.

EXAM TIP    Most web conferencing software hosts sessions over unsecured interfaces (HTTP versus HTTPS). This makes information being shared over a web conference susceptible to packet sniffing from tools such as Wireshark, or VideoSnarf for video capture. If sensitive information is going to be discussed via a web conference, minimal protections include not using default passwords and using a secured communication channel such as HTTPS.

As with any other data-sharing exercise, it is incumbent on those sharing the information to know who they are sharing it with, why it is being shared, and how the information will be protected once it leaves the enterprise. Meeting organizers need to know who is authorized to attend, and they must manage the attendance authorization process like any other authorization process. Ensure both video and audio channels are covered and secured. Match authentication methods to the sensitivity of the data. For very critical pieces of data, consider whether you would allow connections from a foreign IP address if all attendees are in the U.S.

A key factor in securing web conferencing is to consider the implications of sharing sensitive corporate data across the Web. What protocols would you use to secure the transmission of the data? SSL? TLS? How would you handle authentication and authorization? The fact that it is web conferencing does not change the fact that it is occurring across the Web. The role of security is to architect working solutions that secure the information being shared across the insecure Web.

Video Conferencing

Video conferencing is very similar from a security perspective to web conferencing. The primary purpose of a video conference is to provide a means for face-to-face communication via a video system as opposed to actual travel. The same concerns associated with web conferencing noted in the previous section still apply.

Video conferencing equipment ranges from no cost, using the webcam and microphone on your PC, to high-end systems costing thousands of dollars. The major difference is in the quality of the data capture; however, from a security point of view, they are basically equivalent. One additional concern over those expressed in the “Web Conferencing” section is the issue of an unauthorized party activating webcams and microphones as eavesdropping devices.

CAUTION    Malware can activate a webcam without notifying the user and stream the video to an attacker. The same can happen to microphones. Worse, free mobile apps downloaded from the app stores may do the same. For these reasons, it is important to always consider what can be seen from the vantage point of the webcam and ensure that if anything is sensitive, then either the video system is powered down (actually turned off) or the line of sight is blocked.

For PCs and laptops with built-in webcams, this is yet another reason to consider whitelisting as an antimalware mechanism. The proliferation of malware today raises questions concerning the effectiveness of antimalware programs against advanced threats. If a machine is going to be employed in a sensitive area of a firm, a wise precaution would be to buy one without the webcam. Simply removing the driver doesn’t work because the malware can replace the driver without notifying a user.

Although antimalware tools won’t remove all malware, they must still be employed. However, it’s not just malware you should fear. Security professionals must also limit the app permissions, or prohibit the use of mobile applications, that require camera permissions.

Audio Conferencing

Whether a web-based or locally installed communications tool, most conferencing products are both video and audio based. Since video capabilities are not always needed, most of the time it’s a simple checkbox to turn off the video and utilize audio only. This may be done for privacy and confidentiality reasons, and also to reduce the bandwidth requirements normally needed by video output. For example, it is common with online training for the instructor to utilize both audio and video; meanwhile, the students may opt to use audio only. The following are some audio conferencing security recommendations:

•   Lock down conference requirements such as maximum participants, inactive participants, and sub-conference rooms.

•   Define whether conference audio recordings are permissible and, if so, what the encryption and download requirements are.

•   Define roles and privileges for callers based on contact list or directory listings.

•   Use dynamic personal identification numbers (PINs) so that unauthorized callers cannot get in with old PINs.

Storage and Document Collaboration Tools

At their most basic, storage and document collaboration tools provide online file-sharing services between local and geographically distributed teams. If document sharing is the goal, products like Microsoft OneDrive, Google Drive, Dropbox, and Box are all worthy contenders. Somewhat misunderstood is the fact that most online file-sharing tools do more than just store and share files. For example, Microsoft OneDrive provides free online light versions of Office products—Word Online, Excel Online, PowerPoint Online, and OneNote Online—that permit creating/editing/saving of real Microsoft Office files. On the downside, OneDrive only provides 5GB of online space for free accounts.

NOTE    OneDrive customers may elect to convert their free account to an Office 365 subscription, which will include, at a minimum, 1TB of OneDrive for Business storage, plus access to a downloadable Microsoft Office Professional suite.

Most free storage and collaboration tools also include file versioning, apps on mobile and desktop OSs, plus real-time and/or asynchronous file-sync options between the cloud and local devices.

The downside to free online file-sharing products is the lack of security and control. Although connections to these websites will likely utilize SSL/TLS, the following are security challenges you’ll likely experience with most free online file-sharing sites:

•   Files probably stored and processed on the website unencrypted

•   Access controls/permissions not granular enough

•   Little to no auditing capabilities

•   No remote wiping

•   No independent backup options

•   Lack of compliance offerings

•   Lack of expiration dates and download limits for links

•   Single-factor authentication

•   Little to no reporting capabilities

•   No malware protection

In most cases, better security, control, and compliance offerings will come from purchasing access to more powerful storage and collaboration products, which will be discussed later in this section.

Unified Communications

Unified communications synergize individual communication features, such as web, video and audio conferencing, instant messaging, presence, and e-mail, into a single entity. This will help improve the efficiency of business processes involving company communications and collaboration. Once upon a time e-mails, instant messages, phone calls, and voice mails were separate processes—yet today you’re likely to see the following process take place via Microsoft’s Skype for Business 2016 and Outlook 2016.

1.   Using Skype for Business 2016, Alice sends an instant message to Bob since Bob’s presence information appears on Alice’s contact list as “available.”

2.   If Bob does not reply to the instant message, Alice clicks on Bob’s name and selects to call him via VoIP.

3.   If Bob does not answer the phone call, Alice leaves Bob a voice mail via the VoIP connection.

4.   Bob receives an e-mail on his Outlook 2016 work account that he missed a phone call and that a voice mail is attached. The e-mail also transcribes the voice mail so that Bob can choose to “read” the voice mail or listen to it.

5.   Bob clicks on Alice’s name listed on his Outlook 2016 contacts list, or in a recent e-mail, and chooses to call, instant message, video conference, or leave a voice mail for Alice.

Although unified communications is an umbrella term that may include more or less than what is described, this scenario is very common in office and remote worker environments today.

NOTE    Other major unified communications products to look at include Amazon’s Chime, Google Hangouts, Cisco Spark, and Facebook Workplace.

Chipping away at the on-premises unified communications industry is Unified Communications as a Service (UCaaS), which promises to shift unified communications into the provider-based cloud computing realm. This is an inevitable trend given the mass migration that organizations have already begun toward cloud computing—plus the inherent cost benefits and simplicity of procuring an entire company phone system by simply subscribing to a website.

The conveniences of integrated product offerings like unified communications are tempered by its security challenges. With all communications being sent over data networks, we will need to implement security controls that mitigate the following risk factors:

•   Eavesdropping on IM, audio, and video communications

•   Hijacked voice services for long-distance calls

•   Vishing (voice phishing) over VoIP devices, as opposed to phishing via e-mail accounts

•   Denial of service attacks crashing phones

•   Malware infecting communications applications

Instant Messaging

Instant messaging (IM) provides computer-mediated near-real-time communication between parties by means of a software application. Numerous applications permit this activity as well as the sharing of files directly between users. The security exposure associated with IM is fairly obvious—information sharing outside normal channels. Even internal to a company, IM traffic is typically plaintext and base64-encoded files, making the communication channel easy to eavesdrop on.

Although external IM usage has dropped off in some instances, IM is still a very popular means of two-way communication between users for real-time issues inside corporate networks. E-mail is now considered slow and old by many newer-generation employees. The advantages of IM for real-time communication have resulted in products designed to take advantage of this form of communication. Products now enable logging as well as meetings with file sharing and integration via contacts and address books to enable quick user location. Some of these clients offer statuses, allowing one to see if someone is in their office, is currently typing, and so on.

The standard threats are malware injections coming in via IM and sensitive information leaving via IM. These can occur by way of file transfers or in some cases in the text being sent. Logging of IM adds another dimension because sensitive information can then end up in log files. Although antivirus scanners have been relied upon for years as the protection of choice against viruses, worms, and other forms of malware, with today’s spear-phishing, individually crafted malware attacks, antimalware solutions are not nearly as effective as in the past.

EXAM TIP    Unwanted IM communication has entered the environment. SPAM via IM is referred to as SPIM (SPAM over instant messaging).

As with all modern communication products, an important first step is the drafting of a communications policy to ensure intentions for proper usage and security are clearly stated and enforced. Stemming from this policy should be an informed and aware user population. Users need to know that communication channels are a prime target for information thieves and that using IM tools can have significant security impacts on an organization. Beyond user awareness, failing to use an encrypted channel exposes IM sessions to eavesdropping, man-in-the-middle, and hijacking attacks. Transport encryption should be configured on the IM client or, if available, on the communications server.

Presence

“Presence” is a term used to describe the knowledge of a person’s availability. This is one of the strengths of a unified communications solution because it can combine multiple media channels, including IM, telephone, e-mail, video conferencing, and others. Add in a person’s calendar function and you can determine when to schedule a meeting, when to hold a conference call, and so on. This is certainly more efficient than the previous method of asking, rescheduling, asking again, and so on.

When you’re trying to call someone, presence functionality can help direct your phone call to the correct device, whether it is a desk phone or a mobile device. This improves the connectivity and availability for critical response situations. Gone are the days of trying multiple phone numbers and leaving multiple voice mails when trying to track someone down.

Presence also brings complexity: with multiple vendors and protocols, coupled with the lack of industry-wide standards, IT staffs will be busy authenticating presence elements from multiple vendors across multiple platforms. Security and privacy also become an issue. Presence information is another form of information that raises the question of which “watchers” need to know. Watchers are the users or presence subscribers that request presence information from a presence service such as a Skype for Business contacts list. We must figure out how to build a communications platform that enables presence information for some watchers while being more restrictive to other watchers. Because these systems tend to be multiple vendor, multiple platform, and multiple protocol in nature, building a security solution across them is a challenge.

NOTE    In an effort to address the consistency challenges of presence, standards bodies have worked to standardize presence processes. The most widely deployed open standard is the Extensible Messaging and Presence Protocol (XMPP), maintained by the XMPP Standards Foundation and published by the IETF (RFC 6120 for the core protocol and RFC 6121 for instant messaging and presence). XMPP has been implemented by many consumer and enterprise services, including, historically, Facebook Messenger and Google Talk.
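
The watcher-authorization problem described above can be made concrete with a small presence service modelled on XMPP’s subscription states. The following is an added example, not code from this chapter or from the XMPP Standards Foundation: the roster layout, the two visibility tiers (“full” and “limited”), the trusted-domain rule for approving subscriptions, and the sample stanzas are all assumptions made for illustration. Only watchers holding a “from” or “both” subscription receive presence at all, and “limited” watchers are told only whether the user is available, never the <show> or <status> details.

```python
"""Presence fan-out with per-watcher restrictions, modelled on XMPP (RFC 6121).

Added example, not code from the page or from the XMPP Standards Foundation.
The roster layout, the two visibility tiers ("full"/"limited"), the trusted-
domain rule and the sample stanzas are assumptions made for illustration.
"""
import xml.etree.ElementTree as ET

# Publisher's roster keyed by watcher bare JID. "subscription" uses RFC 6121
# states: "both"/"from" = watcher may receive our presence; "to"/"none" = not.
# "tier" is the assumed policy knob: "full" watchers get <show> and <status>,
# "limited" watchers learn only available/unavailable.
ROSTER = {
    "ceo@example.com":        {"subscription": "both", "tier": "full"},
    "helpdesk@example.com":   {"subscription": "from", "tier": "limited"},
    "vendor@partner.example": {"subscription": "to",   "tier": "full"},
    "stranger@example.net":   {"subscription": "none", "tier": "full"},
}

# Constructed presence broadcast (no 'to' attribute: the server fans it out).
SAMPLE_PRESENCE = (
    '<presence xmlns="jabber:client" from="alice@example.com/laptop">'
    "<show>dnd</show><status>In M&amp;A negotiation, room 4</status></presence>"
)
# Constructed subscription requests, one internal and one from an unknown domain.
SUBSCRIBE_INTERNAL = '<presence from="newhire@example.com/phone" type="subscribe"/>'
SUBSCRIBE_EXTERNAL = '<presence from="stranger@example.net/pc" type="subscribe"/>'


def _local(tag):            # strip an XML namespace: "{jabber:client}show" -> "show"
    return tag.rsplit("}", 1)[-1]


def _child_text(root, name):
    for c in root:
        if _local(c.tag) == name:
            return c.text
    return None


def parse_presence(xml_text):
    """Reduce a presence stanza to its security-relevant fields."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "presence":
        raise ValueError("not a presence stanza")
    return {
        "from": root.get("from"),
        "type": root.get("type", "available"),
        "show": _child_text(root, "show"),
        "status": _child_text(root, "status"),
    }


def authorized_watchers(roster):
    """Only watchers that hold a 'from' or 'both' subscription receive presence."""
    return [jid for jid, e in roster.items() if e["subscription"] in ("both", "from")]


def fan_out(xml_text, roster):
    """Return {watcher_jid: stanza} with the view reduced to each watcher's tier."""
    p = parse_presence(xml_text)
    out = {}
    for jid in authorized_watchers(roster):
        el = ET.Element("presence", {"from": p["from"], "to": jid})
        if p["type"] != "available":
            el.set("type", p["type"])
        if roster[jid]["tier"] == "full":          # limited tier: availability only
            if p["show"]:
                ET.SubElement(el, "show").text = p["show"]
            if p["status"]:
                ET.SubElement(el, "status").text = p["status"]
        out[jid] = ET.tostring(el, encoding="unicode")
    return out


def handle_subscribe(xml_text, roster, trusted_domains=("example.com",)):
    """Approve subscription requests only from trusted domains; everyone else
    gets 'unsubscribed' and never enters the roster, so they see nothing."""
    p = parse_presence(xml_text)
    if p["type"] != "subscribe":
        raise ValueError("not a subscription request")
    watcher = p["from"].split("/", 1)[0]           # bare JID, resource stripped
    approve = watcher.rsplit("@", 1)[-1] in trusted_domains
    if approve:
        entry = roster.setdefault(watcher, {"subscription": "none", "tier": "limited"})
        entry["subscription"] = "both" if entry["subscription"] == "to" else "from"
    reply = ET.Element("presence", {"to": watcher,
                                    "type": "subscribed" if approve else "unsubscribed"})
    return ET.tostring(reply, encoding="unicode")
```

Running fan_out(SAMPLE_PRESENCE, ROSTER) yields stanzas for the CEO and the help desk only: the vendor holds a “to” subscription (we watch them, not the reverse) and the stranger is not subscribed at all, while the help desk copy carries no <show> or <status>. Real XMPP servers implement the equivalent of the tier rule with privacy lists or blocking commands; the point to carry over is that subscription state and content reduction are enforced on the server, not left to the watcher’s client.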

E-mail

E-mail is one of the most widely used applications in the enterprise and also one of the most difficult to secure. Primarily built on three protocols, e-mail provides for asynchronous cleartext communication between users, with a wide variety of file-sharing options. Typical e-mail operations involve both client and server applications and offer both internal and external communication channels.

Here are the primary protocols involved in e-mail:

•   Simple Mail Transfer Protocol (SMTP)    The protocol for transferring mail between mail servers across IP networks. Server-to-server relay uses TCP port 25 by default; mail clients submitting outbound messages to their own server use the message submission service on TCP port 587 (with STARTTLS) or TCP port 465 (implicit TLS). SMTP is spoken by mail server software and by the sending side of client mail applications, whereas clients retrieve mail from the server with POP or IMAP.

•   Post Office Protocol (POP)    A protocol designed for e-mail retrieval on client machines. This is an application layer protocol whose typical function is to connect to a mail server, retrieve all messages for the client, and then delete them from the server. The current version is POP3; it operates over TCP port 110 in cleartext mode (with optional STARTTLS) and over TCP port 995 when the connection is wrapped in TLS/SSL from the start. IMAP, described next, is likewise an open IETF standard and provides richer server-side mailbox operations.

•   Internet Message Access Protocol (IMAP)    An application-level protocol for mail access by clients over TCP port 143 (or port 993 when wrapped in TLS/SSL). Supported by virtually all mail clients, this protocol provides the remote access functionality associated with e-mail, including the creation and deletion of mailboxes on a server, with messages remaining on the server rather than being downloaded and deleted. IMAP is currently in version 4 and is referred to as IMAP4 (the IMAP4rev1 revision is the one in common use).

E-mail is as ubiquitous an application as any, with it proliferating on all device types. E-mail was designed in an era before security was a major concern, and many users are ignorant of how it operates and how it can expose their systems to risk. E-mail is, at its core, a cleartext technology: message bodies and attachments travel as plaintext unless each hop is protected by TLS (opportunistic STARTTLS between servers is now common but is not guaranteed) or the message itself is encrypted end to end, so any unprotected hop is susceptible to easy eavesdropping. Because of its ubiquity, e-mail became a mechanism for criminals, resulting in SPAM (unsolicited bulk e-mail). Although users are becoming savvy toward SPAM, a more targeted form called spear phishing has arisen, which involves sending a message that appears legitimate to coax a specific user into downloading a file or clicking a link. URL-shortening services, now commonplace, hide the true destination of a link and have become an effective aid in delivering malware.

E-mail can be secured at two levels. Transport security (TLS between client and server, and between servers) is now widely available and should simply be enabled everywhere. End-to-end protection of message content is harder: S/MIME requires a certificate for every user, and therefore a sophisticated and extensive PKI, while OpenPGP requires its own key distribution. Because both ends of the communication must hold and trust each other’s keys, the key management ramifications can be significant, which is why many organizations protect e-mail in transit but leave end-to-end encryption to governments and specialized firms.
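
The transport-level protection just described hinges on one negotiation step: the server advertises STARTTLS in its EHLO reply, and the client upgrades before sending anything sensitive. An on-path attacker who deletes that one line (“STARTTLS stripping”) causes a naive client to authenticate in cleartext. The following is an added example, not code from this chapter: the two server transcripts are constructed, and the function names and the require_tls policy are assumptions made for illustration.

```python
"""Client-side SMTP transport policy built on the EHLO negotiation (RFC 5321,
STARTTLS per RFC 3207). Added example, not from the page; the two server
transcripts are constructed and the function names and the require_tls policy
are assumptions made for illustration.
"""
import re

# Constructed EHLO reply from a submission server (port 587) that offers TLS.
EHLO_OK = (
    "250-mail.example.com Hello client.example.net\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
# Constructed reply as seen through an on-path attacker that deletes the
# STARTTLS line ("STARTTLS stripping"): a naive client will AUTH in cleartext.
EHLO_STRIPPED = (
    "250-mail.example.com Hello client.example.net\r\n"
    "250-SIZE 35882577\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def parse_ehlo(response):
    """Map advertised extension keywords to their parameters.
    Any line that is not a well-formed 250 reply is an error, never 'no extensions'."""
    lines = response.strip("\r\n").split("\r\n")
    exts = {}
    for i, line in enumerate(lines):
        m = re.fullmatch(r"250([ -])(.*)", line)
        if not m:
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        sep, body = m.groups()
        if (sep == " ") != (i == len(lines) - 1):   # '-' continues, ' ' ends the reply
            raise ValueError("malformed multi-line reply")
        if i == 0:                                   # first line is the greeting
            continue
        words = body.split()
        if words:
            exts[words[0].upper()] = words[1:]
    return exts


def plan_submission(ehlo_response, require_tls=True):
    """Commands a client should issue before MAIL FROM. With require_tls set,
    refuse to authenticate when STARTTLS is absent instead of falling back."""
    exts = parse_ehlo(ehlo_response)
    cmds = []
    if "STARTTLS" in exts:
        # RFC 3207: after the TLS handshake the client must discard what it
        # learned and issue EHLO again; this example assumes the post-TLS
        # reply advertises the same AUTH mechanisms.
        cmds += ["STARTTLS", "EHLO client.example.net"]
    elif require_tls:
        raise ConnectionAbortedError(
            "server did not offer STARTTLS; refusing to send credentials in cleartext")
    if "AUTH" in exts:
        mechs = exts["AUTH"]
        cmds.append("AUTH " + ("PLAIN" if "PLAIN" in mechs else mechs[0]))
    return cmds
```

With EHLO_OK the plan is STARTTLS, a fresh EHLO, then AUTH; with EHLO_STRIPPED and the default policy the client aborts rather than sending its password. Python’s own smtplib behaves the same way when asked: SMTP.starttls() raises SMTPNotSupportedError if the server did not advertise the extension, and using SMTP_SSL on port 465 avoids the negotiation entirely. For server-to-server traffic, where the sender cannot simply abort, MTA-STS and DANE give the receiving domain a way to declare that TLS is mandatory.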

Entire books have been written about securing e-mail systems, but the basics are relatively easy. Users need to be aware of the threats—and not just from SPAM, but from spear phishing, a leading method of targeted attacks. Users need to understand that the information in an e-mail and its attachments is no longer under the same security umbrella as information in a database store, for instance. If the secret recipe for your product is secured in a database, accessible by only certain executives and from certain machines, sending the information between these same executives via e-mail can negate all the current levels of protection.

Telephony and VoIP Integration

Telephones may be considered “old school,” but they are still a valuable business tool and are present in all businesses. The original telephone systems were analog devices, separate from computer systems. Then the phone systems became digital, and the interconnection to computer systems became inevitable. Businesses with multiple phones connect them with private branch exchanges (PBXs) to minimize the number of external lines needed. PBX systems can provide a wide range of services, including metering and controlling long-distance and other tariff calls. This one feature makes them a target for scammers who can break into the PBX and steal long-distance time. This is facilitated by system administrators not changing the default passwords for the system, thus allowing attackers relatively easy access.

Changing default passwords (PINs) is also important for user voice mailboxes. An adversary who gains access to a mailbox can change the greeting to “Yes, I will accept the charges,” which can fool automated collect-call systems into billing toll charges to the mailbox owner’s line. When employees leave, their mailboxes should be closed, and all unused mailboxes should be either disabled or monitored to prevent unauthorized use.

In the beginning, we had PSTNs and we implemented methods to run data over the analog voice circuits. Then the PSTN became an all-digital network, making the voice signal in essence a data signal. Today, we run voice over the data networks, bypassing the PSTN entirely in some cases. When voice is transmitted using the Internet Protocol, we refer to the technology as Voice over IP (VoIP).

VoIP is the encapsulation of voice data in IP packets, using IP networks to move voice between clients (telephones). Because the media stream is not encrypted unless SRTP is deployed, VoIP traffic is subject to interception and disclosure. As with all network traffic, it is essential to protect the networking devices themselves, both physically and through their management interfaces: an attacker who can configure a switch can use port mirroring (Cisco’s Switched Port Analyzer, or SPAN) to copy every packet of the voice VLAN to a port they control, and an attacker with physical access can insert a passive tap.

EXAM TIP    Encryption can be useful for the protection of data from disclosure, yet in cases such as VoIP, the added processing and per-packet overhead can increase latency and, on constrained devices or links, degrade signal quality. (SRTP was designed to keep this overhead small: the payload length is unchanged and only an authentication tag of a few bytes is added to each packet.)

VoIP is a complex set of protocols: signaling (most commonly SIP, carried over UDP or TCP, or over TLS when secured) sets up and tears down calls, and the media itself travels as RTP over UDP (SRTP when encrypted). Whereas old PSTN-based telephones were single-purpose devices, VoIP implementation can be on specialty devices such as handsets, computers, or even mobile devices. The versatility of some VoIP devices is both a blessing and a curse. The versatility allows flexibility, but it also exposes the VoIP to risk from vulnerabilities associated with the platform. The risk goes both ways. A vulnerability on the platform can expose the VoIP traffic to risk, and a vulnerability associated with the softphone can expose the platform to risk.

A hardware phone separates the VoIP application from a multiuse platform, reducing overall risk but also increasing costs. Both softphones and separate hardware phones have network dependencies, and the security of the network can affect the security of the traffic and applications. As in most network security issues, one of the key elements is understanding the services being carried and implementing an architecture to support the required services. VLANs can be useful in segregating traffic and making it harder for attackers to sniff traffic.

Managing the traffic across the network is important in unified communications networks, as VoIP implementations have quality of service (QoS) dependencies. File transfers and e-mail are fine with packet delays, but VoIP quality is highly dependent on QoS. Packet delay and latency issues can quickly degrade VoIP quality.

EXAM TIP    Two QoS issues associated with VoIP are jitter and latency. Jitter is the variation in transmission latency from packet to packet. Latency is the delay associated with a given packet. For ideal VoIP, both low jitter and low latency are desired (minimal variation in the delays between packets and minimal delay for packets, respectively).
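
The distinction the exam tip draws becomes concrete once you compute both quantities from packet timings. The following is an added example, not code from this chapter: it measures one-way latency, the interarrival jitter estimator defined in RFC 3550 (the RTP specification), and sequence-number loss over constructed packet samples. The thresholds (150 ms one-way delay, the figure ITU-T G.114 gives as the upper limit for acceptable interactive voice; 30 ms jitter; 1 percent loss) are assumed rules of thumb, not numbers from the chapter, and the Packet layout and function names are likewise assumptions.

```python
"""Latency, RFC 3550 interarrival jitter and packet loss computed from RTP
packet timings. Added example, not from the page. The packet samples are
constructed, and the thresholds (150 ms one-way delay from ITU-T G.114,
30 ms jitter, 1 % loss) are assumed rules of thumb, not numbers from the chapter.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    seq: int          # RTP sequence number
    sent_ms: float    # sender timestamp (ms); latency needs clocks in sync
    recv_ms: float    # receiver arrival time (ms)


# Constructed: 20 ms packetisation, 60 ms path delay that climbs to ~250 ms as
# congestion builds (the scenario of Question 8), plus one lost packet (seq 5).
CONGESTED = [
    Packet(0,   0,  60), Packet(1,  20,  80), Packet(2,  40, 105),
    Packet(3,  60, 200), Packet(4,  80, 330), Packet(6, 120, 380),
    Packet(7, 140, 395), Packet(8, 160, 410),
]


def synth_stream(n, base_delay_ms, alt_delay_ms, period_ms=20):
    """Constructed stream whose delay alternates every packet: modest latency,
    high jitter. Used to show the two problems are independent."""
    return [Packet(i, i * period_ms,
                   i * period_ms + (base_delay_ms if i % 2 == 0 else alt_delay_ms))
            for i in range(n)]


def one_way_latency(pkts):
    """(mean, max) one-way delay in ms."""
    d = [p.recv_ms - p.sent_ms for p in pkts]
    return sum(d) / len(d), max(d)


def rfc3550_jitter(pkts):
    """Interarrival jitter J per RFC 3550 section 6.4.1:
    D(i-1,i) = (R_i - R_{i-1}) - (S_i - S_{i-1});  J_i = J_{i-1} + (|D| - J_{i-1}) / 16.
    The 1/16 gain smooths the estimate, so a few outliers barely move it."""
    j = 0.0
    for prev, cur in zip(pkts, pkts[1:]):
        d = (cur.recv_ms - prev.recv_ms) - (cur.sent_ms - prev.sent_ms)
        j += (abs(d) - j) / 16
    return j


def packet_loss(pkts):
    """Fraction of expected packets missing, from gaps in sequence numbers."""
    expected = pkts[-1].seq - pkts[0].seq + 1
    return 1 - len(pkts) / expected


def assess(pkts, max_latency_ms=150.0, max_jitter_ms=30.0, max_loss=0.01):
    """Name the QoS problems a stream exhibits. Latency and jitter are reported
    separately because they have different causes (path delay and queueing
    versus variable queueing) and different fixes (routing/prioritisation
    versus a larger jitter buffer)."""
    mean_lat, max_lat = one_way_latency(pkts)
    jit, loss = rfc3550_jitter(pkts), packet_loss(pkts)
    problems = [name for name, bad in (("latency", mean_lat > max_latency_ms),
                                       ("jitter", jit > max_jitter_ms),
                                       ("loss", loss > max_loss)) if bad]
    return {"mean_latency_ms": round(mean_lat, 1), "max_latency_ms": max_lat,
            "jitter_ms": round(jit, 2), "loss": round(loss, 3), "problems": problems}
```

For the CONGESTED sample, assess() reports a mean one-way delay of 167.5 ms and 11 percent loss but only about 10.7 ms of jitter: the delays are large and growing, not erratic, which is latency. For synth_stream(40, 60, 160) the mean delay is a comfortable 110 ms while the estimator converges toward the 100 ms swing between consecutive packets and flags jitter alone. A jitter buffer fixes the second case at the cost of extra delay; it does nothing for the first.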

Securing VoIP is an industry-wide issue. As in all complex technology implementations, the rate of advancement outpaces the rate of security requirement achievement. This gap is one that firms will need to take specific actions to monitor and close. An industry group called the Voice over IP Security Alliance (VOIPSA) has been created to assist users, vendors, and implementers with the task of managing VoIP security issues. The VOIPSA website offers best-practice recommendations and links to tools for monitoring and managing security issues.

Collaboration Sites

Although we discussed some basic storage and document collaboration tools earlier, they lacked many important features needed by enterprises. Larger organizations will need powerful and flexible collaboration tools in order to address the collaboration needs of a disparate workforce. The first one that often comes to mind is Microsoft SharePoint. SharePoint can be installed on-premises or utilized in the cloud via Microsoft Office 365. SharePoint goes far beyond online file sharing by offering the following capabilities:

•   Creating team sites and customer-facing sites from multiple templates

•   Integration with countless Microsoft and third-party products

•   Business intelligence and dashboards

•   Enterprise search

•   Records management

•   Workflows

•   Custom code

•   Granular permissions

•   Information rights management

•   Role-based access control

•   Social media

•   Document versioning

NOTE    Alternatives to SharePoint exist, such as Google Drive for Business, Box for Business, Process Street, Confluence, and Workzone. Research multiple vendors to find the product with the best balance of functionalities, ease of use, and security.

Some important security considerations for collaboration sites include strong authentication—preferably multifactor authentication, if supported—as well as the use of groups to aggregate users and then standardize their access to relevant content. You’ll also want to limit who has access to the collaboration environment, and also limit members with administrative-level privileges to prevent privilege abuse. If not enabled by default, ensure encryption of data in transit and at rest is enabled and configured. Enterprise-level collaboration tools should include auditing, reporting, and even some analysis tools, so be sure to configure these. Also important is advising users to lock down their devices with drive encryption and PIN access just in case their device synchronizes content to/from the collaboration environments. If remote wipe and remote backup options are available, be sure to configure these as well.

Social Media

For every organization that finds social media sites too risky to be of sufficient use, there are other organizations looking to capitalize on its numerous benefits. In terms of Internet-based social networking sites like LinkedIn, Facebook, Twitter, and YouTube, organizations may experience several of the following benefits:

•   Generating business leads

•   Demonstrating organizational expertise

•   Enhancing marketing

•   Increasing sales

•   Improving brand awareness

•   Reducing communication costs

•   Improving search rankings

•   Recruiting employees

•   Improving customer communication practices

•   Providing better customer service

•   Creating research opportunities

•   Improving market research

•   Increasing website traffic

Despite the many benefits that social media provides to organizations, there are many reasons why other organizations avoid social media like the plague. Here’s a summary of a few of them:

•   Malware

•   Personal information disclosure

•   Loss of intellectual property

•   Confidential information leaked

•   Loss of organizational reputation

•   Employee or customer defamation

•   Social engineering

•   Identity theft

•   Reduced employee productivity

•   Damage to organizational infrastructure

•   Compliance issues

Although social media carries some risk, the benefits generally outweigh the negatives if you take a layered approach: secure the network and the devices, and back that up with policies, procedures, and user awareness.

Not all social media is public, as with the preceding products. Some organizations prefer an enterprise social network that only their own users can reach. A popular example of such a service is Yammer, which was acquired by Microsoft. Unlike public social media platforms, a Yammer network is scoped to the organization’s tenant: only users with an account in the organization’s domain can join it. Yammer provides numerous private features to organizations, including enterprise microblogging, Office 365 integration, company directories, profile pages, file transfer, chat, collaboration workspaces and tools, employee communities—and the list goes on.

NOTE    Because a Yammer network is restricted to the organization’s own identities and integrated with its Office 365 tenant, organizations get tighter integration with their infrastructure as well as greater security, control, content insight, and productivity than with public social media sites. It is still a cloud-hosted service, however, so the considerations described under “Cloud-Based Collaboration” apply to it as well.

Cloud-Based Collaboration

Cloud-based collaboration sites fill the collective need of having the enterprise-level collaboration capabilities typically provided on-premises, but with the ease of access and flexibility offered by an Internet cloud provider. Microsoft Office 365 provides several cloud-based collaboration tools, including SharePoint Online (essentially a cloud-hosted version of Microsoft SharePoint) and Microsoft Teams. Other, non-Microsoft tools include ezTalks Cloud Meeting, Evernote, Cisco WebEx, and Prezi. Cloud-based collaboration sites provide several benefits, including the following:

•   Cost-effective (pay by usage)

•   Compatible across multiple OSs and device types

•   Reduce collaboration barriers to entry

•   Simplify collaboration between local and global team members

Since cloud-based collaboration sites are hosted by another organization, you might experience reductions in or changes to data security controls, privacy, auditing, and regulatory compliance. As such, be sure to research various cloud providers to ensure that their tools provide the closest fit to your organization’s objectives, functions, cost requirements, and regulatory requirements. Ensure that the tool provides adequate encryption for data in transit and at rest. It’s also important that the tool support multifactor authentication, protect data through DLP processes, and offer adequate tracking and auditing capabilities.

Chapter Review

This chapter covered the selection of appropriate security controls given various communications and collaboration scenarios. We began with coverage on remote access methods such as the legacy dial-up RAS servers, which are still subject to wardialing attacks. We then highlighted VPN and a few encryption and authentication recommendations. Remote access methods ended with Microsoft’s DirectAccess, which provides easier, more integrated and manageable remote access than VPN. We then looked at security recommendations for enterprise resources and services. Next was desktop- and application-sharing methods and security considerations such as cryptography, policies, patching, and others. This section ended on remote assistance with Microsoft’s Remote Assistance product being highlighted.

The next section covered unified collaboration tools such as web, video, and audio conferencing. These conferencing methods share many security requirements, including transport encryption, strict authentication, and defined roles and privileges. Next was storage and document collaboration tools, which highlighted Microsoft’s OneDrive. We also took a look at the various features that are commonly missing from free online file-sharing tools, such as encryption of data at rest and in transit, granular permissions, auditing, and compliance offerings. We then covered unified communications techniques, such as instant messaging, which has antimalware, transport encryption, and logging requirements for improved security. Following instant messaging was the topic of presence information and its authentication and authorization security requirements. We then moved on to e-mail security, including coverage and security suggestions for protocols such as SMTP, POP3, and IMAP4. Telephony and VoIP integration topics and their security requirements followed, with the chapter ending on collaboration sites, social media, and cloud-based tools.

Quick Tips

The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.

Remote Access

•   Remote access solutions enable users to connect to organizational resources and services such as files, e-mail, and web pages, while not being connected directly to the work network.

•   Dial-up modems were the standard throughout the 1980s and 1990s. They connected digital computers to analog telephone networks.

•   The telephone networks were sometimes referred to as Public Switched Telephone Networks (PSTNs) or Plain Old Telephone Service (POTS) networks.

•   Some organizations maintain a dial-up server for emergency backup purposes.

•   Wardialing involves an individual dialing up different modem phone numbers until an open modem accepts the connection.

•   VPN connections use a stronger assortment of protocols, including tunneling, encryption, and authentication protocols.

•   DirectAccess allows connectivity for remote users without requiring user interaction or pre-established VPN connections.

•   Due to limited OSs and devices supporting DirectAccess, it should be seen as complementary to VPN as opposed to a complete replacement.

•   Resources can include internal web pages, applications, e-mail, remote desktops, printers, web cameras, organizational IoT devices, and more.

•   Desktop-sharing solutions enable a user to gain the simple functionality of retrieving a file.

•   Desktop-sharing connections should be secured through strong cryptographic algorithms such as RSA and AES.

•   For security, privacy, and bandwidth-conservation reasons, a worker may choose to only share a specific application with another individual.

•   Remote assistance is similar to remote desktop access, except that the term narrows the focus from general remote administration of systems to assisting other users.

Unified Collaboration Tools

•   Unified communications is an industry term that describes all forms of business communication: audio, video, multimedia data, text, and messaging.

•   Part of unified communications is the management of all these channels into a single view for the end user.

•   Most of today’s workers have remote access to real-time conferencing tools to permit communication and collaboration from essentially anywhere with any device.

•   In some cases, a web browser is all that is needed to launch a web-based audio- and/or video-conferencing session.

•   The primary purpose of a video conference is to provide a means for face-to-face communication via a video system, as opposed to actual travel.

•   Video conferencing is very similar from a security perspective to web conferencing.

•   Audio conferencing provides most of the important benefits of conferencing, but with increased privacy and confidentiality compared to that of video conferencing.

•   Storage and document collaboration tools provide online file-sharing services between local and geographically distributed teams.

•   Better security, control, and compliance offerings will come from purchasing access to more powerful storage and collaboration products.

•   Instant messaging (IM) provides computer-mediated near-real-time communication between parties by means of a software application.

•   Transport encryption should be configured on the IM client or, if available, on the communications server.

•   Presence is a term used to describe the knowledge of a person’s availability.

•   E-mail is one of the most widely used applications in the enterprise and also one of the most difficult to secure.

•   Although e-mail can be secured using secure transport and encrypted information transfers, end-to-end encryption of message content requires a sophisticated and extensive PKI implementation.

•   VoIP is the encapsulation of voice data in an IP packet by using IP networks to move voice data between clients (telephones).

•   VoIP’s general lack of encryption subjects its communications to exploitation and disclosure.

•   Larger organizations will need powerful and flexible collaboration tools—such as Microsoft SharePoint—in order to address the collaboration needs of a disparate workforce.

•   For every organization that finds social media sites too risky to be of sufficient use, there are other organizations looking to capitalize on social media’s numerous benefits.

•   Cloud-based collaboration sites fill the collective need of having the enterprise-level collaboration capabilities typically provided on-premises, but with the ease of access and flexibility offered by an Internet cloud provider.

Questions

The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question.

1.   Unified communications can add significant risk to an enterprise because:

A.   Information is concentrated in single user channels.

B.   There is a lack of security products for this market segment.

C.   Auditing is not possible because of the nature of the system.

D.   Unified communications enable all users access to important information.

2.   Unified communications is frequently used to describe which of the following communication channels? (Choose all that apply.)

A.   VoIP

B.   E-mail

C.   Social media channels

D.   Instant messaging

3.   Web conferencing can introduce which of the following security threat(s)? (Choose all that apply.)

A.   Data leakage

B.   Unauthorized attendance

C.   Impersonation

D.   Replay attacks against future sessions

4.   Video-conferencing equipment poses what new threat(s) in the enterprise?

A.   Unauthorized eavesdropping via equipment

B.   Replay attacks

C.   Malware proliferation

D.   Driver corruption

5.   Desktop sharing can have which of the following security implications in an enterprise? (Choose all that apply.)

A.   Electronic clean desk issue

B.   VPN channels

C.   Malware delivery mechanism

D.   Increased need for monitoring

6.   Which ports are involved in e-mail? (Choose all that apply.)

A.   TCP 22

B.   TCP 25

C.   TCP 21

D.   TCP 110

7.   Implementing VoIP in an enterprise has an effect on network utilization. Which complementary technology is frequently associated with VoIP?

A.   Data archiving

B.   Log management

C.   Quality of service

D.   Encryption

8.   Your VoIP installation is having difficulty with call quality. Network analysis points to severe traffic congestion causing consistent delays in packet delivery. This is an example of which of the following?

A.   Best-effort class of service

B.   VoIP routing

C.   Latency

D.   Jitter

9.   VPN technology provides which of the following benefits? (Choose all that apply.)

A.   Secure data transfers over insecure networks

B.   Self-correcting data packets

C.   Removes the need for IDS/IPS

D.   Secures external traffic into the enterprise past firewalls

10.   Unwanted bulk instant messages are called what?

A.   SPAM

B.   Malware

C.   Pharming

D.   SPIM

11.   Variations in packet delays affecting VoIP signal quality are known as what?

A.   Noise

B.   Slamming

C.   Latency

D.   Jitter

12.   Remote assistance differs from remote desktop sharing in which of the following ways?

A.   Remote assistance uses encryption.

B.   Remote assistance does not support screen sharing.

C.   Remote assistance is designed for end-user assistance.

D.   Remote assistance is designed for server-based administration.

13.   Which of the following presence standards has been used by Facebook Messenger and Google Talk?

A.   XMPP

B.   HTTPS

C.   SIP

D.   VoIP

14.   Which port number does IMAP4 use when secured by SSL/TLS?

A.   110

B.   143

C.   995

D.   993

15.   Which port number does POP3 use when secured by SSL/TLS?

A.   110

B.   143

C.   995

D.   993

Answers

1.   A. Concentrating information can increase exposure when vulnerabilities are exploited.

2.   A, B, D. Unified communications combine VoIP, e-mail, text messages, IM, voice mail, and other communication mechanisms into a single stream by user.

3.   A, B, D. Data leakage can occur when information is inadvertently shared via a shared desktop image during a web conference. Unauthorized attendance can occur if credentials are shared by a participant (forwarded e-mail invitation). Replay attacks can occur if sessions are recorded, or if a regular series of sessions uses common access passwords.

4.   A. Video conferencing equipment can be remotely activated and used to spy on people within range of camera and microphones, at times, without them knowing that they are being recorded.

5.   A, C. If the desktop has sensitive issues such as files with names that give away details, then the act of sharing can lead to data leakage. (Just as leaving a file marked “XYZ Merger” on your desk can alert passersby.) Also, because the desktop is shared, it can involve delivery of files and hence malware to a system.

6.   B, D. Port 25 is for SMTP, port 110 for POP3.

7.   C. Quality of service can be an issue with respect to voice quality in VoIP implementations.

8.   C. Latency is the measured time in milliseconds it takes for the transmission of a network packet.

9.   A, D. VPNs can provide a secure network connection over insecure networks and can bring external traffic into an enterprise past the firewalls to a VPN server.

10.   D. SPIM is SPAM over instant messaging.

11.   D. Jitter is the variation of latency from packet to packet and can disturb VoIP call quality.

12.   C. Remote assistance is designed for end-user assistance.

13.   A. Extensible Messaging and Presence Protocol (XMPP).

14.   D. 993 is used by IMAP4 when secured by SSL/TLS.

15.   C. 995 is used by POP3 when secured by SSL/TLS.
