Remote Access

Remote access applications allow users to access an organization’s resources from a remote connection. These remote connections can be direct dial-in connections but are increasingly using the Internet as the network over which the data is transmitted. If an organization allows remote access to internal resources, the organization must ensure that the data is protected using encryption when the data is being transmitted between the remote access client and remote access server. Remote access servers can require encrypted connections with remote access clients, meaning that any connection attempt that does not use encryption will be denied. Remote access to the corporate network is a fairly mature technology, and proper security measures have been clearly defined.

Dial-up connections can use either Serial Line Internet Protocol (SLIP) or Point-to-Point Protocol (PPP) at layer 2. SLIP is an older protocol made obsolete by PPP. PPP provides authentication and multilink capability. The caller is authenticated by the remote access server. This authentication process can be centralized by using either a Terminal Access Control Access Control Server Plus (TACACS+) or Remote Authentication Dial-in User Service (RADIUS) server.

Some basic measures that should be in place when using dial-up are:

• Have the remote access server call back the initiating caller at a preset number. Do not allow call forwarding, which can be used to thwart this security measure.

• Set modems to answer after a set number of rings to thwart war dialers (automated programs that dial numbers until a modem signal is detected).

• Consolidate the modems in one place for physical security and disable modems that are not in use.

• Use the strongest possible authentication mechanisms.

Security professionals should work with management to determine the remote access needs of the organization and deploy the appropriate solution and controls to ensure that the needs are met while the security of the remote access transactions is ensured.

Chapter 5 covers remote access resources and services as well as the protocols used in remote access.

While these products certainly make managing remote computers and users easier, remote administration software is one of the most common attack vectors used by hackers.

Issues that reduce the security of a remote administration solution include:

• Misconfiguration or poor deployment

• Outdated software

• Cached administrative credentials

• Poor administrative password management

• Failure to adopt two-factor authentication

• Lack of encryption

As a CASP candidate, you should know the following mitigation techniques to address these issues:

• Always use the latest version of the products.

• Install all updates.

• If the solution will only be used in a LAN, block the port number used by the solution at the network perimeter.

• For mobile users, disable automatic listening on the device to prevent having an open port in an untrusted network.

• Regularly review security logs for evidence of port scans.

• Secure access to configuration files used by the solution.

• Implement encryption.

• Control administrative access to the solution.

• Ensure logging settings that establish an audit trail.

• Train users on its proper usage.

• Remove the software from computers on which it should never be used, such as secure servers.

• Implement policies to prevent its installation unless administrative approval is given.

First, the screen data that is sent back and forth between the user and the technician is typically in standard formats, making it easy to rebuild an image that is captured. Many products implement proprietary encryption, but in regulated industries, this type of encryption may not be legal. Always use the level of encryption required by your industry, such as Advanced Encryption Standard (AES).

Second, many remote assistance tools do not provide sufficient auditing capabilities, which are critical in industries such as banking and healthcare. If auditing is an issue in your industry, choose a product that has the ability to capture the detail you require for legal purposes.

Limited access control also plagues many products. When a technician logs in to a remote computer, he has full access to everything on the system as if he were sitting at the console. If he sees patient information at any time, a Health Insurance Portability and Accountability Act (HIPAA) violation occurs. You should choose a product that allows you to determine exactly what remote technicians are allowed to see and do.

Potential liability may result if any information goes missing or if another problem arises that may appear to be the fault of the technician. Consider crafting a standard message that a user sees and must acknowledge before allowing the connection, stating the extent of liability on your part for issues that may arise after the remote session.

Specifically, some of the security issues are:

• Data leakage: Because web conference data typically resides on a shared server for a little while, there is always a possibility of the data leaking out of the conference into hostile hands.

• Uninvited guests: Most systems use a simple conference code for entrance to the conference, so there is always a possibility that uninvited guests will arrive.

• Data capture en route: The possibility of information being captured en route is high. Using encrypting technologies can prevent this.

• DoS attack: There is a possibility of Denial of Service (DoS) attacks on local servers when a web conferencing solution is integrated with existing applications.

To address these issues, you should:

• Take ownership of the process of selecting the web conferencing solution. Often other departments select a product, and the IT and security departments are faced with reacting to whatever weaknesses the solution may possess.

• Ensure compatibility with all devices in your network by choosing products that use standard security and networking components, such as SSL.

• Ensure that the underlying network is secured.

• Define a process for selecting and using the product. The following four steps should be completed:

  Step 1. Define the allowed uses of the solution.

  Step 2. Identify security needs before selecting the product.

  Step 3. Ensure that usage scenarios and security needs are built in to the request for proposal (RFP).

  Step 4. Include security practitioners in the planning and decision-making process.

• Disable or strongly audit read/write desktop mode, if supported by the product. This mode allows other meeting participants to access the host desktop.

• Execute non-disclosure documents covering conferences that disclose confidential material or intellectual property.

• Ensure that unique passwords are generated for each conference to prevent reuse of passwords for inappropriately attending conferences.

Consider requiring a VPN connection to the company network to attend conferences. If this approach is taken, you can provide better performance for the participants by disallowing split tunneling on the VPN concentrator. While split tunneling allows access to the LAN and the Internet at the same time, it reduces the amount of bandwidth available to each session.

Having said that, in high-security networks (those of the U.S. Department of Defense, Department of Homeland Security, and so on) that use video conferencing, additional security measures are typically taken to augment the solution.

Some examples include:

• Device-level physical encryption keys that must be inserted each time the system is used and that are typically exchanged every 30 days

• Additional password keys that limit access to a device’s functions and systems

• Session keys generated at the start of each session that are changed automatically during the session

• Traffic transmitted on secure data networks that also use advanced encryption technologies

Because 128-bit AES encryption is very secure, in most cases, video conferencing products are secure out of the box.

A nonproprietary approach to securing video conferences as well as VoIP traffic is to extend the H.323 standard to support DES encryption. H.323 is a standard for providing audiovisual communications sessions, such as web conferences, video conferences, and VoIP. Security for these sessions can be provided by H.235 extensions. H.235 includes the ability to negotiate services and functionality in a generic manner. It allows for the use of both standard and proprietary encryption algorithms. It provides a means to identify a person rather than a device, using a security profile that consists of either a password, digital certificates, or both.

In most cases, security issues don’t involve shortcomings in recent products but do involve the following:

• Not enabling the encryption

• Using outdated video systems that don’t support encryption

• Failure in updating the associated software on video systems and other devices

• Devices (such as gateways and video bridges) to which the system connects either not supporting encryption or having encryption turned off

• Deploying software solutions or services that either don’t encrypt or that support weaker encryption

• Poor password management

Avoiding these issues can be accomplished by creating and following a process for selecting and using the product, as defined in the “Web Conferencing” section, earlier in this chapter.

• Using file-level encryption to ensure that only authorized users are able to access and listen to the audio files

• Applying multi-factor authentication to systems on which the files are stored

Unified Communication

Unified communication tools often combine voice, video, email, instant messaging, personal assistant, and other communication features in a single tool. Some of the newer tools even include document collaboration. Often these tools are purchased with individual configurable modules. For instance, if your company does not need the personal assistant feature, then that module could be disabled. Security risks that you should examine include:

Instant Messaging

Instant messaging (IM) has become so popular that many users prefer it to email when communicating with coworkers. It is so popular, in fact, that many email systems, such as Google Mail, have integrated IM systems. Users demand it, and thus security professionals need to learn how to secure it.

Presence

Many collaboration solutions use presence functionality to indicate the availability of a user. A system that uses presence signals to other users whether a user is online, busy, in a meeting, and so forth. If enabled across multiple communication tools, such as IM, phone, email, and video conferencing, it can also help determine on which communication channel the user is currently active and therefore which channel provides the best possibility of an immediate response.

Email

Email is without a doubt the most widely used method of communication in the enterprise. It uses three standard messaging protocols. Each of them can be run over SSL to create a secure communication channel. When they are run over SSL, the port numbers used are different. These protocols are discussed in the following sections.

IMAP

Internet Message Access Protocol (IMAP) is an application layer protocol used on a client to retrieve email from a server. Its latest version is IMAP4. Unlike POP3 (discussed next), another email client that can only download messages from the server, IMAP4 allows a user to download a copy and leave a copy on the server. IMAP4 uses port 143. A secure version, IMAPS (IMAP over SSL), uses port 993.

POP

Post Office Protocol (POP) is an application layer email retrieval protocol. POP3 is the latest version. It allows for downloading messages only and does not allow the additional functionality provided by IMAP4. POP3 uses port 110. A secure version that runs over SSL is also available; it uses port 995.

SMTP

POP and IMAP are client email protocols used for retrieving email, but when email servers are talking to each other, they use Simple Mail Transfer Protocol (SMTP), a standard application layer protocol. This is also the protocol used by clients to send email. SMTP uses port 25, and when it runs over SSL, it uses port 465.

Email Spoofing

Email spoofing is the process of sending an email that appears to come from one source when it really comes from another. It is made possible by altering the fields of email headers, such as From, Return Path, and Reply-to. Its purpose is to convince the receiver to trust the message and reply to it with some sensitive information that the receiver would not share with an untrusted source.

Spear Phishing

Phishing is a social engineering attack in which a recipient is convinced to click a link in an email that appears to go to a trusted site but in fact goes to the hacker’s site. These attacks are used to harvest usernames and passwords.

Whaling

Just as spear phishing is a subset of phishing, whaling is a subset of spear phishing. In whaling, the person targeted is someone of significance or importance. It might be a CEO, COO, or CTO, for example. The attack is based on the assumption that these people have more sensitive information to divulge. The same techniques that can be used to mitigate spear phishing can also apply to whaling.

Spam

You probably don’t like the way your email box fills every day with unsolicited emails, many of them trying to sell you something. In many cases, you cause yourself to receive this email by not paying close attention to all the details when you buy something or visit a site. When email is sent out on a mass basis that is not requested, it is called spam.

Captured Messages

Email traffic, like any other traffic type, can be captured in its raw form with a protocol analyzer. If the email is cleartext, it can be read. For this reason, encryption should be used for all email of a sensitive nature. While this can be done using the digital certificate of the intended recipient, this is typically possible only if the recipient is part of your organization and your company has a PKI. Many email products include native support for digital signing and encryption of messages using digital certificates.

Disclosure of Information

In some cases, information is disclosed not because an unencrypted message is captured but because the email is shared with others who may not be trustworthy. Even when an information disclosure policy is in place, it may not be followed by everyone. To prevent this type of disclosure, you can sanitize all outgoing content for types of information that should not be disclosed and have it removed. An example of a product that can do this is Axway’s MailGate.

Malware

Email is a frequent carrier of malware; in fact, email is the most common vehicle for infecting computers with malware. You should employ malware scanning software on both the client machines and the email server. Despite taking this measure, malware can still get through, and it is imperative to educate users to follow safe email handling procedures (such as not opening attachments from unknown sources). Training users is critical.

Telephony and VoIP Integration

Telephony systems include both traditional analog phone systems and digital, or Voice over IP (VoIP), systems. In traditional telephony, analog phones connect to a private branch exchange (PBX) system. The entire phone network is separate from the organization’s IP data network. Table 16-2 lists advantages and disadvantages of traditional telephony.

Collaboration Sites

Users are increasingly using web technology to collaborate on cloud-based tools. Organizations are also leveraging social media to connect with and share information with customers and the world at large. While both social media and cloud-based collaboration offer many benefits, they also introduce security issues. The following sections look at these issues and mitigation techniques and offer guidelines on the proper use of both social media and cloud-based collaboration.

Social Media

While the subject of social media may conjure thoughts of Facebook and Twitter, the use of both public and enterprise (private) social media presents new security challenges. The security risks of public social media may be more obvious than those of private social media sites, but the fact that most enterprise social media tools offer at least the ability to be tightly integrated with public social media means that many issues of public social media can easily become your problem when there is an enterprise social media site.

Cloud-Based Collaboration

Cloud-based collaboration is primarily used by enterprises and small teams as a means of storing documents, communicating, and sharing updates on projects. The benefits to this are:

• Allows you to pay by usage

• Speeds deployment of new tools, applications, and services to workers

• Can be absorbed as an operational expense rather than a capital expense

• Boosts speed of innovation

• Enhances productivity

• Increases operational efficiencies

Exam Preparation Tasks

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 16-5 lists these key topics and the page number on which each is found.

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary: