This chapter covers the following topics:
Remote Access: This section describes guidelines and measures to take to ensure secure remote access, resources and services, desktop and application sharing, and remote assistance.
Unified Collaboration Tools: Tools covered include those for web conferencing, video conferencing, audio conferencing, storage and document collaboration, and unified communication. This section also covers instant messaging, presence, email, telephony and VoIP integration, and collaboration sites.
This chapter covers CAS-003 objective 4.5.
Increasingly, workers and the organizations for which they work are relying on new methods of communicating and working together that introduce new security concerns. As a CASP candidate, you need to be familiar with these new technologies, understand the security issues they raise, and implement controls that mitigate the security issues. This chapter describes these new methods and technologies, identifies issues, and suggests methods to secure these new workflow processes.
Remote access applications allow users to access an organization’s resources from a remote connection. These remote connections can be direct dial-in connections but are increasingly using the Internet as the network over which the data is transmitted. If an organization allows remote access to internal resources, the organization must ensure that the data is protected using encryption when the data is being transmitted between the remote access client and remote access server. Remote access servers can require encrypted connections with remote access clients, meaning that any connection attempt that does not use encryption will be denied. Remote access to the corporate network is a fairly mature technology, and proper security measures have been clearly defined.
Note
Remote access is covered in Chapter 5, “Network and Security Components, Concepts, and Architectures.”
A dial-up connection uses the public switched telephone network (PSTN). If such a connection is initiated over an analog phone line, it requires a modem that converts the digital data to analog on the sending end, with a modem on the receiving end converting it back to digital. These lines operate up to 56 Kbps.
Dial-up connections can use either Serial Line Internet Protocol (SLIP) or Point-to-Point Protocol (PPP) at layer 2. SLIP is an older protocol made obsolete by PPP. PPP provides authentication and multilink capability. The caller is authenticated by the remote access server. This authentication process can be centralized by using either a Terminal Access Control Access Control Server Plus (TACACS+) or Remote Authentication Dial-in User Service (RADIUS) server.
Some basic measures that should be in place when using dial-up are:
Have the remote access server call back the initiating caller at a preset number. Do not allow call forwarding, which can be used to thwart this security measure.
Set modems to answer after a set number of rings to thwart war dialers (automated programs that dial numbers until a modem signal is detected).
Consolidate the modems in one place for physical security and disable modems that are not in use.
Use the strongest possible authentication mechanisms.
As you learned in Chapter 5, a virtual private network (VPN) connection uses an untrusted carrier network but provides protection of the information through strong authentication protocols and encryption mechanisms. While we typically use the most untrusted network, the Internet, as the classic example, and most VPNs do travel through the Internet, they can be used with interior networks as well whenever traffic needs to be protected from prying eyes. For more information on VPN components and scenarios in which VPNs are appropriate, see Chapter 5.
Secure Sockets Layer (SSL) is another option for creating VPNs. SSL is discussed in Chapter 5.
In many cases, administrators or network technicians need to manage and configure network devices remotely. Remote administration is covered in Chapter 5.
Telecommuting has become more common in today’s world, and as a result, remote access solutions must be deployed to ensure that personnel have access to resources and services in the enterprise. Remote access resources and services vary based on the deployment model and can be provided via the Remote Access role in Windows servers, the Remote Desktop service on Windows clients and servers, Virtual Network Computing (VNC) or ssh on Linux, and many other methods.
Security professionals should work with management to determine the remote access needs of the organization and deploy the appropriate solution and controls to ensure that the needs are met while the security of the remote access transactions is ensured.
Chapter 5 covers remote access resources and services as well as the protocols used in remote access.
Desktop sharing involves a group of related technologies that allow for both remote login to a computer and real-time collaboration on the desktop of a remote user. Both functions use a graphical terminal emulator. Some of these products are built into an operating system, such as Microsoft’s Remote Desktop technology, while others are third-party applications, such as LogMeIn and GoToMyPC.
While these products certainly make managing remote computers and users easier, remote administration software is one of the most common attack vectors used by hackers.
Issues that reduce the security of a remote administration solution include:
Misconfiguration or poor deployment
Outdated software
Cached administrative credentials
Poor administrative password management
Failure to adopt two-factor authentication
Lack of encryption
As a CASP candidate, you should know the following mitigation techniques to address these issues:
Always use the latest version of the products.
Install all updates.
If the solution will only be used in a LAN, block the port number used by the solution at the network perimeter.
For mobile users, disable automatic listening on the device to prevent having an open port in an untrusted network.
Regularly review security logs for evidence of port scans.
Secure access to configuration files used by the solution.
Implement encryption.
Control administrative access to the solution.
Ensure logging settings that establish an audit trail.
Train users on its proper usage.
Remove the software from computers on which it should never be used, such as secure servers.
Implement policies to prevent its installation unless administrative approval is given.
Remote assistance is a feature that often relies on the same technology as desktop sharing. In fact, one if its features is the ability to allow a technician to share a user’s desktop for the purpose of either teaching the user something or troubleshooting an issue for the user. Naturally, some of the same issues that exist for desktop sharing products also exist for remote assistance sessions.
First, the screen data that is sent back and forth between the user and the technician is typically in standard formats, making it easy to rebuild an image that is captured. Many products implement proprietary encryption, but in regulated industries, this type of encryption may not be legal. Always use the level of encryption required by your industry, such as Advanced Encryption Standard (AES).
Second, many remote assistance tools do not provide sufficient auditing capabilities, which are critical in industries such as banking and healthcare. If auditing is an issue in your industry, choose a product that has the ability to capture the detail you require for legal purposes.
Limited access control also plagues many products. When a technician logs in to a remote computer, he has full access to everything on the system as if he were sitting at the console. If he sees patient information at any time, a Health Insurance Portability and Accountability Act (HIPAA) violation occurs. You should choose a product that allows you to determine exactly what remote technicians are allowed to see and do.
Potential liability may result if any information goes missing or if another problem arises that may appear to be the fault of the technician. Consider crafting a standard message that a user sees and must acknowledge before allowing the connection, stating the extent of liability on your part for issues that may arise after the remote session.
Two intersecting trends are introducing new headaches for security professionals. People are working together or collaborating more while at the same time becoming more mobile and working in nontraditional ways, such as working from home. This means that sensitive data is being shared in ways we haven’t had to secure before. The following sections discuss the specific security issues that various collaboration tools and methods raise and the controls that should be put in place to secure these solutions.
Web conferencing has allowed companies to save money on travel while still having real-time contact with meeting participants. Web conferencing services and software often have robust meeting tools that allow for chatting, sharing documents, and viewing the screen of the presenter. Many also allow for video. (Video conferencing is specifically covered in the next section.) When the information you are chatting about and the documents you are sharing are of a sensitive nature, security issues arise, and you should take special care during the web conference.
Specifically, some of the security issues are:
Data leakage: Because web conference data typically resides on a shared server for a little while, there is always a possibility of the data leaking out of the conference into hostile hands.
Uninvited guests: Most systems use a simple conference code for entrance to the conference, so there is always a possibility that uninvited guests will arrive.
Data capture en route: The possibility of information being captured en route is high. Using encrypting technologies can prevent this.
DoS attack: There is a possibility of Denial of Service (DoS) attacks on local servers when a web conferencing solution is integrated with existing applications.
To address these issues, you should:
Take ownership of the process of selecting the web conferencing solution. Often other departments select a product, and the IT and security departments are faced with reacting to whatever weaknesses the solution may possess.
Ensure compatibility with all devices in your network by choosing products that use standard security and networking components, such as SSL.
Ensure that the underlying network is secured.
Define a process for selecting and using the product. The following four steps should be completed:
Step 1. Define the allowed uses of the solution.
Step 2. Identify security needs before selecting the product.
Step 3. Ensure that usage scenarios and security needs are built in to the request for proposal (RFP).
Step 4. Include security practitioners in the planning and decision-making process.
Disable or strongly audit read/write desktop mode, if supported by the product. This mode allows other meeting participants to access the host desktop.
Execute non-disclosure documents covering conferences that disclose confidential material or intellectual property.
Ensure that unique passwords are generated for each conference to prevent reuse of passwords for inappropriately attending conferences.
Consider requiring a VPN connection to the company network to attend conferences. If this approach is taken, you can provide better performance for the participants by disallowing split tunneling on the VPN concentrator. While split tunneling allows access to the LAN and the Internet at the same time, it reduces the amount of bandwidth available to each session.
While most or all of the video conferencing products produced in the past 10 years use 128-bit AES encryption, it is important to remember that no security solution is infallible. Recently, the U.S. National Security Agency (NSA) was accused of cracking the military-grade encryption (better than AES 128) to spy on a United Nations video conference. The same source reported that the NSA discovered that the Chinese were also attempting to crack the encryption. While it is still unknown if either the NSA or the Chinese actually succeeded, this story highlights the risks that always exist.
Having said that, in high-security networks (those of the U.S. Department of Defense, Department of Homeland Security, and so on) that use video conferencing, additional security measures are typically taken to augment the solution.
Some examples include:
Device-level physical encryption keys that must be inserted each time the system is used and that are typically exchanged every 30 days
Additional password keys that limit access to a device’s functions and systems
Session keys generated at the start of each session that are changed automatically during the session
Traffic transmitted on secure data networks that also use advanced encryption technologies
Because 128-bit AES encryption is very secure, in most cases, video conferencing products are secure out of the box.
A nonproprietary approach to securing video conferences as well as VoIP traffic is to extend the H.323 standard to support DES encryption. H.323 is a standard for providing audiovisual communications sessions, such as web conferences, video conferences, and VoIP. Security for these sessions can be provided by H.235 extensions. H.235 includes the ability to negotiate services and functionality in a generic manner. It allows for the use of both standard and proprietary encryption algorithms. It provides a means to identify a person rather than a device, using a security profile that consists of either a password, digital certificates, or both.
In most cases, security issues don’t involve shortcomings in recent products but do involve the following:
Not enabling the encryption
Using outdated video systems that don’t support encryption
Failure in updating the associated software on video systems and other devices
Devices (such as gateways and video bridges) to which the system connects either not supporting encryption or having encryption turned off
Deploying software solutions or services that either don’t encrypt or that support weaker encryption
Poor password management
Avoiding these issues can be accomplished by creating and following a process for selecting and using the product, as defined in the “Web Conferencing” section, earlier in this chapter.
Most of the video collaboration tools in use today can be utilized to provide just the audio functionality. Having said that, in high-security networks (for example, Department of Defense, Department of Homeland Security) that create and store audio data, additional security measures are typically taken to augment the solution. Some examples include:
Using file-level encryption to ensure that only authorized users are able to access and listen to the audio files
Applying multi-factor authentication to systems on which the files are stored
Storage and document collaboration tools allow teams and entire companies to share documents no matter the location from which the team members or personnel may be working. Google Drive and Microsoft SharePoint are popular examples of this type of tool. In most cases, these tools allow live updates to all users viewing the documents, as well as features that allow commenting to specific parts of the document. Some of the security risks related to these tools include:
Login credential breaches: Most tools use the username/password model. If credentials are obtained, attackers can access any information to which that user has access. Single sign-on (SSO) can help ensure that collaboration tool login credentials used follow the same guidelines as enterprise login credentials.
Web-based threats: Web-based threats include malware and unauthorized tracking. Implementing a VPN for connection to the collaboration tool can cut down on many of these issues.
URL-related issues: Default site names and other default settings often make it easy for attackers to discover a site. In addition, metadata included in the site URL may reveal confidential data.
Reports or summaries: While reports and summaries may be important to help you quickly see the status of documents, these same tools can often compromise data if the reports are transmitted over email or other insecure methods. Emailing of these reports should be discouraged.
Lack of or minimal encryption: Thoroughly examine the encryption offered with a tool. In some tools, encryption is not comprehensive. In addition, most tools are made as one-size-fits-all solutions. If your enterprise must comply with regulations or laws requiring encryption or other controls, you need to ensure that the tool you select provides the coverage you need.
Security professionals should work with others in their organization to ensure that the products are fully analyzed prior to selecting a tool. In addition, any known issues that are discovered should be researched to determine if there are mitigating controls that can be implemented to minimize the impact of the issues.
Unified communication tools often combine voice, video, email, instant messaging, personal assistant, and other communication features in a single tool. Some of the newer tools even include document collaboration. Often these tools are purchased with individual configurable modules. For instance, if your company does not need the personal assistant feature, then that module could be disabled. Security risks that you should examine include:
Minimal vendor data center security
Inadequate data encryption
Inability of the Internet connection to support demand at peak times
Inadequate security or access controls
Lack of or minimal automation of on-demand account management
Vendor experience
While unified communication tools might sound like a wonderful means to integrate all business processes, the implementation and data integration of these tools can often be a nightmare. Security professionals should ensure that management understands the complexity in deploying and securing these solutions.
Instant messaging (IM) has become so popular that many users prefer it to email when communicating with coworkers. It is so popular, in fact, that many email systems, such as Google Mail, have integrated IM systems. Users demand it, and thus security professionals need to learn how to secure it.
Table 16-1 lists the security issues that exist with IM systems and the associated measures to take to mitigate them.
Issue |
Mitigations |
Transfer of worms, Trojans, and other malware through the IM connection |
Disable the ability to transfer files through the system. Install an anti-malware product that can plug in to the IM client. Train users on these dangers. |
Hijacked user accounts after account information is stolen through social engineering |
Teach users to never share their account information. |
Hijacked user information from a password-stealing Trojan |
Ensure that anti-malware software is installed and updated on the computer. |
DoS attacks that send multiple messages to the user’s account |
Teach users to share their account name only with trusted parties. |
Disclosure of information en route |
Purchase a product that uses encryption. Purchase an encryption product that integrates with the IM system. |
Many collaboration solutions use presence functionality to indicate the availability of a user. A system that uses presence signals to other users whether a user is online, busy, in a meeting, and so forth. If enabled across multiple communication tools, such as IM, phone, email, and video conferencing, it can also help determine on which communication channel the user is currently active and therefore which channel provides the best possibility of an immediate response.
While the information contained in a presence system about each individual helps to make the system function, it is information that could be used maliciously.
Specific issues include:
Systems that do not authenticate presence sources during the status update process
Systems that do not authenticate receivers of presence information (also called subscribers, or watchers)
Systems that do not provide confidentiality and integrity of presence information
Systems that use weak methods to authenticate the user (also called a presentity)
When selecting a presence product or when evaluating a system that includes a presence feature, follow these guidelines:
Select a product that uses a secure protocol. One example is Extensible Messaging and Presence Protocol (XMPP) over TLS, and another is Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions (SIMPLE).
Select a product that uses your company’s public key infrastructure (PKI) for authentication. Using certificate-based authentication, when possible, is the best.
Encrypt the communications both internally and across the Internet.
Ensure that the product performs authentication of both presence sources and subscribers.
If the system supports presence groups, use grouping to control the viewing of presence information among groups.
Email is without a doubt the most widely used method of communication in the enterprise. It uses three standard messaging protocols. Each of them can be run over SSL to create a secure communication channel. When they are run over SSL, the port numbers used are different. These protocols are discussed in the following sections.
Internet Message Access Protocol (IMAP) is an application layer protocol used on a client to retrieve email from a server. Its latest version is IMAP4. Unlike POP3 (discussed next), another email client that can only download messages from the server, IMAP4 allows a user to download a copy and leave a copy on the server. IMAP4 uses port 143. A secure version, IMAPS (IMAP over SSL), uses port 993.
Post Office Protocol (POP) is an application layer email retrieval protocol. POP3 is the latest version. It allows for downloading messages only and does not allow the additional functionality provided by IMAP4. POP3 uses port 110. A secure version that runs over SSL is also available; it uses port 995.
POP and IMAP are client email protocols used for retrieving email, but when email servers are talking to each other, they use Simple Mail Transfer Protocol (SMTP), a standard application layer protocol. This is also the protocol used by clients to send email. SMTP uses port 25, and when it runs over SSL, it uses port 465.
Unfortunately, email offers a number of attack vectors to those with malicious intent. In most cases, the best tool for preventing these attacks is user training and awareness as many of these attacks are based on poor security practices among users.
Email spoofing is the process of sending an email that appears to come from one source when it really comes from another. It is made possible by altering the fields of email headers, such as From, Return Path, and Reply-to. Its purpose is to convince the receiver to trust the message and reply to it with some sensitive information that the receiver would not share with an untrusted source.
Email spoofing is often one step in an attack designed to harvest usernames and passwords for banking or financial sites. Such attacks can be mitigated in several ways. One is to use SMTP authentication, which, when enabled, disallows the sending of an email by a user that cannot authenticate with the sending server.
Another possible mitigation technique is to implement Sender Policy Framework (SPF). SPF is an email validation system that works by using Domain Name System (DNS) to determine whether an email sent by someone has been sent by a host sanctioned by that domain’s administrator. If it can’t be validated, it is not delivered to the recipient’s inbox.
Phishing is a social engineering attack in which a recipient is convinced to click a link in an email that appears to go to a trusted site but in fact goes to the hacker’s site. These attacks are used to harvest usernames and passwords.
Spear phishing is the process of foisting a phishing attack on a specific person rather than a random set of people. The attack may be made more convincing by using details about the person learned through social media.
Several actions can be taken to mitigate spear phishing, including:
Deploy a solution that verifies the safety of all links in emails. An example of this is Invincea FreeSpace, which opens all links and attachments in a secure virtual container, preventing any harm to users’ systems.
Train users to regard all emails suspiciously, even if they appear to come from friends.
Just as spear phishing is a subset of phishing, whaling is a subset of spear phishing. In whaling, the person targeted is someone of significance or importance. It might be a CEO, COO, or CTO, for example. The attack is based on the assumption that these people have more sensitive information to divulge. The same techniques that can be used to mitigate spear phishing can also apply to whaling.
You probably don’t like the way your email box fills every day with unsolicited emails, many of them trying to sell you something. In many cases, you cause yourself to receive this email by not paying close attention to all the details when you buy something or visit a site. When email is sent out on a mass basis that is not requested, it is called spam.
Spam is more than an annoyance; it can clog email boxes and cause email servers to spend resources delivering it. Sending spam is illegal, so many spammers try to hide the source of their spam by relaying through other corporations’ email servers. Not only does this hide its true source, but it can cause the relaying company to get in trouble.
Today’s email servers have the ability to deny relaying to any email servers that you do not specify. This can prevent your email system from being used as a spamming mechanism. This type of relaying should be disallowed on your email servers. Moreover, spam filtering should be deployed on all email servers.
Email traffic, like any other traffic type, can be captured in its raw form with a protocol analyzer. If the email is cleartext, it can be read. For this reason, encryption should be used for all email of a sensitive nature. While this can be done using the digital certificate of the intended recipient, this is typically possible only if the recipient is part of your organization and your company has a PKI. Many email products include native support for digital signing and encryption of messages using digital certificates.
While it is possible to use email encryption programs like Pretty Good Privacy (PGP), it is confusing for many users to use these products correctly without training. Another option is to use an encryption appliance or service that automates the encryption of email. Regardless of the specific approach, encryption of messages is the only mitigation for information disclosure from captured packets.
In some cases, information is disclosed not because an unencrypted message is captured but because the email is shared with others who may not be trustworthy. Even when an information disclosure policy is in place, it may not be followed by everyone. To prevent this type of disclosure, you can sanitize all outgoing content for types of information that should not be disclosed and have it removed. An example of a product that can do this is Axway’s MailGate.
Email is a frequent carrier of malware; in fact, email is the most common vehicle for infecting computers with malware. You should employ malware scanning software on both the client machines and the email server. Despite taking this measure, malware can still get through, and it is imperative to educate users to follow safe email handling procedures (such as not opening attachments from unknown sources). Training users is critical.
Telephony systems include both traditional analog phone systems and digital, or Voice over IP (VoIP), systems. In traditional telephony, analog phones connect to a private branch exchange (PBX) system. The entire phone network is separate from the organization’s IP data network. Table 16-2 lists advantages and disadvantages of traditional telephony.
Advantages |
Disadvantages |
Separation from the data network reduces the possibility of snooping or eavesdropping. |
Physical access to the cabling may provide an opportunity to access the cabling and eavesdrop. |
Theft of service is possible only if physical access to an unattended set is possible. |
Access through unsecured maintenance ports on the PBX can make snooping and theft of service possible. |
DoS attacks are limited to cutting wires or destroying phones. |
|
To secure a traditional analog system, you should:
Prevent physical access to the cabling plant.
Secure or disable all maintenance ports on the PBX.
While it may seem that analog phone systems offer some security benefits, it should be noted that the U.S. Federal Communications Commission (FCC) is in the process of dismantling the analog phone system that has existed since the days of Bell Labs. While there is no date set for final discontinuation, it seems foolish to deploy a system, however secure, that will soon be obsolete. Moreover, many of the security issues with VoIP seem to be getting solutions, as discussed next.
VoIP phone systems offer some advantages but also introduce security issues. Table 16-3 lists the advantages and disadvantages of VoIP systems. One attack type is a VoIP spam, or Spam over Internet Telephony (SPIT), attack. This type of attack causes unsolicited prerecorded phone messages to be sent. Detecting these attacks is a matter of regularly performing Session Initiation Protocol (SIP) traffic analysis. SIP is used for call setup and teardown. If you’re using Secure Real-Time Transport Protocol (SRTP), a protocol that provides encryption, integrity, and anti-replay to Real-Time Transport Protocol (RTP) traffic, SRTP traffic analysis should be done as well. RTP is a protocol used in the delivery of voice and video traffic. Some protocol analyzers, such as PacketScan from GL Communications, are dedicated to these protocols. Such analysis can help identify SPIT attacks.
Advantages |
Disadvantages |
Using the Internet and wireless sets for making long-distance calls can bring cost advantages. |
The threat of snooping is increased. |
There is just one network to manage. |
The threat of theft of service is increased. |
|
The threat of DoS attacks is increased. |
While the threat of snooping, theft of service, and DoS attacks is higher with VoIP than with traditional analog, measures can be taken to mitigate the issues and reduce the risks with VoIP:
Physically separate the phone and data networks.
Secure all management interfaces on infrastructure devices (for example, switches, routers, gateways).
In high-security environments, use some version of a secure phone (to provide end-to-end encryption).
Deploy network address translation (NAT) to hide the true IP addresses of the phones.
Maintain the latest patches for operating system and VoIP applications.
Disable any unnecessary services or features.
To prevent performance issues, especially during DoS attacks on the network, employ 802.11e to provide Quality of Service (QoS) for the VoIP packets when they traverse a wireless segment, just as you would provide QoS on all wired segments.
Ensure that the SIP servers, which are the servers responsible for creating voice and video sessions, are protected by a firewall.
Users are increasingly using web technology to collaborate on cloud-based tools. Organizations are also leveraging social media to connect with and share information with customers and the world at large. While both social media and cloud-based collaboration offer many benefits, they also introduce security issues. The following sections look at these issues and mitigation techniques and offer guidelines on the proper use of both social media and cloud-based collaboration.
While the subject of social media may conjure thoughts of Facebook and Twitter, the use of both public and enterprise (private) social media presents new security challenges. The security risks of public social media may be more obvious than those of private social media sites, but the fact that most enterprise social media tools offer at least the ability to be tightly integrated with public social media means that many issues of public social media can easily become your problem when there is an enterprise social media site.
Several scenarios illustrating the dangers of social media to the enterprise are discussed in Chapter 9, “Security Assessments.” Most of these security issues can be placed in two categories: disclosure of sensitive enterprise information and introduction of malware to the enterprise. With respect to information disclosure, one of the ways an organization can become subject to a disclosure event is by allowing company devices holding sensitive data to access social media sites. Table 16-4 reviews the issues that exist in social media and measures that can be taken to reduce their risk and impact.
Issue |
Mitigation |
Information disclosure |
Implement a carefully designed social media policy that limits who can speak and post on the organization’s behalf, coupled with user training. |
Introduction of malware to the enterprise |
Train users concerning safe social media practices and install anti-malware software on all systems that connect to the network. |
Cloud-based collaboration is primarily used by enterprises and small teams as a means of storing documents, communicating, and sharing updates on projects. The benefits to this are:
Allows you to pay by usage
Speeds deployment of new tools, applications, and services to workers
Can be absorbed as an operational expense rather than a capital expense
Boosts speed of innovation
Enhances productivity
Increases operational efficiencies
Some of the issues or challenges posed by moving to a cloud-based collaboration solution rather than using a premises-based solution are:
Potential need to redesign networks to accommodate cloud services
Data security concerns
Difficulty enforcing security policies
Challenges of providing an audit trail
Meeting regulatory requirements
Because of these concerns, using cloud-based collaboration is not the best solution for many highly regulated industries, such as banking and healthcare. The following types of information should not be stored in a public cloud-based solution:
Credit card information
Trade secrets
Financial data
Health records
State and federal government secrets
Proprietary or sensitive data
Personally identifiable information
When a cloud-based collaboration solution is appropriate, the following measures should be taken to secure the solution:
Ensure that you completely understand the respective security responsibilities of the vendor and your organization.
If handling sensitive information, ensure that either the vendor is providing encryption or that you send data through an encryption proxy before it is sent to the provider.
Require strong authentication on the collaboration site.
If the vendor also provides data loss prevention (DLP) services, strongly consider using these services.
When databases are also in use, consider implementing database activity monitoring (DAM).
As mentioned in the section “How to Use This Book” in the Introduction, you have a couple choices for exam preparation: the exercises here and the practice exams in the Pearson IT Certification test engine.
Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 16-5 lists these key topics and the page number on which each is found.
Key Topic Element |
Description |
Page Number |
List |
Issues with and mitigations for desktop sharing |
619 |
List |
Security issues with web conferencing |
621 |
List |
Security measures for web conferencing |
621 |
List |
Additional security measures for video conferencing in high-security networks |
623 |
List |
Security issues with video conferencing |
623 |
Issues with and mitigations for instant messaging |
626 |
|
List |
Issues with and mitigations for presence |
626 |
Define the following key terms from this chapter and check your answers in the glossary:
Advanced Encryption Standard (AES)
Extensible Messaging and Presence Protocol (XMPP)
Real-Time Transport Protocol (RTP)
Secure Real-Time Transport Protocol (SRTP)
Serial Line Internet Protocol (SLIP)
Session Initiation Protocol (SIP) server
Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions (SIMPLE)
Spam over Internet Telephony (SPIT)
1. Your company is planning to procure a web conferencing system to cut costs on travel. You have been asked to investigate the security issues that should be considered during this process. Which of the following is not an issue to consider?
Preventing uninvited guests at meetings
The dangers of data being stored on a vendor’s shared server
The potential for the solution to affect network performance
The possibility of information being captured during transmission
2. Your users use a VPN connection to connect to the office for web conferences. Several users have complained about poor performance during the meetings. Which of the following actions could help improve the performance of the video conference for all participants without reducing security?
Change the encryption used from AES to DES.
Disable split tunneling.
Enable read/write desktop mode.
Change the hashing algorithm to SHA-1.
3. Your organization just deployed an enterprise instant messaging solution. The CIO is concerned about the transfer of worms, Trojans, and other malware through the IM connections. Which of the following would not be a measure that could help mitigate the introduction of malware through the IM system?
Disable the ability to transfer files through the system.
Purchase a product that performs encryption.
Install an anti-malware product that can plug into the IM client.
Train users in the dangers of using IM.
4. Your organization is planning the deployment of a new remote assistance tool. The security team is trying to determine the level of encryption the selected product must support. Which of the following factors should be the most important consideration?
the type required by industry regulations
the strongest available
the opinion of the third-party vendor
the level supported by the desktops
5. To improve the security of products providing presence information, which protocol could you use?
SPF
XMPP
SPIT
SKRT
6. What type of traffic is the SIMPLE protocol designed to secure?
IM
presence
video conferencing
7. The email administrator has suggested that a technique called SPF should be deployed. What issue does this address?
spear phishing
whaling
email spoofing
captured messages
8. Your organization is planning the deployment of a VoIP phone system. During the risk analysis, which of the following is not a valid consideration?
increased threat of snooping in VoIP
increased threat of theft of service
access through unsecured maintenance ports on the PBX
increased threat of DoS attacks
9. Your company is determining what data to make accessible in the new cloud-based collaboration solution. Which of the following types of information should not be stored in a public cloud–based collaboration solution?
price lists
financial data
catalogues
company forms
10. Which of the following combines voice, video, email, instant messaging, personal assistant, and other communication features?
remote access
VoIP
telephony
unified communication
13.59.34.87