Chapter 16. Secure Communication and Collaboration

This chapter covers the following topics:

This chapter covers CAS-003 objective 4.5.

Increasingly, workers and the organizations for which they work are relying on new methods of communicating and working together that introduce new security concerns. As a CASP candidate, you need to be familiar with these new technologies, understand the security issues they raise, and implement controls that mitigate the security issues. This chapter describes these new methods and technologies, identifies issues, and suggests methods to secure these new workflow processes.

Remote Access

Remote access applications allow users to access an organization’s resources from a remote connection. These remote connections can be direct dial-in connections but are increasingly using the Internet as the network over which the data is transmitted. If an organization allows remote access to internal resources, the organization must ensure that the data is protected using encryption when the data is being transmitted between the remote access client and remote access server. Remote access servers can require encrypted connections with remote access clients, meaning that any connection attempt that does not use encryption will be denied. Remote access to the corporate network is a fairly mature technology, and proper security measures have been clearly defined.

Dial-up

A dial-up connection uses the public switched telephone network (PSTN). If such a connection is initiated over an analog phone line, it requires a modem that converts the digital data to analog on the sending end, with a modem on the receiving end converting it back to digital. These lines operate up to 56 Kbps.

Dial-up connections can use either Serial Line Internet Protocol (SLIP) or Point-to-Point Protocol (PPP) at layer 2. SLIP is an older protocol made obsolete by PPP. PPP provides authentication and multilink capability. The caller is authenticated by the remote access server. This authentication process can be centralized by using either a Terminal Access Controller Access-Control System Plus (TACACS+) or Remote Authentication Dial-in User Service (RADIUS) server.

Some basic measures that should be in place when using dial-up are:

  • Have the remote access server call back the initiating caller at a preset number. Do not allow call forwarding, which can be used to thwart this security measure.

  • Set modems to answer after a set number of rings to thwart war dialers (automated programs that dial numbers until a modem signal is detected).

  • Consolidate the modems in one place for physical security and disable modems that are not in use.

  • Use the strongest possible authentication mechanisms.

VPN

As you learned in Chapter 5, a virtual private network (VPN) connection uses an untrusted carrier network but provides protection of the information through strong authentication protocols and encryption mechanisms. While we typically use the most untrusted network, the Internet, as the classic example, and most VPNs do travel through the Internet, they can be used with interior networks as well whenever traffic needs to be protected from prying eyes. For more information on VPN components and scenarios in which VPNs are appropriate, see Chapter 5.

SSL

Secure Sockets Layer (SSL) is another option for creating VPNs. SSL is discussed in Chapter 5.

Remote Administration

In many cases, administrators or network technicians need to manage and configure network devices remotely. Remote administration is covered in Chapter 5.

Resource and Services

Telecommuting has become more common in today’s world, and as a result, remote access solutions must be deployed to ensure that personnel have access to resources and services in the enterprise. Remote access resources and services vary based on the deployment model and can be provided via the Remote Access role in Windows servers, the Remote Desktop service on Windows clients and servers, Virtual Network Computing (VNC) or SSH on Linux, and many other methods.

Security professionals should work with management to determine the remote access needs of the organization and deploy the appropriate solution and controls to ensure that the needs are met while the security of the remote access transactions is ensured.

Chapter 5 covers remote access resources and services as well as the protocols used in remote access.

Desktop and Application Sharing

Desktop sharing involves a group of related technologies that allow for both remote login to a computer and real-time collaboration on the desktop of a remote user. Both functions use a graphical terminal emulator. Some of these products are built into an operating system, such as Microsoft’s Remote Desktop technology, while others are third-party applications, such as LogMeIn and GoToMyPC.

While these products certainly make managing remote computers and users easier, remote administration software is one of the most common attack vectors used by hackers.

Issues that reduce the security of a remote administration solution include:

  • Misconfiguration or poor deployment

  • Outdated software

  • Cached administrative credentials

  • Poor administrative password management

  • Failure to adopt two-factor authentication

  • Lack of encryption

As a CASP candidate, you should know the following mitigation techniques to address these issues:

  • Always use the latest version of the products.

  • Install all updates.

  • If the solution will only be used in a LAN, block the port number used by the solution at the network perimeter.

  • For mobile users, disable automatic listening on the device to prevent having an open port in an untrusted network.

  • Regularly review security logs for evidence of port scans.

  • Secure access to configuration files used by the solution.

  • Implement encryption.

  • Control administrative access to the solution.

  • Ensure logging settings that establish an audit trail.

  • Train users on its proper usage.

  • Remove the software from computers on which it should never be used, such as secure servers.

  • Implement policies to prevent its installation unless administrative approval is given.

Remote Assistance

Remote assistance is a feature that often relies on the same technology as desktop sharing. In fact, one of its features is the ability to allow a technician to share a user’s desktop for the purpose of either teaching the user something or troubleshooting an issue for the user. Naturally, some of the same issues that exist for desktop sharing products also exist for remote assistance sessions.

First, the screen data that is sent back and forth between the user and the technician is typically in standard formats, making it easy to rebuild an image that is captured. Many products implement proprietary encryption, but in regulated industries, this type of encryption may not be legal. Always use the level of encryption required by your industry, such as Advanced Encryption Standard (AES).

Second, many remote assistance tools do not provide sufficient auditing capabilities, which are critical in industries such as banking and healthcare. If auditing is an issue in your industry, choose a product that has the ability to capture the detail you require for legal purposes.

Limited access control also plagues many products. When a technician logs in to a remote computer, he has full access to everything on the system as if he were sitting at the console. If he sees patient information at any time, a Health Insurance Portability and Accountability Act (HIPAA) violation occurs. You should choose a product that allows you to determine exactly what remote technicians are allowed to see and do.

Potential liability may result if any information goes missing or if another problem arises that may appear to be the fault of the technician. Consider crafting a standard message that a user sees and must acknowledge before allowing the connection, stating the extent of liability on your part for issues that may arise after the remote session.

Unified Collaboration Tools

Two intersecting trends are introducing new headaches for security professionals. People are working together or collaborating more while at the same time becoming more mobile and working in nontraditional ways, such as working from home. This means that sensitive data is being shared in ways we haven’t had to secure before. The following sections discuss the specific security issues that various collaboration tools and methods raise and the controls that should be put in place to secure these solutions.

Web Conferencing

Web conferencing has allowed companies to save money on travel while still having real-time contact with meeting participants. Web conferencing services and software often have robust meeting tools that allow for chatting, sharing documents, and viewing the screen of the presenter. Many also allow for video. (Video conferencing is specifically covered in the next section.) When the information you are chatting about and the documents you are sharing are of a sensitive nature, security issues arise, and you should take special care during the web conference.

Specifically, some of the security issues are:

  • Data leakage: Because web conference data typically resides on a shared server for a little while, there is always a possibility of the data leaking out of the conference into hostile hands.

  • Uninvited guests: Most systems use a simple conference code for entrance to the conference, so there is always a possibility that uninvited guests will arrive.

  • Data capture en route: The possibility of information being captured en route is high. Using encrypting technologies can prevent this.

  • DoS attack: There is a possibility of Denial of Service (DoS) attacks on local servers when a web conferencing solution is integrated with existing applications.

To address these issues, you should:

  • Take ownership of the process of selecting the web conferencing solution. Often other departments select a product, and the IT and security departments are faced with reacting to whatever weaknesses the solution may possess.

  • Ensure compatibility with all devices in your network by choosing products that use standard security and networking components, such as SSL.

  • Ensure that the underlying network is secured.

  • Define a process for selecting and using the product. The following four steps should be completed:

    Step 1. Define the allowed uses of the solution.

    Step 2. Identify security needs before selecting the product.

    Step 3. Ensure that usage scenarios and security needs are built in to the request for proposal (RFP).

    Step 4. Include security practitioners in the planning and decision-making process.

  • Disable or strongly audit read/write desktop mode, if supported by the product. This mode allows other meeting participants to access the host desktop.

  • Execute non-disclosure documents covering conferences that disclose confidential material or intellectual property.

  • Ensure that unique passwords are generated for each conference to prevent reuse of passwords for inappropriately attending conferences.

Consider requiring a VPN connection to the company network to attend conferences. If this approach is taken, you can provide better performance for the participants by disallowing split tunneling on the VPN concentrator. While split tunneling allows access to the LAN and the Internet at the same time, it reduces the amount of bandwidth available to each session.

Video Conferencing

While most or all of the video conferencing products produced in the past 10 years use 128-bit AES encryption, it is important to remember that no security solution is infallible. Recently, the U.S. National Security Agency (NSA) was accused of cracking the military-grade encryption (better than AES 128) to spy on a United Nations video conference. The same source reported that the NSA discovered that the Chinese were also attempting to crack the encryption. While it is still unknown if either the NSA or the Chinese actually succeeded, this story highlights the risks that always exist.

Having said that, in high-security networks (those of the U.S. Department of Defense, Department of Homeland Security, and so on) that use video conferencing, additional security measures are typically taken to augment the solution.

Some examples include:

  • Device-level physical encryption keys that must be inserted each time the system is used and that are typically exchanged every 30 days

  • Additional password keys that limit access to a device’s functions and systems

  • Session keys generated at the start of each session that are changed automatically during the session

  • Traffic transmitted on secure data networks that also use advanced encryption technologies

Because 128-bit AES encryption is very secure, in most cases, video conferencing products are secure out of the box.

A nonproprietary approach to securing video conferences as well as VoIP traffic is to extend the H.323 standard to support DES encryption. H.323 is a standard for providing audiovisual communications sessions, such as web conferences, video conferences, and VoIP. Security for these sessions can be provided by H.235 extensions. H.235 includes the ability to negotiate services and functionality in a generic manner. It allows for the use of both standard and proprietary encryption algorithms. It provides a means to identify a person rather than a device, using a security profile that consists of either a password, digital certificates, or both.

In most cases, security issues don’t involve shortcomings in recent products but do involve the following:

  • Not enabling the encryption

  • Using outdated video systems that don’t support encryption

  • Failing to update the associated software on video systems and other devices

  • Devices (such as gateways and video bridges) to which the system connects either not supporting encryption or having encryption turned off

  • Deploying software solutions or services that either don’t encrypt or that support weaker encryption

  • Poor password management

Avoiding these issues can be accomplished by creating and following a process for selecting and using the product, as defined in the “Web Conferencing” section, earlier in this chapter.

Audio Conferencing

Most of the video collaboration tools in use today can be utilized to provide just the audio functionality. Having said that, in high-security networks (for example, Department of Defense, Department of Homeland Security) that create and store audio data, additional security measures are typically taken to augment the solution. Some examples include:

  • Using file-level encryption to ensure that only authorized users are able to access and listen to the audio files

  • Applying multi-factor authentication to systems on which the files are stored

Storage and Document Collaboration Tools

Storage and document collaboration tools allow teams and entire companies to share documents no matter the location from which the team members or personnel may be working. Google Drive and Microsoft SharePoint are popular examples of this type of tool. In most cases, these tools allow live updates to all users viewing the documents, as well as features that allow commenting to specific parts of the document. Some of the security risks related to these tools include:

  • Login credential breaches: Most tools use the username/password model. If credentials are obtained, attackers can access any information to which that user has access. Single sign-on (SSO) can help ensure that collaboration tool login credentials used follow the same guidelines as enterprise login credentials.

  • Web-based threats: Web-based threats include malware and unauthorized tracking. Implementing a VPN for connection to the collaboration tool can cut down on many of these issues.

  • URL-related issues: Default site names and other default settings often make it easy for attackers to discover a site. In addition, metadata included in the site URL may reveal confidential data.

  • Reports or summaries: While reports and summaries may be important to help you quickly see the status of documents, these same tools can often compromise data if the reports are transmitted over email or other insecure methods. Emailing of these reports should be discouraged.

  • Lack of or minimal encryption: Thoroughly examine the encryption offered with a tool. In some tools, encryption is not comprehensive. In addition, most tools are made as one-size-fits-all solutions. If your enterprise must comply with regulations or laws requiring encryption or other controls, you need to ensure that the tool you select provides the coverage you need.

Security professionals should work with others in their organization to ensure that the products are fully analyzed prior to selecting a tool. In addition, any known issues that are discovered should be researched to determine if there are mitigating controls that can be implemented to minimize the impact of the issues.

Unified Communication

Unified communication tools often combine voice, video, email, instant messaging, personal assistant, and other communication features in a single tool. Some of the newer tools even include document collaboration. Often these tools are purchased with individual configurable modules. For instance, if your company does not need the personal assistant feature, then that module could be disabled. Security risks that you should examine include:

  • Minimal vendor data center security

  • Inadequate data encryption

  • Inability of the Internet connection to support demand at peak times

  • Inadequate security or access controls

  • Lack of or minimal automation of on-demand account management

  • Vendor experience

While unified communication tools might sound like a wonderful means to integrate all business processes, the implementation and data integration of these tools can often be a nightmare. Security professionals should ensure that management understands the complexity in deploying and securing these solutions.

Instant Messaging

Instant messaging (IM) has become so popular that many users prefer it to email when communicating with coworkers. It is so popular, in fact, that many email systems, such as Google Mail, have integrated IM systems. Users demand it, and thus security professionals need to learn how to secure it.

Table 16-1 lists the security issues that exist with IM systems and the associated measures to take to mitigate them.

Table 16-1 Security Issues with IM Systems

| Issue | Mitigations |
|---|---|
| Transfer of worms, Trojans, and other malware through the IM connection | Disable the ability to transfer files through the system. Install an anti-malware product that can plug in to the IM client. Train users on these dangers. |
| Hijacked user accounts after account information is stolen through social engineering | Teach users to never share their account information. |
| Hijacked user information from a password-stealing Trojan | Ensure that anti-malware software is installed and updated on the computer. |
| DoS attacks that send multiple messages to the user’s account | Teach users to share their account name only with trusted parties. |
| Disclosure of information en route | Purchase a product that uses encryption. Purchase an encryption product that integrates with the IM system. |

Presence

Many collaboration solutions use presence functionality to indicate the availability of a user. A system that uses presence signals to other users whether a user is online, busy, in a meeting, and so forth. If enabled across multiple communication tools, such as IM, phone, email, and video conferencing, it can also help determine on which communication channel the user is currently active and therefore which channel provides the best possibility of an immediate response.

While the information contained in a presence system about each individual helps to make the system function, it is information that could be used maliciously.

Specific issues include:

  • Systems that do not authenticate presence sources during the status update process

  • Systems that do not authenticate receivers of presence information (also called subscribers, or watchers)

  • Systems that do not provide confidentiality and integrity of presence information

  • Systems that use weak methods to authenticate the user (also called a presentity)

When selecting a presence product or when evaluating a system that includes a presence feature, follow these guidelines:

Email

Email is without a doubt the most widely used method of communication in the enterprise. It uses three standard messaging protocols. Each of them can be run over SSL to create a secure communication channel. When they are run over SSL, the port numbers used are different. These protocols are discussed in the following sections.

IMAP

Internet Message Access Protocol (IMAP) is an application layer protocol used on a client to retrieve email from a server. Its latest version is IMAP4. Unlike POP3 (discussed next), another email retrieval protocol, which can only download messages from the server, IMAP4 allows a user to download a copy and leave a copy on the server. IMAP4 uses port 143. A secure version, IMAPS (IMAP over SSL), uses port 993.

POP

Post Office Protocol (POP) is an application layer email retrieval protocol. POP3 is the latest version. It allows for downloading messages only and does not allow the additional functionality provided by IMAP4. POP3 uses port 110. A secure version that runs over SSL is also available; it uses port 995.

SMTP

POP and IMAP are client email protocols used for retrieving email, but when email servers are talking to each other, they use Simple Mail Transfer Protocol (SMTP), a standard application layer protocol. This is also the protocol used by clients to send email. SMTP uses port 25, and when it runs over SSL, it uses port 465.

Unfortunately, email offers a number of attack vectors to those with malicious intent. In most cases, the best tool for preventing these attacks is user training and awareness as many of these attacks are based on poor security practices among users.

Email Spoofing

Email spoofing is the process of sending an email that appears to come from one source when it really comes from another. It is made possible by altering the fields of email headers, such as From, Return Path, and Reply-to. Its purpose is to convince the receiver to trust the message and reply to it with some sensitive information that the receiver would not share with an untrusted source.

Email spoofing is often one step in an attack designed to harvest usernames and passwords for banking or financial sites. Such attacks can be mitigated in several ways. One is to use SMTP authentication, which, when enabled, disallows the sending of an email by a user that cannot authenticate with the sending server.

Another possible mitigation technique is to implement Sender Policy Framework (SPF). SPF is an email validation system that works by using Domain Name System (DNS) to determine whether an email sent by someone has been sent by a host sanctioned by that domain’s administrator. If it can’t be validated, it is not delivered to the recipient’s inbox.
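The SPF check described above, as an added example that is not from the book: a small evaluator for the ip4, ip6, include, and all mechanisms. The domains and TXT records are constructed, and a dictionary stands in for live DNS lookups; other mechanisms (a, mx, redirect, and so on) are reported as "unsupported".

```python
import ipaddress

# Constructed TXT records standing in for DNS; every domain here is a placeholder.
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps the DNS-querying terms allowed per check


class SpfError(Exception):
    """args[0] carries the result string to report."""


def _evaluate(addr, domain, txt_records, budget):
    terms = txt_records.get(domain.lower(), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # domain publishes no SPF policy
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                  # always matches; ends evaluation
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                raise SpfError("permerror") from None
            if net.version == addr.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            budget[0] -= 1                 # each include costs one lookup
            if budget[0] < 0:
                raise SpfError("permerror")
            inner = _evaluate(addr, arg, txt_records, budget)
            if inner == "none":            # included domain has no record
                raise SpfError("permerror")
            if inner == "pass":            # only a pass makes include match
                return QUALIFIERS[qualifier]
        else:
            raise SpfError("unsupported")  # mechanism outside this example
    return "neutral"                       # no term matched


def check_spf(sender_ip, domain, txt_records):
    """Evaluate sender_ip against the SPF policy published for domain."""
    budget = [MAX_LOOKUPS]
    try:
        return _evaluate(ipaddress.ip_address(sender_ip), domain,
                         txt_records, budget)
    except SpfError as exc:
        return exc.args[0]


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.10", "203.0.113.7"):
        print(ip, check_spf(ip, "example.com", SAMPLE_TXT))
```

A receiving server would reject or quarantine on "fail" and usually accept but mark "softfail"; "permerror" points to a broken record that the domain owner needs to fix.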

Spear Phishing

Phishing is a social engineering attack in which a recipient is convinced to click a link in an email that appears to go to a trusted site but in fact goes to the hacker’s site. These attacks are used to harvest usernames and passwords.

Spear phishing is the process of foisting a phishing attack on a specific person rather than a random set of people. The attack may be made more convincing by using details about the person learned through social media.

Several actions can be taken to mitigate spear phishing, including:

  • Deploy a solution that verifies the safety of all links in emails. An example of this is Invincea FreeSpace, which opens all links and attachments in a secure virtual container, preventing any harm to users’ systems.

  • Train users to regard all emails suspiciously, even if they appear to come from friends.

Whaling

Just as spear phishing is a subset of phishing, whaling is a subset of spear phishing. In whaling, the person targeted is someone of significance or importance. It might be a CEO, COO, or CTO, for example. The attack is based on the assumption that these people have more sensitive information to divulge. The same techniques that can be used to mitigate spear phishing can also apply to whaling.

Spam

You probably don’t like the way your email box fills every day with unsolicited emails, many of them trying to sell you something. In many cases, you cause yourself to receive this email by not paying close attention to all the details when you buy something or visit a site. When email is sent out on a mass basis that is not requested, it is called spam.

Spam is more than an annoyance; it can clog email boxes and cause email servers to spend resources delivering it. Sending spam is illegal, so many spammers try to hide the source of their spam by relaying through other corporations’ email servers. Not only does this hide its true source, but it can cause the relaying company to get in trouble.

Today’s email servers have the ability to deny relaying to any email servers that you do not specify. This can prevent your email system from being used as a spamming mechanism. This type of relaying should be disallowed on your email servers. Moreover, spam filtering should be deployed on all email servers.

Captured Messages

Email traffic, like any other traffic type, can be captured in its raw form with a protocol analyzer. If the email is cleartext, it can be read. For this reason, encryption should be used for all email of a sensitive nature. While this can be done using the digital certificate of the intended recipient, this is typically possible only if the recipient is part of your organization and your company has a PKI. Many email products include native support for digital signing and encryption of messages using digital certificates.

While it is possible to use email encryption programs like Pretty Good Privacy (PGP), it is confusing for many users to use these products correctly without training. Another option is to use an encryption appliance or service that automates the encryption of email. Regardless of the specific approach, encryption of messages is the only mitigation for information disclosure from captured packets.

Disclosure of Information

In some cases, information is disclosed not because an unencrypted message is captured but because the email is shared with others who may not be trustworthy. Even when an information disclosure policy is in place, it may not be followed by everyone. To prevent this type of disclosure, you can sanitize all outgoing content for types of information that should not be disclosed and have it removed. An example of a product that can do this is Axway’s MailGate.

Malware

Email is a frequent carrier of malware; in fact, email is the most common vehicle for infecting computers with malware. You should employ malware scanning software on both the client machines and the email server. Despite taking this measure, malware can still get through, and it is imperative to educate users to follow safe email handling procedures (such as not opening attachments from unknown sources). Training users is critical.

Telephony and VoIP Integration

Telephony systems include both traditional analog phone systems and digital, or Voice over IP (VoIP), systems. In traditional telephony, analog phones connect to a private branch exchange (PBX) system. The entire phone network is separate from the organization’s IP data network. Table 16-2 lists advantages and disadvantages of traditional telephony.

Table 16-2 Advantages and Disadvantages of Traditional Telephony

| Advantages | Disadvantages |
|---|---|
| Separation from the data network reduces the possibility of snooping or eavesdropping. | Physical access to the cabling may provide an opportunity to access the cabling and eavesdrop. |
| Theft of service is possible only if physical access to an unattended set is possible. | Access through unsecured maintenance ports on the PBX can make snooping and theft of service possible. |
| DoS attacks are limited to cutting wires or destroying phones. | |

To secure a traditional analog system, you should:

  • Prevent physical access to the cabling plant.

  • Secure or disable all maintenance ports on the PBX.

While it may seem that analog phone systems offer some security benefits, it should be noted that the U.S. Federal Communications Commission (FCC) is in the process of dismantling the analog phone system that has existed since the days of Bell Labs. While there is no date set for final discontinuation, it seems foolish to deploy a system, however secure, that will soon be obsolete. Moreover, many of the security issues with VoIP seem to be getting solutions, as discussed next.

VoIP phone systems offer some advantages but also introduce security issues. Table 16-3 lists the advantages and disadvantages of VoIP systems. One attack type is a VoIP spam, or Spam over Internet Telephony (SPIT), attack. This type of attack causes unsolicited prerecorded phone messages to be sent. Detecting these attacks is a matter of regularly performing Session Initiation Protocol (SIP) traffic analysis. SIP is used for call setup and teardown. If you’re using Secure Real-Time Transport Protocol (SRTP), a protocol that provides encryption, integrity, and anti-replay to Real-Time Transport Protocol (RTP) traffic, SRTP traffic analysis should be done as well. RTP is a protocol used in the delivery of voice and video traffic. Some protocol analyzers, such as PacketScan from GL Communications, are dedicated to these protocols. Such analysis can help identify SPIT attacks.
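The SIP traffic analysis mentioned above, as an added example that is not from the book: it flags callers whose INVITEs reach many distinct callees inside a short window, which is the typical shape of a SPIT campaign. The messages, URIs, window, and threshold are all constructed assumptions to be tuned against normal call volume.

```python
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 60        # assumed sliding window
MAX_DISTINCT_CALLEES = 5   # assumed alert threshold

COMPACT = {"f": "from", "t": "to", "i": "call-id"}  # SIP compact header forms
URI_RE = re.compile(r"<?(sips?:[^>;\s]+)", re.IGNORECASE)


def parse_sip_request(raw):
    """Return (method, headers) for a SIP request, or None for anything else."""
    lines = raw.strip().splitlines()
    if not lines:
        return None
    parts = lines[0].split()
    # Requests look like "INVITE sip:x SIP/2.0"; responses start with "SIP/2.0".
    if len(parts) != 3 or not parts[2].upper().startswith("SIP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers[COMPACT.get(key, key)] = value.strip()
    return parts[0].upper(), headers


def extract_uri(header_value):
    match = URI_RE.search(header_value)
    return match.group(1).lower() if match else None


def detect_spit(events, window=WINDOW_SECONDS, threshold=MAX_DISTINCT_CALLEES):
    """events: (epoch_seconds, raw_message) pairs in time order.

    Returns {caller_uri: peak distinct callees in one window} for every
    caller that reached the threshold.
    """
    recent = defaultdict(deque)            # caller -> (timestamp, callee)
    flagged = {}
    for ts, raw in events:
        parsed = parse_sip_request(raw)
        if not parsed or parsed[0] != "INVITE":
            continue
        caller = extract_uri(parsed[1].get("from", ""))
        callee = extract_uri(parsed[1].get("to", ""))
        if not caller or not callee:
            continue
        calls = recent[caller]
        calls.append((ts, callee))
        while calls and ts - calls[0][0] > window:
            calls.popleft()                # drop calls older than the window
        distinct = len({c for _, c in calls})
        if distinct >= threshold:
            flagged[caller] = max(flagged.get(caller, 0), distinct)
    return flagged


def build_invite(caller, callee, call_id):
    """Build a constructed INVITE for the sample data below."""
    return "\r\n".join([
        f"INVITE sip:{callee} SIP/2.0",
        f'From: "Offer" <sip:{caller}>;tag=a{call_id}',
        f"To: <sip:{callee}>",
        f"Call-ID: {call_id}@constructed",
        "CSeq: 1 INVITE",
        "", "",
    ])


# Constructed capture: one bulk dialer, one ordinary user, one response.
SAMPLE_EVENTS = sorted(
    [(1000 + 2 * i, build_invite("dialer@bulk.example",
                                 f"ext10{i}@pbx.example", i)) for i in range(6)]
    + [(1001, build_invite("alice@pbx.example", "bob@pbx.example", 90)),
       (1500, build_invite("alice@pbx.example", "carol@pbx.example", 91)),
       (1003, "SIP/2.0 200 OK\r\nCSeq: 1 INVITE\r\n\r\n")],
    key=lambda event: event[0],
)

if __name__ == "__main__":
    print(detect_spit(SAMPLE_EVENTS))
```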

Table 16-3 Advantages and Disadvantages of VoIP

| Advantages | Disadvantages |
|---|---|
| Using the Internet and wireless sets for making long-distance calls can bring cost advantages. | The threat of snooping is increased. |
| There is just one network to manage. | The threat of theft of service is increased. |
| | The threat of DoS attacks is increased. |

While the threat of snooping, theft of service, and DoS attacks is higher with VoIP than with traditional analog, measures can be taken to mitigate the issues and reduce the risks with VoIP:

  • Physically separate the phone and data networks.

  • Secure all management interfaces on infrastructure devices (for example, switches, routers, gateways).

  • In high-security environments, use some version of a secure phone (to provide end-to-end encryption).

  • Deploy network address translation (NAT) to hide the true IP addresses of the phones.

  • Maintain the latest patches for operating system and VoIP applications.

  • Disable any unnecessary services or features.

  • To prevent performance issues, especially during DoS attacks on the network, employ 802.11e to provide Quality of Service (QoS) for the VoIP packets when they traverse a wireless segment, just as you would provide QoS on all wired segments.

  • Ensure that the SIP servers, which are the servers responsible for creating voice and video sessions, are protected by a firewall.

Collaboration Sites

Users are increasingly using web technology to collaborate on cloud-based tools. Organizations are also leveraging social media to connect with and share information with customers and the world at large. While both social media and cloud-based collaboration offer many benefits, they also introduce security issues. The following sections look at these issues and mitigation techniques and offer guidelines on the proper use of both social media and cloud-based collaboration.

Social Media

While the subject of social media may conjure thoughts of Facebook and Twitter, the use of both public and enterprise (private) social media presents new security challenges. The security risks of public social media may be more obvious than those of private social media sites, but the fact that most enterprise social media tools offer at least the ability to be tightly integrated with public social media means that many issues of public social media can easily become your problem when there is an enterprise social media site.

Several scenarios illustrating the dangers of social media to the enterprise are discussed in Chapter 9, “Security Assessments.” Most of these security issues can be placed in two categories: disclosure of sensitive enterprise information and introduction of malware to the enterprise. With respect to information disclosure, one of the ways an organization can become subject to a disclosure event is by allowing company devices holding sensitive data to access social media sites. Table 16-4 reviews the issues that exist in social media and measures that can be taken to reduce their risk and impact.

Table 16-4 Social Media Risks

| Issue | Mitigation |
|---|---|
| Information disclosure | Implement a carefully designed social media policy that limits who can speak and post on the organization’s behalf, coupled with user training. |
| Introduction of malware to the enterprise | Train users concerning safe social media practices and install anti-malware software on all systems that connect to the network. |

Cloud-Based Collaboration

Cloud-based collaboration is primarily used by enterprises and small teams as a means of storing documents, communicating, and sharing updates on projects. Its benefits are:

  • Allows you to pay by usage

  • Speeds deployment of new tools, applications, and services to workers

  • Can be absorbed as an operational expense rather than a capital expense

  • Boosts speed of innovation

  • Enhances productivity

  • Increases operational efficiencies

Some of the issues or challenges posed by moving to a cloud-based collaboration solution rather than using a premises-based solution are:

  • Potential need to redesign networks to accommodate cloud services

  • Data security concerns

  • Difficulty enforcing security policies

  • Challenges of providing an audit trail

  • Meeting regulatory requirements

Because of these concerns, using cloud-based collaboration is not the best solution for many highly regulated industries, such as banking and healthcare. The following types of information should not be stored in a public cloud-based solution:

  • Credit card information

  • Trade secrets

  • Financial data

  • Health records

  • State and federal government secrets

  • Proprietary or sensitive data

  • Personally identifiable information

When a cloud-based collaboration solution is appropriate, the following measures should be taken to secure the solution:

  • Ensure that you completely understand the respective security responsibilities of the vendor and your organization.

  • If handling sensitive information, ensure that either the vendor is providing encryption or that you send data through an encryption proxy before it is sent to the provider.

  • Require strong authentication on the collaboration site.

  • If the vendor also provides data loss prevention (DLP) services, strongly consider using these services.

  • When databases are also in use, consider implementing database activity monitoring (DAM).

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here and the practice exams in the Pearson IT Certification test engine.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 16-5 lists these key topics and the page number on which each is found.

Table 16-5 Key Topics for Chapter 16

| Key Topic Element | Description | Page Number |
|---|---|---|
| List | Issues with and mitigations for desktop sharing | 619 |
| List | Security issues with web conferencing | 621 |
| List | Security measures for web conferencing | 621 |
| List | Additional security measures for video conferencing in high-security networks | 623 |
| List | Security issues with video conferencing | 623 |
| Table 16-1 | Issues with and mitigations for instant messaging | 626 |
| List | Issues with and mitigations for presence | 626 |

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

802.11e

Advanced Encryption Standard (AES)

cloud-based collaboration

desktop sharing

email spoofing

Extensible Messaging and Presence Protocol (XMPP)

instant messaging

phishing

Point-to-Point Protocol (PPP)

presence

private branch exchange (PBX)

Real-Time Transport Protocol (RTP)

remote access

remote assistance

Secure Real-Time Transport Protocol (SRTP)

Sender Policy Framework (SPF)

Serial Line Internet Protocol (SLIP)

Session Initiation Protocol (SIP) server

Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions (SIMPLE)

spam

Spam over Internet Telephony (SPIT)

spear phishing

telephony system

video conferencing

virtual private network (VPN)

Voice over IP (VoIP)

web conferencing

whaling

Review Questions

1. Your company is planning to procure a web conferencing system to cut costs on travel. You have been asked to investigate the security issues that should be considered during this process. Which of the following is not an issue to consider?

  • Preventing uninvited guests at meetings

  • The dangers of data being stored on a vendor’s shared server

  • The potential for the solution to affect network performance

  • The possibility of information being captured during transmission

2. Your users use a VPN connection to connect to the office for web conferences. Several users have complained about poor performance during the meetings. Which of the following actions could help improve the performance of the video conference for all participants without reducing security?

  • Change the encryption used from AES to DES.

  • Disable split tunneling.

  • Enable read/write desktop mode.

  • Change the hashing algorithm to SHA-1.

3. Your organization just deployed an enterprise instant messaging solution. The CIO is concerned about the transfer of worms, Trojans, and other malware through the IM connections. Which of the following would not be a measure that could help mitigate the introduction of malware through the IM system?

  • Disable the ability to transfer files through the system.

  • Purchase a product that performs encryption.

  • Install an anti-malware product that can plug into the IM client.

  • Train users in the dangers of using IM.

4. Your organization is planning the deployment of a new remote assistance tool. The security team is trying to determine the level of encryption the selected product must support. Which of the following factors should be the most important consideration?

  • the type required by industry regulations

  • the strongest available

  • the opinion of the third-party vendor

  • the level supported by the desktops

5. To improve the security of products providing presence information, which protocol could you use?

  • SPF

  • XMPP

  • SPIT

  • SKRT

6. What type of traffic is the SIMPLE protocol designed to secure?

  • IM

  • presence

  • video conferencing

  • email

7. The email administrator has suggested that a technique called SPF should be deployed. What issue does this address?

  • spear phishing

  • whaling

  • email spoofing

  • captured messages

8. Your organization is planning the deployment of a VoIP phone system. During the risk analysis, which of the following is not a valid consideration?

  • increased threat of snooping in VoIP

  • increased threat of theft of service

  • access through unsecured maintenance ports on the PBX

  • increased threat of DoS attacks

9. Your company is determining what data to make accessible in the new cloud-based collaboration solution. Which of the following types of information should not be stored in a public cloud–based collaboration solution?

  • price lists

  • financial data

  • catalogues

  • company forms

10. Which of the following combines voice, video, email, instant messaging, personal assistant, and other communication features?

  • remote access

  • VoIP

  • telephony

  • unified communication
