CHAPTER 35

SECURING P2P, IM, SMS, AND COLLABORATION TOOLS

Carl Ness

35.1 INTRODUCTION

35.2 GENERAL CONCEPTS AND DEFINITIONS

35.2.1 Peer to Peer

35.2.2 Instant Messaging

35.2.3 Short Message Service

35.2.4 Collaboration Tools

35.3 PEER-TO-PEER NETWORKS

35.3.1 Dangers to the Business

35.3.2 Prevention and Mitigation

35.3.3 Response

35.3.4 Case Study

35.4 SECURING INSTANT MESSAGING

35.4.1 Dangers to the Business

35.4.2 Prevention and Mitigation

35.4.3 Response

35.4.4 Safe Messaging

35.5 SECURING SMS

35.5.1 Dangers to the Business

35.5.2 Prevention and Mitigation

35.5.3 Reaction and Response

35.6 SECURING COLLABORATION TOOLS

35.6.1 Security versus Openness

35.6.2 Dangers of Collaboration Tools

35.6.3 Prevention and Mitigation

35.6.4 Reaction and Response

35.7 CONCLUDING REMARKS

35.8 FURTHER READING

35.9 NOTES

35.1 INTRODUCTION.

Peer-to-peer (P2P) communications, instant messaging (IM), short message services (SMS), and collaboration tools must be directly addressed in any comprehensive security plan. The dangers are very real, as is the probability that at least one of these technologies is in use on almost every information system.

35.2 GENERAL CONCEPTS AND DEFINITIONS.

This chapter is designed to present enough information and resources to aid in integrating the defense of each function into the organization's security plan. A list of resources is provided at the end of the chapter to aid in further research.

35.2.1 Peer to Peer.

Peer-to-peer networking, also referred to as P2P, is not a new concept or technology. The term was contained in some of the original designs and proposals for the Internet as an efficient and logical way to exchange information from one resource, or peer, to another, on a large interconnected network. Today, the term is most associated with applications that transfer multimedia files across the Internet.

Peer-to-peer networks generally consist of different computers, or nodes, that communicate directly with each other, often with very little, if any, need for a central computer to control the activity. Often utilizing an application with a client-server appearance, the two computers set up a direct connection between each other for file transfer. A central indexing computer may or may not be needed to help these computers “find” each other, to index and publish their contents, or to facilitate the connection. Most important, however, the two computers must have a direct logical connection in order to transfer the file or files. File transport may take place over a local network (LAN), a wide area network (WAN), a value-added network (VAN), or via the Internet.

Peer-to-peer technologies and applications were much more common in the early days of networking when it was not financially possible for many organizations to have expensive servers and complicated network topologies. This is especially true of personal computer networks that performed simple file sharing from computer to computer in a one-to-one model instead of today's much more common one-to-many server-to-client setup. However, there are legitimate uses for peer-to-peer technologies. One common example is the sharing of Linux distribution software images. Peer-to-peer sharing of these often very large ISO disk images requires far fewer resources from the distributor because there may be thousands of computers distributing the software among themselves, instead of every user trying to download the file from a single server.

35.2.2 Instant Messaging.

Instant messaging, or IM, has become one of the most widely used communication mediums. This technology allows users to communicate with each other in a real-time, live, instantaneous fashion via computer. Today's IM applications are not the first generation of IM. The concept of communicating, or chatting, in real time made its appearance on multiuser computer systems, when users could initiate a text-based conversation with each other. The most common example of this type of communication was a host-based system such as a mainframe environment or UNIX system using programs like talk or ytalk. Initially, users may have been restricted to messaging each other when logged into the same machine; eventually users were able to communicate with each other, either via peer-to-peer or over the Internet. The first widespread uses of IM were made possible with the advent of the PC and were used mainly for informal, personal conversations.

With time, IM has become a business tool and, in some organizations, a necessity. The need to communicate with coworkers, colleagues, salespeople, clients, customers, and the like has transformed a gimmick technology into ubiquity. With this change, it is necessary for security management to change and adapt accordingly. Users are able to send messages, files, real-time streaming video and audio, and just about anything else developers can think of, almost instantly. Essential to the organization or not, IM can become a very dangerous medium for security breaches.

35.2.3 Short Message Service.

Short message service, or more commonly SMS, is another previously minor technology that has become ubiquitous and a large part of everyday life for many people. Although some mobile phone standards and companies had different ideas for the uses of SMS, a common early use was to notify customers of information one way, from the mobile phone provider to the user. A popular example was alerting the user of a missed call or voicemail message. Many carriers never dreamed customers would actually be able to send text messages from one mobile phone to another, nor did the carriers think users would ever want to do such a thing. The name, short message service, also implied a limited amount of text a message could contain. Originally, users were limited to 160 characters or less.

SMS has morphed into something much larger. The commonality of mobile phones has pushed the original concept far beyond its original meaning and function. Today, two-way communication between mobile phone customers, often on different mobile phone carrier networks, between customers and mobile phone providers, and between customers and other information systems has become a way of life. Customers expect instant, always-on, reliable SMS services. Many mobile phones are capable of SMS text messages, taking and sending pictures, instant alerts, and a number of other services that utilize or expand on the original concept of short message service.

35.2.4 Collaboration Tools.

People working together have created a need for even more technology to aid them in completing their tasks. There are many products in today's market to facilitate sharing, collaboration, and organization of data. As some information security professionals joke, “Computers and technology are generally safe and secure, until you let a human near them.” Humans are inevitable when it comes to collaboration tools and systems. Many collaboration tools and systems are designed to aid workgroups that are physically far apart. Once a system has requirements that contain the words “open,” “via the Internet,” or “access from anywhere,” information security managers are alerted. Securing collaboration tools can be very difficult, especially when it comes to balancing functionality versus security. Google has begun offering free, highly functional, Web-based tools intended to aid users in online productivity. These include many powerful, and potentially dangerous, tools to share information and to collaborate with other online users. A recent example is the feature for Google calendar users to make events or calendars public. However, if the user is not careful, private data may be readily available to any user via Google's calendar search feature.1

35.3 PEER-TO-PEER NETWORKS.

One of the earliest mass applications of P2P was for free file-sharing of music through Napster, LLC. Despite difficulties over copyrights, and a subsequent bankruptcy, Napster's technology, in substantially the same form, is still in widespread use. Practical applications have expanded beyond music downloads into the business world, such as allowing small groups of users to share files without the interaction of a systems administrator and distribution of open source software. Likewise, it may be possible that employees are utilizing the organization's high-speed Internet connection to supplement their at-home movie collection via P2P downloads.

35.3.1 Dangers to the Business.

Using P2P technology without proper care and controls, an organization may face serious consequences. There are many threats to an organization that does not properly control P2P networking, as for any other network configuration or protocol. Many problems are discussed in Chapters 21, 25, and 26 in this Handbook. However, this section contains several important issues that information security management should consider while performing risk analysis and policy implementation for P2P networking.

35.3.1.1 Abusing Company Resources and Illegal Content.

Organizations must have an acceptable usage policy in place, one that limits what employees can do with the technology resources provided to them. The policy should clearly state the kinds of technology and applications that are prohibited or restricted in specific ways. In most cases, P2P technology used to download music or videos for personal use will violate the policy.

P2P technology is a specific danger to company technology resources because the inherent nature of P2P technology is to use every resource to the maximum extent possible. For example, a single P2P application, configured properly, will use every bit of bandwidth that is made available to it. This would include local area network bandwidth, wide area network bandwidth, and Internet bandwidth. One of the most popular uses for P2P technology still remains the sharing of extremely large files, especially multimedia files including full-length movies. These large files can take hours to download in full. This fact can have an extremely negative impact on an organization's network infrastructure—including expensive Internet bandwidth.

In practice, a single P2P application has been demonstrated to completely saturate a 10-megabit Internet connection, virtually denying, or severely limiting, access to all other computers. In this case, these dangers to the business are common to many areas of information security management:

  • Threat to availability. If an organization's resources, including network resources, are not available, the business cannot properly function.
  • Threat to integrity. If the organization's resources are crippled or misused by employees utilizing P2P technology, data may suffer from a breakdown of integrity and usability.
  • Threat to the organization's image. If the organization's information systems and infrastructure cannot be relied on because of interruptions from P2P abuses, there is a risk of financial or public image degradation. Some organizations are not able to overcome a substantial loss of image, credibility, or both.
  • Threat from litigation. It is very common to see illegal content being shared via P2P technology; illegal music and video sharing is often credited with having made P2P technology popular. An organization may suffer legal troubles, including copyright and intellectual property suits, if its resources are involved with the sharing of illegal materials. Some antipiracy groups have become extremely aggressive in combating illegal sharing of copyrighted content.

35.3.1.2 Loss of Confidentiality.

There are many ways an organization may suffer a loss of confidentiality from P2P technology. One common mistake is a misconfigured P2P application. The case study in Section 35.3.4 describes one situation. However, the dangers of a misconfigured P2P application are very real: it is quite easy for data to be shared inadvertently. When users are in a hurry or do not understand what they are doing, a P2P application may allow unauthorized access to information because its restrictions are too lax or missing altogether. A common mistake in a Microsoft Windows environment may be to share the entire “My Documents” folder when a user intended to share only photos. It is also possible for a P2P application to be hijacked or altered by malware. An attacker may be able to alter the configuration or operation of a P2P application to reveal data that were not intended for sharing, distribution, or transmission. A misconfigured or compromised P2P application may also become a conduit or access point for an attacker to enter an otherwise secure network environment.

Another, less well known and often overlooked threat involves the amount of data a P2P application can reveal to unauthorized persons. For example, a P2P application may offer detailed information about its host, including:

  • Operating system, version, and configuration
  • Corporate IP address scheme, host naming convention, DNS information
  • Detail about the P2P application version or build (useful for attackers to exploit known vulnerabilities in a “buggy” release or version)
  • Network routes
  • Open network ports in the organization's firewall

Although many of these examples may seem rather benign by themselves, the P2P application may be revealing information that an attacker can use as part of a bigger attack. Chapter 19 of this Handbook details how small pieces of information can be gathered and used together in an information security breach. The very nature and functionality of P2P applications leaks sensitive information that otherwise would not be revealed.

Not all P2P applications are created equal; a P2P application may behave very differently from what the user expects. Can the P2P application actually be a reliable, malware-free, secure application—especially when the application is a free download from the Internet? It is possible that a backdoor, malware, spyware, or the like may be built into the P2P application, or introduced later. This was especially true in the days of Napster; many applications included unwanted malware that ranged from innocent to downright dangerous.2 Similar exploits are still possible.

35.3.1.3 Consequences.

Any organization that does not protect against data loss via P2P networking is at great risk of public disclosure and scrutiny, financial penalties, regulatory penalties, and so on. The functionality and nature of P2P applications may provide an investigator or, worse yet, the press with definitive evidence of the use of P2P technology within an organization. A majority of the public may only understand P2P technologies to be used in conjunction with illegal music sharing; even this simple, negative perception can greatly influence public opinion on the organization. It would be very difficult to refute packet analysis or screen shots containing an organization's IP address in which the computer was compromised, used for illegal software or media sharing, or the computer was used by an unauthorized entity to extract data. In the age of P2P applications commonly used to illegally share and distribute the intellectual property of unwilling participants, organizations are taking aggressive steps to find and prosecute offenders. See Chapter 55 in this Handbook for a discussion of cyber investigations; see Chapter 61 for guidance on working with law enforcement.

35.3.2 Prevention and Mitigation.

Protecting the organization from information security breaches via P2P technologies is one of many important parts to an overall security plan. Depending on an organization's structure, leadership, function, and similar factors, methods for preventing and mitigating P2P threats can range from simple to very complicated. Obviously, each organization must perform a risk analysis and determine its threat threshold when it comes to P2P technology. Chapter 62 provides means for risk assessment. The guidelines that follow can help an organization defend against the threat of P2P technology causing security breaches.

35.3.2.1 Policy.

It is important for every organization to address the use of P2P technology in a policy, such as an acceptable use policy, a personnel guideline policy, or security policies. The relevant policy, along with all other security-related policies, should be clearly stated, clearly communicated to the entire organization, uniformly and equally enforced, and updated as necessary.

35.3.2.2 Complete Ban on Peer-to-Peer Technology.

In most cases, the organization can ban the use of P2P completely, especially through enforceable policy. Care should be taken to ensure all employees and computers are in compliance with the ban. It should be forbidden or, even better, impossible to install P2P applications on personal computers, servers, and all other information systems that could be used to send and receive P2P-related traffic. If employees are allowed to install software on their workstations, regular inventories and audits of the computers should take place. Removal should be immediate, and appropriate corrective actions taken. Several technologies may also aid in disallowing P2P traffic, although no technological solution is completely foolproof. These measures are additional safeguards, not complete solutions. Firewalls should be configured to block those ports common to P2P applications, and although many P2P applications are able to tunnel through TCP/IP ports such as those used by HTTP or other common protocols, this is a necessary first defense. Packet-shaping technologies can also be useful to identify P2P-related traffic and block its communications. Packet-shaping and traffic management devices are often able to detect the signature of P2P traffic, no matter what TCP/IP port the application may be using. Some intrusion-detection and intrusion-prevention systems may also be able to identify and block P2P traffic, as would many Internet filtering devices. Logs and reports should be examined daily and infractions should be quickly remedied.
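The port-blocking and signature-matching layers described above differ in what they can see. A port rule misses a client that has moved to port 80 or 443, whereas a payload signature does not care about the port. The following is an added example, not code from the Handbook or from any shaping product, of the kind of port-independent check an IDS or packet-shaper performs: it recognises the BitTorrent peer-wire handshake, an HTTP tracker announce, and a bencoded DHT message from the first bytes of a flow. Every sample payload, host address and port in it is constructed for this example.

```python
"""Port-independent recognition of BitTorrent traffic from payload bytes.

Added example, not code from the Handbook. It performs the kind of check a
packet-shaper or IDS applies when it identifies P2P traffic regardless of
the TCP/UDP port in use: it matches the peer-wire handshake, an HTTP tracker
announce, and a bencoded DHT message. All sample payloads below are
constructed for this example.
"""
import re
from typing import List, Optional, Tuple

# Peer-wire handshake (BEP 3): <19>"BitTorrent protocol"<8 reserved bytes>
# <20-byte info_hash><20-byte peer_id>, 68 bytes in total.
HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"

# Bencoded DHT messages (BEP 5) are dictionaries carrying a 20-byte node "id"
# and a "y" key whose value is q (query), r (response) or e (error).
DHT_TYPE_RE = re.compile(rb"1:y1:[qre]")


def classify_payload(payload: bytes) -> Optional[str]:
    """Return a label for a recognised BitTorrent message, or None.

    Only the first bytes of a flow are examined, which is all an inline
    device has when it must decide whether to shape or block.
    """
    if payload.startswith(HANDSHAKE_PREFIX) and len(payload) >= 68:
        info_hash = payload[28:48].hex()          # identifies the torrent
        return f"bt-handshake info_hash={info_hash}"

    # HTTP tracker announce: GET /announce?info_hash=...&peer_id=... even
    # when the tracker listens on port 80 to blend in with web traffic.
    request_line = payload.split(b"\r\n", 1)[0]
    if (request_line.startswith(b"GET ") and b"announce" in request_line
            and b"info_hash=" in request_line and b"peer_id=" in request_line):
        return "bt-tracker-announce"

    # DHT: a bencoded dict ("d"..."e") with a node id and a message type.
    if (payload[:1] == b"d" and payload[-1:] == b"e"
            and b"2:id20:" in payload and DHT_TYPE_RE.search(payload)):
        return "bt-dht"
    return None


def scan_flows(flows: List[Tuple[str, int, bytes]]) -> List[Tuple[str, int, str]]:
    """Classify (source_ip, dest_port, first_payload) tuples; return the hits."""
    hits = []
    for src, dport, payload in flows:
        label = classify_payload(payload)
        if label:
            hits.append((src, dport, label))
    return hits


# Constructed sample payloads (hypothetical hosts and values).
HANDSHAKE = HANDSHAKE_PREFIX + bytes(8) + b"\xaa" * 20 + b"-PY0001-" + b"x" * 12
TRACKER_GET = (b"GET /announce?info_hash=%aa%aa%aa&peer_id=-PY0001-xxxxxxxxxxxx"
               b"&port=6881 HTTP/1.1\r\nHost: tracker.example\r\n\r\n")
DHT_PING = b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"
PLAIN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(32)

SAMPLE_FLOWS = [
    ("10.20.30.40", 6881, HANDSHAKE),    # classic BitTorrent port
    ("10.20.30.41", 80, TRACKER_GET),    # announce hidden on the HTTP port
    ("10.20.30.42", 443, DHT_PING),      # DHT query sent to the HTTPS port
    ("10.20.30.43", 80, PLAIN_HTTP),     # ordinary web request: no hit
    ("10.20.30.44", 443, TLS_HELLO),     # TLS ClientHello: no hit
]

if __name__ == "__main__":
    for src, dport, label in scan_flows(SAMPLE_FLOWS):
        print(f"{src} -> port {dport}: {label}")
```

Two caveats apply to any signature of this kind. Clients that negotiate Message Stream Encryption (the RC4-based obfuscation most BitTorrent clients support) send a Diffie-Hellman exchange first, so the bytes on the wire look random and none of these patterns fire; that is why the section treats signatures as an additional safeguard rather than a complete solution. Conversely, the tracker rule is deliberately loose and will also match any unrelated URL that happens to contain those query parameters, so hits should be confirmed against logs before a host is cut off.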

35.3.2.3 Information Security and Information System Audits.

All information systems and components should be audited regularly to ensure that they are not configured, intentionally or unintentionally, to participate in P2P file sharing. This task should be part of every organization's regular information system and information security audit processes. If possible, external and neutral resources are most useful to ensure all systems are audited in a uniform, exact, repeatable, and objective fashion.

35.3.2.4 Legitimate Business Use Must Be Managed.

There are times when an organization does not wish to completely ban or block the use of P2P technologies. One increasingly common and legitimate use for P2P involves open source software distribution via BitTorrent. BitTorrent is a P2P-based protocol for the distribution of data—often very large amounts of data. A widespread use includes the distribution of the Linux open source operating system. Software distribution of Linux often involves obtaining CD-ROM or DVD images to create install discs. By utilizing BitTorrent technology, software vendors and distributors are able to provide large amounts of data to their clients without carrying the entire burden of distribution, bandwidth, and computing resources. However, the organization must manage how this technology is used to ensure resources are not abused and that the P2P applications are used for only allowed, legal ends.

This can be accomplished through policy, auditing, and various network access and control technologies. Each organization must define its own level of acceptable risk for legitimate P2P technology usage and must find solutions that will match the acceptable level. Some examples include:

  • Use of encryption
  • “Anonymous” P2P routing technologies such as onion routing (see Chapter 31 in this Handbook)
  • Network isolation for computers used to obtain software with P2P applications
  • Company-acquired DSL or cable modem connections to the Internet, avoiding the use of corporate network resources

35.3.3 Response.

It is necessary for all organizations to define exactly how to respond to security breaches and policy violations, including situations where P2P technology is involved. Not only should the process be included in the overall security plan, but also technological processes should be in place to remove offending systems from the network. In some cases, the rebuilding of a compromised resource may be necessary, but some organizations may choose to completely remove the compromised machine from the organization or to archive the machine for legal, forensic, or investigative processes.

35.3.4 Case Study.

Misconfiguration, unintentional use, curiosity, and experimentation with P2P in the workplace do happen, with consequences. Although this case is only one type of specific security incident involving P2P technology, it should serve as an example of how such a situation can occur.

An employee of one organization reported a very slow-running computer to the help desk. All of the usual help desk suggestions and tricks were exhausted with little effect on the performance of the computer. The usual symptoms of a very slow computer were present—massive wait times to accomplish simple tasks, random errors and shutdowns, lockups, and other operational problems. However, there was one difference: After a reboot, it would take several minutes for the computer to slow down and become unresponsive. After some time, an employee commented, “I did try installing a music sharing program last week, but I didn't like it and uninstalled it.” This led the engineer to examine each and every process that was running on the computer.

Although it appeared that the P2P application had been uninstalled, it actually had not been; it was still installed and running in a stealth mode. The uninstaller only masked the P2P application. Not only was the P2P application still running, but it was misconfigured to share the entire contents of the C: drive. There were literally thousands of other P2P users attached to the machine actively searching, uploading, downloading, and altering the contents of the computer's hard drive. The computer was not only giving away all of its data, it was being used as a server to host thousands of media files. Since the computer was on a network segment that had full TCP/IP 1-to-1 network address translation, it was effectively completely open to the outside world—and the outside world was taking full advantage of the opportunity. The hard drive was virtually full, and files were being added and deleted at will by remote users.

It is unknown if the user's personal data was actually accessed, downloaded, or used for any malicious activity, but the capability was certainly there. Because of a user's unauthorized downloads, inadequate network security, and other policy violations, the organization could not be sure of the confidentiality or integrity of the computer or its data. Necessary steps were taken to prevent this incident from occurring again, but this scenario has played out at other organizations, and will continue to do so as long as the P2P risk exists.
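The engineer in the case study found the hidden client only by walking the process list by hand. A faster check, and one that does not depend on the program appearing in the installed-software list, is to look at the socket table: a hidden sharing client still holds connections to thousands of distinct peers, which nothing else on a workstation does. What follows is an added example, not code from the Handbook, that counts distinct external peers per process. Its input format is modelled on Linux `ss -Htnp` output; the lines, process names, PIDs, addresses and the fan-out threshold are all constructed or assumed for this example and should be tuned to the environment.

```python
"""Flag processes with an unusually large number of distinct external peers.

Added example, not code from the Handbook. A file-sharing client that is
still running after a fake "uninstall" does not appear in the installed
programs list, but its sockets still show up in the kernel's connection
table. The input format here is modelled on `ss -Htnp` output on Linux; the
lines, process names, PIDs and addresses are all constructed for this
example, and the fan-out threshold is an assumption to be tuned per site.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Address space treated as "inside"; peers outside it count toward fan-out.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7")]

# State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=N,fd=N))
SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)'
    r'\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)')


def peer_address(endpoint: str):
    """Strip the port (and IPv6 brackets) from 'host:port' or '[v6]:port'."""
    host, _, _port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]"))


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def peer_fanout(ss_lines: List[str]) -> Dict[Tuple[str, int], int]:
    """Map (process, pid) -> number of distinct external peer addresses."""
    peers = defaultdict(set)
    for line in ss_lines:
        m = SS_LINE.match(line)
        if not m or m["state"] != "ESTAB":
            continue
        ip = peer_address(m["peer"])
        if is_internal(ip):
            continue
        peers[(m["proc"], int(m["pid"]))].add(ip)
    return {key: len(ips) for key, ips in peers.items()}


def flag_fanout(fanout, threshold: int = 25) -> List[Tuple[str, int, int]]:
    """Return (process, pid, peers) for processes at or above the threshold."""
    flagged = [(proc, pid, n) for (proc, pid), n in fanout.items() if n >= threshold]
    return sorted(flagged, key=lambda t: t[2], reverse=True)


def _row(proc, pid, fd, local, peer, state="ESTAB"):
    return f'{state} 0 0 {local} {peer} users:(("{proc}",pid={pid},fd={fd}))'


# Constructed sample: a mail client on the LAN, a browser with three
# connections to one site, a local ssh session, and a hidden sharing client
# talking to forty distinct hosts on the Internet.
SAMPLE_SS_OUTPUT = [
    _row("outlook", 2222, 9, "10.20.30.40:50512", "10.0.0.5:443"),
    _row("chrome", 1111, 30, "10.20.30.40:50600", "198.51.100.2:443"),
    _row("chrome", 1111, 31, "10.20.30.40:50601", "198.51.100.2:443"),
    _row("chrome", 1111, 32, "10.20.30.40:50602", "198.51.100.2:443"),
    _row("sshd", 777, 5, "[::1]:6010", "[::1]:40312"),
] + [
    _row("musicshare", 4242, 40 + i, f"10.20.30.40:{51000 + i}", f"203.0.113.{1 + i}:6881")
    for i in range(40)
]

if __name__ == "__main__":
    for proc, pid, n in flag_fanout(peer_fanout(SAMPLE_SS_OUTPUT)):
        print(f"{proc} (pid {pid}) holds connections to {n} distinct external hosts")
```

Counting distinct remote addresses rather than raw connections is what separates a sharing client from a browser with many tabs open to one content network; on a real host the threshold still needs tuning, since update agents and some collaboration clients also fan out. Run at the moment the machine "slows down a few minutes after reboot", as in the case study, the same snapshot also gives the incident responder the PID to capture before the process is killed.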

35.4 SECURING INSTANT MESSAGING.

Instant messaging has become an integral part of communications—both business and personal—for many people. Although personal use in a business environment usually wastes time and resources, IM does have legitimate uses in the business world, from sales contacts to interoffice real-time communications with rapid response. From executives to interns, IM may be found on many desktops, but it must be managed and secured on all.

35.4.1 Dangers to the Business.

With any technology, especially those that make connections to the Internet, there is a risk to the organization. Instant messaging is not a petty annoyance that should be taken lightly; if the technology is not controlled by the organization, a serious breach of security could occur. Instant messaging technology has come a long way since its inception. IM applications are capable of transmitting much more than just interpersonal text banter.

35.4.1.1 Loss of Information.

Information loss and loss of confidentiality, intentionally or unintentionally, is most likely the biggest threat of IM to the business. There are several ways information can be harmfully conveyed via IM:3

  • Revealing secrets via text chat, especially given the instant transmission when compared with e-mail, which usually allows a configurable delay between hitting send and actually having the message sent.
  • Copy-and-paste functions used to transmit confidential or secret information.
  • File transfers.
  • Screen sharing and real-time collaboration functions such as shared whiteboards.
  • Relaying voice, video, or both to another party (unintentional or intentional).
  • Use of Webcam technology to relay visual information within a secure facility.
  • Downloading malware to collect and steal data.
  • Impersonation. (This tactic usually involves stealing a known IM account or creating a fake account to impersonate someone the victim knows.)
  • Subpoenas or search warrants executed to collect IM logs, conversations, and so on may be harmful to the organization, or to certain employees, but of benefit to others.

Although this is not a complete list, it should serve to aid in security planning. There are many good resources on the Internet to further explain similar threats and consequences, but the preceding list should encourage thoughtful brainstorming about the ways in which an organization may lose control of data, including a complete loss of the data altogether. Some of the listed methods would be extremely difficult to detect and remedy. With high-speed networks and high-speed Internet links at most organizations, a massive amount of data can be conveyed within a very small amount of time.
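Several of the leak paths listed above (pasted secrets, file transfers, bulk copy-and-paste) leave traces in the chat log of a managed IM server, which is one reason the later recommendation to provide IM in-house matters: the organization can only inspect what it can see in plaintext. The following is an added example, not code from the Handbook, of a small data-loss scan over such a log. It applies a Luhn check so that order numbers do not masquerade as card numbers, looks for classification markers and file transfers, and flags oversized pastes. The log format, user names, thresholds and every line of the sample log are constructed for this example; a real deployment would parse its own gateway's format.

```python
"""Scan a managed IM server's chat log for the leak patterns discussed above.

Added example, not code from the Handbook. It runs a few data-loss checks
over plaintext IM records: a Luhn-validated card number pasted into chat,
a classification marker, a file transfer, and an oversized paste. The log
format, users, thresholds and every line of the sample log are constructed
for this example; real deployments read their IM gateway's own log format.
"""
import re
from typing import List, Tuple

# "YYYY-MM-DD HH:MM:SS sender -> recipient: body" (assumed log format)
RECORD_RE = re.compile(r"^\S+ \S+ (?P<sender>\S+) -> (?P<recipient>\S+): (?P<body>.*)$")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits
MARKER_RE = re.compile(r"\b(confidential|internal only|do not distribute)\b", re.I)
FILE_RE = re.compile(r"\[file transfer\] (?P<name>.+)$")
BULK_PASTE_CHARS = 400   # assumed: longer than anyone types in one message


def luhn_ok(digits: str) -> bool:
    """Luhn check: filters order numbers and other digit runs from PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep BIN and last four so the finding itself is not a second leak."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_im_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, rule, excerpt) findings; excerpts never carry a full PAN."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = RECORD_RE.match(line)
        if not m:
            continue
        body = m["body"]
        for cand in CARD_RE.finditer(body):
            digits = re.sub(r"[ -]", "", cand.group(0))
            if luhn_ok(digits):
                findings.append((line_no, "pan", mask_pan(digits)))
        marker = MARKER_RE.search(body)
        if marker:
            findings.append((line_no, "classification-marker", marker.group(0)))
        transfer = FILE_RE.search(body)
        if transfer:
            findings.append((line_no, "file-transfer", transfer["name"]))
        if len(body) >= BULK_PASTE_CHARS:
            findings.append((line_no, "bulk-paste", f"{len(body)} chars"))
    return findings


# Constructed sample log: one decoy order number, one real-looking card
# number, one marked file transfer, and one pasted contact list.
SAMPLE_IM_LOG = [
    "2008-03-12 09:14:02 alice -> bob: lunch at noon?",
    "2008-03-12 09:15:40 bob -> alice: order 1234567812345678 shipped yesterday",
    "2008-03-12 10:02:11 alice -> vendor_rep: use the corporate card 4111 1111 1111 1111 exp 11/09",
    "2008-03-12 10:03:55 alice -> vendor_rep: [file transfer] Q4 forecast - CONFIDENTIAL.xlsx (1.2 MB)",
    "2008-03-12 10:05:12 carol -> dave: " + "Smith,John,jsmith@example.com,555-0100;" * 12,
    "2008-03-12 10:07:00 dave -> carol: ok thanks",
]

if __name__ == "__main__":
    for line_no, rule, excerpt in scan_im_log(SAMPLE_IM_LOG):
        print(f"line {line_no}: {rule}: {excerpt}")
```

The order number on line 2 has sixteen digits but fails the Luhn check and is not reported, while the card on line 3 is. The scan says nothing about webcam, voice, or screen-sharing traffic, and nothing at all about a client that tunnels to a public IM service over HTTPS; those are exactly the channels the section recommends disabling administratively rather than trying to inspect.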

35.4.1.2 Consequences.

Like other security threats, the consequences of not securing IM technology can be serious. Many organizations have experienced a security breach that involved IM, and there are probably more to come. Instant messaging security breaches can be deadly to an organization by themselves or as part of a much larger attack on the business. Stealing or transmitting information through IM is no less risky than any other form of information theft. One single file, whether sent through an IM file transfer or meticulously cut and pasted, bit by bit over a great period of time, can destroy a company's reputation and standing in the public eye. A breach from a single IM conversation has the potential to depress a corporation's stock price in a matter of hours or days. There have even been cases where a chief executive officer's confidential information was captured and posted on the Internet for all to see.4

35.4.1.3 Denial of Service.

IM cannot be written off as a tiny application with no real footprint on network resources. Instant messaging can be a tool used to create a denial of service attack on an organization, resulting in a loss of availability. IM technology can be a very powerful and useful tool for an attacker, including the use of IM clients with a direct connection to the Internet. With the right combination of malware and access, an attacker may be able to exploit one of many vulnerabilities discovered in IM applications, including the ever-popular buffer overflow. The National Vulnerability Database listed 12 vulnerabilities in instant messaging software as of March 2008.5

35.4.2 Prevention and Mitigation.

Every organization must guard against the threats caused by IM technology. Proper review and analysis of the risks associated with IM must be carried out within the organization, and the organization must determine the amount of risk it is willing to take. It is also necessary to evaluate the costs and efforts associated with the prevention and mitigation of this threat. Different organizations will judge the risks and rewards of using IM differently. There is no set standard for every organization or business; there is no universal set of rules that can be applied in all situations. (For a discussion of risk assessment and management, see Chapter 62 in this Handbook.) The next sections provide strategies, tactics, and considerations for securing IM.

35.4.2.1 Policy.

Before all else, policy should come first, especially with the popularity and widespread use of IM. Without adequate policies, the organization has no chance of actually protecting itself. Policy must be the foundation that all other considerations rest upon. Clearly defined, well-communicated, and equally enforced policy is one of the most important fundamentals information security relies on. No matter what the organization decides when it comes to IM rules, it must be stated in a policy.

Instant messaging, while risky, is one of the most visible policy decisions a business will make. Although completely disallowing IM might be best, and preferred for the strongest security, doing so could lead to frustrated employees, unable to use the facility for personal use, business use, or both. Every management team should be conscious of the potential ramifications of an overly strict policy. Conversely, allowing unfettered IM is certainly not the best solution.

Compliance and governmental regulations must be taken into consideration. If IM communications are to be allowed, they become part of the organization's digital information, and therefore may be subject to subpoena, search warrant, and document retention requirements. New regulations and legal rules may greatly affect policy decisions. It is important to remember that instant messaging logs and conversations may be subject to legal discovery, search, and seizure. Consult counsel for proper legal advice.

35.4.2.2 Complete Ban.

A ban on all IM technology would be the best way to ensure better enterprise security. However, this will only produce dissatisfied users, without being effective. Users can become technology-savvy in a hurry if they are determined to circumvent a policy. A block on IM communications often causes users to do just about anything they can to accomplish their goal of unobstructed IM. Many IM clients will help users avoid technology put in place to block communications. The software may be configured to bypass firewall rules, detect and avert packet-shaping technology, and tunnel its way to the Internet. Many IM services also provide Web-only interfaces that do not require software to be installed while communicating via HTTP. Unfortunately, this technology can be a very difficult and frustrating one to ban within the organization; a complete ban is probably not a practical solution.

35.4.2.3 Prevent Installation of Instant Messaging Software.

Although a complete ban may not be possible, or even desirable, one step that a more secure organization can take is to prevent users from installing IM software. This tactic is not going to solve the whole problem, but it certainly will help. Controlling the installation of IM software should be part of the organization's overall software installation policy. In general, installing software without permission should be denied. If it is feasible, local workstation administrator rights should be denied for most employees. In many user or system management solutions, it is also possible to block software installation through individual, group, or workstation policy templates and procedures. Universal software installation prevention is much easier than trying to define policies or templates for every possible IM peer, application, group, or tool.

35.4.2.4 Fight Technology with Technology.

This suggestion on its own will not provide the organization with an all-in-one solution for securing IM. However, there are a number of network devices, appliances, traffic monitoring software, and other technologies to help an organization minimize IM use. Do not believe marketing claims that any device or technology can guarantee IM blocking; very few can deliver on this promise. The only true way to guarantee an IM-free company is to block access to the Internet completely—which is not very realistic.

35.4.2.5 Limit Risk and Exposure.

For most organizations, limiting IM through policy and technology is the solution to the threats that IM introduces. Combining those two approaches will help to reduce the possibility of data loss. Security managers and administrators should agree on what can and what cannot be allowed within the organization. An organization may choose to block file transfers, Webcam functions, or screen-sharing functions for IM communications. These types of actions will not prevent IM security breaches, but they could limit data loss. As with any policy and risk management, proper audit, reporting, and compliance controls must be in place.

35.4.2.6 Providing Secure Instant Messaging.

In environments where IM is needed to run the business, the best strategy is to provide secure, managed IM services to the employees. Of course, the needs will vary among different organizations for different levels of IM connectivity, functions, and software. Many of today's popular corporate e-mail and collaboration systems have built-in or optional IM services. When properly deployed, these IM systems can meet many of these secure IM best practices:

  • Encrypt IM communications wherever possible: client to server, server to Internet, and so on.
  • Encrypt logs and chat conversations at the workstation and server.
  • Ensure that all logs, chat conversations, file transfers, and archives meet data transmission, retention, and destruction policies.
  • Ensure that “presence awareness” features (software features that allow the user to communicate his or her presence or availability, such as “online,” “away” or “out to lunch” to all users) comply with corporate personnel policies.
  • Administratively disable features that cannot be encrypted or properly managed (screen sharing, file transfer, whiteboard, etc.).
  • Where possible, lock or force configuration settings to ensure policy compliance.
  • Establish procedures for periodic monitoring and auditing of IM systems; do not ignore logs.
  • Enforce prudent password policies for IM systems.
  • Properly secure IM communication systems with Internet connectivity; consider placing systems in demilitarized zones (DMZ); ensure appropriate server lock-down policies and procedures.

Corporate-owned and managed IM systems may not be possible in all situations. In those cases, the organization must form policies and procedures to limit risk and exposure with commercial IM systems. Some systems do provide “secure” IM, but be skeptical of exactly how much protection they provide. Consider limiting commercial IM needs to nonessential computers with limited network access, limiting or restricting users to specific IM applications or services, and monitoring instant message network traffic and usage. Some commercial IM services also provide “corporate” or “business” IM services, often for a fee. These premium offerings may provide the organization with the necessary or acceptable level of functionality and security.

35.4.3 Response.

Instant messaging breaches and compromised systems generally do not require special handling after a security incident. In general, normal policies and procedures can be followed to properly investigate, clean, and document security breaches. There are many commercial tools, including forensic software, to aid in incident response. Infected or compromised systems, if no longer needed for investigation, should be reimaged before redeployment to an employee or, if allowed by policy, destroyed. There is no guarantee that a machine has been cleaned up or that all malware has been removed. Format the storage elements, and start clean—it is just better practice to do so.

35.4.4 Safe Messaging.

Although most users at the organization are generally satisfied with mainstream IM systems, clients, and services, there are dangers to be considered. There seem to be an almost unlimited number of open source IM clients, Web-based IM and chat providers, social networking Web sites providing IM, and the like. When considering policy and management of IM within the organization, it is important to judge the source and intentions of all of the possible services. Not all IM software and services are created equal; some may originate from untrusted sources and may contain malware and other security risks. Instant messaging software or providers may be logging information without the user's knowledge or consent.

Also, if the organization will utilize commercial IM software and services, it is critical to carefully examine the provider's terms of use and license agreements. The responsibilities and liabilities of both parties should be carefully weighed by information security managers, company executives, and legal counsel before allowing use of the software and associated services.

35.5 SECURING SMS.

Few technologies are more ubiquitous than short message services. Virtually all mobile phones are capable of sending and receiving SMS communications. Since mobile phones are virtually everywhere, security considerations must be in place to guard against the threats that they present. A technology with a relatively minor footprint can cause a world of destruction when used as a weapon. Today, SMS technology, and its associated complementary services, has grown exponentially. Securing, and defending against, SMS must be included in every organization's comprehensive security plan.

To understand SMS security, it is important to look at the underlying devices most associated with SMS. Using SMS does not require a cell phone. Many phone carriers allow SMS messages to be generated and sent from an unsecured, public Web site. SMS messages may also originate from e-mail messages, instant messaging services, and the like. Today's mobile phones, including smart phones, are more powerful and contain many more features than prior years' phones. Phones are increasingly gaining processing power, memory, complex operating systems, and other features that essentially could redefine the device as a personal computer. Phones are able to access the Internet, install applications, communicate from phone to phone, and even access corporate data networks. Information security managers and professionals should never underestimate the power or versatility of a mobile phone. They pose a threat to every aspect of an organization's information security.

35.5.1 Dangers to the Business.

SMS can introduce many types of security threats into an organization. SMS can cause a data breach by innocent mistakes or by deliberate attacks. This technology can be used as a criminal tool to deliberately steal information, to extract data, to extort information, and to deceive. It may also be a conduit for inadvertent data loss. The consequences of data lost via SMS are much the same as for any other data breach: loss of confidence in the organization, loss of image, bad public relations, financial penalties, and so on. A serious or even minor data breach may appear to communicate to the world that the organization does not have a comprehensive security plan in effect, or that the company does not abide by such a plan—whether true or not. Some investors, customers, or people in the general community may look at a breach of such a simple technology and ask, “How could the company not have proper security for something as simple as a cell phone?” A missing laptop with confidential data is a serious security breach, but a mobile phone, with all its capabilities, must be treated as nearly the same type of critical infraction.

35.5.1.1 SMS as a Tool for Deliberate Data Loss.

One danger an organization may face involves an individual or group of people utilizing SMS technology to ferry critical data to unauthorized persons, usually outside the organization. This action replicates an age-old tactic: stealing information piece by piece from within the organization and passing it to someone who should not possess it. Consider classic tricks of criminals, such as copying information in tiny pieces over great amounts of time to avoid causing suspicion. Any number of technologies can be used to move data, including flash or thumb drives, iPods, scraps of paper, photographs, screen printouts, embedded code, or even memorization. Disgruntled employees may use SMS to send confidential information to an accomplice or even to themselves for later use, such as selling the data, extortion, and the like. It would be virtually impossible to know that an employee is slowly leaking data outside the business from a mobile phone. What may appear to coworkers as a serious text-messaging addiction may actually be a serious data breach.

Another fact information security management must consider is that SMS service, whether exactly true to the original definition or not, has expanded well beyond messages of only 160 characters. Mobile phone users are able to send real-time video streams, recorded video, photographs, substantially longer text messages beyond 160 characters, Web page links, and just about anything else the phone carriers can implement. If the mobile phone industry considers all of these features to be synonymous with SMS, the organization's security plan should as well. Business risk has increased greatly with every new technology addition.

35.5.1.2 Inadvertent Data Loss via SMS.

Data loss can occur by mistake, bad luck, stupidity, a misinformed user, or misunderstanding of features, as well as by theft of the data device itself. Both deliberate data theft and inadvertent data losses are extremely dangerous, with potentially serious consequences. Search engines reveal many different tactics and war stories of data loss from a mobile phone as well as other SMS-specific security issues. These are scenarios and techniques to consider:

  • SMS via e-mail or the Internet
  • SMS snooping or sniffing
  • Recovery of improperly deleted data
  • Stolen, mixed up, or lost phones
  • Misdialed numbers
  • Wi-Fi connectivity
  • Unattended phone with no password
  • Malware installed on phone (keyloggers)
  • Recipient's phone is lost, stolen, or borrowed
  • Impersonation

35.5.2 Prevention and Mitigation.

SMS technology is not going to disappear anytime soon, so every organization must come up with a plan to prevent data loss and protect itself from this risk. Once again, the organization's leadership, security management, and security professionals must evaluate the risk of SMS versus the need to operate the business and maintain an amiable group of employees. Every organization must decide for itself exactly what kind of practices to put into place for SMS security and the cost/benefit of each practice. Everything must be considered, from policy and procedures, to deployment of security technologies and mobile phone company-provided services. With today's varying needs, newly emerging technologies and an array of mobile phones, it is very difficult for any two organizations to adopt the same prevention and mitigation strategies. However, the next suggestions can be used to begin, update, or enhance the organization's security plan when addressing SMS technology.

35.5.2.1 Policy.

It is impossible for information security managers to provide any security whatsoever if there is limited or no SMS policy. Human resources also will have difficulty dealing with an employee, current or separated, who is perceived as having broken a policy that does not exist in writing. A vague acceptable use policy will not be enough. A clearly stated position must be written, adopted, and communicated to all employees. The policy should apply to every employee, new or old, executive or trainee, with no exceptions. The policy should regularly be reviewed, updated, and redistributed, with recurrent training as necessary, especially in a rapidly changing area such as SMS.

A good policy must also address an important distinction common to mobile phone use in the organization: personal phones versus company-provided phones. The policy must address: what is acceptable for employee conduct on the job; whether personal phones are allowed on the premises; what type of phone is allowed (usually referring to whether employees are allowed to have camera phones); where, when, and for what purposes they can use personal mobile phones; what is allowed on business-provided phones; and the like.

35.5.2.2 Mobile Phone Ban.

In some cases, security needs may necessitate prohibiting the use or even possession of mobile phones on company grounds or in certain areas. This type of action should be included in company policy and should be clearly communicated. It may be necessary to remind employees with signs and repeated communication as well. This is a common practice to prevent data loss from any mobile phone function, including SMS. The organization should be sure to make distinctions for employee-owned phones and emergencies. If an area requires a very high amount of security, err on the side of caution, and forbid mobile phones completely. The policy must extend to visitors, vendors, contractors, and other outside entities as well as to every employee—regardless of rank.

35.5.2.3 Providing Secure SMS.

Providing “secure” SMS can prove to be difficult, and it can be easy to fall into a false sense of security. Information security managers must know exactly how their mobile phone infrastructure works before declaring the system secure. Although one component of a phone's connection may be secure—for example, from the phone to its messaging server—the entire path of an SMS message may not be secure. Some devices, such as the BlackBerry from Research in Motion (RIM), provide encrypted transport for messaging. However, e-mail or messages to users on different phone networks or other messaging servers may not be encrypted. Information security professionals must clearly understand the technology they are deploying, and they must test for proper installation and configuration. If a solution is to be encrypted end to end, it is prudent to double check to prove the solution really is as secure as it is believed to be. Organizations may also need to work closely with the solution providers and mobile phone carrier to properly implement necessary security solutions. However, it is important to remember that if a solution is not as secure as the organization's policies and needs require, SMS, mobile phones, or both should be banned. Some phones or smart phone solutions allow administrators to “block out” services such as SMS or to install secure communications software. Carefully consider and evaluate all options and solutions.

35.5.2.4 Ubiquitous BlackBerry.

There are many smart phones on the market, but probably none is as popular as the BlackBerry. A device so ubiquitous and addictive to users that it earned the nickname “crackberry” surely is a concern for security managers. The device is meant for business users, and more and more organizations have adopted it. Its services, however, go well beyond SMS, so that security measures must cover anything of which the device is capable. As of this writing, several devices, including the BlackBerry, have been introduced with the capability to connect with both cellular wireless technology (such as Enhanced Data rates for GSM Evolution (EDGE), Code Division Multiple Access Evolution-Data Optimized (CDMA EV-DO), etc.) and 802.x Wi-Fi communications. Now security managers have twice the communication pathways to secure.

As far as information security is concerned, the BlackBerry is a mobile computer with wireless communications. Security features and software included with enterprise-wide deployment of the BlackBerry should be utilized, upgraded when necessary, and extraordinarily well managed. The BlackBerry, and all of its communications, applications, features, and the like, must be secured exactly as well as a laptop with the same features.

35.5.2.5 Other Considerations.

The next list provides points to consider when planning for SMS security, many of which are from NIST Special Publication 800-48, “Wireless Network Security.”6

  1. Create policies and procedures to deal with lost mobile phones. The phone may contain sensitive data, including stored and deleted SMS messages.
  2. If cell phones are banned from the organization's premises, ensure that physical security has procedures and rules for checking visitors and employees for mobile phones.
  3. Many mobile phones have the capability to back up and synchronize their contents to the desktop. Ensure proper procedures are in place to secure this data and prevent its leakage.
  4. Policies and procedures should be in place to limit and manage the acquisition of mobile phones by employees—information security may not be aware of the existence of new phones in the environment.
  5. Mobile phones are not easily audited, nor is there much software to aid in the auditing process.
  6. Despite proper labeling of a company-owned device, if lost it will rarely be returned to the organization. Plan to mitigate damage caused by a lost mobile phone; utilize security features such as remotely wiping the device after loss via “poison pill” features or “auto-destruct” features that trigger after several invalid password attempts.
  7. If a mobile device supports screen-lock and power-on passwords, use these simple protections wherever possible.
  8. Through policy and education, prevent as much sensitive and private information on the organization's mobile phones as possible, including SMS messages.
  9. Utilize Public Key Infrastructure (PKI) technology where possible.
  10. Install antivirus software where possible.
  11. Utilize VPN and firewall technology for safer data communications.
  12. If a phone is to be carried on international travel, SMS messaging should be prohibited if at all possible. The risks associated with taking a mobile phone to international destinations increase exponentially.

35.5.3 Reaction and Response.

When a security incident involving a mobile phone and SMS does happen, it may be best to work with the mobile phone provider, possibly also the manufacturer. Procedures and correct processes associated with data retrieval, preservation, investigation, and so on are best handled by those most qualified. Most of the large mobile phone companies have special divisions with specially trained personnel who can assist the organization. If necessary, involve law enforcement. This is an area where a long-standing good relationship with local, state, or federal law enforcement is extremely beneficial—even if the investigation would not necessarily require law enforcement investigation. For more information on this subject, see Chapter 61 of this Handbook.

Investigating SMS issues, including tracking messages, tracking phone location, and tracking the path an SMS message took, can often be accomplished with the help of the mobile phone carrier. Law enforcement and court-ordered subpoenas may be necessary, depending on the situation.

Compromised devices should be carefully reviewed before returning them to regular use. Mobile phone providers can assist in “wiping” the device clean of all software, including malware. Specific practices and procedures vary by phone and provider, but some organizations may choose to archive or destroy devices involved with a security breach of any kind.

35.6 SECURING COLLABORATION TOOLS.

Information systems that provide online facilities for collaboration are increasingly valuable business tools. Although these tools provide excellent conduits for increased information sharing, they also have the potential to increase security threats. Even the Internet itself, with many Web sites dedicated to information sharing, groupware, shared tools, and data storage, has become a collaboration workspace. New features and movements such as Google Apps, “Web 2.0,” and even conference calling services must be taken into account in any organization's security plan. Collaboration, and the need to get critical business done efficiently, is central to most of today's organizations. Many companies and organizations are trying to get more work done with fewer people. Technology has become an important partner in allowing employees to work together and to accomplish more in less time. Collaboration tools have become even more critical as businesses expand to include people working together from very different geographical locations.

35.6.1 Security versus Openness.

One of the longtime battles for security managers is security versus openness or functionality. The nature of collaboration requires uninhibited data and information sharing, which can be very difficult to secure. Organizations have to find the right balance between allowing users free and open information exchange and providing the required level of security. Finding this balance takes cooperation and respect between the two groups: those who use the tools and those charged with securing the organization. The two groups must fully understand each other's position; without this understanding, finding a middle ground and negotiating compromise cannot take place. The goal of the organization surely must be efficient, uninterrupted business, but not at the expense of good security. The only way to work through this complication is with good-natured, open, goal-oriented communication. This is not an information technology–only problem or process. Finding that optimum balance of security and functionality will require all types of management and staff to work together. Although this may be true of all information security domains, it is especially true of collaboration tools security. Without this important balance, the tools are essentially worthless: too secure and they will not be used, too open and the business could suffer catastrophic data and integrity loss. Some businesses are not able to recover from such a loss.

35.6.2 Dangers of Collaboration Tools.

Collaboration tools are very powerful, and they must be given full security considerations. These tools should not be installed or integrated into the business without the proper planning, risk analysis, security configurations, and testing; ad hoc, unmanaged systems, installed without the knowledge of security personnel, must be prohibited, and violators punished. Collaboration tools can easily become a nightmare for security management, especially if securing these tools is not a primary consideration from the beginning. Designing and implementing security measures on an already-deployed production system is invariably a frustrating exercise in futility for both the users and the information security personnel.

Some of the features and general dangers associated with many of these systems include loss of confidentiality, integrity, or availability. These dangers can occur due to any of these problems:

  • Lack of authentication requirements, rules, or procedures. A wide-open system or one with poor authentication would allow for unauthorized persons to gain access.
  • Data snooping or capture. Transmission of data to and from the system could be intercepted by unknown persons.
  • Impersonation. Proving exactly who the user is may be difficult if not well managed, especially with weak authentication and authorization methods.
  • Unauthorized posting of confidential information in unsecure or public areas.
  • Misconfiguration. A simple mistake in setup could reveal private information. (See Google calendar example from this chapter's introduction.)
  • Search engines. Documents or other information may be subject to search engine crawlers/agents/spiders if proper security is not established.
  • Rogue collaboration systems. If a department or group deploys its own tools, privately or publicly, without the knowledge of the security group, proper security cannot be guaranteed.
  • Internal threats. One cannot be concerned only with external threats. One department's collaboration system may be another department's limitless temptation.
  • Users. Users may not always have security in mind. Small mistakes or shortcuts could lead to major security breaches.

When deploying or evaluating collaboration tools, risk analysis must be performed to determine if the organization is able and willing to accept the associated risks. Security groups should thoroughly brainstorm and research as many possible security threats to the collaboration system as possible. It may be very beneficial to work with the solution provider's support group to minimize or eliminate as many security risks as possible.

Workgroups utilizing collaboration tools place a great amount of trust in the application and the tools. Many of the applications available today are light on security and heavy on marketable features. Although many online companies have become much more serious about data security, they are not the owners or protectors of the organization's data; that is still up to the organization.

35.6.3 Prevention and Mitigation.

Collaboration tools and systems should receive the same security care as any other information system. Although the nature of collaboration may be somewhat open, the same policies, procedures, and careful controls should apply. The goal must still be the confidentiality, integrity, and availability of the data and the information system. Collaboration tools must still benefit the business while ensuring the business will not be harmed by a security incident. By taking the necessary steps to prevent and mitigate security issues, collaboration tools can be invaluable to the organization.

The next suggestions can be utilized to aid an organization in securing collaboration tools and systems.

35.6.3.1 Policy.

It is debatable whether collaboration tools necessitate specific, separate policies. What is more important is that a complete, well-written, and well-communicated policy exists, one that includes provisions for collaboration tools, systems, and associated technology. Clear understanding and communication of collaboration tool security must be well researched, well written, concise, well communicated, and updated regularly. It is critical that the policy remain valid as new and more complex collaboration tools are developed and deployed.

Policies should also include security options that may otherwise be out of the control of the organization. For example, if a company forbids using public file-sharing services, the policy should cover users attempting to use the service from outside the organization as well as within it. Employees should not be able to use services or systems that do not comply with the policy, no matter where or how the service is to be used.

A good policy should be inclusive, especially when defining exactly what the organization considers a collaboration tool. It would be easy to forget applications such as e-mail, IM, online meetings, blogs, social networking, shared network resources, remote access software, peer-to-peer file sharing, and the like. Many technologies have collaboration components that must be considered to ensure security.

35.6.3.2 Prevent Access or Use.

Another option, in conjunction with policy, is to block the use of collaboration tools, depending on the organization's needs. This may involve deploying technology to accomplish this goal, including content blocking, firewalls, or both. This should disallow installation or use of rogue collaboration tools. Periodic review of networked systems and network traffic should be conducted to ensure compliance with prevention or limitation of collaboration tools.

35.6.3.3 Limit Access.

Many collaboration tools can be deployed as an internal-only system, external-only system, or both. Organizations will want to choose how users will access these systems. For example, disallowing unsecured communications from the Internet may help increase security. Likewise, it may be necessary to block access to public services from within the organization's network. Or technical solutions, such as VPN connections from outside the organization's network, may be used to meet communication needs.

35.6.3.4 Deploy or Enhance Security Frameworks and Technologies.

Wherever possible, install solutions that will increase collaboration tool security and that can be integrated into existing security frameworks. If the organization has a high-security, single sign-on solution, integrate the collaboration systems into it. Another example would be to integrate the collaboration systems into a new or existing public key infrastructure (PKI). Utilize well-known and reliable solutions such as Secure Sockets Layer (SSL) and encryption for the host and all participants. This greatly reduces the risk of security breaches during data transmission.

35.6.3.5 Audit.

No matter what level of policy, procedures, or preventions are put into place, every organization must audit for compliance. Procedures for auditing collaboration tools and their use should be included in the organization's regular, structured, information security auditing functions. Any deviations from the policies and procedures mandated for collaboration tools must be acted on in a timely manner.

35.6.3.6 Monitoring.

Any organization that deploys collaboration tools must monitor and report on the system's usage, audit results, and data contents. (The organization must examine the actual data contents to ensure compliance with protections such as those for Protected Health Information (PHI) or Social Security Numbers (SSNs). Many new products have rules written for this very reason.) Monitoring and reporting work to ensure that collaboration tools and systems are being used for their intended purposes. Monitoring and reporting of active projects should look for unusual patterns of use, policy violations, inactive users, inactive or outdated systems, and the like. Proper system management should already be in place, but it is important to check the systems periodically. For example, if a group is utilizing a collaboration system for a project, once the project has been completed, all project materials and users should be removed from the system. Reports from system monitoring and auditing should be acted on at once.
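As an added illustration (not the chapter's own code, nor any product's rule set) of the monitoring pass described above, the following Python script reviews a constructed export of a collaboration workspace for three things at once: SSN-like strings in posted content, users idle past a threshold, and completed projects that still carry members. The SSN structural checks, the 90-day idle threshold, and all sample data are assumptions made for the example.

```python
"""Periodic review of a collaboration workspace (added example, constructed data)."""
from __future__ import annotations

import re
from datetime import date, timedelta

# Candidate SSN: three, two and four digits with a consistent separator
# ("-", " " or none). Word boundaries keep it from matching inside longer
# digit runs such as account or phone numbers.
SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules assumed for the example: area never 000, 666 or
    900-999; group never 00; serial never 0000. Cuts obvious false hits."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list[str]:
    """Return every plausible SSN-like token found in a piece of content."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, _sep, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append(m.group(0))
    return hits


def mask_ssn(ssn: str) -> str:
    """A monitoring report must not re-expose the value it flagged."""
    return "***-**-" + ssn[-4:]


def review_workspace(ws: dict, today: date, max_idle_days: int = 90) -> list[tuple]:
    """Produce findings for the three conditions the text calls out."""
    findings: list[tuple] = []

    # 1. Sensitive data posted into the workspace.
    for post in ws["posts"]:
        for ssn in find_ssns(post["text"]):
            findings.append(("ssn_in_post", post["project"], post["author"], mask_ssn(ssn)))

    # 2. Accounts with no activity for longer than the threshold.
    cutoff = today - timedelta(days=max_idle_days)
    for user in ws["users"]:
        if user["last_active"] < cutoff:
            findings.append(("inactive_user", user["name"], user["last_active"].isoformat()))

    # 3. Finished projects whose membership was never cleaned up.
    for project in ws["projects"]:
        if project["status"] == "complete" and project["members"]:
            findings.append(("complete_project_has_members", project["name"], tuple(project["members"])))

    return findings


# Constructed sample export; names, dates and text are invented for the example.
SAMPLE_WORKSPACE = {
    "projects": [
        {"name": "Q3 audit", "status": "complete", "members": ["alice", "bob"]},
        {"name": "Portal redesign", "status": "active", "members": ["carol"]},
    ],
    "users": [
        {"name": "alice", "last_active": date(2024, 1, 15)},
        {"name": "bob", "last_active": date(2024, 5, 30)},
        {"name": "carol", "last_active": date(2024, 6, 1)},
    ],
    "posts": [
        {"author": "alice", "project": "Q3 audit",
         "text": "Payroll record for J. Doe, SSN 123-45-6789, attached."},
        {"author": "bob", "project": "Q3 audit",
         "text": "Invoice 000-12-3456 approved; call ext. 4420."},
        {"author": "carol", "project": "Portal redesign",
         "text": "Ticket 987-65-4320 closed; no PII here."},
    ],
}
SAMPLE_TODAY = date(2024, 6, 3)

if __name__ == "__main__":
    for finding in review_workspace(SAMPLE_WORKSPACE, SAMPLE_TODAY):
        print(*finding)
```

Only the payroll post is reported as an SSN (the invoice and ticket numbers fail the structural rules), alice is flagged as idle, and the completed audit project is flagged for lingering members.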

35.6.3.7 Consider Outsourcing Carefully.

Some organizations are tempted to use commercial online-only collaboration systems or hosted solutions. This decision should not be made lightly; consider the risks versus the returns. The organization should carefully review all terms of service, license agreements, service-level agreements, and legal responsibilities. Legal counsel must be involved to ensure the organization is protected, especially in the areas of data ownership, possession, legal discovery, and subpoena power.7

35.6.3.8 Penetration Testing.

As with most information systems, providing necessary security should involve regular, external, third-party penetration testing. Collaboration tools and associated systems should be tested and evaluated for their security fitness. Any problems discovered should be documented and swiftly remedied. Allowing a neutral, external entity to test the system independently is superior to internal testing, so that bias can be ruled out.

35.6.3.9 Keep Collaboration Tools Current.

Keeping collaboration tools and their associated information systems up to date is critically important. Applying patches for vulnerabilities is good information technology and information security best practice. After thoroughly testing patches in a test environment, they should be applied to production environments as soon as possible. Do not ignore software vendor patches, especially those for known vulnerabilities.

35.6.4 Reaction and Response.

Once a security breach has been discovered involving collaboration tools, the organization's usual policies and procedures should be followed. Procedures for compromised information systems should be well-formed, repeatable processes to preserve evidence, provide for rapid discovery and investigation, and meet necessary regulatory guidelines. When necessary, law enforcement, legal advisors, or both should be utilized to ensure proper evidence collection and documentation. Policies should also dictate the procedures for postinvestigation tasks, such as requiring compromised systems to be copied, archived, destroyed, reimaged, or reinstalled. It is generally not advisable to try simply to “clean up” a compromised system. It can be very difficult to guarantee that a compromised system once again has integrity.

35.7 CONCLUDING REMARKS.

This chapter introduces security managers and professionals to securing peer-to-peer technologies, instant messaging, short message services, and collaboration tools. The suggestions and information in this chapter are meant to aid in making decisions about these tools within the organization's overall security plan. Many of the examples and concepts are meant to support the planning, policy development, and review of the organization's exposure to these technologies and their dangers. This chapter should serve only as a starting point for the organization's research on each topic and to ensure that information security managers have at least a brief understanding of each concept, its risks, prevention and mitigation strategies, and suggestions for response. It is very difficult to recommend solutions for every type of business, so each organization must make its own judgment about securing these technologies. The popularity and ubiquity of P2P, IM, SMS, and collaboration tools ensure that they will be part of every security plan for many years to come.

35.8 FURTHER READING

Kunz, T., and S. S. Ravi, eds. Ad-Hoc, Mobile, and Wireless Networks: 5th International Conference, ADHOC-NOW 2006, Ottawa, Canada, August 17–19, 2006, Proceedings. New York: Springer, 2007.

Piccard, P., B. Baskin, G. Spillman, and M. Sachs. Securing IM and P2P Applications for the Enterprise. Norwell, MA: Syngress, 2005.

Rittinghouse, J., and J. F. Ransome. IM Instant Messaging Security. Burlington, MA: Elsevier/Digital Press, 2005.

Taylor, I. J., and A. Harrison. From P2P to Web Services and Grids: Peers in a Client/Server World. New York: Springer, 2004.

35.9 NOTES

1. R. McMillan, “Google Corporate Calendar Leaks Corporate Data,” CSO Online, April 17, 2007. Available: http://www2.csoonline.com/article/216451/Google_Corporate_Calendar_Leaks_Corporate_Data?page=2&.

2. J. Borland, “‘Spyware’ Piggybacks on Napster Rivals,” CNET News.com, May 14, 2001. Available: http://news.com.com/2100-1023-257592.html.

3. N. Hindocha, “Instant Insecurity: Security Issues of Instant Messaging,” Security Focus, January 14, 2003. Available: www.securityfocus.com/infocus/1657.

4. P. Festa, “ICQ logs spark corporate nightmare,” CNET News.com, March 15, 2001. Available: http://news.com.com/2100-1023-254173.html?legacy=cnet.

5. National Vulnerability Database, http://nvd.nist.gov/nvd.cfm.

6. K. Scarfone and D. Dicoi, Wireless Network Security for IEEE 802.11a/b/g and Bluetooth (Draft), NIST Special Publication 800-48 Revision 1 (Draft), 2007. Available: http://csrc.nist.gov/publications/drafts/800-48-rev1/Draft-SP800-48r1.pdf.

7. M. Rasch, “Don't Be Evil,” SecurityFocus, 2007. Available: www.securityfocus.com/print/columnists/447.
