E-mail, Web, Facsimile, and Telephone Security
The CISSP candidate should understand common issues associated with e-mail, web, facsimile, and telephone security.
E-mail security
E-mail has emerged as one of the most important communication mediums in our global economy, with over 50 billion e-mail messages sent worldwide every day. Unfortunately, spam accounts for as much as 85 percent of that e-mail volume. Spam is more than a minor nuisance — it’s a serious security threat to all organizations worldwide.
The Simple Mail Transfer Protocol (SMTP) is used to send and receive e-mail across the Internet. It operates on TCP/UDP port 25 and contains many well-known vulnerabilities. Most SMTP mail servers are configured by default to forward (or relay) all mail, regardless of whether the sender’s or recipient’s address is valid.
Failing to secure your organization’s mail servers may allow spammers to misuse your servers and bandwidth as an open relay to propagate their spam. The bad news is that you’ll eventually (it usually doesn’t take more than a few days) get blacklisted by a large number of organizations that maintain real-time blackhole lists (RBLs) against open relays, effectively preventing most (if not all) e-mail communications from your organization reaching their intended recipients. It usually takes several months to get removed from those RBLs after you’ve been blacklisted, and it does significant damage to your organization’s communications infrastructure and credibility.
Using RBLs is only one method to combat spam, and it’s generally not even the most effective or reliable method, at that. The organizations that maintain these massive lists aren’t perfect and do make mistakes. If a mistake is made with your domain or IP addresses, you’ll curse their existence — it’s a case in which the cure is sometimes worse than the disease.
Failure to make a reasonable effort towards spam prevention in your organization is a failure of due diligence. An organization that fails to implement appropriate countermeasures may find itself a defendant in a sexual harassment lawsuit from an employee inundated with pornographic e-mails sent by a spammer to his or her corporate e-mail address.
Other risks associated with spam e-mail include
Missing or deleting important e-mails: Your boss might inadvertently delete that e-mail authorizing your promotion and pay raise because her inbox is flooded with spam and she gets trigger-happy with the Delete button — at least it’s a convenient excuse!
Viruses and other mail-icious code: Although you seem to hear less about viruses in recent years, they’re still prevalent, and e-mail remains the favored medium for propagating them.
Phishing and pharming scams: Phishing and pharming attacks, in which victims are lured to an apparently legitimate website (typically online banking or auctions) ostensibly to validate their personal account information, are usually perpetrated through mass mailings. It’s a complex scam increasingly perpetrated by organized criminals. Ultimately, phishing and pharming scams cost the victim his or her moolah — and possibly his or her identity.
Countering these threats requires an arsenal of technical solutions and user-awareness efforts and is — at least, for now — a never-ending battle. Begin by securing your servers and client PCs. Mail servers should always be placed in a DMZ, and unnecessary or unused services should be disabled — and change that default relay setting! Most other servers, and almost all client PCs, should have port 25 disabled. Implement a spam filter or other secure mail gateway. Also, consider the following user-awareness tips:
Never unsubscribe or reply to spam e-mail. Unsubscribe links in spam e-mails are often used to confirm the legitimacy of your e-mail address, which can then be added to mass-mailing lists that are sold to other spammers. And, as tempting as it is to tell a spammer what you really think of his or her irresistible offer to enhance your social life or improve your financial portfolio, most spammers don’t actually read your replies and (unfortunately) aren’t likely to follow your suggestion that they jump off a cliff.
Although legitimate offers from well-known retailers or newsletters from professional organizations may be thought of as spam by many people, it’s likely that, at some point, a recipient of such a mass mailing actually signed up for that stuff — so it’s technically not spam. Everyone seems to want your e-mail address whenever you fill out an application for something, and providing your e-mail address often translates to an open invitation for them to tell you about every sale from here to eternity. In such cases, senders are required by law to provide an Unsubscribe hyperlink in their mass mailings, and clicking it does remove the recipient from future mailings.
Don’t send auto-reply messages to Internet e-mail addresses (if possible). Mail servers can be configured not to send auto-reply messages (such as out-of-office messages) to Internet e-mail addresses. However, this setting may not be (and probably isn’t) practical in your organization. Be aware of the implications — auto-reply rules don’t discriminate against spammers, so the spammers know when you’re on vacation, too!
Get a firewall for your home computer before you connect it to the Internet. This admonishment is particularly true if you’re using a high-speed cable or DSL modem. Typically, a home computer that has high-speed access will be scanned within minutes of being connected to the Internet. And if it isn’t protected by a firewall, this computer will almost certainly be compromised and become an unsuspecting zombie in some spammer’s bot-net army (over 250,000 new zombies are added to the Internet every day!). Then, you’ll become part of the problem because your home computer and Internet bandwidth are used to send spam and phishing e-mails to thousands of other victims around the world, and you’ll be left wondering why your brand-new state-of-the-art home computer is suddenly so slow and your blazing new high-speed Internet connection isn’t so high-speed just two weeks after you got it.
Your end-users don’t have to be CISSP-certified to secure their home computers. A simple firewall software package that has a basic configuration is usually enough to deter the majority of today’s hackers — most are using automated tools to scan the Internet and don’t bother to slow down for a computer that presents even the slightest challenge. Size matters in these bot-net armies, and far too many unprotected computers are out there to waste time (even a few minutes) defeating your firewall.
Spam is only the tip of the iceberg. Get ready for emerging threats such as SPIM (spam over instant messaging) and SPIT (spam over Internet telephony) that will up the ante in the battle for messaging security.
Several protocols exist for secure e-mail, including S/MIME, PEM, and PGP. We discuss several of these protocols in the section “Application Layer (Layer 7),” earlier in this chapter, and also in Chapter 8.
Other e-mail security considerations include malicious code contained in attachments, lack of privacy, and lack of authentication. These considerations can be countered by implementing antivirus scanning software, encryption, and digital signatures, respectively.
Web security
The two principal protocols that make up the World Wide Web are the HyperText Transport Protocol (HTTP) and the HyperText Markup Language (HTML). HTTP is the command-and-response language used by browsers to communicate with web servers, and HTML is the display language that defines the appearance of web pages.
HTTP and HTML are the means used to facilitate all sorts of high-value activities, such as online banking and business applications. It should be of no surprise, then, to know that these protocols are under constant attack by hackers. Some of the types of attacks are
Script injection: Hackers attempt to inject scripting language commands into form fields on web pages in an attempt to fool the web server into sending the contents of back-end databases to the hacker.
Buffer overflow: Hackers try to send machine language instructions as parts of queries to web servers in an attempt to run those instructions. If successful, the hacker can execute commands of his or her own choosing on the server, with potentially disastrous results.
Denial of Service (DoS): Hackers can send specially crafted queries to a web server in order to cause it to malfunction and stop working. Another form of Denial of Service involves merely sending huge volumes of queries to the web server in an attempt to clog its inputs and make it unavailable for legitimate use.
These and other types of attacks have made web security testing a necessity. Many organizations that have web applications, especially ones that facilitate high-value activities (such as banking, travel, and information management), employ tools and other methods to make sure that no vulnerabilities exist which could permit malicious attacks to expose sensitive information or cause the application to malfunction.
Facsimile security
Facsimile transmissions are often taken for granted, but they definitely present major security issues. A fax transmission, like any other electronic transmission, can be easily intercepted or re-created. General administrative and technical controls for fax security include
Using cover pages (that include appropriate routing and classification markings)
Placing fax machines in secure areas
Using secure phone lines
Encrypting fax data
Many faxes are lost in situations in which the recipient doesn’t know a fax is coming, and someone else in the office takes too many pages from the fax machine, including the fax destined for the unaware recipient! If you’re sending a fax that contains sensitive information, inform the recipient in advance so that he or she can be sure to grab it from the fax machine!
PBX, POTS, and VoIP fraud and abuse
PBX (Private Branch Exchange) switches, POTS (Plain Old Telephone Systems), and VoIP (Voice over IP) switches are some of the most overlooked and costly aspects of a corporate telecommunications infrastructure. Many employees don’t think twice about using a company telephone system for extended personal use, including long-distance calls. Personal use of company-supplied mobile phones and pagers is another area of widespread abuse. Perhaps the simplest and most effective countermeasure against internal abuses is to publish and enforce a corporate telephone-use policy. Regular auditing of telephone records is also effective for deterring and detecting telephone abuses.
PBX, POTS, and VoIP are information systems, too. Unless security measures are taken, such as strong passwords and security patches, attacks on telephone switches and systems are more likely to succeed, resulting in toll fraud and other headaches.
Caller ID fraud and abuse
A new and growing problem is that of forged caller IDs. Several methods are available for hiding a caller ID — in some cases, in a way that can be deliberately misleading or used to perpetrate fraud. These methods include
Using a calling card: Using a long-distance calling card often masks the true origin of a call.
Using caller ID services: A number of commercial services are available that will generate any desired caller ID.
Blocking caller ID: Many wireline and wireless telephone services have means that can block caller ID, either on a per-call basis or universally.
Reconfigure your telephone switch: Often, a telephone switch that is connected via a trunk to a telephone network can send Caller ID data that is configured into the telephone switch.
VoIP: Simple IP smartphone or PC software can often be used to generate false caller ID data from VoIP phones.
The use of caller ID spoofing as part of a scheme to commit fraud is in its infancy and may grow over time.