CISSP For Dummies

The CISSP candidate should understand common issues associated with e-mail, facsimile, and telephone security.

E-mail security

E-mail has emerged as one of the most important communication mediums in our global economy, with over 50 billion e-mail messages sent worldwide every day. Unfortunately, spam accounts for as much as 85 percent of that e-mail volume. Spam is more than a minor nuisance - it is a serious security threat to all organizations worldwide.

The Simple Mail Transfer Protocol (SMTP) is used to send and receive e-mail across the Internet. It operates on TCP/UDP port 25 and contains many well-known vulnerabilities. Most SMTP mail servers are configured by default to forward (or relay) all mail regardless of whether the sender’s or recipient’s address is valid.

Failing to secure your organization’s mail servers may allow spammers to misuse your servers and bandwidth as an open relay to propagate their spam. The bad news is that you will eventually (it usually doesn’t take more than a few days) get blacklisted by a large number of organizations that maintain real-time blackhole lists (RBLs) against open relays, effectively preventing most, if not all, e-mail communications for your organization. It usually takes several months to get removed from those RBLs after you’ve been blacklisted, and the listing does significant damage to your organization’s communications infrastructure and credibility.

 Remember   RBLs are only one method used to combat spam, and generally not even the most effective or reliable method, at that. The organizations that maintain these massive lists are not perfect and do make mistakes. If a mistake is made with your domain or IP addresses, you’ll curse their existence - it’s a case where the cure is sometimes worse than the disease.
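The relay decision described above (accept mail from trusted networks or authenticated clients, accept inbound mail for your own domains, and reject everything else) and the RBL lookup that receiving sites perform against your addresses can be illustrated with a small policy routine. The following is an added example, not code from the book: the networks, domains, DNSBL zone and the stand-in DNS answers are all constructed assumptions, and the real name resolution is replaced by a dictionary so the code runs offline.

```python
"""Mail relay policy and DNSBL (RBL) lookup, as a constructed illustration."""
import ipaddress

# Constructed assumptions: which clients and domains this server speaks for.
LOCAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.com", "mail.example.com"}

# Placeholder DNSBL zone (assumption) and a stand-in for DNS answers:
# a real DNSBL returns an A record in 127.0.0.0/8 for a listed address
# and NXDOMAIN (here: a missing key) for a clean one.
RBL_ZONE = "rbl.example.invalid"
FAKE_DNS = {"1.113.0.203." + RBL_ZONE: "127.0.0.2"}   # 203.0.113.1 is "listed"


def rbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """DNSBLs are queried by reversing the IPv4 octets and appending the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip: str, resolve=FAKE_DNS.get) -> bool:
    """True if the DNSBL answers with a 127.x.x.x record for this address."""
    answer = resolve(rbl_query_name(ip))
    return answer is not None and answer.startswith("127.")


def relay_decision(client_ip: str, authenticated: bool, recipient: str,
                   open_relay: bool = False):
    """Return ("accept" | "reject", reason) for one RCPT TO.

    open_relay=True reproduces the insecure default the text warns about:
    mail for any destination is forwarded regardless of who the client is.
    """
    ip = ipaddress.ip_address(client_ip)
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()

    if any(ip in net for net in LOCAL_NETWORKS):
        return ("accept", "client on trusted network")
    if authenticated:
        return ("accept", "authenticated submission")
    if rcpt_domain in LOCAL_DOMAINS:
        # Inbound mail for our own users: this is where an RBL check belongs.
        if is_listed(client_ip):
            return ("reject", "client address listed on DNSBL")
        return ("accept", "inbound mail for a local domain")
    if open_relay:
        return ("accept", "open relay (insecure default)")
    return ("reject", "relay access denied")


if __name__ == "__main__":
    for args in [("203.0.113.5", False, "victim@other.test"),
                 ("203.0.113.5", False, "bob@example.com"),
                 ("203.0.113.1", False, "bob@example.com"),
                 ("10.1.2.3", False, "anyone@other.test"),
                 ("203.0.113.5", True, "anyone@other.test")]:
        print(args, "->", relay_decision(*args))
```

The order of the checks matters: the "relay access denied" branch is the one that closes the open relay, and it must come after the trusted-network and authentication checks so that your own users can still send mail to the outside world.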

Failure to make a reasonable effort towards spam prevention in your organization is a failure of due diligence. An organization that fails to implement appropriate countermeasures may find itself a defendant in a sexual harassment lawsuit from an employee inundated with pornographic e-mails sent by a spammer to their corporate e-mail address.

Other risks associated with spam e-mail include:

Countering these threats requires an arsenal of technical solutions and user awareness efforts and is - at least for now - a never-ending battle. Begin by securing your servers and client PCs. Mail servers should always be placed in a DMZ and unnecessary or unused services should be disabled - and change that default relay setting! Most other servers, and almost all client PCs, should have port 25 disabled. Implement a spam filter or other secure mail gateway. Also, consider the following user awareness tips:

 Remember   Your end users don’t have to be CISSP certified to secure their home computers. A simple firewall software package with a basic configuration is usually enough to deter the majority of today’s hackers - most are using automated tools to scan the Internet and won’t bother to slow down for a computer that presents even the slightest challenge. Size matters in these botnet armies, and there are far too many unprotected computers out there to waste time (even a few minutes) defeating your firewall.

 Tip   Spam is only the tip of the iceberg. Get ready for emerging threats like SPIM (Spam over instant messaging) and SPIT (Spam over internet telephony) that will up the ante in the battle for messaging security.

 Cross-Reference   Several protocols exist for secure e-mail, including S/MIME, PEM, and PGP. We discuss several of these protocols in the earlier section “Application Layer (Layer 7)” of this chapter and also in Chapter 8.

Other e-mail security considerations include malicious code contained in attachments, lack of privacy, and lack of authentication. These considerations can be countered by implementing antivirus scanning software, encryption, and digital signatures, respectively.

Web security

The two principal protocols that make up the World Wide Web are the HyperText Transport Protocol (HTTP) and the HyperText Markup Language (HTML). HTTP is the command-and-response language used by browsers to communicate with Web servers, while HTML is the display language that defines the appearance of web pages.

HTTP and HTML are the means used to facilitate all sorts of high-value activities such as online banking and business applications. It should be of no surprise, then, to know that these protocols are under constant attack by hackers. Some of the types of attacks are

These and other types of attacks have made Web security testing a necessity. Many organizations with Web applications, especially those that facilitate high-value activities such as banking, travel, and information management, employ tools and other methods to make sure that no vulnerabilities exist that could permit malicious attacks to expose sensitive information or cause the application to malfunction.

Facsimile security

Facsimile transmissions are often taken for granted, but definitely present major security issues. A fax transmission, like any other electronic transmission, can be easily intercepted or re-created. General administrative and technical controls for fax security include

 Tip   It is our experience that more faxes are lost because the recipient didn’t know they were coming, and some other recipient accidentally took too many pages off the fax machine, including faxes destined for others! If you are sending a fax containing sensitive information to another recipient, inform them in advance so that they can be sure to grab it off the fax machine!

PBX fraud and abuse

PBX fraud and abuse is one of the most overlooked and costly aspects of a corporate telecommunications infrastructure. Many employees don’t think twice about using a company telephone system for extended personal use, including long distance calls. Personal use of company-supplied mobile phones and pagers is another area of widespread abuse. Perhaps the simplest and most effective countermeasure against internal abuses is to publish and enforce a corporate telephone use policy. Regular auditing of telephone records is also effective for deterring and detecting telephone abuses.

PBXs are information systems too. Unless security measures are taken, such as strong passwords and security patches, attacks on PBXs are more likely to succeed, resulting in toll fraud and other headaches.
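The regular auditing of telephone records recommended above can be automated over a call-detail-record (CDR) export. The following is an added example, not code from the book: the CDR format, the sample records, the dialing prefixes and the thresholds are all constructed assumptions, chosen to show two common indicators of toll fraud and personal use, premium-rate calls and long after-hours international calls.

```python
"""Audit of constructed call-detail records for toll-fraud and abuse indicators."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample CDR export. Assumed columns: extension, start, dialed, seconds.
SAMPLE_CDR = """extension,start,dialed,seconds
1042,2024-03-04 09:15:00,2125551234,180
1042,2024-03-04 22:40:00,011442071234567,2700
1042,2024-03-05 23:10:00,011442071234567,3300
1077,2024-03-04 13:00:00,9005551234,420
1103,2024-03-04 10:30:00,5550100,60
1077,2024-03-05 02:15:00,011331234567,1800
"""

INTERNATIONAL_PREFIX = "011"   # North American international dialing prefix
PREMIUM_PREFIXES = ("900",)    # premium-rate numbers (assumption: 900 only)
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59, assumption


def parse_cdr(text: str):
    """Parse the CSV export into a list of call dictionaries."""
    calls = []
    for row in csv.DictReader(StringIO(text)):
        calls.append({
            "extension": row["extension"],
            "start": datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S"),
            "dialed": row["dialed"],
            "seconds": int(row["seconds"]),
        })
    return calls


def flag_call(call) -> list:
    """Return the indicator labels that apply to a single call."""
    reasons = []
    if call["dialed"].startswith(INTERNATIONAL_PREFIX):
        reasons.append("international")
    if call["dialed"].startswith(PREMIUM_PREFIXES):
        reasons.append("premium-rate")
    if call["start"].hour not in BUSINESS_HOURS:
        reasons.append("after-hours")
    return reasons


def audit(text: str, after_hours_intl_minutes: int = 60):
    """Return sorted (extension, dialed, description) findings.

    Every premium-rate call is reported individually; after-hours
    international minutes are summed per extension and reported once
    the total crosses the threshold.
    """
    findings = []
    intl_seconds = defaultdict(int)
    for call in parse_cdr(text):
        reasons = flag_call(call)
        if "premium-rate" in reasons:
            findings.append((call["extension"], call["dialed"], "premium-rate call"))
        if "international" in reasons and "after-hours" in reasons:
            intl_seconds[call["extension"]] += call["seconds"]
    for ext, secs in intl_seconds.items():
        if secs // 60 >= after_hours_intl_minutes:
            findings.append((ext, "", f"after-hours international: {secs // 60} min"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CDR):
        print(finding)
```

Thresholds like the 60 minutes used here are policy decisions, which is why the audit only makes sense alongside the published telephone use policy the text recommends: the policy tells you what counts as abuse, and the audit tells you who crossed the line.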

Caller ID fraud and abuse

A new and growing problem is that of forged caller ID. There are several methods available for hiding one’s caller ID, in some cases in a way that can be deliberately misleading or used to perpetrate fraud. These methods include:

The use of Caller ID spoofing as part of a scheme to commit fraud is in its infancy, and may grow over time.
