CompTIA CASP+ CAS-004 Certification: A Simple Guide To Securing Communication and Collaborative Solutions

Increasingly, workers and the organizations for which they work are relying on new methods of communicating and working together that introduce new security concerns. CASP experts need to be familiar with these new technologies, understand the security issues they raise, and implement controls that mitigate the security issues. This guide describes these new methods and technologies, identifies issues, and suggests methods to secure these new workflow processes.

Key topics:
- Remote access
- Unified collaboration
- VoIP, Web, and video integration

Objectives
After studying this guide, you will be able to understand the following:
- Remote access: Describes the measures to ensure secure remote access, resources and services, desktop and application sharing, and remote assistance.
- Unified collaboration tools include those for web conferencing, video conferencing, audio conferencing, storage and document collaboration, and unified communication. This section also covers instant messaging, presence, email, telephony and VoIP integration, and collaboration sites.

Remote access
Users may connect to an organization’s resources through remote access using remote access software. These distant connections may be dial-in connections, but they are increasingly leveraging the Internet as the data transmission network. If an organization enables remote access to internal resources, the data must be encrypted when it is sent between the remote access client and the remote access server. Remote access servers may demand encrypted connections from remote access clients, which means that any attempt to connect without encryption would be rejected. Remote access to the business network is a well-established technology with well-defined security safeguards.

The figure below illustrates remote access:


Figure: Remote Access

Dial-up
The public switched telephone network (PSTN) is used for dial-up connections. If the connection is established via an analog phone line, it will need a modem on the sending end to convert the digital data to analog, and a modem on the receiving end to convert it back to digital. These lines have a maximum speed of 56 kbps. Layer 2 protocols for dial-up connections include Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP). SLIP is an ancient protocol that has been superseded by PPP. Authentication and multilink capabilities are provided via PPP. The remote access server verifies the caller’s identity. A Terminal Access Control Access Control Server Plus (TACACS+) or a Remote Authentication Dial-in User Service (RADIUS) server may be used to centralize the authentication process.

Some basic measures that should be in place when using dial-up are as follows:
- Have the remote access server call the original caller back at a pre-determined number. Allowing call forwarding, which may be exploited to circumvent this security feature, is not allowed.
- To prevent war dialers, configure modems to respond after a certain number of rings (automated programs that dial numbers until a modem signal is detected).
- For physical security, gather all modems in one location and turn off those that aren’t in use.
- Make use of the most robust authentication techniques feasible.

VPN
The information is protected by robust authentication procedures and encryption techniques over a virtual private network (VPN) connection that utilizes an untrusted carrier network. While we often utilize the Internet as the most untrustworthy network, and most VPNs do go over the Internet, they may also be used with internal networks where traffic has to be secured from prying eyes, as shown below:


Figure: VPN

Resource and services
Telecommuting has grown increasingly frequent in today’s environment, necessitating the deployment of remote access solutions to guarantee that employees have access to company resources and services. The Remote Access role on Windows servers, the Remote Desktop service on Windows clients and servers, Virtual Network Computing (VNC) or ssh on Linux, and a variety of other techniques may be used to offer remote access resources and services, depending on the deployment strategy.

Security experts should collaborate with management to define the organization’s remote access requirements and implement the right solution and controls to meet those requirements while ensuring the security of remote access transactions.

Desktop and application sharing
Desktop sharing is a collection of related technologies that enable remote login to a computer as well as real-time collaboration on a distant user’s desktop. A graphical terminal emulator is used in both functions. Some of these solutions are incorporated into operating systems, such as Microsoft’s Remote Desktop technology, while others, such as LogMeIn and GoToMyPC, are third-party programs.

A distant administration software is one of the most popular attack vectors used by hackers. While these solutions make controlling remote machines and users simpler, they are also one of the most common attack vectors used by hackers.

Remote assistance
Remote help is a function that is often based on the same technology that is used for desktop sharing. One of its advantages is the ability for a technician to share a user’s desktop with the user for the purpose of either teaching the user something or resolving a problem.

Naturally, some of the same problems that plague desktop sharing software also plague remote support sessions.

- For starters, the screen data passed back and forth between the user and the technician is usually in common formats, making it simple to reconstruct a recorded picture. Many products use proprietary encryption, although this form of encryption may be illegal in regulated businesses. Always employ the encryption level mandated by your industry, such as Advanced Encryption Standard (AES).
- Second, many remote help platforms lack adequate auditing features, which are crucial in areas like banking and healthcare. If auditing is a problem in your sector, look for a tool that can capture the level of data you need for legal reasons.

Many tools have limited access restrictions. When a technician connects to a remote computer, he has complete control over the system, just as if he were sitting at the console. A breach of the Health Insurance Portability and Accountability Act (HIPAA) arises if he views patient information at any time. You should choose a solution that enables you to control precisely what remote technicians can see and do. If any information is lost or if another issue emerges that seems to be the technician’s responsibility, the technician may be held liable.

Consider creating a standard statement that a user sees and must accept before enabling the connection, outlining your level of responsibility for any difficulties that happen after the remote session.

Tools for unified collaboration
New challenges for security experts are being introduced by two overlapping developments. People are collaborating or increasingly working together, while also becoming more mobile and working in non-traditional ways, such as from home. This means sensitive information is being exchanged in ways we’ve never had to safeguard before. The parts that follow go through the unique security concerns that different collaboration tools and approaches pose, as well as the controls that need to be implemented to keep these solutions safe.

Web-based video conferencing
Companies have been able to save money on travel while maintaining real-time touch with conference attendees because of web conferencing. Web conferencing services and software often provides extensive meeting facilities, such as the ability to communicate, share documents, and observe the presenter’s screen. Many of them also have video capabilities.

When the information and documents you’re discussing are of a sensitive nature, security concerns emerge, and you should exercise extra caution throughout the web conference, as shown below:



Figure: Web Communication

Some of the security concerns are as follows:
- Data leakage: Because web conference data is often stored on a shared server for a short period of time, there is always the risk of the data falling into the wrong hands.
- Unauthorized visitors: Because most systems rely on a basic conference code for entry, there’s always the chance that uninvited people may show up.
- Data collection en-route: There is a good chance that information will be collected en route. This may be avoided by using encryption technology.
- Denial of Service (DoS) attack: When a web conferencing solution is linked with current applications, there is a risk of DoS assaults on local servers.

To deal with these problems, you should implement the following:
- Take charge of the web conferencing solution selection process. Other departments often choose a product, and IT and security teams are left to deal with whatever flaws the solution may have.
- Choose products that employ standard security and networking components, such as SSL, to ensure interoperability with all devices in your network.
- Make sure the underlying network is safe.

- Establish a method for choosing and using the product.

The following four stages must be carried out:

- Step 1: Define the solution’s permitted applications.
- Step 2: Determine your security requirements before deciding on a product.
- Step 3: Make sure the request for proposal includes use scenarios and security requirements (RFP).
- Step 4: Involve security professionals in planning and decision-making.

- If the product supports it, disable or heavily audit read/write desktop mode. Other meeting attendees may access the host desktop in this mode.
- Sign non-disclosure agreements for conferences that include the revealing of sensitive information or intellectual property.
- Create unique passwords for each conference to prevent passwords from being reused for unauthorized conference attendance.

To attend conferences, consider needing a VPN connection to the workplace network. By disabling split tunneling on the VPN concentrator, you may give better performance for the participants if this strategy is used. While split tunneling permits simultaneous access to the LAN and the Internet, it does so at the expense of each session’s bandwidth.

Video conferencing
While most, if not all, video conferencing devices released in the last decade employ 128-bit AES encryption, it’s vital to realize that no security solution is perfect. The National Security Agency (NSA) of the United States was recently accused of breaking military-grade encryption (greater than AES 128) in order to eavesdrop on a United Nations video conference. According to the same source, the NSA determined that the Chinese were working to break the encryption as well. While it is still unclear if the NSA or the Chinese were successful, this tale underlines the dangers that are present at all times. However, on high-security networks (such as those used by the US Department of Defense, Homeland Security, and others) when video conferencing is used, extra security steps are often employed to supplement the solution.

The following are a few examples:
- Physical encryption keys at the device level must be input each time the system is used and are normally swapped every 30 days.
- Additional password keys that restrict access to the operations and systems of a device.
- Session keys are produced at the beginning of each session and are automatically altered during the session.
- Data is sent across secure data networks that use modern encryption techniques.

Since 128-bit AES encryption is safe, video conferencing systems are often secure right out of the box. Extending the H.323 standard to allow DES encryption is a non-proprietary technique to safeguard video conferencing and VoIP data. H.323 is an audiovisual communications standard that includes web conferencing, video conferences, and VoIP. H.235 extensions may offer security for these sessions. The ability to negotiate services and functionality in a generic way is included in H.235. It permits both conventional and custom encryption techniques to be used. It uses a security profile that consists of either a password, digital certificates, or both to identify a person rather than a device.

Most security vulnerabilities aren’t caused by flaws in contemporary goods, but rather by the following:
- Encryption is not enabled.
- Using antiquated video systems that lack encryption.
- Failure to keep linked software on video systems and other devices up to date.
- The system’s connected devices (such as gateways and video bridges) do not support encryption or have encryption turned off.
- Using software solutions or services that don’t encrypt data or use weaker encryption.
- Ineffective password management.

Creating and implementing a method for choosing and utilizing the product may help avoid these problems.

Conferencing via audio
The majority of today’s video collaboration platforms may be used just to offer audio capability. However, in high-security networks that produce and retain audio data (for example, the Department of Defense and the Department of Homeland Security), extra security steps are often employed to supplement the solution.

The following are a few examples:
- Encrypting audio files at the file level to guarantee that only authorized users may access and listen to them.
- Using multi-factor authentication on the systems that hold the files.
- Collaboration and document storage tools.

Teams and whole enterprises may exchange documents using storage and document collaboration solutions, regardless of where team members or people are working. Popular examples of this sort of technology are Google Drive and Microsoft SharePoint. These technologies, in most instances, provide real-time updates to all users who are reading the papers, as well as capabilities that enable users to remark on particular sections of the text.

The following are some of the security issues associated with these tools:
- Breach of login credentials: The username/password paradigm is used by the majority of tools. If attackers gain credentials, they will have access to whatever information that the user has access to. Single sign-on (SSO) may assist guarantee that login credentials for collaboration tools are consistent with business login credentials.
- Web-based dangers: Malware and illegal tracking are examples of web-based threats. Many of these concerns may be avoided by using a VPN to connect to the collaborative platform.
- Issues with URLs: Default site names and other default settings make it easier for attackers to find a site. Furthermore, metadata in the site URL may disclose sensitive information.
- Reports or summaries: While reports and summaries are useful for rapidly determining the status of documents, they may also endanger data if they are sent by email or other insecure ways. The practice of sending these reports by email should be avoided.
- No or limited encryption: Carefully check the encryption provided by a tool. Encryption isn’t always complete in certain tools.

Furthermore, most instruments are designed to be one-size-fits-all. If your company is required to comply with rules or legislation that require encryption or other restrictions, be sure the tool you choose gives the coverage you need. Before choosing a tool, security experts should collaborate with others in their business to verify that the products have been thoroughly examined. Furthermore, any known concerns should be investigated to see if there are any mitigating measures that can be introduced to reduce the effect of the issues.

Unified communication
Voice, video, email, instant messaging, personal assistant, and other communication functions are often combined in unified communication platforms. Document collaboration is included in some of the newer systems. Individually customizable modules are often bought with these tools. If your firm does not need the personal assistant function, for example, that module might be turned off.

You should look at the following security risks:
- Datacenter vendor security is at a bare minimum.
- Insufficient data encryption.
- Internet connection’s inability to meet demand at peak hours.
- Inadequate access or security controls.
- On-demand account management is neither automated nor is only partially automated.
- Experience as a vendor.


Figure: Video Conferencing

While unified communication solutions may seem to be a fantastic way to connect all business activities, their installation and data integration might be a headache. Management should be aware of the difficulty of installing and safeguarding these technologies, according to security specialists.

Instant messaging
When talking with colleagues, instant messaging (IM) has grown so popular that many users prefer it over email. Many email services, such as Google mail, have incorporated IM systems since it is so popular. Users expect it, therefore security experts must understand how to protect it. To show a user’s availability, several collaboration platforms incorporate presence functionality.

A presence-based system informs other users if a person is online, busy, in a meeting, and so on. When enabled across several communication tools, such as instant messaging, phone, email, and video conferencing, it may also help detect which communication channel the user is presently using and, as a result, which channel has the highest chance of receiving a rapid answer. While the information in a presence system about each person is necessary for the system to work, it is also information that may be misused.

The following are some of the specific issues:
- During the status update procedure, systems that do not verify presence sources.
- Systems that do not need recipients of presence information to be authenticated (also called subscribers, or watchers).
- Systems that do not ensure the security and integrity of presence data.
- Systems that rely on insecure techniques to verify a user’s identity.
Implement the following principles when choosing a presence product or analyzing a system with a presence feature:
- Choose a product with a secure protocol. Extensible Messaging and Presence Protocol (XMPP) over TLS and Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions (SIMPLE) are two examples.
- Choose a product that authenticates with your company’s public key infrastructure (PKI). When feasible, using certificate-based authentication is the best option.
- Encrypt internal communications as well as conversations via the Internet.
- Check to see whether the product authenticates both presence sources and subscribers.
- Use grouping to regulate the display of presence information among groups if the system enables it.

Email
Without a question, email is the most extensively utilized mode of communication in the workplace. As shown below, it employs three conventional communications protocols. To construct a secure communication channel, each of them may be operated over SSL. The port numbers used when they are executed over SSL are different. The following sections go through these procedures in detail.

The figure below illustrates the email process:


Figure: Email process.

IMAP
Internet Message Access Protocol (IMAP) is an application layer protocol for retrieving email from a server on a client. IMAP4 is the most recent version. Unlike POP3 (described in the following section), which can only get messages from the server, IMAP4 enables the user to download a copy and leave a copy on the server. Port 143 is used by IMAP4. IMAPS (IMAP over SSL) is a secure version that utilizes port 993.

POP
Post Office Mechanism (POP) is an email retrieval protocol at the application layer. The most recent version is POP3. It just enables you to download messages and does not allow you to use IMAP4’s extra features. Port 110 is used by POP3. There is also a secure version that operates over SSL and utilizes a port.

SMTP
When email servers talk to each other, they use Simple Mail Transfer Protocol (SMTP), a standard application layer protocol. POP and IMAP are client email protocols for retrieving email, but when email servers talk to each other, they use Simple Mail Transfer Protocol (SMTP), a standard application layer protocol. Clients utilize this protocol to send emails as well. When using SSL, SMTP utilizes port 465 instead of port 25. Unfortunately, persons with bad intent may use email to launch a variety of attacks. Because many of these attacks are based on poor security practices among users, user training and awareness is usually the greatest method for avoiding them.

Email spoofing
The technique of sending an email that appears to originate from one source but really comes from another is known as email spoofing. It’s accomplished by changing email header fields like From, Return Path, and Reply-To.

Its goal is to persuade the recipient to trust the message and respond with sensitive information that they would not reveal to an untrustworthy source. Email spoofing is often used as part of an attempt to get usernames and passwords for banking or financial websites. There are numerous methods to protect yourself from such assaults.

One option is to activate SMTP authentication, which prevents users who are unable to authenticate with the sending server from sending emails. Implementing the Sender Policy Framework (SPF) is another viable mitigating strategy. SPF is an email validation method that uses the Domain Name System (DNS) to detect whether an email has been sent by a host that has been sanctioned by the domain’s administrator. It is not transmitted to the recipient’s inbox if it cannot be authenticated.

Phishing
Phishing is a social engineering assault in which a receiver is persuaded to follow a link in an email that appears to go to a trustworthy website but really leads to a hacker’s website. The purpose of these attacks is to collect usernames and passwords. Spear phishing is when a phishing assault is directed at a single individual rather than a group of people at random. Details about the individual gathered via social media might be used to make the assault more credible. To combat spear phishing, you may take the following steps:
- Implement a system that validates the security of all email links. Invincea FreeSpace is an example of this, since it opens all links and attachments in a safe virtual container, protecting users’ PCs from damage.
- Teach people to be wary of all emails, even if they seem to be from friends.

Whaling
Whaling is a subset of spear phishing, just as spear phishing is a subset of phishing. The person targeted in whaling is someone of prominence or importance. For example, it might be a CEO, COO, or CTO. The assault is predicated on the presumption that these individuals are in possession of more sensitive information.

The figure below show that the same strategies that may be used to combat spear phishing can also be used to combat whaling:


Figure: Spear phishing vs. phishing whaling vs. phishing

Spam
You undoubtedly don’t enjoy how your inbox fills up with unwanted emails every day, many of which are attempting to sell you something. When you purchase anything or visit a website, you often cause yourself to get this email by not paying careful attention to all of the facts. Spam is defined as an email that is sent to a large number of people without their permission. Spam is more than an irritation; it may jam inboxes and force email servers to expend resources to transmit it. Because sending spam is against the law, many spammers attempt to disguise their origins by relaying over the email servers of other businesses. This not only conceals the real source but also puts the relaying firm in jeopardy. Today’s email servers may refuse to relay to any email servers that you haven’t specified. This may help prevent your email system from being used for spam. On your email servers, this form of relaying should be prohibited. Spam filtering should also be installed on all email servers.

Capturing messages
A protocol analyzer may collect email traffic in its raw form, just like any other sort of communication. It is possible to read an email if it is written in plain text. As a result, every email that contains critical information should be encrypted. While this may be done using the intended recipient’s digital certificate, it is usually only practicable if the receiver is a member of your organization and your firm has a PKI. Many email clients come with built-in support for digital signatures and message encryption utilizing digital certificates.

While email encryption applications such as Pretty Good Privacy (PGP) are available, many users find it difficult to utilize them appropriately without training. Encryption equipment or service that automates email encryption is another alternative. Regardless of the method used, the only way to prevent information from being leaked from captured packets is to encrypt communications.

Information disclosure
Information is sometimes leaked not because an unencrypted communication is intercepted, but because the email is exchanged with people who aren’t always trustworthy. Even if a policy for information sharing exists, it may not be implemented by all employees. You may sanitize all outgoing material for sorts of information that should not be revealed and have it deleted to avoid this type of exposure. Axway MailGate is one example of a product that can achieve this. For international organizations or corporations with hundreds of thousands of users, MailGate can safeguard email systems against virus assaults, botnets, spam, or Denial-of-Service attacks.

MailGate helps filter out up to 90% of unwanted emails before they reach corporate email infrastructure, preventing “accidents” or even deliberate data leakage that could harm a person’s reputation or violate intellectual property laws, as shown below:



Figure: Axway MailGate

Malware
Email is a popular carrier of malware; in fact, email is the most prevalent way for malware to infect computers. Malware scanning software should be installed on both the client PCs and the email server. Malware may still get through despite these precautions; therefore, it’s critical to educate consumers on how to handle emails safely (such as not opening attachments from unknown sources).

Integration of telephony and VoIP
Traditional analog phone lines and digital, or Voice over IP (VoIP), telephony systems are also available. Analog phones link to a private branch exchange (PBX) system in conventional telephony. The organization’s IP data network is independent of the phone network. While analog phone networks may seem to have some security advantages, the US Federal Communications Commission (FCC) is in the process of deconstructing the analog phone infrastructure that has existed since the days of Bell Labs. While there is no specific date for definitive discontinuance, it seems silly to implement a system that will soon be outdated, no matter how safe it is. Furthermore, as stated in the following section, many of the security vulnerabilities with VoIP seem to be being addressed.

The figure below showcases the SIP protocol for VoIP:



Figure: SIP Protocol for VoIP

VoIP phone systems have several benefits, but they also pose a security risk. VoIP spam, often known as Spam over Internet Telephony (SPIT), is one sort of assault. Unsolicited pre-recorded phone messages are sent in this form of assault. The only way to detect these assaults is to analyze Session Initiation Protocol (SIP) traffic on a regular basis. For call setup and teardown, SIP is utilized. If you’re utilizing Secure Real-Time Transport Protocol (SRTP), encryption, integrity, and anti-replay protocol for Real-Time Transport Protocol (RTP) communication, you should do an SRTP traffic analysis as well. RTP is used to carry audio and video communication. Some protocol analyzers, such as GL Communications’ PacketScan, are specifically designed for these protocols. This kind of analysis may aid in the detection of SPIT attacks.

While the danger of spying, service theft, and denial-of-service assaults is greater with VoIP than with classic analog, there are steps that can be implemented to alleviate the concerns and lower the risks; these steps are as follows:
- Separate the phone and data networks physically.
- On infrastructure equipment, secure all management interfaces (for example, switches, routers, and gateways).
- In high-security environments, use a secure phone of some kind (to provide end-to-end encryption).
- Use network address translation (NAT) to mask the phones’ genuine IP addresses.
- Keep your operating system and VoIP software up to date with the latest updates.
- Turn off any services or features that you don’t need.
- Use 802.11e to provide Quality of Service (QoS) for VoIP packets when they transit a wireless segment, just as you would for all wired segments, to avoid performance difficulties, particularly during DoS assaults on the network.
- Use a firewall to protect the SIP servers, which are the servers responsible for generating voice and video sessions.

Sites for collaboration
Users are increasingly collaborating on cloud-based technologies employing web technology. Organizations are also using social media to communicate with consumers and share information with the rest of the world. While both social media and cloud-based collaboration have their advantages, they also have their drawbacks. The sections that follow examine these challenges and mitigating measures, as well as provide advice for responsible usage of social media and cloud-based collaboration.

Social media
While the words “social media” may bring up images of Facebook and Twitter, the usage of both public and private social media poses significant security risks. Although the security risks of public social media are more obvious than those of private social media sites, the fact that most enterprise social media tools allow for tight integration with public social media means that many of the issues that plague public social media can easily become your problem if you have an enterprise social media site.

Several scenarios highlighting the security challenges and risks of social media in the workplace are divided into two categories – the publication of critical company information and the introduction of malware. Allowing corporate devices carrying sensitive data to access social media sites is one method an organization might become vulnerable to a disclosure event in terms of information disclosure.

For further information on integration and cooperation, see below Figure:



Figure: Business and social media integration

Collaboration in the cloud
The figure below illustrates that cloud-based collaboration is largely utilized by companies and small teams to store documents, communicate, and share project updates:


Figure: Collaborations in the cloud

The following are some of the advantages:
- Allows you to pay based on how much you use it
- Increases the speed with which new tools, apps, and services are deployed to employees
- Can be absorbed as a cost of operations rather than a capital expenditure
- Increases the rate of innovation
- Boosts productivity
- Improves operational effectiveness

The following are some of the concerns or obstacles that come with switching to a cloud-based collaboration system rather than a premise-based solution:
- Networks may need to be redesigned to accommodate cloud services
- Concerns about data security
- Security rules are difficult to enforce
- Issues in providing an audit trail
- Complying with legal regulations

For many highly regulated businesses, such as banking and healthcare, cloud-based collaboration is not the optimal answer due to these considerations.

Information of the following sorts should not be kept in a public cloud-based solution:
- Information about credit cards
- Business secrets
- Financial information
- Medical records
- Secrets of the state and federal governments
- Confidential or proprietary information
- Information that may be used to identify you

When a cloud-based collaboration solution is acceptable, the following security steps should be taken:
- Make sure you understand the vendor’s and your organization’s respective security obligations.
- If you’re dealing with sensitive data, be sure the vendor offers encryption or that you pass data via an encryption proxy before sending it to the provider.
- On the collaborative site, need robust authentication.
- If the vendor offers data loss prevention (DLP) services, you should seriously consider employing them.
- If you’re using databases, consider incorporating database activity monitoring (DAM).

Conclusion
In this guide, we discussed Remote Access measures and services for desktop and application sharing along with unified collaboration tools such as Web, video, and audio conferencing, document collaboration, and unified communication. Instant messaging, email, telephony, and VoIP integration were also discussed.