CompTIA CASP+ CAS-004 – Chapter 05 – Implementing Security for Cloud and Virtualization Technologies Part 5
- Storage and Document Collaboration
Storage and document collaboration tools are going to allow teams and entire companies to share documents no matter what location they are working from, where the team members are. These are excellent tools from a business perspective and many organizations are using them. A lot of smaller and organizations are just using Google Drive, but larger organizations typically have gone towards Microsoft SharePoint. Those are just a couple of examples of this type of tool. In most cases these tools allow live updates to all the users viewing the documents. So if you and I are working on a PowerPoint spreadsheet or a spreadsheet, a PowerPoint slideshow, then we can both have the same file open. That’s what that means. Both have the same file open, both making changes and have those changes be doing kind of a live merge.
Assuming that the file is on a SharePoint site and I’m using a recent version of Office, we can also have obviously commenting to specific parts of the document and things of that nature. So from a business perspective it’s a great tool, but there are some security risks that are related to those tools. So first would be Login Credential Breaches. Most of these tools are going to use a username password model. So if I can get your credentials, then I can access any information to which you have access. SSO can be used to help ensure that the login credentials follow the same guidelines as enterprise login credentials. A lot of your larger organizations will tie their Office 365 and Azure Ad implementations to their on prem organization using federation. It’s not overly difficult to do and then login attempts will be redirected back to the local network and authentication is actually still happening locally even though the resources are out in the cloud. Web based threats include malware and unauthorized tracking.
You can implement a VPN if you would like for connection to the collaboration tool that can cut down on a number of those issues. We can have URL related issues because default site names and other default settings often make it easier for an attacker to discover a site. In addition to that, you can have metadata and the site URL that can reveal confidential data, reports and summaries. These are important to help you quickly see the status of documents.
But those same tools can be used to compromise data if the reports are transmitted over email or other insecure methods. So emailing of those reports really should be discouraged and in some cases we’re just dealing with a lack of encryption or minimal encryption. So security professionals need to work with others in the organization. We need to make sure these products that are being used are fully analyzed prior to selecting a tool. We need to identify known issues about a particular product and research those to determine if there are controls we can use to mitigate them and then we can implement them. All of that is just going to help to minimize the impact of issues within your organization.
- Unified Communication
Unified communication tools are tools that combine voice, video, email, instant messaging, personal assistant, and various other communication features. And they put them all in a single tool. Some of the newer tools even actually offer the document collaboration. Now, you can often purchase individual configurable modules, so if you don’t need the personal assistant feature, then you can just disable that module. But unified communication as a whole will make a number of these things available in one software package.
Security risks that you should examine in relation to unified messaging include minimal vendor data center security, inadequate data encryption, lack of support on the Internet connection at peak times, inadequate security or access controls, lack of or minimal automation of on demand account management. So the inability to automate that process, needing to create new accounts. You can automate the process. It means you have templates. It means you’re following certain security policies and guidelines, et cetera. Vendor Experience unified communications tools sound like a wonderful way to integrate all your business processes.
But often the implementation of these, the data integration with these tools can be a nightmare. So we need to make sure that management understands the complexity in deploying and securing these types of solutions. We’re not spending a lot of time on this, but those are some of the security risks you need to fully vet every software product that you’re looking at and make sure that we’ve got people in house that know how to utilize and work with these products.
- Instant Messaging
Instant messaging has become a really popular way to communicate. In fact, a lot of users inhouse will prefer that to email when communicating with coworkers. Most of your email systems like Google Mail have integrated Im. Of course, Outlook in Office 365 uses Skype and now Teams in order to integrate I am into the the email system. Im is great for real time communication. Who knew 20 years ago that email wasn’t even going to be fast enough for us? But now I want to be able to see that you read it. I like that visual that you’ve read this message and I can see that you’re typing a response to me, or I can get presence information as to what you’re doing.
So it’s understandable from a business sense why instant messaging is so useful. But there are a slew of security issues related to instant messaging systems. So let’s talk about those and then we’ll talk about the Mitigation technique. So the first actually, I’m going to talk about them together here. So the first security issue is the transfer of malware worms, Trojans, other malware through an instant messaging connection.
One of the ways to Mitigate that would just be to turn it off, disable the ability to transfer files through the system. If there is the business need to transfer files through the system, then we need to train users and we need an anti malware product that will actually work with the Im client. But if nobody needs to use this, if there’s not an actual valid use for it, then we just turn it off. The second potential issue is hijacked user accounts. After a user account is stolen, maybe through social engineering of some type. And so what we want to do to Mitigate that is just tell people never to share their account information. That’s easy enough.
Some users are not going to listen to you necessarily, but everybody should be taught not to share account information over instant messaging. In reality, even if you think you know or you’re somewhat familiar with the person you’re talking to, unless we’re talking about your best friend here biggest confidant, then there are certain stuff that should not be shared ever between you and another individual, especially via Im. We can also get hijacked user accounts from a password stealing Trojan. And in that case, the Mitigation technique would be to have updated antimalware installed Dos attacks, sending multiple messages to a user account. So we want to teach users to share their account name only with trusted parties. Disclosure of information en route is another security issue. And we would want to try to use a product that provides encryption because that would prevent the disclosure of that information.
Now many of your collaboration solutions and definitely your Im products are going to use presence functionality and that indicates the availability of the user. So the system uses presence signals to other users when a user is online, when they’re busy, when they’re in a meeting, and so forth. And many times it is enabled across multiple communication tools like your Im, your phone, email, video conferencing, et cetera. And you can figure out which communication channel is active and which channel provides the best possibility for an immediate response. Right? And so it’s very useful from a business sense. If my Outlook Calendar says I’m busy, then my Skype Instant messaging client says I’m busy. If my Outlook client says that I’m actually in a meeting and I have webex going, then my Skype system says I’m in a meeting. If I’m on the phone, it says I’m on the phone.
If I’m connected to my Hotspot, it has learned that and it sets my presence to being on site. If I’m on my home network, it says home. So it’s giving my location and it’s giving whether I’m available, what I’m doing. So the information is very helpful, but it could also be used maliciously. Specific Issues the systems that don’t authenticate present sources during the status update. So the lack of authentication, they might not authenticate either the source or the receivers. The source is just where it’s coming from. The receiver is sometimes called a subscriber or watcher another systems that don’t provide confidentiality and integrity of presence information or ones that use weak authentication methods to authenticate a user.
So when you’re selecting a presence product or when you’re evaluating a system that includes presence features, then you need to follow certain guidelines. First is to just try to select a product that uses a secure protocol, like the Extensible Messaging and Presence protocol XMPP over TLS. Another one is another example is the session initiation protocol for instant messaging and presence leveraging extensions. What a mouthful. Simple. Both of those are simply protocols that will provide encryption, provide secure authentication and secure the data that’s being transmitted. You also want to select a product that uses your internal PKI, assuming you have one.
And then you can use certificate authentication when possible. That is the best option. Encrypt all communications internally and across the Internet. Make sure we’ve got authentication of both sources and subscribers. And if the system supports presence groups, you can use grouping. That gives you the ability, gives users ability to control the viewing of presence information with other individuals in the organization. So, as I said, these are great tools with all of these, they’re great tools, but they just raise some security concerns. So if you’re going to use them, then these are the issues that we need to address.
Email is still without a doubt the most widely used method of communication in the enterprise. And so as security professionals, we need to be familiar with the different protocols that are used, as well as not limitations, but the issues that can arise. Okay, so I don’t have the protocols on the slide, but let’s just talk about them quickly. Your primary protocol for sending and receiving email is going to be SMTP send Simple Mail Transfer Protocol. I almost gave you the way that I always remembered it was you send mail to people, but it’s simple Mail Transfer protocol. In the past that was the protocol that was used to send and then organizations would use Pop or IMAP to retrieve.
So pop post Office protocol. IMAP Internet Message access protocol. Both of those are application layer retrieve only protocols. Latest version is IMAP four and Pop three. But these are actually quite a bit older now, and so typically that’s not how people are connecting to their mailbox. In fact, the most common method of connection to a mailbox is going to be Https, a webmail. And I don’t mean necessarily that you’re using a web browser to access your mail, although that’s possible, but you are probably using Https behind the scenes from like an Outlook client, or the Windows Mail program or third party mail programs or your phone. The vast majority of these devices are actually connecting via Https, and SMTP is not even used any longer. I take that back, sorry. It is used, but it’s used between the servers. It’s not used between the client and the server. If you do use IMAP or Pop, you definitely want to be sure that you’re using the SSL version of that. The SSL version of IMAP operates on port 933 or excuse me, 993, and the SSL version of Pop is on 995. With SMTP, it’s port 25 by default and the SSL version is typically on port 465. Https is always going to be on 443. Because email is the primary method of communication, it is then the attack vector that is chosen in many cases. So let’s walk through some email based attacks.
The first is email spoofing. Email spoofing is just a name that says you’re sending an email that appears to come from one source when it really comes from another. How do they do this? Well, they alter the email headers like the from the return path reply to. The purpose is to try to convince the recipient of this message to trust it and reply to it with some sensitive information that normally that person wouldn’t share. They definitely wouldn’t share with an untrusted source. Email spoon is often one step in an attack that’s trying to harvest usernames and passwords for banking websites, credit card websites, and those can be mitigated in a number of different ways. One is just to use SMTP authentication. When you use SMTP authentication, it disallows the sending of an email by a user that can’t authenticate. Okay, that sounds good and all.
And we might think, well why don’t you always do that? There’s one primary reason that you typically will not turn that on, and that is that you will generally cease to receive about 95% of the email that your server gets. Okay, so that’s, I mean, that’s an option. It is an option that is listed on the, the exam objectives, but it’s not a very good one. SMTP is anonymous by default, right? I don’t know. I’m a mail server. I don’t know who’s going to try to send me messages. So my users are communicating with people in other organizations. I have no way of knowing unless it’s a really tightly closed environment, who’s sending messages. So I have to accept unauthenticated messages. So there’s got to be a better way. And there certainly is. I mentioned SMTP authentication because it is an option. But the best mitigation technique against email Spoofing is what’s called sender policy framework SPF. SPF is an email validation system that works by using DNS.
So essentially the message claims to come from Joe@adventureworks. com and I’m going to do a reverse DNS lookup looking for an SPF record for adventure works. com. And what I’m actually not even concerned about the Joe at, what I’m concerned with is the server, the server that just sent me this message that claims to be from adventure works. com. I’m checking to see if that server is authenticated or, excuse me, is authorized to send mail for that particular domain name. And if that SPF record lookup fails, then you can configure your server to bump up the spam confidence level on the message or to completely reject the message. The organization that I am currently working for, they reject. I know this from experience. If you try to send me an email and you don’t have an SPF record configured, then my email system will bounce. That email, they’ve got it, it’s configured that way. I take that back. It’s not if it’s missing, if it’s incorrect, if it’s a hard fail.
So you’re claiming to come from this server and your SPF record says another IP address or another domain name, then that’s a hard fail. So SPF though is heavily used today. It’s something that you should always add in your own domains. It’s a real quick ad and it helps to cut down and reduce spam. Phishing of course, is a problem that most often utilizes email as its attack vector. This is a social engineering type of attack where the recipient is just being convinced to click on the link to an email that appears to go to a trusted site but actually goes to hacker site. And then they’re typically there just to harvest usernames and passwords. Reputable banks, reputable credit card companies. They do not send you emails asking you to click on links and then validate your login credentials.
They don’t send you emails. They don’t do that. If you think, this is what I think the best mitigation is, or if a user thinks that it’s real legitimate, then don’t click the links in the email. Go out to the web browser and open it up there. Go directly to the site, don’t go and follow any of those links. If you pay close enough attention to those emails though, you usually can spot what’s wrong with them. Spear phishing is the process of pushing a phishing attack on a particular person rather than a set of random people. And this attack can be made more convincing by using details about the person learned through social media. And there are several ways we can mitigate that. We can deploy a solution that verifies the safety of all links and emails, and we can also just train users to regard all emails suspiciously, even if they appear to come from friends. Spearfishing is a subset of phishing. So is whaling. Whaling is actually a subset of spearfishing and whaling. The person targeted is of some significance. They are a whale. CEO, COO, CFO, CTO, some executive that has high level privileges. And so we’re basically just going after them because they’re the big fish, so to speak.
Spam is obviously an email based attack. You don’t have to use email for very long to know that there’s a lot of unsolicited email that gets through the spam filters. A lot of it you subscribe for, and it comes in in many cases when an email is actually sent out on a mass basis that is truly not requested. Totally unsolicited. That is spam newsletters that you signed up for and can’t figure out how to unsign up for. That’s not spam. Even though we all kind of use the term broadly, spam is really more of an annoyance. It can clog up email boxes. If you manage your own email servers, it takes them a while to deliver it. But sending spam is illegal. It’s relayed through servers that are not who they claim to be, and so it is something that we can try to stop. It’s also a predominant source for phishing and for malware attacks, and so we want to try to get rid of those.
Get rid of spam by having a good, valid antispam product. And cloud based antispam products work pretty well as well. Email traffic, like any other traffic, can be captured in its raw form. SMTP is sent in plain text by default, so if it’s in clear text, it can be read. Really, if you’re using any sort of if you’re using email for any sort of sensitive information, you should utilize encryption. Encryption can be set up in a couple of different ways. Sometimes it’s organizational based. I just recently had a request organization, hey, when I send in either of these three domains, I have to make sure it’s encrypted. Great, done. Easy. We set it up on the server that says, hey, if you got outgoing messages to this domain, we’re going to force TLS. And so it uses SMTP. With TLS and forces encryption, the users don’t have to worry about it at all. But that was because that worked, because it was going between particular domains. Sometimes it’s not that easy. So I also dealt with a credit union, and in their case, they needed to encrypt messages. But sometimes it’s going to customers.
I mean, these messages could be going to a Gmail, Yahoo or Outlook. com address. We don’t have any way of defining exactly where they’re going. So in that case, we used Office 365 Message Encryption and instructed the users to put a keyword in. If they typed in the word encrypt in the subject line with percentage signs before and after it, then it would automatically apply the Office 365 Individual Message Encryption. And there are a lot of third party products that work like that, too. It’s looking for keywords that the user would add, and then it’s encrypting the message. Okay, some of those products encrypt the message, but they store it securely on a server. On Prem. They don’t actually send them out. What they send the user is a link. That link is unique and uniquely identifies the individual when they come back, and then they’re able to access that.
They’re able to access that email. So sensitive information should never be sent an email unless we’ve already taken steps to secure it. Now, SMIME is another user based method. PGP would be a user based method where they could encrypt individual messages, but both of those are a little bit more tedious. And maybe if you’re dealing with one or two people that have to send encrypted items, then that would be a good idea. But otherwise, it’s a little bit too difficult to deal with. So captured messages, disclosure of information, encryption will help those things.
And of course, malware. With malware, you’ve got potential issues. I’m sorry, with email, you have malware coming in, and there’s always the possibility for malware to be distributed via email. So instruct people not to click on links and download attachments, individuals that you don’t know. So, as we said, a whole slew of communication technologies. And with every one of these technologies, we just need to be careful as to how we go about choosing products and how we configure those products to maximize security.
- Chapter 05 Review
In this chapter we looked at implementing security for cloud and virtualization technologies. We began by talking about the different options for the cloud and the importance of that choice, whether you use a public or a private cloud as it relates to the security of your network and the security of your data. We discussed different service models and how they relate to cloud technologies, the choice of hypervisors, and the extended use of virtualization, along with security considerations.
Then we looked at securing remote Access and collaboration with remote access deal with dial up and VPN connections, predominantly the latter, and discussed how to go about securing those. But with collaboration, we talked about a number of unified messaging types of components, whether it’s email or instant messaging, and press information web conferencing. All of them are heavily used in today’s environments, and all of them, as we saw, have a unique set of security considerations that we need to be able to address.