Web-based Communications Technologies

Time
7 hours 15 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:00
>> Hi there and welcome to
00:00
our next lesson, web-based communication technologies.
00:00
What we'll be covering in this lesson,
00:00
will be communications over the web in general forms,
00:00
voice-over IP and private branch exchange, email,
00:00
peer to peer computing,
00:00
instant messaging, social media, and Cloud computing.
00:00
Let's begin. Communications over the web.
00:00
Originally, the web was very much a read only system.
00:00
It contained data such as documents, images,
00:00
and perhaps some video.
00:00
But certainly in recent decades
00:00
there's been a convergence of
00:00
voice and data over the web.
00:00
What we're seeing now in organizations is there's
00:00
a single communications line for both and
00:00
with that obviously is with
00:00
most computer system changes these days,
00:00
it will introduce risks that must be managed.
00:00
Let's have a look at some of the options here.
00:00
We have voice over IP.
00:00
This is referred to as IP telephony.
00:00
In this basically voice traffic is carried
00:00
on top of existing data infrastructure.
00:00
In this case, sound is actually
00:00
digitized into IP packets,
00:00
just like other forms of data.
00:00
Now, they can be implemented in both hardware or
00:00
software depending upon the size
00:00
of the system and the nature of the system.
00:00
It will often incorporate
00:00
messaging and text chat functionality
00:00
that you would see in instant messenger programs.
00:00
A couple of security issues.
00:00
Basically VoIP is assumed to have
00:00
the same level of security as traditional voice lines,
00:00
but that's not always the case.
00:00
It really depends on the implementation and
00:00
the type of system that's being used.
00:00
There's also the risk for any loss or
00:00
destruction of enterprise data
00:00
through to any errors or through
00:00
the system failures or malfunctions of devices.
00:00
Also disclosure of sensitive information that can be
00:00
basically exfiltrated from the system
00:00
just like any other form of data.
00:00
That brings it also into a loss of
00:00
productivity due to unavailability of the system.
00:00
Phone lines or phone systems can
00:00
now go down and just as easily as computer systems
00:00
and also security breaches and there is
00:00
malware that can be transmitted across VoIP systems.
00:00
Just covering the VoIP audit concerns.
00:00
Now often, realistically it's the same
00:00
as data security audit requirements.
00:00
You are looking at data just the
00:00
same as you would look at any other network system.
00:00
There's also issues of
00:00
OS patching and antivirus signature updates,
00:00
just like you would any other system.
00:00
They're also initiatives to look
00:00
for network segregation and design.
00:00
Is the VoIP traffic
00:00
securely isolated away on
00:00
a segment of the network from the rest of the system?
00:00
Or is it basically mixed
00:00
with the rest of the traffic on the system itself?
00:00
Private branch exchange.
00:00
Now, this is basically an in-house computer based switch.
00:00
It is essentially a small private phone company
00:00
that exists with inside an organization.
00:00
All the infrastructure and
00:00
all the standard system
00:00
that you would see in a phone company,
00:00
but just on a smaller scale and
00:00
self-contained within an organization.
00:00
These are mostly being phased out now,
00:00
but there's still some that you may come across.
00:00
Now security risks,
00:00
often cases you'll see theft of service.
00:00
You can have cases where people
00:00
from outside the organization are able to
00:00
obtain access into the PBX
00:00
and use it for telephone services.
00:00
There's also disclosure of information so such as again,
00:00
just basically exfiltration of data and theft.
00:00
Data modification.
00:00
Messages can be modified in transit, unauthorized access,
00:00
denial of service, and also traffic analysis which
00:00
can elicit information from an organization.
00:00
Email security issues.
00:00
Now we're all very familiar with
00:00
email by this stage I would imagine.
00:00
SMTP is a protocol that drives
00:00
most email systems today and it is inherently insecure.
00:00
It was never designed with security in mind.
00:00
Security is actually added on in
00:00
the transport layer at a later stage.
00:00
But basically, SMTP is the equivalent of writing
00:00
your secret messages on the back of
00:00
the postcard and dropping it into the letter box.
00:00
Anyone who is processing that letter
00:00
can read what's on the back of it.
00:00
Other issues are obvious ones,
00:00
phishing and spear phishing,
00:00
which are quite common.
00:00
I'm sure we've all experienced those instances before.
00:00
Mail server configuration errors
00:00
can also cause network compromise.
00:00
Just like any other system on the network,
00:00
an incorrect configuration can
00:00
result in a compromise of not just the mail system,
00:00
but also further access into the network.
00:00
Also denial of service attacks
00:00
can be directed at the mail server.
00:00
If you think about the criticality of
00:00
email in most organizations,
00:00
the loss of a mail server for any amount of time,
00:00
would have a significant impact
00:00
on business and productivity.
00:00
There's also the risks of
00:00
information being intercepted between the email
00:00
client and the server.
00:00
Again, reinforcing the fact
00:00
that SMTP is not a secure protocol.
00:00
There's also the alteration of
00:00
information and there's certainly been
00:00
some cases where a legitimate attachment
00:00
has been substituted for a malicious attachment on
00:00
the illegitimate email prior to
00:00
getting to the recipient and that
00:00
also brings us viruses and malware which are
00:00
common forms of attack with email.
00:00
There's also the issue of users sending
00:00
inappropriate or sensitive information
00:00
through the email system.
00:00
Peer to peer computing.
00:00
This is a distributed architecture computing system,
00:00
where tasks and workloads are shared between peers.
00:00
There's no specific server that you connect to,
00:00
you connect to a peer to peer network and you are
00:00
able to share information
00:00
over that network from other peers.
00:00
As opposed to client server,
00:00
only peers exist in the system.
00:00
Now, currently the use is primarily for
00:00
file sharing most often of copyrighted material.
00:00
From an enterprise perspective,
00:00
there is little to no legitimate use for this.
00:00
Certainly as an auditor finding,
00:00
this type of system within
00:00
an enterprise would be something that would be
00:00
a finding and a red flag to alert the people to.
00:00
Instant messaging, which is just like an email.
00:00
I'm sure we're all fairly familiar with the concept here.
00:00
Basically, it just provides
00:00
a messaging capability between users on a network.
00:00
It's quite a popular collaboration mechanism
00:00
within organizations and is now seen being
00:00
used more for collaboration or
00:00
actual interaction with businesses and customers.
00:00
It enables a quick response.
00:00
>> It's basically considered more
00:00
direct and efficient than e-mail.
00:00
It's very much conversational as
00:00
opposed to a letter paradigm.
00:00
Now, it has similar security issues to
00:00
other communication systems and one of
00:00
the key aspects here is it can
00:00
result in productivity loss if misused.
00:00
An important thing from an auditor's
00:00
perspective is to look for
00:00
a policy and standards on how
00:00
this is used within the organization.
00:00
Social media, so social media basically,
00:00
it involves the creation,
00:00
dissemination of content through
00:00
social networks over the Internet.
00:00
Social media of which there are many,
00:00
many types of examples, but most commonly,
00:00
you'll see things such as Facebook or Twitter,
00:00
it provides a high level
00:00
of interaction and interactivity.
00:00
In a business context,
00:00
a lot of businesses will have
00:00
Facebook or Twitter accounts and
00:00
enables them to interact directly with customers.
00:00
In often cases, it can be used
00:00
by news organizations and they are able
00:00
to elicit some real-time feedback and
00:00
comments from news stories as they happen.
00:00
A few examples of social media
00:00
are basically image and video sharing,
00:00
social networking, and even professional networking.
00:00
One commonality across all platforms
00:00
regardless of the organization,
00:00
is that the company provides
00:00
the platform but the users provide the content.
00:00
It's very important to remember that on a social network,
00:00
the users are actually part of the network itself.
00:00
Talking about social media security risks.
00:00
We have viruses and malware,
00:00
and that's quite common on
00:00
most communications platforms, of course.
00:00
There's also the risk of hijacked social media presence,
00:00
which could cause reputational damage
00:00
if a company's Facebook account, for example,
00:00
or any other social media account,
00:00
was taken over by a malicious actor who then used it
00:00
to damage the reputation
00:00
of the company by posting malicious content.
00:00
Now some social media sites will also have
00:00
unclear or at least undefined
00:00
ownership rights of content.
00:00
In other words, the content that you post
00:00
on the social media may not
00:00
necessarily fully belong to
00:00
you after it's been posted on that site.
00:00
There's also an issue of use of personal accounts
00:00
to communicate work-related information.
00:00
Users may see very little difference between
00:00
their internal messaging applications
00:00
and also the messenger
00:00
applications on their social media site,
00:00
which means that sensitive company information
00:00
may be transmitted across these sites.
00:00
There's also the issue of employees posting
00:00
pictures from sensitive areas within the enterprise
00:00
or at least giving away
00:00
location information from the pictures that they post.
00:00
Now Cloud Computing, which has certainly
00:00
come a long way in the last 10 years or so.
00:00
There's a couple of service models that
00:00
you can look for on Cloud Computing.
00:00
Is Infrastructure as a Service where infrastructure that
00:00
would traditionally have been in a data center
00:00
can now be provided via Cloud.
00:00
Platform as a Service where entire systems can
00:00
be provided through the Cloud
00:00
and simply Software as a Service,
00:00
so things such as software applications can now
00:00
be provided via a Cloud-based system.
00:00
You have a number of different Cloud types.
00:00
There is a Private Cloud which is essentially owned
00:00
entirely and wholly and solely by one customer or client.
00:00
A Community Cloud which may be split
00:00
across multiple customers or clients.
00:00
A Public Cloud, which will generally allow
00:00
any person to sign up and obtain
00:00
services or there could be
00:00
a Hybrid Cloud which
00:00
it could be any combination of those three.
00:00
Clouds will have different characteristics.
00:00
There's often cases you'll see on-demand self-service.
00:00
So particularly with Infrastructure as a Service,
00:00
it can scale up to meet user requirements or user needs.
00:00
There's broad network access, so it's generally,
00:00
commonly available from anywhere
00:00
there's internet. Resource Pooling.
00:00
If there's sudden load on an Infrastructure as
00:00
a Service system from multiple users coming on,
00:00
it can basically expand the resources automatically.
00:00
It's also a measured service.
00:00
There is usually a fee for some metric
00:00
that is applied to the service.
00:00
Some security considerations for the Cloud.
00:00
Confidentiality, availability, and integrity
00:00
of data stored in the Cloud is certainly a key one.
00:00
Data ownership, so just like social media,
00:00
it just needs confirmation that the user
00:00
owns the actual data that's being put into the Cloud.
00:00
Privacy and certainly that under
00:00
some jurisdictions where there are privacy regulations,
00:00
Cloud Computing may not
00:00
be something that would be suitable.
00:00
There's also some concerns around eDiscovery.
00:00
If a company is brought into legal action,
00:00
Cloud Computing systems or
00:00
data stored on Cloud Computing could
00:00
be involved in eDiscovery for any court proceedings.
00:00
There's also issues regarding
00:00
the geographic location of data.
00:00
Certainly, some countries may have
00:00
rigid legislation which requires
00:00
the data of their citizens to
00:00
be handled in a certain way.
00:00
The Cloud Computing could potentially move
00:00
that data to another jurisdiction entirely.
00:00
There's also an issue of multi-tenancy
00:00
and isolation failure.
00:00
If you have multiple customers
00:00
on a Community Cloud, for example,
00:00
there could be risks that
00:00
some failures of the system result
00:00
in data from one customer
00:00
being available to the other and vice versa.
00:00
There's also a physical security,
00:00
just like you would have in
00:00
a data center that was in your own organization.
00:00
Basically, you need to ensure that there is
00:00
physical security around the system,
00:00
likewise with personnel security.
00:00
Even though there are technical controls,
00:00
there still needs to be people who are employed
00:00
by the Cloud company to actually manage
00:00
the systems and you need to ensure
00:00
that the personnel have been vetted.
00:00
There's also software security,
00:00
ensuring that the actual software is
00:00
maintained and free from issues or vulnerability,
00:00
and an exit strategy.
00:00
If you're engaging with a Cloud and you're
00:00
engaged with a Cloud provider for a number of years,
00:00
you need to have a methodology
00:00
that basically will ensure that you can
00:00
continue your business outside of the Cloud by retrieving
00:00
your data or moving it to
00:00
another Cloud provider if that's what you desire.
00:00
That's our lesson. We talked about
00:00
communication over the web for
00:00
both data and voice and
00:00
the convergence of telephone systems onto the Internet.
00:00
We've talked about Voice Over IP and
00:00
Private Branch Exchange, those two examples.
00:00
We've spoken a little about some of the issues regarding
00:00
e-mail security, peer-to-peer computing,
00:00
instant messaging, and social media, and also,
00:00
the various different models of
00:00
Cloud Computing that you could encounter.
00:00
I hope you enjoyed our lesson
00:00
and I will see you at the next one.