Module 5 - Technical Security Controls
The course is part of this learning path
This course defines the different types of malware and outlines the impact that each one can have on an organization’s computer systems. It also details the different methods through which networks can be accessed, and how the related security risks can be controlled. Finally, it defines what cloud computing is and explains the different deployment models, before looking at the security requirements of an organization’s IT infrastructure and the documentation required to support this.
The objectives of this course are to provide you with and understanding of:
- The different types of malware and the impact each one can have on an organization’s computer systems
- Methods of accessing networks and how related security risks can be controlled
- The security issues related to networking services, including mobile computing, instant messaging and voice over IP
- Cloud computing deployment models and the security implications of cloud services
- The security requirements of an organization’s IT infrastructure and the documentation required to support this
This course is ideal for members of information security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
There are no specific pre-requisites to study this course, however, a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved with security control activity would be advantageous.
We welcome all feedback and suggestions - please contact us at firstname.lastname@example.org if you are unsure about where to start or if would like help getting started.
Welcome to this video on external services.
We’ve already looked at the fundamentals of networking and communications, and seen the different methods through which networks can be accessed and security risks can be controlled.
This video looks at the security issues related to services that use networking, like:
· Mobile computing;
· Public Switched Telephone Networks;
· Supervisory Control and Data Acquisition;
· Instant Messaging;
· Voice Over Internet Protocols; and
· Web services.
We’ll also look at the countermeasures that can be used to mitigate risks in each area.
Here are some of the typical network services that an organization might use. It includes a range of communications technologies and illustrates:
· Networks used to connect to the mobile phone network, or to provide data connections to the Internet. These use a wide range of technologies, including GSM, GPRS, HSDPA, EDGE, 3G and 4G;
· Public Switched Telephone Network, or PSTN, the fixed telephone network which includes copper, fibre-optic, satellite and microwave carriers. It’s possible to have leased lines from network providers which, in effect, provide private circuits;
· Supervisory Control and Data Acquisition: SCADA systems are industrial control systems that can monitor and control processes. These can be industrial, infrastructure or facility-based processes and include the Building Management Systems used by many organizations;
· CCTV security cameras used to transmit a continuous feed of images to a limited set of monitors;
· Video or video conferencing which includes a range of technologies;
· Voice Over IP – or VoIP – technology used for the delivery of voice communications and multimedia sessions over Internet Protocol networks, such as the internet;
· Instant text messaging services, for example Skype and MSN;
· Users in an organization accessing external webservers, or customers and partners accessing an organization’s webservers;
· Web Services which are application-to-application communications using web technologies, for example HTTP and XML; and
· E-mail, exchanging electronic messages from an originator to one or more recipients.
Now we’ll look at the risks created by these network services and how they can be mitigated. The main risks of mobile computing relate to the use of portable devices and wireless networking. They include:
· Connecting to a rogue public Wi-Fi hotspot; it might look legitimate but could be under the control of an attacker and is still a risk if a TLS connection is used; and
· Losing a device or having it stolen.
Some security controls that might help mitigate the risks of mobile computing include:
· Confirming wireless access points under the organization’s control are configured to use WPA2. This ensures that traffic is encrypted and each channel is secure. Connections which use Wired Equivalent Privacy, or WEP, encryption shouldn’t be allowed because they’re easily hacked;
· Ensuring laptops have encrypted hard disks so that, if the device is lost or stolen, the information is safe. Full disk encryption should be a requirement when new hardware is procured; and
· Educating users on how to avoid social engineering attacks. Users should know how to calculate the risks of using open-access internet zones, how to protect their devices when they’re travelling and how to assess the risk of transporting confidential or personally identifiable information, including large datasets.
Public Switched Telephone Networks are telecom technologies that enable digital circuit switching.
Historically, PSTN could only transmit data using modems which were installed at either end of a telephone line.
The most common type of modem was used for dial-up connections and worked by placing a call to the remote modem which would transfer the data as audio tones when the remote modem answered, switching it from digital to analogue.
Engineering control systems, known as SCADA systems, and building management systems might still use this technology today. So, in terms of assessing the risks of these older environments some of the attack methods used by hackers in the 1980s are still relevant.
For example, war dialling was a technique made famous in the movie ‘War Games’. Through a modem, the hacker sequentially calls a series of phone numbers in a certain area code, looking for another modem to respond. Once a modem responds, the hacker knows it’s a computer and not a person and tries multiple username and password combinations until they gain access.
Because the PSTN consists of so many diverse technologies it’s difficult to know if sensitive traffic is being intercepted. However, there are two possible control measures to consider depending on how the PSTN is being used in the organization:
· Dial-back security, if modems are still being used. Instead of answering to any caller, the modem is programmed to hang up when it receives a call, then it calls back on a pre-programmed number. This can be used in conjunction with usernames and passwords; and
· Various forms of encryption to mitigate the risk of interception, such as virtual private networks.
Supervisory Control and Data Acquisition, known as SCADA or Industrial Control Systems, haven’t typically been included in the security risk assessments. However, these systems have become increasingly integrated with other IT and network systems so the risk of them being attacked have increased significantly.
One of the most notorious attacks was the Stuxnet worm. This attacked Windows systems and Siemens industrial software, which suggested that it was a co-ordinated, targeted activity crafted specifically for the Iranian Nuclear Enrichment systems that it infected.
The primary risk associated with SCADA systems is that an attacker can log into the equipment and change the settings. This could lead to a change in the threshold value of a temperature alarm which could, over time, cause the device to overheat.
In theory, if this occurred in a building management system, plant equipment might catch fire, so a simple configuration change could lead to a catastrophic outage.
Since the discovery of Stuxnet, the security industry is more aware of these dangers. As a result, the risk assessment should consider the following possible attacks:
· Turning off equipment;
· Disrupting energy supplies; and
· Overheating and blowing-up equipment.
Countermeasures can include:
· Separating the SCADA equipment and network from the general IT network. Networks should communicate through a DMZ;
· Implementing good password management and security awareness training;
· Protecting remote access channels, including PSTN controls and, if possible, restricting remote access; and
· Implementing VPNs to protect the connection between the components in the SCADA network.
CCTV systems are becoming more integrated into general IT systems as footage is streamed over an IP network. So, like SCADA systems, the risks are increasing. These risks are different to those related to SCADA systems and include:
· An attacker intercepting or redirecting the feed from a CCTV camera;
· CCTV clips and images stored on IT systems being tampered with, deleted or viewed by inappropriate people; and
· An attacker replacing the camera feed with their own feed, with the intention of hiding activity from a CCTV operator.
Countermeasures when designing a CCTV solution can include:
· Encrypting the camera feed to the control centre;
· Implementing logical and physical identification and authentication solutions on the network and in the control centres;
· Ensuring a strong password management regime; and
· Ensuring appropriate authorisation procedures for the storage system to secure archive footage.
The main risks from teleconferencing systems are similar to the risks of CCTV and Instant Messaging systems. The primary countermeasure for protecting teleconferencing systems is the protection of the link, which is typically through encryption and authentication mechanisms.
As Instant Messaging (IM) becomes more prevalent the risks increase. IM applications provide the ability to transfer text messages, but most systems also allow users to transfer files. As a result, they can be used to proliferate virus infections, worms and malware, as well as bypassing traditional controls for sharing sensitive company information.
Some of the risks posed by IM solutions arise because communication with external agents is possible without being monitored. In certain environments, the need for monitoring is critical, like the financial or military sectors.
Sarbanes-Oxley and the Financial Services Authority in the UK both require IM traffic to be recorded. Section 18 of the FSA’s Conduct of Business Sourcebook includes the requirement to record telephone and electronic communications, which includes IM.
As IM applications allow users to exchange files, including executable files, employees could use this mechanism to bypass controls implemented in the DMZ to install unauthorised programs. This risks unintentionally importing a worm, virus or Trojan.
Whilst most recorded phishing attacks have occurred via email, IM is a new vector that’s equally prone to this kind of attack. Potential control measures for IM include:
· Turning it off; many organizations configure their firewalls to block IM traffic altogether;
· Logging IM traffic according to the organization’s policy and legislative obligations;
· Using antivirus software to scan IM traffic and identify malware in IM file transfers; and
· Educating users so they know the risks.
The primary risk associated with Voice Over IP, like Skype and Microsoft Teams, is interception of traffic. Countermeasures can include:
· Separating the Voice Over IP traffic from data, for example using VLAN technology; and
· Encrypting Voice Over IP traffic during transport over the IP network.
There are a number of secure Voice Over IP products available which can be assessed prior to implementation.
Clearly there are risks related to inbound and outbound Internet traffic. In the context of web access these include:
· Users downloading unauthorised programs or importing malware from external websites;
· Inbound or outbound traffic being intercepted and revealing sensitive information, usernames and passwords;
· Attackers defacing a website, causing considerable reputational damage; and
· Hackers posing as legitimate users to perform fraudulent transactions. Financial institutions and ecommerce sites are particularly at risk of this.
Mitigating controls can include:
· Using TLS when external users log in to a website, especially if they need access to sensitive information or to execute transactions;
· Using a VPN for external partners to browse an internal web server;
· Using stronger authentication mechanisms for high-value websites or two-factor authentication with tokens; and
· Ensuring the website has been implemented according to good practice and penetration testing has been undertaken.
Web services allow applications to communicate with each other using web-based protocols.
The risks associated with web services are similar to Internet traffic and include:
· Traffic being intercepted, and sensitive information revealed; and
· An attacker creating fraudulent transactions by modifying or inserting new transactions into the traffic between communicating parties.
The mitigating controls are the same as those for Internet traffic. There are many risks in using email, predominantly from emails received by the organization. Examples of these include:
· Emails being intercepted and sensitive information exposed;
· An attacker impersonating another user and generating false emails;
· Users receiving phishing emails requesting they provide authentication or account details through an embedded URL; and
· Email attachments containing malware.
Countermeasures to these risks can include:
· Implementing boundary controls, especially filtering incoming emails and checking for malware;
· Implementing antivirus controls on all endpoints. Many antivirus products, including those that would be installed as boundary controls, can detect spam emails and phishing attacks; and
· Implementing secure email. Many products, including Microsoft Outlook, provide the ability to encrypt and digitally sign emails. However, many organizations prefer to accept the risk of interception rather than implement this measure. If they need to send sensitive information to another party, organizations often use PGP or ZIP technology to encrypt attachments.
Users should also be made aware of the following risks:
· Opening attachments from an unknown origin;
· Following hyperlinks embedded in an email that link to a phishing site; and
· Not sending sensitive information in an email unless some protection is applied.
We’ve looked at the risks associated with different electronic data exchange services. In summary, the implementation of one or more of the following technologies should be considered:
· Creating a VPN between the organization and its partners;
· Using TLS to protect communications, in particular, access to websites;
· Using secure mail if email is used to exchange sensitive information with another organization; and
· If secure email can’t be used, consider encrypting attachments.
Selecting the appropriate solutions to fit the organization’s needs, budget and appetite for risk is an important job for the security manager. When exchanging data, both parties should use a similar level of protection and agree on the same standards.
Although we’ve concentrated here on technologies to protect confidentiality and integrity, don't forget about availability. As well as ensuring the organization has suitable business continuity and disaster recovery plans, external companies should be suitably covered to avoid introducing further risk.
Finally, let’s look at contractual and legal requirements when obtaining services from an external provider. All applicable legal requirements and directives relating to a particular market or services provided, should be passed onto suppliers. As an example, an organization operating in the UK would consider the following requirements:
· Third party suppliers should uphold the principles of data protection and be audited to validate how they’ll protect the organization’s data, and to check their review, retention and destruction policies;
· The Data Protection Act 2018;
· The Financial Services Act: section i82 concerns disclosure of information;
· The Official Secrets Act
s 1911 to 1989 which is pertinent to local and central Government projects;
· The EU Markets in Financial Instruments Directive which, along with various FSA documents, such as The Conduct of Business Sourcebook, and Disclosure and Transparency Rules, should be understood by all suppliers and sub-contractors; and
· The Freedom of Information Act which creates a public right of access to information held by public authorities.
The organization should also consider the exit strategy when the contract expires or is terminated.
That’s the end of this video on external services.
About the Author
Fred is a trainer and consultant specializing in cyber security. His educational background is in physics, having a BSc and a couple of master’s degrees, one in astrophysics and the other in nuclear and particle physics. However, most of his professional life has been spent in IT, covering a broad range of activities including system management, programming (originally in C but more recently Python, Ruby et al), database design and management as well as networking. From networking it was a natural progression to IT security and cyber security more generally. As well as having many professional credentials reflecting the breadth of his experience (including CASP, CISM and CCISO), he is a Certified Ethical Hacker and a GCHQ Certified Trainer for a number of cybersecurity courses, including CISMP, CISSP and GDPR Practitioner.