bcs-ismp-bk-en-GB March 30, 2010 - 08:51 138
Information Security Management Principles
EXTERNAL SERVICES
LEARNING OUTCOMES
The intention of this section is to provide the reader with an understanding of
the security issues surrounding services that use the network, often bought
in from external suppliers.
Securing real-time services
The rapid rise in popularity of services such as Instant Messenger (IM) and
video conferencing have added another dimension to the challenges facing
Information Security managers. There are already examples of IM being used:
to extract data;
to insert malware onto networks;
as a channel for phishing attacks;
for unauthorised purposes leading to legal action against the perpet-
rators.
Video conferencing isn’t necessarily quite as vulnerable. Many organisations
still use separate ISDN or other data connections that are not linked to their
data networks. The data can still be the subject of eavesdropping, leading to
a loss of confidentiality. Systems using webcams or sharing data connections
have the same risks and threats as the data channel and can be used as an
easy backdoor into the network if not properly segregated and protected.
Other real-time services, such as ordinary telephony, Voice Over IP (VOIP)
and Closed-Circuit TV (CCTV) feeds, are also possible avenues of attack.
VOIP is especially vulnerable if it is integrated into a single messaging system.
Those with data connections can be used as a route into the organisation’s
data networks. Ordinary PABX systems can be the subject of various tech-
nical attacks (some of which are known, such as phreaking and dial-through
fraud), leading to losses in the millions, if they are not configured, protected
and monitored effectively. Just because it isn’t like other data formats, in
documents for example, does not mean it won’t be attacked. The enterpris-
ing attacker has known for a long time that anything related to telephony is
vulnerable to attack. All you have to do is find the right number, dial it and
you have a connection.
Quite often attackers will use a tactic called ‘war dialling’, which is to ring
every number the company has and see which ones have a modem attached
or which will allow access to the Main Telephone Exchange control system.
War dialling can also be a useful tactic for the Security Manager; security aud-
itors have quite often used this technique and found unauthorised modems,
connected by users, that the IT department knew nothing about.
Since many of these services are quite new, the technology available to
protect them is also new and may not be as mature as products that protect
118

Get Information Security Management Principles now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.