E-mail, Web, Facsimile, and Telephone Security

The CISSP candidate should understand common issues associated with e-mail, facsimile, and telephone security.

E-mail security

E-mail has emerged as one of the most important communication mediums in our global economy, with over 50 billion e-mail messages sent worldwide every day. Unfortunately, spam accounts for as much as 85 percent of that e-mail volume. Spam is more than a minor nuisance - it is a serious security threat to all organizations worldwide.

The Simple Mail Transfer Protocol (SMTP) is used to send and receive e-mail across the Internet. It operates on TCP/UDP port 25 and contains many well-known vulnerabilities. Most SMTP mail servers are configured by default to forward (or relay) all mail regardless of whether the sender’s or recipient’s address is valid.

Failing to secure your organization’s mail servers may allow spammers to misuse your servers and bandwidth as an open relay to propagate their spam. The bad news is that you will eventually (it usually doesn’t take more than a few days) get blacklisted by a large number of organizations that maintain real-time blackhole lists (RBLs) against open relays, effectively preventing most, if not all, e-mail communications for your organization. It usually takes several months to get removed from those RBLs after you’ve been blacklisted and does significant damage to your organization communications infrastructure and credibility.

 Remember   RBLs is only one method used to combat spam, and generally not even the most effective or reliable method, at that. The organizations that maintain these massive lists are not perfect and do make mistakes. If a mistake is made with your domain or IP addresses, you’ll curse their existence - it’s a case where the cure is sometimes worse than the disease.

Failure to make a reasonable effort towards spam prevention in your organization is a failure of due diligence. An organization that fails to implement appropriate countermeasures may find itself a defendant in a sexual harassment lawsuit from an employee inundated with pornographic e-mails sent by a spammer to their corporate e-mail address.

Other risks associated with spam e-mail include:

• Missing or deleting important e-mails: Your boss might inadvertently delete that e-mail authorizing your promotion and pay raise because her inbox is flooded with spam and she got trigger happy with the delete button - at least it’s a convenient excuse!

• Viruses and other mail-icious code: Although you seem to hear less about viruses in recent years, they’re still prevalent and e-mail remains the favored medium for propagating them.

• Phishing and pharming scams: Phishing and pharming attacks, in which victims are lured to an apparently legitimate Web site (typically online banking or auctions) ostensibly to validate their personal account information, are usually perpetrated through mass mailings. It’s a complex scam increasingly perpetrated by organized criminals. Ultimately, phishing and pharming scams cost the victim their moolah and possibly their identity.

Countering these threats requires an arsenal of technical solutions and user awareness efforts and is - at least for now - a never-ending battle. Begin by securing your servers and client PCs. Mail servers should always be placed in a DMZ and unnecessary or unused services should be disabled - and change that default relay setting! Most other servers, and almost all client PCs, should have port 25 disabled. Implement a spam filter or other secure mail gateway. Also, consider the following user awareness tips:

•  Tip   Never unsubscribe or reply to spam e-mail. Unsubscribe links in spam e-mails are often used to confirm the legitimacy of your e-mail address, which can then be added to mass-mailing lists that are sold to other spammers. And, as tempting as it is to tell a spammer what you really think of their irresistible offer to enhance your social life or improve your financial portfolio, most spammers don’t actually read your replies and (unfortunately) are not likely to follow your suggestion that they jump off a cliff.

   Remember   Although legitimate offers from well-known retailers or newsletters from professional organizations may be thought of as spam by many people, it is likely that at some point a recipient of such a mass mailing actually signed up for that stuff - it is technically not spam. Everyone seems to want your e-mail address whenever you fill out an application for something, and that often translates to an open invitation to tell you about every sale from here to eternity. In such cases, senders are required by law to provide an Unsubscribe hyperlink in their mass mailings, and clicking it does remove the recipient from future mailings.

• Don’t send auto-reply messages to Internet e-mail addresses (if possible). Mail servers can be configured not to send auto-reply messages (such as out-of-office messages) to Internet e-mail addresses. However, this may not be (and probably isn’t) practical in your organization. Be aware of the implications - auto-reply rules don’t discriminate against spammers, so the spammers will know when you’re on vacation, too!

• Get a firewall for your home computer before you connect it to the Internet. This admonishment is particularly true if you are using a high-speed cable or DSL modem. Typically, a home computer with high-speed access will be scanned within minutes of being connected to the Internet. And if it isn’t protected by a firewall, this computer will almost certainly be compromised and become an unsuspecting zombie in some spammer’s bot-net army (over 250,000 new zombies are added to the Internet every day!). Then you will become part of the problem as your home computer and Internet bandwidth are used to send spam and phishing e-mails to thousands of other victims around the world, and you’ll be left wondering why your brand new state-of-the-art home computer is suddenly so slow and your blazing new high-speed internet connection isn’t so “high-speed” just two weeks after you got it.

 Remember   Your end users don’t have to be CISSP certified to secure their home computers. A simple firewall software package with a basic configuration is usually enough to deter the majority of today’s hackers - most are using automated tools to scan the internet and won’t bother to slow down for a computer that presents even the slightest challenge. Size matters in these bot-net armies and there are far too many unprotected computers out there to waste time (even a few minutes) defeating your firewall.

 Tip   Spam is only the tip of the iceberg. Get ready for emerging threats like SPIM (Spam over instant messaging) and SPIT (Spam over internet telephony) that will up the ante in the battle for messaging security.

 Cross-Reference   Several protocols exist for secure e-mail, including S/MIME, PEM, and PGP. We discuss several of these protocols in the earlier section “Application Layer (Layer 7)” of this chapter and also in Chapter 8.

Other e-mail security considerations include malicious code contained in attachments, lack of privacy, and lack of authentication. These considerations can be countered by implementing antivirus scanning software, encryption, and digital signatures, respectively.

Web security

The two principal protocols that make up the World Wide Web are the HyperText Transport Protocol (HTTP) and the HyperText Markup Language (HTML). HTTP is the command-and-response language used by browsers to communicate with Web servers, while HTML is the display language that defines the appearance of web pages.

HTTP and HTML are the means used to facilitate all sorts of high-value activities such as online banking and business applications. It should be of no surprise, then, to know that these protocols are under constant attack by hackers. Some of the types of attacks are

• Script Injection: Hackers attempt to inject scripting language commands into form fields on Web pages, in an attempt to fool the Web server into sending the contents of back-end databases to the hacker.

• Buffer Overflow: Hackers try sending machine language instructions as parts of queries to Web servers, in an attempt to run those instructions. If successful, the hacker can execute commands of his own choosing on the server, with potentially disastrous results.

• Denial of Service: Hackers can send specially crafted queries to a Web server in order to cause it to malfunction and stop working. Another form of Denial of Service involves merely sending huge volumes of queries to the Web server in an attempt to clog its inputs and make it unavailable for legitimate use.

These and other types of attacks have made Web security testing a necessity. Many organizations with Web applications, especially one that facilitates high value activities such as banking, travel, and information management, employ tools and other methods to make sure that no vulnerabilities exist that could permit malicious attacks to expose sensitive information or cause the application to malfunction.

Facsimile security

Facsimile transmissions are often taken for granted, but definitely present major security issues. A fax transmission, like any other electronic transmission, can be easily intercepted or re-created. General administrative and technical controls for fax security include

• Using cover pages (with appropriate routing and classification markings)

• Placing fax machines in secure areas

• Using secure phone lines

• Encrypting fax data

 Tip   It is our experience that more faxes are lost because the recipient didn’t know they were coming, and some other recipient accidentally took too many pages off the fax machine, including faxes destined for others! If you are sending a fax containing sensitive information to another recipient, inform them in advance so that they can be sure to grab it off the fax machine!

PBX fraud and abuse

PBX fraud and abuse is one of the most overlooked and costly aspects of a corporate telecommunications infrastructure. Many employees don’t think twice about using a company telephone system for extended personal use, including long distance calls. Personal use of company-supplied mobile phones and pagers is another area of widespread abuse. Perhaps the simplest and most effective countermeasure against internal abuses is to publish and enforce a corporate telephone use policy. Regular auditing of telephone records is also effective for deterring and detecting telephone abuses.

PBXs are information systems too. Unless security measures are taken, such as strong passwords and security patches, attacks on PBXs are more likely to succeed, resulting in toll fraud and other headaches.

Caller ID fraud and abuse

A new and growing problem is that of forged caller ID. There are several methods available for hiding one’s caller ID, in some cases in a way that can be deliberately misleading or used to perpetrate fraud. These methods include:

• Calling card: Using a long distance calling card often masks the true origin of a call.

• Caller ID services: A number of commercial services are available that will generate any desired Caller ID.

• Block Caller ID: Many wireline and wireless telephone services have means that can block Caller ID, either on a per-call basis or permanently.

• Reconfigure your PBX: Often, a PBX that is connected via a trunk to a telephone network can send Caller ID data that is configured into the PBX.

• VoIP: Simple IP smartphone or PC software can be used to generate false Caller ID data from VoIP phones.

The use of Caller ID spoofing as part of a scheme to commit fraud is in its infancy, and may grow over time.