13. Environmental Security
Something that goes hand in hand with physical security is environmental security. And lots of folks don’t really think about that so much. But when you’re looking at security, you’re not just looking at locked doors. You’re also looking at how good the environment is. Is it too dusty? Is it too hot? Is it too humid? Is the equipment exposed to the weather or just to the environment itself? So let’s talk about power issues and failures, water damage and flooding, fires, and structural damage. Power issues happen all the time. I have been in towns where, because the power grid wasn’t very good, one good lightning strike actually blew up machines and a bunch of installations. If you actually put a meter on an outlet—the kind that actually prints the paper very, very slowly—and you look over a 24-hour period, you’ll be amazed at how much the power can vary. There can be 30,000-volt spikes, but they’re so short that they don’t really cause much damage. When we’re looking at the environment, we’re looking at, “Okay, what are you doing about it?” So, like, when I was working in Africa, the power was actually not very good. As a standard course, we ensured that all machines had an uninterruptible power supply (UPS) that was compatible with the machine.
Now, of course, how long do the batteries last? two or three years, maybe. And so you’ve got these machines out in the field, and the UPS doesn’t work, so they just bypass it. Well, okay. Now, we are not protecting against environmental issues. We don’t have power protection, and we don’t have good surge protectors. One good lightning strike, and it can take out the power supply or even the motherboard of a computer. The power goes out all the time. Yeah. And if you’re in the middle of writing to a database and the power goes off and you don’t have an UPS to provide a little bit of battery power just long enough for the OS to finish up and shut down nicely, then we’ve got corrupt data as well. So this sort of thing happens all the time when talking about water damage and flooding. A few years ago, of course, we had a terrible hurricane called Katrina in the US. And there were so many hospitals that kept their records down in the basement, and those records are gone, you know, so what do we do about this? Not too long ago, we basically had Wall Street in the dark because even the subways were flooded.
I mean, I remember looking at pictures and thinking, “Oh, my goodness, I was just there standing on that platform just a couple of months ago.” And so, yeah, water damage and flooding can happen. And maybe if you’re not in a floodplain, maybe if you’re not in an area vulnerable to hurricanes, tidal waves, and other natural disasters. You could still have sprinkler systems go off and flood things. So you have to be aware of all of this risk. Ultimately. What do you do if you’re in a high-risk area? The bottom line is, what are you doing to protect the data? And typically, you have offsite copies that are either taken offsite on a regular basis or are sent by a database log, shipping to another database, or something. You’ve got another mirror site. So, if you’re going to be in areas where there could be environmental disasters, make sure the data is stored somewhere else. I remember working for a Fortune 100 company.
I was there with a financial firm, and there were some environmental disasters there. And fortunately, they had so much data spread out with fault-tolerant copies in other locations and standby sites that they were able to weather it even though Wall Street went completely dark for a few days. So just see what people are doing to protect their data. Ultimately, it comes down to having accessible copies somewhere else and not just the data. If they use certain tape machines to backup, yeah, maybe you’ve got the tapes, but can you get those same tape machines? It’s easy to get a server if you have a service contract with Dell or HP. You can get a server in a couple of hours. That’s not hard. The hard part is, do those tape drives exist anymore? and you are stripping five of them together. Can you get five of them now?
So it’s not only the data, but how do you access the data? Not only that, but you should investigate whether they are restoring their data on a trial basis. I’ve seen plenty of cases where people were backing up. Yeah, backing up every day and swapping out the tapes The person was swapping the tapes, but they never bothered to test or do a test restore. And they never noticed the minor warnings in the backup log indicating that the backup had failed. So you really have to look at the environmental thing. And since environmental issues can be so big, what are you ultimately doing to protect the data and be able to access it if there is an environmental disaster? Not only was there water damage and flooding, but also power outages and fires. I also have to mention heat and dust. When I was working in Africa, the dust was terrible. and we knew that. So we never bought anything too expensive because we knew that we couldn’t maintain clean environments. That’s fine, but we always protect the data.
And the way we protected the data was such that we could restore the data to different locations and to people’s workstations. We knew that they were going to die because of the heat and dust. So we provided UPSs, and we just knew that we would have to recycle the workstations and replace parts on a regular basis, too. Not only that, but there’s also structural damage, too.I mean, in my native state, California, we’re an earthquake country. If you live along the whole Pacific Rim, if you’re in Japan or whatever, Alaska, you can be susceptible to earthquakes, which means you’ll have structural damage, which means that maybe the building is too unsafe to come back into to retrieve your data, or the equipment has been completely destroyed by the building falling down around it. So these are all environmental risks. Are we close to a source of water? Are we close to an airport where there could be a disaster?
Are we close to anything where there could be a disaster? Are we really close to a train track, even? Are we close to a major intersection where someone could drive a car through a front-plate glass window? Don’t laugh. I’ve seen cars get out of control, barrel through the reception area, through a wall, and into a manager’s office, wiping out computers along the way. So be aware of all of these things. And, hey, if it’s the risk we take, then, okay, what’s your contingency? If it’s a residual risk, then how do you deal with losing your data in the event of a catastrophe? These are the things the IS auditor is looking for. So, with the power issues, of course, we’ve got to make sure that, remember, power issues affect the security systems and the network infrastructure as well. So the power goes off. Everybody’s UPS is still running, but then we just go, “Oh, we didn’t put the router and the switches on a UPS.” Well, that’s fine because the ISP’s system is down anyway. We can’t communicate with each other anyway.
So you have to be thinking of anything with an on/off button that plugs in. It’s got to have some kind of contingency for power as well. There are various types of power issues now. You can have a blackout where, like, there is no power or a brownout, or a SAG where the voltage drops really low, too low for the systems to function properly. That’s where your UPS kicks in, right? or a SAG where it momentarily drops down. Or a spike that generates 30,000 volts in a short transient on a power line, blows away your motherboard and your power supply, and gets past the surge protector. You’ve got to realise that surge protectors are only designed to handle so much power going through them. This is where an UPS, even a cheap UPS, comes in handy because you’re feeding the machine from the battery rather than just leaving it in standby mode. So we can have surges. Of course, we can have spikes. A surge occurs when you have a more prolonged spike or when a device is started when we turn on something. Have you ever noticed that when you turn on something, the lights dim briefly? That’s because it causes a momentary drop. And then when the device is on, you’ll have this momentary spike or surge. So we want to protect all those UPS and alternate power sources with good surge suppressors and surge protectors, not just power strips. You’ve got to be looking at all those things to protect the equipment and the data that sits on them.
So for protecting our power, the generators, the surge protectors, and the power line monitors, keep an eye on it. Ups, which include a battery and a power converter, as well as additional power sources. And servers can have multiple power supplies attached to them. We can use heating, ventilation, and air conditioning (HVAC) systems to control our environment. Make sure that the HVAC in the server room is such that it stays cool. Ideally, you should have a relatively cool temperature and 50% humidity. So the humidity should ideally be in the high 60s, low 70s, and 50%. Because if it’s too dry, you build up static electricity. Now if it’s too wet, you know, then moisture will accumulate. Also, how do we drain stuff? And what kind of piping? I mean, do we have water piping going right along here in the ceiling? I’ve been at conferences where heavy rains have started to leak and the water is dripping down. On top of all that, a floor full of live computers So then they basically just hang up big tarps, and these things are heavy with water. And we joke like, “Oh, if the rope broke, it would just come down in this deluge on top of live computers.” So we have to be aware of that. Also, the lighting professionals realise that lighting will generate heat unless it’s a cool type of lighting. And lighting will generate electromagnetic noise as well. So you need to keep your cables away from it. What alarms do we have?
And the control panels for the alarms—we want to look at those. We want to look at the power in the computer room. If you’re going to have a computer room, your power needs are going to be much higher than just your average office. You have to actually get with the electrician and say, “We’re going to need 60 amps, 100 amps, 200 amps, or whatever, just for this room alone.” And so you need to actually start increasing your power consumption needs. And is it adequate? I’ve been at plenty of locations where they just ran extension cords and wondered why they kept tripping breakers or why the surge protectors, the breakers, and the surge protectors would keep tripping because we didn’t calculate the amount of power consumption. And also, where is the computer room located, and what fire prevention and detection do we have in a computer room? You’re not going to have a sprinkler system. You’re going to have some kind of oxygen displacement system. In the old days, we used halon. Now we have halon substitutes that basically, if the fire detector notices the fire, will set off a system that basically expands out gas really quickly from a tank and displaces all the oxygen. Now I’ve been at locations where they did that. It sounds like a hurricane in the next room. You probably don’t want to be in there because the gas will be something you can’t breathe. But anyway, what do we have to suppress fire in a computer room?
So, when it comes to environmental controls, we want to make sure that the computer room is checked for the presence of water, dust, heat levels, temperature levels, smoke detectors, and, of course, fire extinguishers. With electrical equipment, you never use a water-based extinguisher. You always use something that is made for electrical equipment. We want to check the fire suppression and detection systems and make sure that we have fireproof structures. Sometimes in the ceilings, they’ll have fire breaks, basically to help control the fire going through. Heavy doors will be installed to help control the fire that passes through them. Make sure that we have good surge protection in place and that the conditions in the room—the humidity, the temperature, etc.—are optimal for the machines. So these are all the things we have to look at as an IS auditor. When we look at the physical environment and the environmental controls, the next thing we’ll talk about is network security devices.
14. Network Security Devices and Network Components
You “Well ht say, well, ifit, sec does it, why L2TP?” Sometimes you just want L2TP to sign or encapsulate something without necessarily encrypting it. ven encrypt situations, n situations we that. May bet. Like maybe we want to send that’s notng -hat’snon IP based a network. IP network. And then a very these mday sow these da SSL-is using- SSL oVPNs. It’s a much higher-level protocol that encrypts your content, or payload, using SSL and TLS web-based technology. our payload. So these are very common securhere. ethods here. SecuriTheProtocol the idea of translaimightPmake you wonder: might think, how does translating an IP act as security Well, the way it works is that if I have a hidden private address that’s being translated, nobody out there knows my true address. And so I’m kind of hidden. So it’s sort of a simple security mechanism. So the next thing we’re going to talk about is a little bit more about how these things work. and we’ll look at some diagrams.
15. Network Address Translation
Now for the physical. And this is where a lot of just looking around and common sense can come in handy. Look at all of the physical grounds when you’re auditing. Look for opportunities for unauthorised entrance, sidedoors being propped open, or maybe a common restroom in a building. I can climb up into the ceiling and then come down into a secured area, looking for all the possibilities. Or perhaps a window that could be easily broken in order to gain entry. I mean, we’ve certainly had that, where we come in one morning and a window is broken, and now we’re looking for stuff that’s missing. But it’s not just access to your systems. It could also just be looking for ways to damage things or looking at damage that happens, vandalism, or theft. So do we have the cameras? Do we have the lighting? Do we have a high enough fence? Do we have the guard’s presence?
Or are we just in a place where that kind of activity is discouraged? And also, what kind of physical access do folks have to any sensitive data? I mean, I’ve walked into places where a server was sitting underneath a receptionist desk. In fact, I’ve been at a place where five servers were under a receptionist’s desk, and it was like, “What are you doing?” So lots of folks do that because maybe they don’t have a dedicated server room in a smaller environment or because a particular department or remote office doesn’t have it. Or maybe there’s no environmental control in the server room. It’s getting too hot.
So they moved the servers out. You’ve got to watch out for that kind of thing. I’ve gone into a brand new building where, yes, this was designated to be the server room, but they didn’t account for just how much heat was being generated. And so they had to move the servers out because the room was so hot and there wasn’t enough AC there. So it’s not just access to servers, data, and sensitive information, but also what kinds of threats your users face. So you can even think a little farther. You can think like, “Can people get access to things where they can embezzle or find out sensitive stuff from blackmailing people?”
So you’re going to be looking for all kinds of opportunities there. When you mention physical access, we can imagine using a card to gain entry. Actually, in this case, we have two things. The card is usually just swiped, and the door unlocks. But we can also see that there’s a keypad there that we can punch in a code to get in as well. And when people have this kind of entry control, make sure that people aren’t piggybacking behind the person.Five people enter after one person swipes their card. So when you’re looking for physical access control, look for all the very typical things. Are the doors locked? Are they closed? Is there any way to get around the doors? Climb through the ceiling, through the floor, or something along those lines? Are we logging people’s coming and going? Visitors? Do visitors have to be escorted with badges?
What kind of identification systems do we have? Do we have cameras to extend the guard’s presence? And do we have guards? Do we need guards? And then what kinds of personnel do we have? Like if we have companies come and destroy documents, carry our backup tapes, or store our documents offsite in another location, are they bonded, and then do we have man traps and dead man doors? So the idea then is that you enter one door and are stuck in a small area, and when the first door closes, only then does the second door open. I actually have a humorous story about that. This one, actually. I’m not going to name the organization, even though a high-ranking official wanted to bring in his favourite chair and did so at night when no one was around. However, the chair was large and heavy enough that the man trap mistook it for two people.
And this guy was locked in there with his chair until someone came along hours later. So the concept of the man trapper, the dead man door, and then what physical barriers, lighting, and alarm systems do we have? So be looking for all of these kinds of physical access controls. Users also need to understand their own responsibilities. And this is part of the care and diligence required to train users so that they understand their responsibilities. It’s not enough to just say, “Hey, security is your responsibility.” You’ve got to train them what to look for. And it’s not enough just to say there’s suspicious activity. They may know obvious things like someone breaking in, but they may not know something that’s a little more subtle. So you need to make sure users understand their responsibilities in terms of more than just physical access.
And 20 of us don’t come in on one person’s badge, but also on system access or device access, because people are very often faked into thinking that somebody who’s acting official, wearing a logo t-shirt, acting like they know what they’re doing, is an official person. and they might not be. So you’ve got to make sure users know this. And as an IS auditor, I will randomly sample and ask people, “If you see this kind of situation, what do you do?” So for securing information systems facilities, there are all kinds of locations that you need to physically secure. Not only the server room, but also the area where developers are programming or running systems, operators are running like mainframes, storage facilities, offsite backup locations, disposal sites, and any kind of communications closet will need to be secured. I mean, like I’ve said before, I came in one time, and the telco room was propped open on a Sunday by a ladder, and no one was around.
And, of course, all the hardware, the local area network, all the power sources, and the cables. So look for all of these places where there could be a vulnerability or where someone could sneak in some kind of equipment or sneak out some kind of equipment. I was at this one place. Yeah, they had a guard at the front door and nobody at the back door. Anybody could go out the back door just by pushing open the door, and there was nobody there. So you have to be thinking of all possible entry and exit points and all places where any of the IS equipment might be, including the infrastructure for monitoring physical access. We can have intrusion detection, we can have surveillance, and we can have entry security systems that log people in when they type in a code, itlogs in that code that time.You’ll probably want to be looking at those logs when you are auditing for physical security.
So when we are evaluating the design, implementation, and monitoring of physical access controls, some of the things we need to look at are: We need to tour the whole facility and see where everything is. Where are the printers, where are the doors, where are the servers, where is the telecom, and where are the telco codes down in the basement? Where is the stuff that is in and out of your control? We need to tour all the off-site locations. Where do you store things? Where are the branch offices? We need to look at all these things. Now, of course, it does depend on the scope that was determined by the charter, but within that scope, you need to tour everything and take a look at everything. We need to review all the physical access and ask people, “Is this door open all the time or how are people getting in?” We need to test these controls. Let’s actually test it. I went to a place where you had to press a certain keystroke, but if you pushed hard enough, the doors just popped open because of the way they were.
So, there was this key thing here, but I could just push it open. So, I mean, you have to test these things. You’ll have to look at all their documentation and all their logs and review the whole physical environment surrounding it. Yeah, your dumpsters are out there. But did you guys know that you’re throwing out sensitive documents that aren’t shredded there? Or the door to the loading dock is wide open, and by the way, people are sitting with their backs to a window and walking by, or, with a pair of binoculars, I can look straight at their computer screen. So you want to look at all of these possible things. when you’re evaluating physical security. The next thing we’ll talk about is environmental security.
16. Virtual Private Networks
So we talked about network address translation and how it allows us to reuse private addresses, conserve public addresses, and kind of hide from the world’s security through obscurity. And it also helps protect us because if there’s no translation in the router’s or firewall’s table, then it becomes very hard for someone from the outside to get into the inside. Let’s talk now about virtual private networks, or VPNs. Many people, including myself, work while travelling or from home; we work from a hotel, an airport, a coffee shop, or a hotspot. And we don’t want to just make a phone call and pay by the minute through a dial-up modem to connect to the corporate network. I mean, back in the old days, that’s what we had to do. I remember back in the 80s that there was a bank and a branch office, and they paid for a Pact then, which was a very high-speed modem, and they ganged up several modems together to multiplex the data, to divide the data up across several lines.
But it was slow, and they paid to leave that data line, that phone line, and that phone call running with, like, four lines multiplexed together day and night. Can you imagine a long-distance phone call with four lines, all day and all night, just so they could have a constant connection? The days of making a dial-up connection are over. I mean, that’s how we used to access the Internet and bulletin board services. But that’s way too expensive, even in today’s day and age. So it’s far better now to just use your Internet connection. But anything can happen on the Internet. It’s completely unsecured. It is the public network. So when you send your traffic, you want to protect it somehow. You should usually digitally sign it, encrypt it, and sometimes hide it inside another package. And so the idea with a VPN is that I, a mobile user, go through the Internet using an encrypted tunnel, wherever I am.
Now, a tunnel is just a fancy word for hiding my traffic inside and outside of a package. So, like, I’ll have my normal packet like this, and this is my data, and it has the usual header information with the IP address and the TCP sequence number and basically just information to get my data from one point to another. And what we’ll do is encrypt the whole thing and put yet another header on it. So we’re basically concealing it in an entire outer envelope. And this is the concept of an encrypted tunnel. I mean, you’re not actually driving through a tunnel; you’re basically hiding a packet inside of another packet and sending it across an open network. It means, of course, that when you get to your organisation’s network, there has to be something at the other end, and it can be a VPN server. It can be your router, or it can be a firewall that receives this, tears off the outer wrapper, decrypts all of this, and then sends it on into the network wherever its destination is. So, in this diagram, I have someone connecting to, say, corporate land.
They’re going through the internet; their connection is encrypted and hidden inside something else. The VPN server then tears off the outer wrapper, decrypts, and logs the person on against a domain controller, which is basically an authentication server. The term “domain controller” is a Microsoft term. And then the user just connects to the database, emails the file server, or whatever server or thing they’re trying to connect to. So that’s a very typical VPN. When we take a look at a typical packet, that’s your traffic, and your traffic goes out in a series of packets, not unlike cars going down a highway. But the packets are not limited in length; they’re limited in time. So it’s actually like a transmission—a packet is a transmission burst that stops, and another packet is another transmission burst that stops—as opposed to like little cars going down a freeway. But we’ll use the car analogy because it’s similar.
We’ll typically have the actual data itself, whatever the data is—my email client requesting email, my web browser requesting a web page, whatever it is—and then, looking in a very simplistic manner, my data will typically have something put in front of it, a little bit of data put in front of it. We call it a header. and in most connections, not all, and it’s beyond the scope of this class to get too deep in the networking. But you should be aware, from a security perspective, that in most cases, we use a protocol called TCP. And TCP sets up the connection; it makes sure no pieces get lost and retransmits if it needs to. And it tells both sides to speed up or slow down, or actually provides a mechanism for the two sides to tell each other they can speed up or slow down. And that information is stored in the TCP header right here. And then, this TCP header basically says, “What piece of this data is this in?” in a long data stream. So this is packet number one, number two, and number three.
In front of that is another little header, the IP header, which basically has the address of where this thing is headed and where it is coming from. And so the IP header is what the routers use to decide, “Okay, send it this way, send it that way, send it this way, send it that way.” So here’s your typical unencrypted data packet right here. And there are more headers. There’s a header for whatever the medium is, like an Ethernet header, a frame relay header, or whatever. But I’m just looking kind of in general in terms of a VPN now. What will happen when you create a VPN is usually that you encrypt the data payload so that you can’t really see what’s inside anymore. And you will typically digitally sign either or both the TCP header and the IP header. Some VPN protocols don’t digitally sign, like PPTP; some do, like IPsec and L two TP.
This is a basic VPN packet. Or you can get fancier and encrypt the data, the TCP header, and the IP header, digitally signing one, or you can put on a whole other protocol header for the VPN and a whole new IP header. In other words, you’re hiding your old packet inside a whole new package, and everything inside, including the destination, is all encrypted. So nobody knows what the final destination of this thing is. Now, like I said, when all this makes it to the VPN server, the VPN server is going to tear off the VPN header, and the outside IP header will decrypt everything so that you’re back to this. So here’s a simple view of a VPN packet or a packet in a VPN. Here is a little fancier view, which typically is what happens, and all of this is torn off when we finally get to the end. So that is the concept of using a virtual private network as an IS auditor. It is your responsibility to determine whether or not they use VPNs, what protocol they use, how strong their encryption is, and how strong their authentication is.
Because when you make a connection to a VPN server, either you, the user, or your computer—or both—have to prove your identity before the VPN server will even accept you. And then you also have to look around and say, “Okay, is anything sneaking in that shouldn’t be in there?” Because even VPN protocols have their own weaknesses, and VPN servers, depending on the product and the implementation, have their own weaknesses. So when you do a vulnerability scan, you can scan your VPN server to see if it’s doing things it shouldn’t be. Is it running with too many ports open that it shouldn’t be? And your vulnerability scan will help show that up. So the next thing we’re going to talk about is the vulnerabilities of a phone system, both voice over IP and a traditional phone.
17. Voice System Risks
Let’s talk from a security perspective about the risks to our voice systems. I mean, in the old days, we had the analogue telephone, and there was such a thing as wiretapping, right? Most phone systems nowadays are actually truly digital. And then we have something that’s really, really digital called voice over IP. And as an IS auditor, we need to be aware of the risks. And there are vulnerability scans and checks we can do for voice-activated phones. Once upon a time, an office would have one phone number, 1805, 51212, or whatever the phone number was. And yet there would be ten salespeople and different departments. And when a phone call would come in, there’d be a box right there connected to the phone line. And this box was the private branch exchange, the PBX, and the box would then go to the different extensions. And so when you’d come in, you’d make a phone call.
The PBX would hold you. And then you’d hear this autoattendant say, “For sales, dial one.” For help, dial 2-something. And then they’d press a number. And the PBX would then make a connection over here. And it would basically route the call to whatever internal department it was directed to. Or if you know the extension of the party you’re trying to reach, please dial it now, and it will route the call. So we’d have one public phone number, and we’d have all these little extensions inside. That was the purpose of the PBX. Rather than let everybody have their own phone number, we still have that. But we now also have a new implementation of that. So let’s talk a little bit about the role of PBXs as well as the role of voice over IP. Now, Voice over IP, or sometimes called VoIP, is a way, actually, of taking advantage of your existing network infrastructure and doing away with your old phone lines and using your existing network infrastructure to have voice calls. I’m currently generating audio as I speak. And as I speak, my speech can be broken down into the smallest units called a phoneme.
It takes four IP packets to carry the smallest unit of sound. A phoneme. Four IP packets So what happens is that my voice comes into my headset, my voice phone, whatever. And there’s some software or hardware that will take my voice sound waves and chop them up and sample them at a certain rate, not unlike how we sample stuff that goes on a music CD. It’s very, very similar; in fact, it samples it and captures it as digital information. And these samples are then placed as payloads in IP packets. And so then the IP packets are sent along a regular network to a VoIP PBX, and then they’re sent out to wherever they’re sent. Obviously, this can create some security risks. We’re going to talk about this in just a few seconds.
So let’s talk about the old-style PBX and VoIP and how we will integrate the two. Here is a diagram of a typical integrated system. I have the Internet here. I have the PSTN, or public switched telephone network, sometimes called the POTS, the plain old telephone system. This is the regular phone system. And then I have the Internet. And then I have a company LAN here. Now, regular telephones—and forgive the image of the old-style telephone—regular telephones connect to the PSTN, and at the company side, the PBX is connected to the PSTN. And then you have different telephones going to sales in the different departments with different extensions. Also connecting to the PSTN is the IP PBX. And what that will do is take a VoIP phone that looks like this and make it look like a fancy phone. But the cool thing about the VoIP phones is that most of them have a little display, so you can see who’s calling and what room number they’re in. I was at this hotel, and it was really cool.
A colleague of mine was calling from another room. I could see her name, I could see the room number, and I could see information about the call right there on this little display right here. Otherwise, it acted and sounded just like a normal phone. But my audio is actually not going through a regular voice circuit. It’s progressing as IP packets like this. So we can use the existing infrastructure. Now, in reality, you’re probably dedicating virtual lanes or switches specifically to voice traffic because voice traffic is critical. It’s real time. You don’t want to mix it in with file downloads and emails and this and that. Because then the voice will get lost. There will be big delays, it will get all choppy, there’ll be jitter, which is variable delay, things will be lost, and the sound quality will be terrible. But nonetheless, we still use a network that is typically dedicated in terms of a virtual land. We still use our IP infrastructure to send our voice calls.
You can well imagine the risk of simply sending voice traffic across a common network if you don’t encrypt every one of these. I can very easily sneak in some little device to sniff or pick up that traffic, reassemble the voice, and listen to your phone call. And it doesn’t take much searching on the Internet to hear examples of it and see tools that you can use to do that. Most voiceover IP products will now encrypt everything, so it’s much harder to sniff that. But the original voice-over-IP protocols never had encryption built into them. It was something that was bolted on afterwards. So, while we use voice over IP for convenience and can replace our ageing phone system with our network infrastructure, we must also consider performance, keeping it separate from other types of traffic, giving it always high priority, and encrypting it so that it cannot be sniffed even within our own internal network.
So these are the risks here. Of course, you can now send voice over IP out through your firewall into the internet and have it received by someone else. I just want to make a comment right now. If you choose to send voice over IP over the internet, you will experience significant packet loss due to the complexity of the Internet and router congestion, among other factors. You can expect the call quality to be very poor if you use the Internet. I know that many businesses want to use the internet so that they don’t have to pay for a dedicated line from here to there. You can expect a 20% packet loss. And I gotta tell you, from a human listening perspective, we notice at 1% that there are all kinds of packet loss concealment techniques to make up for that, but you can expect choppy calls, poor quality, and you can also expect huge amounts. Of latency, anyone who has ever used a headset to make a Skype call, which is a VoIP product, knows that it’s a free VoIP product where you just use a headset and use your computer to digitise your voice and send it. Anyone who’s ever done that knows that at any given moment, the call quality can be poor because you never know what’s happening to your packets as they go across the internet.
So just realise that there can be performance issues, but businesses still like to use it because you save so much money. Also, not only will there be performance issues, but there are going to be security issues as well. You’ve got to make sure that it’s encrypted, and those are the performance issues. So these are all risks of integrating voiceover IP with a regular phone system in your company. However, the PBX is also at risk because it is a box that can be dialled into from an administrative standpoint. They can call the PBX itself to configure it, not some salesperson or admin person, just like your vendor.
So many people leave those PBXs in their default configuration. It doesn’t take much searching on the Internet to figure out default passwords and default codes to get into these things. And I mean, I’ve even seen financial institutions that had their PBXes hacked. Now, ordinarily, what people do is if they hack your PBX, what they generally do is bounce their long-distance international phone calls through your system, and then suddenly you’re stuck with the bill. So it tends to be more of that inconvenience as opposed to true security breaches. But still, if I can hack the PBX there, I can possibly listen in on people’s calls. So there are all kinds of risks there. So the PBX, just like any other device, has to be locked down, with no default passwords changed and nothing left open. Unless it’s really needed. And that’s the way we harden all devices. Now, with voice communications, we have all kinds of vulnerabilities. So, for example, a war dialer There are plenty of automated tools. It takes very little searching on the internet to get these tools and to get a complete video tutorial on how to use them, which will just automatically dial numbers until it finds one that answers and will automatically try to break in.
So we have this concept of “war dialing,” where we’re just automatically dialling numbers with a hacking tool, trying to find one that we can break into, or we have default system settings on the PBX, or we can physically get in. Remember my story about when we were working in a phone room and somebody was there before us and broke the wiring, and we had to find another wire pair to connect the telephone and voice over? IP itself has its risks because you’re sending IP packets across a common network; even if it’s a dedicated network, it’s still a network that can be tapped into and sniffed. And then, of course, you have mobile devices—you have smartphones as well as these little cell phones here. All mobile devices have a risk because, when you’re using a smartphone or a mobile device, it is basically connecting via radio wave. At that point, who knows who’s listening in?
So you’ve got to encrypt this, you’ve got to make sure there are authenticated connections, and you just can’t send things in clear text. And there are always newer and newer hacking tools being released to break into these things, to find vulnerabilities, to find default settings, to basically break in, either to listen in on phone calls or to get contact lists off of phones. In fact, not too long ago, there was a highly publicised news story about a well-known public figure, a well-known celebrity (I’m not going to name the person who basically had her cell phone hacked and her whole contact list stolen). So we have to be aware of all of these things. And again, like I said, go to Sans.org or one of these places and look for the top vulnerability threats and tools that will help you scan and look for the open vulnerabilities on your mobile devices, on your VoIP system, and also on your PBX, your regular PSTN system. So the next thing we’re going to talk about is intrusion detection.
18. Intrusion Detection
We’ve talked about VoIP; let’s talk a little bit more about intrusion detection. We know that intrusion detection is basically surveillance cameras on your network, but it can be more than that. There are many, many intrusion detection tools. Some are free, some are paid, and some are highly sophisticated. The whole idea of intrusion detection is that you can’t monitor the network all the time. So I need devices that are out there, monitoring and logging all the traffic that goes by.
Remember, I had said before that for intrusion detection, I’d put my surveillance cameras, which are basically my sensors, in key locations around the network. I’ll put them right by the firewall, right by the VPN server, right by the servers, and right by the VoIP PBX. I’ll put it in all key locations—key entry and exit points—and put it right by wireless access points, basically, so I can monitor the important traffic. It’s just kind of like in a metropolitan area, where you’ll see that they’ll have cameras around key intersections on the city streets. You don’t put it in a neighborhood; you probably don’t put an ID where the less important but centrally important traffic is, such as some workstations. You probably don’t put an ID there unless you can afford to put it everywhere, but you put it in the key locations. Now we know that the sensors have been placed. These are basically little cameras that capture and log, and they’re controlled by a central console unless they’re individually configured. But usually, it’s a central console that tells them what to look for, and you as an admin will configure what you want the IDs to look for. So these things are watching all the traffic as it goes by for signs of attack, and they’re logging it. And if it’s intrusion prevention, they are then reporting it.
And possibly the console is telling the firewall to reconfigure itself to stop the traffic. But IDs don’t have to be just network-based. They can also be “host-based,” meaning that you can have network-based IDs where you place sensors around the network in key locations and they report to a central console. However, on individual servers, host-based IDs can be used to monitor what’s going on within the server. See, a network-based ID does not care what goes on inside a server. It doesn’t care if people are altering files, deleting things, or changing passwords. It doesn’t care or know about that. It cares about traffic out on the street, so to speak. A host-based ID doesn’t care that someone is scanning a server’s port. It matters that somebody just deleted a file, somebody just changed the operating system, somebody just changed a security policy in the operating system, and somebody just changed an administrator’s password. That’s what a host-based ID does. So if you’re going to have a comprehensive intrusion detection system, you’ll have both network-based and, on key machines, host-based detection. And there are a whole bunch of products. Some are free, some are paid, and some are better than others. Some of them, when you install them, are pretty much impossible to take off. and that’s by design. So then you can look at the logs and see, okay, what’s been going on. Some host-based IDs forward their logs to another location, essentially putting them in a secure location. Even if the hacker compromises that one box, the log has already been moved to an unknown location. And even if you can figure it out, you can’t get to that server. That server won’t allow the connection. So you can have two approaches to intrusion detection, and as an assistant, you want to look and see, okay, what is intrusion detection? Intrusion prevention. Is it network-based or host-based? Both: what did you install the host based on? Where did you put the sensors that are network-based, and where’s the console? And let me see your logs. So we’re monitoring what’s going on in traffic, and we’re monitoring what’s going on on key servers with intrusion detection. The next thing we’re going to talk about is different kinds of firewalls and firewall implementations.