Security of Unified Collaboration Tools
par Dinara Kozhamzharova
1. Instant Messaging
2. Desktop Sharing
2.1. Always use the latest version of the products.
2.2. Install all updates.
2.3. If the solution will only be used in a LAN, block the port number used by the solution at the network perimeter.
2.4. For mobile users, disable automatic listening on the device. This will prevent an open port in an untrusted network.
2.5. Regularly review security logs for evidence of port scans.
2.6. Secure access to configuration files used by the solution. Implement encryption.
2.7. Control administrative access to the solution.
2.8. Ensure logging settings that establish an audit trail.
2.9. Train users on its proper usage.
2.10. Remove the software from computers on which it should never be used, such as secure servers.
2.11. Implement policies to prevent its installation unless administrative approval is given.
3. Remote Assistance
3.1. Always use the level of encryption required by your industry.
3.2. Many remote assistance tools do not provide sufficient auditing capabilities, which are critical in industries like banking and healthcare. If auditing is an issue in your industry, choose a product with the ability to capture the detail you require for legal purposes.
3.3. Limited access control
3.4. Consider crafting a standard message that a user sees and must acknowledge before allowing the connection, stating the extent of liability on your part for issues that may arise after the remote session.
4. Email
4.1. It uses three standard messaging protocols. Each of them can be run over SSL to create a secure communication channel. When they are run over SSL, the port numbers used are different. Here are the 3 protocols:
4.1.1. Internet Message Access Protocol (IMAP) is an application layer protocol used on a client to retrieve email from a server.IMAP4 allows a user to download a copy and leave a copy on the server. IMAP4 uses port 143. A secure version also exists, IMAPS (IMAP over SSL), and it uses port 993.
4.1.2. Post Office Protocol (POP) It allows for downloading messages only and does not allow the additional functionality provided by IMAP4. POP3 uses port 110. A secure version that runs over SSL is also available; it uses port 995.
4.1.3. POP and IMAP are client email protocols used for retrieving email, but when email servers are talking to each other, they use Simple Mail Transfer Protocol (SMTP), a standard application layer protocol. This is also the protocol used by clients to send email. SMTP uses port 25, and when it runs over SSL, it uses port 465.
5. VoIP
5.1. Physically separate the phone and data networks.
5.2. Secure all management interfaces on infrastructure devices (for example, switches, routers, gateways).
5.3. In high-security environments, use some version of a secure phone (to provide end-to-end encryption).
5.4. Deploy network address translation (NAT) to hide the true IP addresses of the phones.
5.5. Maintain the latest patches for operating system and VoIP applications.
5.6. Disable any unnecessary services or features.
5.7. To prevent performance issues, especially during DoS attacks on the network, employ 802.11e to provide QoS for the VoIP packets when they traverse a wireless segment, just as you would provide QoS on all wired segments.
5.8. Ensure that the SIP servers, which are the servers responsible for creating voice and video sessions, are protected by a firewall.
6. Cloud-Based Collaboration
6.1. Ensure that you completely understand the respective security responsibilities of the vendor and your organization.
6.2. If handling sensitive information, ensure that either the vendor is providing encryption or that you send data through an encryption proxy before it is sent to the provider.
6.3. Require strong authentication on the collaboration site. If the vendor also provides data loss prevention (DLP) services, strongly consider using these services.
6.4. When databases are also in use, consider implementing database activity monitoring (DAM).
7. Dial-up
7.1. A dial-up connection uses the public switched telephone network (PSTN).Have the remote access server call back the initiating caller at a preset number.
7.2. Do not allow call forwarding as this can be used to thwart this security measure.
7.3. Set modems to answer after a set number of rings to thwart war dialers. These are automated programs that dial numbers until a modem signal is detected.
7.4. Consolidate the modems in one place for physical security and disable modems that are not in use.
7.5. Use the strongest possible authentication mechanisms.
8. BYOD
8.1. Create BYOD policies
8.2. Identify the allowed uses of personal devices on the corporate network.
8.3. Create a list of allowed applications on the devices and design a method of preventing the installation of applications not on the list (for example, software restriction policies).
8.4. Ensure that high levels of management are on board and supportive.
8.5. Train users in the new policies.
9. Web Conferencing
9.1. Take ownership of the process of selecting the web conferencing solution.
9.2. Ensure that the underlying network itself is secured.
9.3. Disable or strongly audit read/write desktop mode, if supported by the product. This mode allows other meeting participants to access the host desktop.
9.4. Execute nondisclosure documents covering conferences that disclose confidential material or intellectual property.
9.5. Ensure that unique passwords are generated for each conference to prevent reuse of passwords for inappropriately attending conferences.
9.6. Consider requiring a VPN connection to the company network to attend conferences.
9.7. Define a process for selecting the product and using the product.The following four steps should be completed:
9.7.1. 1. Define the allowed uses of the solution.
9.7.2. 2. Identify security needs before selecting the product.
9.7.3. 3. Ensure that usage scenarios and security needs are built into the request for proposal (RFP).
9.7.4. 4. Include security practitioners in the planning and decisionmaking process.