Over the past few years, businesses and consumers alike began widely using many multimedia collaboration technologies to help them communicate with colleagues, friends and customers around the world in real-time and by a variety of methods including text, voice and face-to-face. While these technologies do provide powerful communications tools, security professionals must ensure that the technologies used in their organizations provide adequate security controls.
- [Mike] Over the past few years, businesses and consumers alike, began widely using many multimedia collaboration technologies to help them better communicate with colleagues, friends and customers around the world, in real time, and by a variety of methods, including text, voice and face-to-face. While these technologies do provide powerful communications tools, security professionals must ensure that the technologies used in their organizations provide adequate security controls.
The most basic form of multimedia collaboration began with the instant messaging protocols popular in the 1990s. Services like AOL Instant Messenger allowed simple, text-based communications in real time with anyone else using the service around the world. These services quickly found their way into the workplace because of their convenience and they soon added other multimedia capabilities such as the ability to send pictures and video. However, these services also raised a variety of concerns for security professionals.
The service might have been convenient, but it was also completely outside the control of the IT department and often did not include basic security controls to protect against eavesdropping, impersonation and other attacks. In response, IT departments began to build private instant messaging systems that either ran on top of an existing telephony solution or used a dedicated messaging server hosted by the IT department. The open-source community developed a protocol called the Extensible Messaging and Presence Protocol, XMPP, to allow a standard technology for this type of communication.
At the same time, messaging via the cellular network's Short Message Service or SMS also rose in popularity. This is the service that the world commonly knows as text messaging. It's a very convenient way to send a message to any telephone number, but it has some significant security flaws. First, SMS does not use encryption and messages sent by SMS are vulnerable to eavesdropping. Second, SMS does not provide any type of strong authentication mechanism.
This makes it very easy to spoof an SMS message, making it appear to come from a different sender. In an effort to compensate for the weaknesses of SMS, third-party applications are springing up that provide stronger security controls. For example, Apple's iMessage technology allows communication between Apple device users in a manner that provides end-to-end encryption, where even Apple can't read the contents of the communication. Other applications such as WhatsApp and Signal also provide strong encryption capabilities.
Multimedia collaboration has grown beyond the exchange of text messages to include pictures and video. Most people now have some ability to communicate in real time via face-to-face video conferencing. Apple's FaceTime technology puts this capability in the hands of consumers and makes it easy to engage in secure, encrypted video conferencing between Apple devices. Companies also often use more sophisticated video conferencing services to facilitate communications among employees, customers and business partners.
These technologies make it easy to connect to a shared conference from a specialized video conferencing room or even a smartphone used by a traveler on the road. In any case, security professionals should ensure that these technologies use strong encryption to protect the confidentiality of communications while they travel over networks. Let's take a look at how this is done in the video conferencing software that I typically use, Zoom. The process is very similar for other major packages that support encryption.
I just go in here and click on Meeting Settings, scroll through all the various settings that are available and then I notice the Security settings. You'll notice here I have this green check mark indicating that I'm already using end-to-end encryption by default for all of my meetings. If I wanted to change this, I could just click the Edit button and uncheck or check the box and save the changes. There are also many other settings here that I could enable, based upon my particular requirements. In addition to encryption, security teams should ensure that video conferences include appropriate access controls to limit their use to authorized individuals.
Only employees should be able to begin a video conference, especially when the service incurs charges for each use. Participant access controls will depend upon the nature of each conference. Some video conferences may be intentionally open to the public, while others may require passcodes or stronger authentication techniques to protect private conferences.
Learn about communication and networking best practices, including TCP/IP networking, network security devices, and secure network design and management. Instructor and cybersecurity expert Mike Chapple also includes coverage of converged protocols, network encryption, and wireless networking. You can find Mike's companion study books for this series at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- IP addressing
- Switches and routers
- Content distribution networks
- Designing secure networks
- Specialized networking
- Managing secure networks
- Working with virtualized networks like SDNs
- Detecting and preventing network attaches
- Transport encryption
- Wireless networking
- Host security