|
“Security is a process, not a goal” is a mantra often repeated by security professionals, for good reason.
It encapsulates the fact that security is never really “done”. In a constantly changing world, security risks are also in a continuous state of flux. With the implementation of the 2005 Transformational Government Strategy, and its core reliance on ICT, the challenges in deploying, managing and securing new systems and technologies are probably greater than ever before. This shouldn’t mean that legacy systems and older technologies are neglected. Unfortunately, in our general experience, the increased workload that such large changes place on key staff makes this neglect almost inevitable where remote access by modem is concerned.
In some respects, the oversight is understandable. With the widespread adoption of both broadband Internet connectivity and VoIP telephony, organisations increasingly consider modems irrelevant. For some roles this perception undoubtedly holds true. Remote end-user access to ICT systems is far more likely to be via a secure VPN Internet gateway than a dial-up RAS device, for example. However, this view is really based on a misconception of the role that modems continue to play. In many technical support roles, remote dial-in modem access is not only prevalent, but also essential.
To see why this should be so, it’s important to understand the changing landscapes of both technology and systems management. Technologically, commoditisation of computers has had an impact far beyond ICT, permeating all levels of infrastructure. For instance, network multifunction printers nowadays contain microprocessors, hard disk drives and run complex operating systems. Similarly, VoIP telephone systems are built around mainstream computer hardware, running mainstream operating systems (Windows, Linux & Unix). These examples are fairly obvious, but computerisation extends far deeper: encompassing heating & ventilation controls, power management/monitoring & backup, building access controls, voicemail systems, authentication servers... right through to network infrastructure itself.
Computerisation confers tremendous benefits. Vendors can substantially reduce development costs using cheap, off-the-shelf parts and readily available, low-cost software. Customers reap dual benefits of greater functionality and lower capital cost. However, when calculating total cost of ownership (TCO), ongoing support and maintenance costs are usually touted as the largest contributing factor. (Hence the pressure to outsource these activities.) Adding a modem to an already computerised device costs vendors little, yet this small modification has a potentially huge impact on lowering TCO. A modem enables remote maintenance, offering the potential for both more responsive and more cost-effective management. For devices that are not network-attached or that form part of the network infrastructure, or for inflexible legacy ICT systems, modems may present the only viable remote management solution.
From this assessment, it is probably unsurprising that in most organisations we continue to find 1 - 1.5% of all telephone lines configured for dial-in modem access. This figure remains remarkably constant, irrespective of organisation size or sector. So, balancing the cost and service benefits of modem access, what are the concerns?
To answer that, it’s necessary to consider modem access in a wider security context. The Information Security triumvirate is typically expressed as:
- confidentiality (prevention of unauthorised information disclosure)
- integrity (prevention of unauthorised modification)
- availability
Organisations invest considerable resources, using defence-in-depth to achieve these goals: firewalls control ingress and egress to prevent unauthorised network access; intrusion detection/prevention systems (IDS/IPS) detect and react to suspicious activity both within the network (network-based) and on specific ICT systems (host-based).
The issue with modems is that they subvert these protection mechanisms. Firewalls and network-based IDS/IPS act at a network level, whereas modems provide direct external access through the telephone system, not the network. Similarly, host-based IDS/IPS are largely unavailable for the myriad of computerised infrastructure devices. Given the broad and vital roles these devices play, compromising their security can have a significant impact on the cornerstone of availability.
The security ramifications of a successful attack on an infrastructure device can be wider still. Although these devices are regarded as appliances, this is fundamentally no more than a marketing convenience: “appliance” implies “fit-and-forget”. However, by running mainstream operating systems, they are subject to identical software bugs and security flaws... offering the determined hacker a platform from which to propagate attacks further. Consider for a moment a typical VoIP telephone system. It may run Linux, almost certainly has a built-in modem for remote access, but also (by definition) has a direct connection to the network...
The news isn’t all bad, however. Modems are perfectly capable of supporting remote management cost-effectively and securely, with the proviso that they must be properly configured, managed and monitored.
Xiscan specialises in assisting organisations to quantify and manage modem security issues. We offer a range of telephony/modem scanning products and services, backed by our own toolset. With audit experience encompassing well over a million calls, our client base covers Government, Banking & Finance, Utility and Retail sectors.
For more information Tel: 0870 011 8075
Web: www.xiscan.com |