Secure communication channels: What you need to know for the CISSP exam

February 14, 2025 by Graeme Messina

Communication channels can be thought of as the means of transmitting information between devices and users on a network. The rate at which mobile technologies have been adopted in recent years has led to much greater intercommunication between different types of devices. The standard by which these devices connect with one another is called a unified information and communications system and is widely seen as a good thing thanks to its ease of use and setup for many different classes of devices. 

The problem with this standard is that it also opens up more opportunities for attackers to exploit security weaknesses via popular technologies such as: 

  • Voice, video and collaboration 
  • Remote access 
  • Data communications 
  • Third-party connectivity 

We will take a look at each of these attack vectors and see what precautions organizations need to take to secure devices on their networks. Understanding these concepts will help you to prepare for your CISSP exam, as these topics are covered in Domain 4.3 of the exam outline. 

For more CISSP exam tips, get our free CISSP exam tips and tricks ebook, or watch our free one-hour CISSP exam tips course with an instructor whose students have a 95% pass rate. 


Voice, video and collaboration 

We’ll discuss voice, video and collaboration separately. 

Voice 

Voice communication covers many different technologies, which means that you will need to be familiar with systems such as: 

  • PBX (private branch exchange) 
  • POTS (plain old telephone system) 
  • VoIP (Voice over Internet Protocol) 

Learning about voice technologies is essential because they are still among the most costly services that companies pay for, so being able to effectively manage, investigate and administer them is important. If outside users can use your voice services fraudulently, your company may be liable if crimes are committed with your services. International toll fraud is also costly and can come from unsecured phone systems.

Video and collaboration 

Video and multimedia collaboration includes applications such as instant messaging programs, video conferencing and other real-time collaboration tools. These tools use convergent technologies because they’re able to carry voice, data, text and video all in a single application over the Internet instead of over separate networks. You will need to understand the risks associated with: 

  • VoIP: This includes session controls and signaling protocols related to the notification and setup of calls. Candidates must also be familiar with codec software that converts audio and video into digital frames and open VoIP protocols such as H.323 and SIP (Session Initiation Protocol). Understanding how SIP provides integrity protection with MD5 hash functions and encryption such as TLS is also important for the CISSP exam. VoIP security must also be understood.
  • Remote meeting technology: This technology allows users to collaborate by sharing control of remote desktops, file sharing, chat functions, voice and video. These technologies are vulnerable to unauthorized participation, eavesdropping, spying, data leakage and communications interception. To prevent this, mitigating technologies, such as firewall restrictions, data encryption, authentication security measures, computer management policies and user awareness training, must be employed. 
  • Instant messaging and chat: Initially introduced as text-based communication, many of these applications now include voice, video, file sharing and remote control. You need to understand that instant messaging (IM) technologies can use peer-to-peer or client-to-server relationships, as well as all of the threat vectors associated with IM and chat. These threats include malware distribution and social engineering.
  • Content distribution network: A CDN is a system of interconnected machines that provide large-scale services such as internet service providers (ISPs) and network operations. CDNs serve end users with high-speed connections and high availability. You need to understand concepts such as hybrid models (peer-to-peer and server-to-client connections) and the corresponding threat vectors, such as unauthorized bandwidth usage, P2P malware attacks, malicious executable files and unauthorized system access.
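The SIP bullet above mentions MD5-based protection alongside TLS. The following added example (not from the original article) shows the RFC 2617 digest calculation that SIP reuses, with a server-side check that rejects a response replayed or reused for a different method. The `Registrar` class, the user, the realm and the nonce are constructed for illustration.

```python
import hashlib
import hmac

def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 digest (qop=auth), the scheme SIP reuses for authentication."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}")  # derived from the secret, never sent
    ha2 = _md5_hex(f"{method}:{uri}")             # binds the method and request URI
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class Registrar:
    """Hypothetical server side: verifies responses and rejects replays."""
    def __init__(self, realm, users):
        self.realm = realm
        self.users = users   # username -> password (constructed sample data)
        self.seen = set()    # (nonce, nc) pairs already accepted

    def verify(self, auth, method):
        password = self.users.get(auth["username"])
        if password is None or (auth["nonce"], auth["nc"]) in self.seen:
            return False
        expected = digest_response(auth["username"], self.realm, password, method,
                                   auth["uri"], auth["nonce"], auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return False
        self.seen.add((auth["nonce"], auth["nc"]))
        return True

def demo():
    reg = Registrar("voip.example.test", {"alice": "constructed-password"})
    auth = {"username": "alice", "uri": "sip:voip.example.test",
            "nonce": "constructed-nonce-0001", "nc": "00000001", "cnonce": "0a4f113b"}
    auth["response"] = digest_response("alice", reg.realm, "constructed-password",
                                       "REGISTER", auth["uri"], auth["nonce"],
                                       auth["nc"], auth["cnonce"])
    wrong_method = reg.verify(auth, "INVITE")  # hash was bound to REGISTER
    accepted = reg.verify(auth, "REGISTER")    # matches what the client signed
    replayed = reg.verify(auth, "REGISTER")    # same nonce and count again
    return wrong_method, accepted, replayed

if __name__ == "__main__":
    print(demo())
```

The digest proves knowledge of the password and ties the response to one method and URI, but the username, URI and message body still travel unencrypted, which is why SIP signaling is paired with TLS.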

Remote access 

Remote access was originally designed with dial-up systems in mind, allowing home-based and traveling users to access the internal network over a dial-up modem connection. This technology reduced costs compared with a dedicated leased line and was seen as a more affordable method for letting people connect to the system while out of the office. The RAS server would then authenticate the user based on the credentials they entered, and users could access the corporate network with them.

Today, however, organizations use virtual private networks (VPNs) and secure tunneling protocols. Therefore, VPN and tunneling protocols must be fully understood. Some examples include: 

  • Remote Access Services 
  • Point-to-Point Protocol (PPP) 
  • Telnet (Port 23) 
  • Dial-up and RAS 
  • Old Dial-up Remote Protocol 
  • Virtual Network Computing (VNC) 
  • Cloud-based remote access 
  • Authentication Protocols such as CHAP, PAP and EAP 
  • Modern VPN protocols: PPTP, L2TP/IPsec, SSL/TLS, SSTP
  • Modern authentication protocols (VPN): MS-CHAP v2 and EAP
  • Microsoft Remote Desktop Protocol (RDP): Remember that it uses port 3389 
  • Secure Shell (SSH): Remember that it uses port 22 and that it is more secure than Telnet. Telnet transmits passwords in plain text and is, therefore, not secure 

Even though some of these technologies, such as dial-up and RAS, are no longer widely used, it’s good to be familiar with them because some organizations still put them to use. Therefore, there’s a chance they may appear on the exam. 

Data communications 

Candidates must be familiar with the following secure communications protocols concerning data communications. These involve sending data through networks and to a variety of endpoints, both in-organization and those used by customers: 

  • SSL (Secure Socket Layer) 
  • TLS (Transport Layer Security) 
  • IPsec (Internet Protocol Security) 
  • SSH (Secure Shell) 
  • HTTPS (Hypertext Transfer Protocol Secure) 
  • SFTP (Secure File Transfer Protocol) 
  • FTPS (FTP Secure) 
  • DNSSEC (Domain Name System Security Extensions) 
  • SMTP with STARTTLS 
  • SNMPv3 (Simple Network Management Protocol v3) 
  • Wi-Fi Security Protocols (WPA3, WPA2-Enterprise) 
  • MQTT with TLS (Message Queuing Telemetry Transport) 
  • EAP (Extensible Authentication Protocol) 

In case the exam asks about some older protocols — perhaps in a question designed to test your decision-making skills when it comes to choosing modern over legacy protocols — it may help to be familiar with the following as well: 

  • SwIPe (Swipe IP Security Protocol) 
  • S-RPC (Secure Remote Procedure Call) 
  • SET (Secure Electronic Transaction) 
  • PAP (Password Authentication Protocol) 
  • CHAP (Challenge Handshake Authentication Protocol) 

Third-party connectivity 

Organizations often depend on cloud services, telecom providers and hardware vendors to facilitate their communications. Despite the tools these providers may already have, you’re expected to be aware of the protocols used to keep these communications secure. 

Many of the protocols used in third-party-facilitated interactions overlap with those used in data communications and remote access. Common options include: 

  • TLS (Transport Layer Security) 
  • IPsec (Internet Protocol Security) 
  • SSH (Secure Shell) 
  • SNMPv3 (Simple Network Management Protocol v3) 
  • SFTP (Secure File Transfer Protocol) 
  • FTPS (FTP Secure) 
  • DNSSEC (Domain Name System Security Extensions) 
  • ZTNA (Zero Trust Network Access) 
  • RADIUS & TACACS+ 
  • EAP (Extensible Authentication Protocol) 


Conclusion 

The CISSP has been described by many as the “inch-deep, mile-wide” certification because of the many subjects that it goes into, without getting too deep into any single topic. The CISSP is one of the most highly sought-after certifications in information security at present, and it is a must-have qualification for anyone hoping to pursue a career in cybersecurity. 

Candidates who are considering taking this exam should check out Infosec’s CISSP boot camp. If you’re looking to get a head start on this certification, you can find more information in our CISSP exam tips and tricks ebook. 

If you’re plotting a career shift toward cybersecurity, you’ll also want to check out our Cybersecurity certifications and skills ebook. 

Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.