What connects Gartner’s cybersecurity trends for 2022 and NSA’s 2021 VVoIP guidelines? Here’s a clue.
We’re sure you didn’t have to look too deep to find the answer: attack surface expansion. As the #1 cybersecurity trend for 2022, it is the underlying concern that prompted the NSA’s 2021 landmark VVoIP guidelines.
Given how closely today’s communication systems are integrated with IT equipment within enterprise networks, securing them is critical for attack-proof security. And that’s what NSA’s 43-page guide aims to help organizations do.
In the first post of our new 3-part VoIP cybersecurity series, we discuss the NSA guidelines, four high-level areas the report focuses on, the risks associated with each area, and the mitigation approach for each of them.
But first, let’s back up a little.
Why the NSA’s Guidelines Matter
VVoIP systems introduce a class of attacks and challenges that did not impact legacy telephony systems. That’s because these systems are integrated into the organization’s existing IP infrastructure, and mostly use standard systems/protocols. These setups are very familiar to malicious actors, making these systems potentially susceptible to the malicious activity constantly targeting existing IP systems — through spyware, viruses, software vulnerabilities, or other methods.
There’s another risk: As the NSA states, sharing the IP infrastructure also creates a single point of failure in an organization’s communication model. If the IP network fails or there is a denial of service, all VVoIP services could be severely impacted.
4 Focus Areas of the NSA VVoIP Guidelines:
Network
- Risk: Deploying the network across a data-only infrastructure makes devices such as call servers and UC/VVoIP endpoints easily accessible to malicious cyber actors — since attackers can use the same tools they use to compromise data-only networks and related peripherals to compromise the VVoIP network. Attackers can simply connect to the UC/VVoIP infrastructure by using the data network infrastructure.
- Mitigation: Carefully deploying and configuring the network infrastructure to address threats related to communication systems, and separating the UC/VVoIP from the data infrastructure to make it harder to penetrate.
Perimeter
- Risk: The perimeter is where all communications external to the organization’s UC/VVoIP system enter or leave the VVoIP network. Leaving it under-configured or unsecured is an open invitation to attackers.
- Mitigation: All devices that form the perimeter should be securely and dedicatedly managed by using principles of access control, data/voice separation, encryption, authentication, logging, and secure management.
External intrusions can be prevented by deploying special-purpose UC/VVoIP security devices such as a Session Border Controller (SBC). SBCs understand and inspect VVoIP communication at a level that traditional network firewalls cannot.
They should control access to internal VVoIP resources, deal with network address translation (NAT) traversal issues, and encrypt traffic. In addition, the traffic flowing through them should be monitored, for example by monitoring CDRs (Call Detail Records) to detect issues, attacks, or fraud.
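The CDR monitoring described above, sketched as an added example (it is not taken from the NSA guide or from any SBC product). It flags two patterns over a sliding window: a burst of outbound international calls from one source, and a run of very short inbound calls to one number. The CDR column names, the home country prefix, and all thresholds are assumptions chosen for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs; the column names are assumed, not any SBC vendor's format.
SAMPLE_CDRS = """\
start,source,destination,duration_s,direction
2022-03-05T02:10:05,ext-4012,+442079460101,310,outbound
2022-03-05T02:12:40,ext-4012,+442079460102,295,outbound
2022-03-05T02:15:11,ext-4012,+442079460103,402,outbound
2022-03-05T09:30:00,ext-4001,+442079460150,120,outbound
2022-03-05T10:00:01,+12025550111,+12025550143,2,inbound
2022-03-05T10:00:03,+12025550112,+12025550143,1,inbound
2022-03-05T10:00:04,+12025550113,+12025550143,0,inbound
2022-03-05T10:05:00,+12025550120,+12025550199,180,inbound
"""

WINDOW = timedelta(minutes=10)  # sliding window; all thresholds here are illustrative
INTL_BURST = 3                  # outbound international calls per source per window
INBOUND_FLOOD = 3               # short inbound calls per destination per window
SHORT_CALL_S = 5                # calls this short or shorter count as "short"
HOME_PREFIX = "+1"              # assumed home country code

def load(text):
    rows = [dict(r, start=datetime.fromisoformat(r["start"]), duration_s=int(r["duration_s"]))
            for r in csv.DictReader(io.StringIO(text))]
    return sorted(rows, key=lambda r: r["start"])

def bursts(rows, key, threshold):
    """Return the values of `key` that reach `threshold` events inside any WINDOW."""
    seen, flagged = defaultdict(list), set()
    for r in rows:
        times = seen[r[key]]
        times.append(r["start"])
        while times[0] < r["start"] - WINDOW:  # drop events that aged out of the window
            times.pop(0)
        if len(times) >= threshold:
            flagged.add(r[key])
    return flagged

def analyze(text):
    rows = load(text)
    intl = [r for r in rows if r["direction"] == "outbound"
            and not r["destination"].startswith(HOME_PREFIX)]
    short_in = [r for r in rows if r["direction"] == "inbound"
                and r["duration_s"] <= SHORT_CALL_S]
    return {"toll_fraud_sources": bursts(intl, "source", INTL_BURST),
            "tdos_targets": bursts(short_in, "destination", INBOUND_FLOOD)}
```

Calling `analyze(SAMPLE_CDRS)` flags `ext-4012` as a possible toll-fraud source and `+12025550143` as a possible TDoS target; in practice the thresholds would be tuned against the organization's normal calling patterns.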
Enterprise Session Controllers (ESC)
- Risk: Used to establish calls and for authenticating and authorizing IP phones/users, call forwarding, voice mail, and conference calling, ESCs can securely manage all VVoIP endpoint devices registered to them. However, they require security considerations to protect the communications system from compromise and misuse. Unless carefully and securely configured, their remote management capabilities often make the server more vulnerable. For instance, the default configuration settings on their software may be set up for maximum functionality, and not security. Or features that are not appropriate for the installation environment may be enabled. In other cases, unnecessary network services running on an ESC could provide additional attack surface.
- Mitigation: Software installed on the ESCs (operating systems, databases, and VoIP applications) must be hardened by removing unnecessary accounts and applications. Management accounts and access to the server should be minimized and protected. Access and modification should be logged and audited regularly to check for security and access violations.
Endpoints
- Risk: The additional functionality and complexity in VVoIP endpoint software increase the chance of vulnerabilities. They are exposed to the same threats as general-purpose applications or computers on the network.
- Mitigation: Secure VVoIP endpoints by locking down the software (disabling any unnecessary applications) and hardware in addition to limiting their access. Place endpoints in their own VLAN separating voice/video traffic from all other traffic.
Update and patch the software using signed files from a trusted server. For remote management, use secure paths, secure protocols, authentication between devices, and strong cryptographic functions.
In the next article, we’ll talk about the core principles that underlie the NSA guidelines and how you can implement them in your VoIP security strategy.
- The NSA guidelines
- AssertionTalks: Decoding the NSA – Our Experts decode the guideline in a 10 min video.
We secure your communication networks, protecting you from data theft, revenue loss and reputational damage. Assertion SBC Security™ is a fully automated, self-learning, and cloud-based system that provides Advanced Threat Protection for your Session Border Controllers. By protecting the SBC, Assertion SBC Security™ ensures that your communication network risk is contained at the perimeter itself. It:
- Identifies and blocks Robocalls and Scam calls
- Stops Telephony Denial of Service attacks and Toll Fraud attempts in real-time
- Detects and eliminates threats to Remote workers