The National Security Agency (NSA) has shared mitigations and best practices that systems administrators should follow when securing Unified Communications (UC) and Voice and Video over IP (VVoIP) call-processing systems.
UC and VVoIP are call-processing systems used in enterprise environments for various purposes, from video conferencing to instant messaging and project collaboration.
Since these communication systems are tightly integrated with other IT equipment within enterprise networks, they also inadvertently increase the attack surface by introducing new vulnerabilities and the potential for covert access to an organization's communications.
Improperly secured UC/VVoIP devices are exposed to the same security risks and targeted by threat actors through spyware, viruses, software vulnerabilities, and other malicious means if not adequately secured and configured.
"Malicious actors could penetrate the IP networks to eavesdrop on conversations, impersonate users, commit toll fraud and perpetrate denial of service attacks," as the US intelligence agency explained.
"Compromises can lead to high-definition room audio and/or video being covertly collected and delivered to a malicious actor using the IP infrastructure as a transport mechanism."
Admins are advised to take these key measures to minimize the risk of their organization's enterprise network being breached by exploiting UC/VVoIP systems:
- Segment enterprise network using Virtual Local Area Networks (VLANs) to separate voice and video traffic from data traffic
- Use access control lists and routing rules to limit access to devices across VLANs
- Implement layer 2 protections and Address Resolution Protocol (ARP) and IP spoofing defenses
- Protect PSTN gateways and Internet perimeters by authenticating all UC/VVoIP connections
- Always keep software up-to-date to mitigate UC/VVoIP software vulnerabilities
- Authenticate and encrypt signaling and media traffic to prevent impersonation and eavesdropping by malicious actors
- Deploy session border controllers (SBCs) to monitor UC/VVoIP traffic and audit call data records (CDRs) using fraud detection solutions to prevent fraud
- Maintain backups of software configurations and installations to ensure availability
- Manage denial of service attacks using rate-limiting and limit the number of incoming calls to prevent UC/VVoIP server overloading
- Use identification cards, biometrics, or other electronic means to control physical access to secure areas with network and UC/VVoIP infrastructure
- Verify features and configurations for new (and potentially rogue) devices in a testbed before adding them to the network
"Taking advantage of the benefits of a UC/VVoIP system, such as cost savings in operations or advanced call processing, comes with the potential for additional risk," the NSA concluded.
"A UC/VVoIP system introduces new potential security vulnerabilities. Understand the types of vulnerabilities and mitigations to better secure your UC/VVoIP deployment."
Much more extensive security best practices and mitigations on how to prepare networks, establish network perimeters, use enterprise session controllers, and add endpoints when deploying UC/VVoIP systems are available in the Cybersecurity Information Sheet released today by the NSA.
In January, the NSA also shared guidance on how to detect and replace outdated Transport Layer Security (TLS) protocol versions with up-to-date and secure variants.
The agency also warned companies to use self-hosted DNS-over-HTTPS (DoH) resolvers to block threat actors' DNS traffic eavesdropping and manipulation attempts.
Comments
Shplad - 2 years ago
Based on their past record, why would anyone listen to anything the NSA has to say about this?