NSA Offers Tips on Securing Unified Communication ChannelsGuidance Spells Out Best Risk Mitigation Practices
The U.S. National Security Agency has released guidance to help federal agencies and business enterprises protect their unified communications channels and voice/video over IP calls from cyberthreats.
The guidance released Thursday notes attackers can exploit vulnerabilities in unified communication systems, such as instant messaging, email, SMS and fax, along with VVoIP applications, to access sensitive communications. Attackers can use the exploits to introduce spyware to eavesdrop on conversations, impersonate users and perform denial-of-service attacks.
"If UC/VVoIP systems are not properly secured, they are susceptible to several malicious activities," the NSA notes. "Methods to minimize the risk to UC/VVOIP systems include segmenting the networks to limit access to a common set of devices, ensuring timely patching, authentication and encryption of all signaling and media traffic, and verifying the security of devices before adding them to a network."
The NSA describes mitigation measures that include:
- Network separation: The NSA recommends separating UC/VVoIP systems and data systems on different networks. It also recommends using virtual LANs to place access controls and limit lateral movement between data networks and UC/VVoIP networks.
- Encryption: Because unencrypted voice and video calls are susceptible to eavesdropping, the agency recommends that voice and video traffic should be end-to-end encrypted. The NSA also notes that traffic access can be restricted by enabling port security on all switches.
- Firewalls, filtering routers: To help prevent DOS attacks, the NSA says, organizations should use firewalls and filtering routers to limit the bandwidth allocated to incoming external calls while installing UC/VVoIP applications.
Perimeter risks - and mitigation measures - highlighted by the NSA include:
- PSTN gateways: Public switched telephone networks are used to connect to UC/VVoIP call processing. Attackers can take advantage of this to connect directly to the gateway and make unauthorized calls, according to the guidance. The agency notes attackers can also use the gateway to compromise the UC/VVoIP servers. To prevent attacks using these gateways, organizations should authenticate the gateway by using packet filtering to detect unauthorized signals.
- Signaling gateways: These are used to pass signaling information between two different network protocols. The NSA notes hackers can compromise these to disrupt voice and video services, access information and identify the subscribers. Because these gateways are public-facing, they should be placed in a virtual LAN and a demilitarized zone to prevent authorized signaling messages from directly entering into the gateways.
- Cloud connectivity: Organizations whose perimeters now extend to the cloud are particularly susceptible to DDoS attacks and vulnerabilities caused by misconfigurations, the NSA points out. Therefore, they should use cryptographic protocols to encrypt communications between UC/VVoIP devices regardless of whether they have fully or partially migrated to the cloud.
Session Controller Server Issues
The NSA notes several security issues for session controller/call-processing servers, including:
- User accounts: These accounts, which provide access to the servers, can be misused in many ways, the NSA notes. Therefore, they should be provided only to the individuals who manage the server, and built-in and default user accounts should be deleted or changed.
- Software vulnerabilities: Because software flaws can be exploited in many ways, the NSA recommends periodic patching and ensuring these updates are cryptographically signed by the software vendor to ensure authenticity.
- Cryptographic key material: Because the session controller servers store cryptographic key material for encryption and authentication, a threat actor with access to a server can use these keys to mimic the server, eavesdrop or capture calls. Therefore, organizations should store cryptographic keys only after encrypting them, the NSA says. And when backing up keys, they should be stored on a computer or device that is not connected to the network.
"The NSA new directive collects several good practices related to general security hygiene," says Tim Wade, a technical director at the security company Vectra AI. "In so much as this guidance is sufficient to harden such communication, it will be effective, though one hopes that many federal organizations were already well on their way to adopting such practices."
James McQuiggan, security awareness advocate at the security firm KnowBe4, stresses that organizations need to implement the steps the NSA suggests based on their enterprise risk management program.
"Their risk program will consider the impact that VOIP systems have on their network - the attack surface it creates - and then secure it like any other network, endpoint or system," he says. "Along with a strong defense-in-depth or layered approach to security, organizations need to ensure users are adequately educated and understand how to secure the technology and implement the processes, and provide the users with a strong security culture."