
Deploying VoIP Security the NSA Way

“When you feel secure, you can be the best version of yourself. Insecurity brings out the worst version of you.”

Shunya

Earlier this year, President Joe Biden signed Executive Order 14028.  It begins as follows:

The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors. The Federal Government must also carefully examine what occurred during any major cyber incident and apply lessons learned.

Anyone following the recent stories about ransomware outbreaks will know how vulnerable critical resources and services are to attack and exploitation.  Criminals and nation states have become highly sophisticated in choosing, penetrating, and compromising their targets.  Not only are these attacks expensive to resolve, they negatively disrupt the lives of millions of people.  It’s not a stretch to see them as digital terrorism.

Here in the communications world, we are not immune to the damage hackers can inflict upon our networks.  In fact, throughout the telecom industry, the total losses from toll fraud are estimated to be $10 billion annually. While the techniques that VoIP hackers use are different than those employed by ransomware pirates, the results are not all that different – loss of service, loss of revenue, workflow disruption, compromised private information, etc.

Much Needed Guidance

I was extremely pleased to read that the NSA (National Security Agency) released a comprehensive document that details the steps enterprises can take to secure all aspects of their communications systems.  Deploying Secure Unified Communications/Voice and Video over IP Systems covers the four attack planes of a communications system – Network, Perimeter, Session Controllers, and Endpoints.  It provides detailed descriptions of how each plane can be exploited along with mitigation techniques.  By understanding the potential weaknesses of each area and then taking the necessary steps to harden and protect against attacks, an enterprise can either completely stop hackers or detect malicious activity before it causes serious harm.

I have been involved in VoIP security in one form or another for several decades and I was impressed by the breadth and depth of the report.  Not only does it cover what I consider the obvious security hardening steps (e.g. separate VLANs for voice and data, port locking, staying current on software, patching, etc.), it delves into less obvious areas such as forward-confirmed-reverse-DNS.  It’s clear that the report is the product of significant research by experts in the many areas of communications security.

Highlights

I highly recommend a thorough reading of the document.  The details it provides in both problem definition and solution are impressive.  To help whet your appetite, here are a few basic points that I would like to draw your attention to.

  • Although we tend to think of communications security in terms of the digital aspects (software, media, passwords, certificates, etc.), it’s important to pay attention to the physical aspects, too. For instance, it’s essential that physical access to sensitive devices be restricted.  Whenever possible, servers and non-user-oriented devices should be kept behind locked doors and cabinets.  Maintain access logs and install video surveillance equipment.  Use backup power sources.  Servers should be redundant with as much physical distance between server pairs as possible.
  • Tightly control who has access to administrative logins and passwords. Set and manage roles for administrators to control who can do what.  Avoid providing “super user” access to all but the most trusted administrators. 
  • Ensure that all configuration changes are logged. If possible, provide rollback options.
  • Encrypt data in transit and at rest. This includes communications streams (media and signaling) and control data such as private keys.  Attempts at unencrypted access should be logged and prohibited.
  • Back up your data and test that the backup process is comprehensive. Don’t wait until a catastrophic outage to determine if you captured everything you need.  Encrypt your backups. Don’t allow them to become a backdoor into your system.
  • Restrict external access to only authorized client types. Disallow generic SIP clients.  Require TLS and SRTP.
  • Keep all software current. Update using signed files from a trusted server. Hackers look for out-of-date software with known security holes.
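
To make the encryption and client-restriction points concrete, here is an added example (not taken from the NSA document or from any product) of an edge policy check that rejects and logs an INVITE unless signaling arrived over TLS, every active media stream is offered as SRTP, and the client is on an allowlist. The function names, the allowlist prefix and both sample messages are constructed for illustration.

```python
import logging

log = logging.getLogger("sip-policy")
# SDP transport profiles that carry SRTP (SDES- or DTLS-keyed).
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def parse_sip(raw):
    """Split a SIP message into (header dict of lists, SDP body lines)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, [l for l in body.split("\n") if l]

def check_invite(raw, allowed_agents):
    """Return policy violations for one INVITE; an empty list means accept."""
    headers, sdp = parse_sip(raw)
    violations = []
    # Topmost Via carries the transport the previous hop used: "SIP/2.0/<transport> host".
    via = headers.get("via", headers.get("v", [""]))[0]
    transport = via.split(" ")[0].rpartition("/")[2].upper()
    if transport != "TLS":
        violations.append(f"signaling transport {transport or 'missing'} is not TLS")
    agent = headers.get("user-agent", [""])[0]
    if not any(agent.startswith(p) for p in allowed_agents):
        violations.append(f"client {agent or 'unidentified'!r} is not on the allowlist")
    for parts in (l[2:].split() for l in sdp if l.startswith("m=")):
        # Port 0 marks a disabled stream; a malformed line is rejected outright.
        if len(parts) < 3 or (parts[1] != "0" and parts[2].upper() not in SRTP_PROFILES):
            violations.append(f"media line {' '.join(parts)!r} is not SRTP")
    for v in violations:
        log.warning("rejecting INVITE: %s", v)
    return violations

# Constructed sample messages (not captured traffic); names are hypothetical.
GOOD = ("INVITE sips:bob@example.com SIP/2.0\r\n"
        "Via: SIP/2.0/TLS pbx.example.com:5061;branch=z9hG4bK1\r\n"
        "User-Agent: ExampleSoftphone/4.2\r\n\r\n"
        "v=0\r\nm=audio 49170 RTP/SAVP 0\r\n")
BAD = ("INVITE sip:bob@example.com SIP/2.0\r\n"
       "Via: SIP/2.0/UDP 203.0.113.9:5060;branch=z9hG4bK2\r\n"
       "User-Agent: generic-sip-client\r\n\r\n"
       "v=0\r\nm=audio 49170 RTP/AVP 0\r\n")
```

The User-Agent header is self-declared by the client, so the allowlist narrows what is accepted but does not authenticate the device; the listening socket, not the Via header, is the authoritative record of the transport actually used.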

I expect that as is true with all security concerns, this is a living document and revisions will be forthcoming.  In other words, there is no rest when it comes to protecting your communications systems and workflows.  It’s important to stay current in your practices and your education regarding those practices.  The hackers are becoming more sophisticated in their attacks and you need to do the same when it comes to your protection.

Mischief Managed

Security must never be an afterthought and the guidance provided by the NSA will help you in all aspects of protecting your communications assets – from the network edge to the user device.  Sadly, security is never a one-and-done affair.  It requires constant vigilance.  The hackers won’t stop trying to get into your systems and neither should you slow down your efforts to keep them out.

This is where Assertion comes to the rescue.  Our SBC scan helps you see how your implementation meets security best practices, and if deviations are found, what steps can be taken to remediate them.  Additionally, our deep log scans show you how and where hackers are trying to break into and through your defenses.  Without this information you are simply guessing that you got things right and security is no place for guesswork.

I hope you find the NSA report as useful as I did.  I am certain that even the most seasoned security professionals will find something(s) of value in it.