Recently, our Chief Revenue Officer, Todd Carothers, highlighted the need for security as part of the strategy customers should consider when deploying unified communications (UC). A further post drew attention to BYOD and mobile device management (MDM) as areas to examine from the client perspective.
Almost every day we read reports of privacy breaches, or compromised code in applications we use on our phones or tablets. For customers considering deploying UC, whether hosted or on-premise, the risk of data loss or network intrusion should be high up on the checklist.
In this post, we’ll review some of the common security tools and highlight others that may be less obvious but are equally important.
It should be a given that user passwords are a focus of attention when planning a system. With the prevalence of sites such as https://haveibeenpwned.com, most IT admins know that allowing users to choose passwords without any restrictions or guidelines often leads to poor selections. Password managers are easily available, and verifying that password choices meet suggested guidelines should be part of the process when registering new accounts.
Ideally, the passwords used by the UC system should be federated and integrated with the usual network password (i.e. linked into Active Directory, LDAP or another centralized control) – ask the UC vendor how they link into your existing system instead of forcing users to have network passwords separate from those used by the UC system.
Firewalls and SBCs
Firewalls can be configured for general TCP/IP traffic management, but UC often uses SIP as the signalling protocol, and XMPP for messaging. Application-aware firewalls (Session Border Controllers) are more suited to this task, where deep-packet inspection and understanding the protocol intent is necessary to prevent service fraud. SBCs also often integrate intrusion detection systems, monitoring login frequency, call throughput and destinations, which can be an indicator of attack, fraud or misuse.
TLS/SRTP, VPN and VLAN
UC systems that use SIP and other protocols do not have to use encryption or tunnels – it is optional. Encrypting the UC traffic through the use of TLS/SRTP ensures that remote workers are protected and that local eavesdropping is thwarted. A more generic VPN can protect all traffic between the sites. Segregating UC traffic (voice, signalling, messaging and collaboration data) from the rest of the core or local network through the use of VLANs prioritizes important time-sensitive channels over regular data transfers.
It is also important to select the highest compatible version of these protocols. As vulnerabilities are discovered all the time, systems should attempt to negotiate current versions of TLS, refuse to connect with insecure SSL (due to its deprecation) and reject the use of known weak ciphers.
More sophisticated protection could also include certificate or public key pinning, which guards against rogue CA and MITM attacks.
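The TLS policy the two paragraphs above describe (current TLS versions only, insecure SSL and weak ciphers refused, optionally a pinned certificate), written as an added example in Python's standard `ssl` module; this is not CounterPath code, and the host, port and pin passed to `connect_pinned` are the caller's assumptions.

```python
import hashlib
import hmac
import socket
import ssl

# Added example (not CounterPath's code): a client-side TLS policy of the kind the
# post describes (TLS 1.2 as the floor, SSL and weak ciphers refused) plus a
# certificate pin compared against the peer's DER-encoded certificate.

WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5")


def hardened_client_context():
    """SSLContext that negotiates only TLS 1.2 or 1.3 with forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # peer cert + hostname verified
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rejects SSLv3, TLS 1.0 and 1.1
    # '!' entries exclude the weak options explicitly; ECDHE gives forward secrecy.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    ctx.load_default_certs()
    return ctx


def offered_cipher_names(ctx):
    return [c["name"] for c in ctx.get_ciphers()]


def has_weak_cipher(ctx):
    names = offered_cipher_names(ctx)
    return any(m in n for n in names for m in WEAK_CIPHER_MARKERS)


def pin_matches(der_cert, pinned_sha256_hex):
    """Constant-time check of SHA-256(certificate DER) against the pinned value."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256_hex.lower())


def connect_pinned(host, port, pinned_sha256_hex):
    """Connect with the hardened policy and abort if the server's cert is not the pinned one."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if not pin_matches(tls.getpeercert(binary_form=True), pinned_sha256_hex):
                raise ssl.SSLError("certificate pin mismatch for %s" % host)
            return tls.version()
```

Pinning the whole certificate means the pin must be rotated when the server certificate is renewed, so keep a backup pin ready before the old one expires.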
What about client software code? A recent case with WhatsApp demonstrated that apps are also in need of scrutiny. We are used to using HTTPS and installed certificates to trust the servers to which we connect – but does your hosted solution offer mutual authentication (mTLS) so that unknown or compromised clients are not able to connect to the server to begin attacks? Does the software vendor subject their client app to penetration testing?
Many employees use their own devices for corporate apps (BYOD). Does the vendor’s UC App deploy within a managed environment such as AirWatch, Citrix, Good Technology, or MobileIron? Without this control, compromised devices may become a pivot point for further attacks into the Enterprise, or more colloquially, Bring Your Own Disaster.
Companies offering hosted UC or client software should provide some form of certification that their systems and software have been tested for security. If you are considering a hosted service, ask how that testing is performed and how often; a certificate from last year is of little use. Suppliers should have at least a two-stage testing process for their hosted services: the QA code release is tested and frozen, then deployed to a staging server where it is tested again as if it were live. The ability to switch a staging instance over to production mitigates service downtime. If you are hosting your own service, regular pen testing is a recommended route for discovering general vulnerabilities.
Malware, Intrusion Detection and Threat Intelligence
Many UC solutions provide tools to monitor logs and usage. It's a good idea to use them to trigger warnings when certain thresholds are reached, such as rate of registrations, calls or new destinations being called that were previously unknown.
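The threshold warnings just described, as an added example that is not any UC vendor's tooling: the log format, the sample lines and the baseline of known destinations are all constructed here, and the window and limit values are assumptions to be tuned per site.

```python
import re
from collections import defaultdict

# Added example (not any UC vendor's tooling): threshold alerts over constructed
# SIP audit-log lines: a burst of REGISTER attempts from one source address, and
# calls (INVITE) to destinations never called before.
# Constructed format: "<epoch> <event> user=<id> src=<ip> [dst=<number>]"
LOG_RE = re.compile(r"^(\d+) (\w+) user=(\S+) src=(\S+)(?: dst=(\S+))?$")
SAMPLE_LOG = """\
1000 REGISTER user=alice src=10.0.0.5
1001 REGISTER user=bob src=203.0.113.9
1002 REGISTER user=carol src=203.0.113.9
1003 REGISTER user=dave src=203.0.113.9
1004 REGISTER user=erin src=203.0.113.9
1010 INVITE user=alice src=10.0.0.5 dst=+14155550100
1011 INVITE user=alice src=10.0.0.5 dst=+12125550199
1012 INVITE user=bob src=10.0.0.7 dst=+14155550100
"""
KNOWN_DESTINATIONS = {"+14155550100"}  # constructed baseline of numbers called before

def parse(log_text):
    # (timestamp, event, user, src, dst) tuples; dst is None for REGISTER lines
    matches = (LOG_RE.match(line) for line in log_text.splitlines())
    return [(int(m[1]), m[2], m[3], m[4], m[5]) for m in matches if m]

def registration_bursts(events, window=60, limit=3):
    """Sources with more than `limit` REGISTERs inside any `window`-second span."""
    per_src = defaultdict(list)
    for ts, kind, _, src, _ in events:
        if kind == "REGISTER":
            per_src[src].append(ts)
    alerts = {}
    for src, stamps in per_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > limit:
                alerts[src] = max(alerts.get(src, 0), end - start + 1)
    return alerts

def new_destinations(events, known):
    # called numbers absent from the baseline, mapped to the users who dialled them
    seen = defaultdict(set)
    for _, kind, user, _, dst in events:
        if kind == "INVITE" and dst and dst not in known:
            seen[dst].add(user)
    return dict(seen)
```

On the sample, one address registering four different users inside a few seconds trips the burst rule, and the single call to a number outside the baseline is reported with the user who placed it.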
A centralized AV/malware detection service should be a given, but there are also other solutions that examine network traffic, rogue or poisoned DNS, the Dark Web and other sources to gauge and extrapolate threat levels. These are called Threat Intelligence Platforms. Since larger hosted services are often bigger targets, these should always be under consideration. Today, companies such as HYAS, IBM X-Force Exchange, Anomali ThreatStream and others offer services that cover this form of threat analysis.
Audit logs are often stored locally, which presents an opportunity for an intruder to cover their tracks. An externally hosted log aggregation facility mitigates this and may also offer additional features such as trend analysis, cross-log search and threshold triggering to multiple recipients.
Third Party Libraries
Many UC services are accessible through a browser. UX designers often use third-party code for common functions and features. This is usually a good idea as the code has been tested, and is deployed in many sites. However, if the UC website includes the code at runtime rather than freezing a code release, it can be disastrous. TicketMaster relied on runtime third-party code inclusion and was compromised by code not written by any of their developers, but which had previously passed inspection.
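One way to freeze a third-party script to the bytes that passed inspection, rather than whatever the CDN serves at runtime, is Subresource Integrity. The post does not name it, so this is an added example (not TicketMaster's or CounterPath's code) with constructed script bodies and a constructed script URL.

```python
import base64
import hashlib
import hmac
import re

# Added example (not TicketMaster's or CounterPath's code): Subresource Integrity,
# which the post does not name, as one way to freeze a third-party script to the
# bytes reviewed at release time. Both script bodies are constructed.
REVIEWED_SCRIPT = b"window.ucWidget = function () { return 'reviewed build'; };"
TAMPERED_SCRIPT = REVIEWED_SCRIPT + b" /* bytes appended after the review */"

def sri_hash(body, algo="sha384"):
    """Integrity value for `body`: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return "%s-%s" % (algo, base64.b64encode(digest).decode("ascii"))

def script_tag(src, body):
    """Tag to ship in the release: integrity computed from the reviewed bytes."""
    return '<script src="%s" integrity="%s" crossorigin="anonymous"></script>' % (
        src, sri_hash(body))

def integrity_from_tag(tag):
    m = re.search(r'integrity="([^"]+)"', tag)
    return m.group(1) if m else None

def integrity_ok(integrity_attr, fetched_body):
    """The browser-side check: run the script only if the fetched bytes still match."""
    algo, _, expected = integrity_attr.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False  # unrecognised algorithm: refuse rather than skip the check
    actual = base64.b64encode(hashlib.new(algo, fetched_body).digest()).decode("ascii")
    return hmac.compare_digest(actual, expected)
```

The tag is generated once per frozen release; if the hosted copy later changes by a single byte, the browser refuses to execute it instead of running code nobody reviewed.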
Platform System updates and hardening
UC vendors supply updates for their software throughout the year. However, the operating environment is often overlooked. Applying OS updates to a production server is complicated and a patch that breaks the UC software services could be catastrophic. If using a hosted service, ask how they schedule platform updates as well as those required for the UC service. Also, be sure to inquire about the rollback or failover policy should an update fail.
UC vendors deploy on COTS hardware and OS (Red Hat, Windows Server, etc.), but these environments come with default services that are often not required on the UC platform – examine the open ports and close them or remove the corresponding services.
Denial of Service (DoS), Distributed Denial of Service (DDoS) and System Availability
DoS and DDoS are common attacks faced by hosted providers. If choosing to deploy your own, you must consider how it will handle a local DNS failure, severed internet access or a DoS attack. Mature hosted providers have systems in place such as multi-provider geo-redundancy, DDoS attack mitigation and disaster failover plans.
If the UC service is hosted in a data center, then regulatory compliance offered by that provider should also be considered. GDPR is commonly cited, as well as data center security audits such as SSAE 18. If the UC solution offers recording of any streams (voice, video, data) then those regulatory compliance aspects become even more important. Is the data encrypted at rest, is it accessible by admin staff, how is that audited and controlled? The costs of failure in this regard can be significant, up to 4% of turnover in severe cases.
In this post we have covered a few of the areas on which security planners and potential customers of UC vendors should focus, whether they intend to use a hosted service or deploy one locally. Within smaller enterprises, the level of security expertise necessary may not be easily available or cost effective. Maintaining those skills and dedicating a specific team to review, test and be vigilant is a complex and expensive task.
For more information on CounterPath secure UC solutions, visit our website: