I am sure that most of you reading this have not been on a conference call or video call in the last year, so this advice is not relevant to you, but for the rest of us, the NSA has a few tips on how to better protect yourself when you are collaborating online. The NSA suggests (and I bet they know) that since these online communications solutions are tightly integrated with the rest of your IT, compromising the communications, well, it compromises everything else.
They point out that, at the very least, compromise of these systems gives the attackers high definition audio and video of whatever you are discussing. At the very least. At the most, it gives them access to your entire IT infrastructure.
Here are the agency’s high level recommendations. Some are simple to do; some are more complex and may only apply to high-end in-house systems, but the first one, while causing your network team to groan, is super important.
- Segment enterprise network using Virtual Local Area Networks (VLANs) to separate voice and video traffic from data traffic
- Use access control lists and routing rules to limit access to devices across VLANs
- Implement layer 2 protections and Address Resolution Protocol (ARP) and IP spoofing defenses
- Protect PSTN gateways and Internet perimeters by authenticating all UC/VVoIP connections
- Always keep software up-to-date to mitigate UC/VVoIP software vulnerabilities
- Authenticate and encrypt signaling and media traffic to prevent impersonation and eavesdropping by malicious actors
- Deploy session border controllers (SBCs) to monitor UC/VVoIP traffic and audit call data records (CDRs) using fraud detection solutions to prevent fraud
- Maintain backups of software configurations and installations to ensure availability
- Manage denial of service attacks using rate-limiting and limit the number of incoming calls to prevent UC/VVoIP server overloading
- Use identification cards, biometrics, or other electronic means to control physical access to secure areas with network and UC/VVoIP infrastructure
- Verify features and configurations for new (and potentially rogue) devices in a testbed before adding them to the network
For more detailed guidance, see the NSA information sheet.
The NSA, recently, has been much more forthcoming in the area of defensive security. While this is a good thing, it only helps if people actually use their guidance.