I am sure that most of you reading this have not been on a conference call or video call in the last year, so this advice is not relevant to you, but for the rest of us, the NSA has a few tips on how to better protect yourself when you are collaborating online. The NSA suggests (and I bet they know) that since these online communications solutions are tightly integrated with the rest of your IT, compromising the communications, well, it compromises everything else.
They point out that, at the very least, compromise of these systems gives the attackers high definition audio and video of whatever you are discussing. At the very least. At the most, it gives them access to your entire IT infrastructure.
Here are the agency’s high level recommendations. Some are simple to do; some are more complex and may only apply to high-end in-house systems, but the first one, while causing your network team to groan, is super important.
- Segment enterprise network using Virtual Local Area Networks (VLANs) to separate voice and video traffic from data traffic
- Use access control lists and routing rules to limit access to devices across VLANs
- Implement layer 2 protections and Address Resolution Protocol (ARP) and IP spoofing defenses
- Protect PSTN gateways and Internet perimeters by authenticating all UC/VVoIP connections
- Always keep software up-to-date to mitigate UC/VVoIP software vulnerabilities
- Authenticate and encrypt signaling and media traffic to prevent impersonation and eavesdropping by malicious actors
- Deploy session border controllers (SBCs) to monitor UC/VVoIP traffic and audit call data records (CDRs) using fraud detection solutions to prevent fraud
- Maintain backups of software configurations and installations to ensure availability
- Manage denial of service attacks using rate-limiting and limit the number of incoming calls to prevent UC/VVoIP server overloading
- Use identification cards, biometrics, or other electronic means to control physical access to secure areas with network and UC/VVoIP infrastructure
- Verify features and configurations for new (and potentially rogue) devices in a testbed before adding them to the network
For more detailed guidance, see the NSA information sheet.
The NSA, recently, has been much more forthcoming in the area of defensive security. While this is a good thing, it only helps if people actually use their guidance.
DoD Working on CMMC-Fedramp ‘Reciprocity’ by Year End
CMMC, the DoD’s new cybersecurity standard is designed to measure security practices of companies and the servers in the computer rooms and data centers. But what about the stuff in the cloud. That is covered by another government standard called FedRAMP. But those two standards have different rules and contractors who have both need to figure out how to comply with two competing standards. DoD is working on this and plans to have a solution by September. One challenge is that FedRAMP allows for a ‘To-Do’ list – stuff we will fix when we get to it and CMMC does not. Harmonizing these two standards is critical for defense contractors. Credit: Defense Systems
The Risk of NSA’s Offensive Security Strategy
The NSA has, for decades, favored offensive security (hacking others) over defensive security (protecting us). The Obama administration created a process called the vulnerabilities equities process to try and rationalize keeping bugs secret to use against others vs. telling vendors so that they could fix them. Check Point research published a report talking about one failure where the Chinese figured out the bug we were using, one way or another and used it against us. That is the danger of offensive security. Read the details here. Credit: The Register
HINT: When Your Vendor Tells You it is Time to Upgrade – Listen
Airplane maker Bombardier is the latest entry into the club of companies who were compromised with Accellion’s decades old FTA file transfer system. What was likely stolen was intellectual property. Accellion has been trying to get customers off this decades old platform for 5 years. Now they say they are going to formally end-of-life the old software in April. 300 customers did not listen. At least 100 were compromised. Credit: ZDNet
Microsoft Asks Congress to Force Companies to Disclose Breaches
Microsoft’s president Brad Smith testified at a Senate Intelligence Committee hearing this week about the SolarWinds breach. Smith said that the private sectors should be legally obligated to disclose any major hacks. None of the other CEOs who testified argued with Smith. The details of who, how, when, etc. are note easy to figure out as is the penalty for breaking the law. I suspect that the overwhelming majority of breaches are never reported to anyone because there is no incentive to do so. Credit: The Register
DHS-CISA Reveals Authentication Bypass of Rockwell Factory Controllers
Rockwell industrial automation controllers used in places like factory floors can be compromised by a remote hacker if they can install some malware on the network. The bug has a severity score of 10 out of 10. The compromise would allow hackers to upload firmware of their choosing and download data from the controller. The bug was initially disclosed to Rockwell in 2019. Credit: Security Week