Originally published on Telephony Magazine
As software-defined networks, software-designed real-time communications applications and SIP adoption continues to explode, hackers are preying on vulnerabilities some voice network operators didn’t realize they had.
IT teams on the data front in enterprises have long been focused on securing data in storage and data in motion, and invest regularly in ensuring their infrastructure, communications networks, applications and access management control policies are updated as new threats surface and cyberattacks become more sophisticated and frequent.
Too often, however, these same teams, who are now responsible for all applications, including voice, video, messaging and collaboration platforms, are not aware of the vulnerabilities associated with voice and applications like Unified Communications (UC), Unified Communications as a Service (UCaaS), and Communications Platforms as a Service (CPaaS). Voice is still the most popular channel today and, while we’ve seen attention paid to wiretapping of phones and surveillance of cellular conversations by governments, because attacks on voice networks have not made the news as often as others, IT leaders may be putting their organizations at risk by not understanding the changing attack surface.
“We’re living in a hyper-connected, real time world, constantly on our phones, on conference calls we often believe are secure but may be hacked, recorded and even searched after recordings are transcribed to text,” said Ali Gomulu, SecOps, Ironsphere. “What we don’t see publicized are the cases where cyber criminals are attacking entire enterprise networks by hacking into real-time communications systems, finding unlocked doors and windows in otherwise ironclad enterprise computing and network environments.”
Gomulu explained that everything in IP networks must be protected and that Privileged Access Management (PAM) is an important way to guard who can get into the infrastructure, applications and databases associated with running RTC networks.
“There is a huge amount of valuable data being transmitted, from credit card numbers to health insurance information and more,” Gomulu said. “It is mission critical to protect the network, endpoints, call flows and media (in addition to applications) to ensure uninterrupted quality of service. But, we can’t stop there. It’s important to protect the entire cloud and computing environment. Attacks on contact centers is just one example of what can happen when cloud communications are not fully secured.”
As more voice moves to the cloud, even if a Unified Communications as a Service (UCaaS) provider has encrypted all the media and signaling, there may still be issues.
“There is amazing software embedded into voice systems, more every day – but what good is it if access to the network is not properly managed and governed?” Gomulu asked. “This is where PAM comes in.”
He also said that while it may not be evident what the incentives are for insiders or external criminals to hack voice network, as RTC and SIP adoption grows, hackers are preying on vulnerabilities created by a lack of understanding of the risks.
“Some bad actors will target SIP specifically for toll fraud or Distributed Denial of Service, (DDoS) attacks, but more likely this will be their point of entry for other forms of malicious activity such as disrupting operations, identity theft, financial theft, and even corporate espionage. There are ‘situation rooms’ for a reason, as even the secure conference calls we believe we are having have been compromised.”
If enterprises want to truly secure real-time cloud communications, they need to have a clear and deep understanding of all threats, including those associated with voice-based applications, Gomulu summarized.
“PAM is an important part of an overall approach that identifies and pinpoints threats, has security policies in place to stop a spreading attack, provides an enterprise-wide view of all applications across all networks, and automation and analytical tools to keep networks safe. CSPs are in an ideal position to bring voice security solutions to their enterprise and business customers, while adopting a proven strategy for securing their own voices services to protect every subscriber who connects to their networks.”
Corporate information security governance is a foundation upon which organizations can build an increasingly significant part of their overall risk management platform. The foundation of a successful security governance program begins with strong upper-level management support, including the CEO, Chairman and Board Members.read more
Third-Party Vendors are a Cyber-Criminals Dream; Don’t Leave the Front Door Unlocked and the Windows Open
Third-party governance and risk management has become increasingly difficult as more and more storage and compute are being done across multiple clouds – private, public, hybrid and multi-cloud environments.read more
Data Privacy Day is held on the 28th of January every year, and is designed to raise awareness among businesses, governments, and other organizations on not only the right to privacy, but the responsibility associated with protecting the data of customers, citizens and consumers.read more