Originally published on Telephony Magazine
As software-defined networks, software-designed real-time communications applications and SIP adoption continues to explode, hackers are preying on vulnerabilities some voice network operators didn’t realize they had.
IT teams on the data front in enterprises have long been focused on securing data in storage and data in motion, and invest regularly in ensuring their infrastructure, communications networks, applications and access management control policies are updated as new threats surface and cyberattacks become more sophisticated and frequent.
Too often, however, these same teams, who are now responsible for all applications, including voice, video, messaging and collaboration platforms, are not aware of the vulnerabilities associated with voice and applications like Unified Communications (UC), Unified Communications as a Service (UCaaS), and Communications Platforms as a Service (CPaaS). Voice is still the most popular channel today and, while we’ve seen attention paid to wiretapping of phones and surveillance of cellular conversations by governments, because attacks on voice networks have not made the news as often as others, IT leaders may be putting their organizations at risk by not understanding the changing attack surface.
“We’re living in a hyper-connected, real time world, constantly on our phones, on conference calls we often believe are secure but may be hacked, recorded and even searched after recordings are transcribed to text,” said Ali Gomulu, SecOps, Ironsphere. “What we don’t see publicized are the cases where cyber criminals are attacking entire enterprise networks by hacking into real-time communications systems, finding unlocked doors and windows in otherwise ironclad enterprise computing and network environments.”
Gomulu explained that everything in IP networks must be protected and that Privileged Access Management (PAM) is an important way to guard who can get into the infrastructure, applications and databases associated with running RTC networks.
“There is a huge amount of valuable data being transmitted, from credit card numbers to health insurance information and more,” Gomulu said. “It is mission critical to protect the network, endpoints, call flows and media (in addition to applications) to ensure uninterrupted quality of service. But, we can’t stop there. It’s important to protect the entire cloud and computing environment. Attacks on contact centers is just one example of what can happen when cloud communications are not fully secured.”
As more voice moves to the cloud, even if a Unified Communications as a Service (UCaaS) provider has encrypted all the media and signaling, there may still be issues.
“There is amazing software embedded into voice systems, more every day – but what good is it if access to the network is not properly managed and governed?” Gomulu asked. “This is where PAM comes in.”
He also said that while it may not be evident what the incentives are for insiders or external criminals to hack voice network, as RTC and SIP adoption grows, hackers are preying on vulnerabilities created by a lack of understanding of the risks.
“Some bad actors will target SIP specifically for toll fraud or Distributed Denial of Service, (DDoS) attacks, but more likely this will be their point of entry for other forms of malicious activity such as disrupting operations, identity theft, financial theft, and even corporate espionage. There are ‘situation rooms’ for a reason, as even the secure conference calls we believe we are having have been compromised.”
If enterprises want to truly secure real-time cloud communications, they need to have a clear and deep understanding of all threats, including those associated with voice-based applications, Gomulu summarized.
“PAM is an important part of an overall approach that identifies and pinpoints threats, has security policies in place to stop a spreading attack, provides an enterprise-wide view of all applications across all networks, and automation and analytical tools to keep networks safe. CSPs are in an ideal position to bring voice security solutions to their enterprise and business customers, while adopting a proven strategy for securing their own voices services to protect every subscriber who connects to their networks.”
We have all found ourselves in a different world of work given the events that have defined 2020, and few professionals are feeling the pressure more than IT and OT teams.
Just as cyber risks evolve, the evolution of risk appetite frameworks is more active than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile works, ecosystem partnerships and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”
Two-factor authentication has been around for decades – requiring an additional step between entering a username and password, for example, then entering a one-time security code sent to a mobile device – to access applications, systems and data.