The National Security Agency (NSA) has issued new cybersecurity guidance that covers best practices and mitigations to help secure Unified Communications (UC) and Voice and Video over IP (VVoIP) call-processing systems.
The report, “Deploying Secure Unified Communications/Voice and Video over IP Systems,” aims to further NSA’s cybersecurity missions, including identifying threats to National Security Systems, Department of Defense information systems, and the Defense Industrial Base.
“UC and VVoIP call-processing systems provide rich collaboration tools and offer flexible ways to communicate by combining voice, video conferencing, and instant messaging in the modern workplace,” the report says. “Today, these systems are integrated into an enterprise’s existing Internet Protocol infrastructure, use commodity software, and are likely to use open-source and standard protocols.”
UC and VVoIP systems extend the attack surface of an enterprise’s network and, if not properly secured, are susceptible to the same malicious activity that targets existing IP systems, such as spyware, viruses, software vulnerabilities, or other malicious means. Threat actors, NSA said, could “penetrate IP networks to eavesdrop on conversations, impersonate users, commit toll fraud and perpetrate denial of service attacks,” and could covertly collect high-definition room audio and video.
The NSA report is broken into four parts:
- Preparing networks;
- Establishing perimeters;
- Using enterprise session controllers; and
- Adding UC/VVoIP endpoints for deployment of a UC/VVoIP system.
Among other methods to minimize the risk to UC/VVoIP systems, NSA suggests “segmenting the networks to limit access to a common set of devices, ensuring timely patching, authentication and encryption of all signaling and media traffic, and verifying the security of devices before adding them to a network.”