NSA releases guidance on voice and video communications security
Failure to secure voice and video calls could lead to hackers snooping


The National Security Agency (NSA) has released a new report giving organizations insight into the current best practices around the security of unified communications (UC) and voice and video over IP (VVoIP).
The report, titled Deploying Secure Unified Communications/Voice and Video over IP Systems, also looks at the potential risks to improperly secured UC/VVoIP systems.
Modern communications infrastructure in most organizations is tightly integrated with other IT networks, increasing the attack surface for hackers to gain access. The NSA said that UC/VVoIP devices would pose the same hacking risks to organizations through spyware, viruses, software vulnerabilities, or other malicious means if left inadequately secured.
"Malicious actors could penetrate the IP networks to eavesdrop on conversations, impersonate users, commit toll fraud and perpetrate denial of service attacks," the NSA said in a statement.
"Compromises can lead to high-definition room audio and/or video being covertly collected and delivered to a malicious actor using the IP infrastructure as a transport mechanism."
The report outlined the measures organizations should take to enhance security, such as segmenting voice and video traffic from data traffic and using separate IP address ranges to limit access to a common set of devices.
In addition to using VLANs, administrators should also use access control lists and routing rules to limit access to devices across VLANs. According to the NSA, this makes it more difficult for a malicious actor to access open services on phones and servers from outside the VLAN.
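As an added illustration (not code from the NSA report or this article), the sketch below evaluates a first-match ACL against a few probe flows and reports which ones reach phones from outside the voice VLAN. The address plan, the SIP port 5060, the rule sets and every function name are constructed assumptions.

```python
import ipaddress as ip

# Constructed address plan (assumption, not taken from the NSA report).
VOICE = ip.ip_network("10.20.0.0/24")    # IP phones
UC_SERVER = ip.ip_address("10.30.0.10")  # call server allowed to signal phones

def rule(action, src, dst, port=None):
    """One ACL entry; port=None matches any destination port."""
    return {"action": action, "src": ip.ip_network(src),
            "dst": ip.ip_network(dst), "port": port}

# Flat network: everything may talk to everything.
WEAK_ACL = [rule("permit", "0.0.0.0/0", "0.0.0.0/0")]
# Segmented: only the call server reaches phones, and only for SIP signaling.
TIGHT_ACL = [
    rule("permit", "10.30.0.10/32", "10.20.0.0/24", 5060),
    rule("deny", "0.0.0.0/0", "10.20.0.0/24"),
    rule("permit", "0.0.0.0/0", "0.0.0.0/0"),
]

def decide(acl, src, dst, port):
    """First-match evaluation with an implicit deny at the end."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for r in acl:
        if s in r["src"] and d in r["dst"] and r["port"] in (None, port):
            return r["action"]
    return "deny"

def exposed_phone_flows(acl, probes):
    """Permitted flows into the voice VLAN from outside it (UC server excepted)."""
    found = []
    for src, dst, port in probes:
        s, d = ip.ip_address(src), ip.ip_address(dst)
        crosses = d in VOICE and s not in VOICE and s != UC_SERVER
        if crosses and decide(acl, src, dst, port) == "permit":
            found.append((src, dst, port))
    return found

# Constructed probe flows: (source, destination, destination port).
PROBES = [
    ("10.10.0.55", "10.20.0.31", 80),    # workstation -> phone web UI
    ("10.10.0.55", "10.20.0.31", 5060),  # workstation -> phone SIP
    ("10.30.0.10", "10.20.0.31", 5060),  # UC server -> phone SIP
    ("10.20.0.32", "10.20.0.31", 5060),  # phone -> phone, same VLAN
]

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("tight", TIGHT_ACL)):
        print(name, exposed_phone_flows(acl, PROBES))
```

With the flat rule set both workstation probes reach the phone; with the segmented rule set none do, while the call server's signaling is still permitted.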
Another best practice the NSA outlined is implementing layer 2 protections and address resolution protocol (ARP) and IP spoofing defenses. It also recommended only using switches with these protections.
The NSA also said that PSTN gateways should authenticate all UC/VVoIP connections and not allow calls directly from IP phones without the UC/VVoIP server’s permission.
The agency also urged organizations to use only vendor-signed patches downloaded from trusted sources.
The NSA said taking advantage of a UC/VVoIP system’s benefits, such as cost savings in operations or advanced call processing, comes with potential risk.
"A UC/VVoIP system introduces new potential security vulnerabilities. Understand the types of vulnerabilities and mitigations to better secure your UC/VVoIP deployment," the agency said.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.