When voice was first routed over the same network as data, it threw up all sorts of security issues, many of which (according to some) have yet to be fully addressed. And if that wasn't enough, now there's Unified Communications (UC) which, because it consolidates together a wider range of technologies beyond mere voice and data, presents an even greater security challenge. More than that, UC also encompasses the use of mobile devices and communication across insecure public and wireless networks, both of which add unique vulnerabilities to the mix.
First comes consolidation
By its very nature, unified communications implies consolidation, using a single IP network to carry not just voice, data and email, but presence information, video, instant messaging, collaboration and other traffic, each with its own vulnerabilities.
Ok, so each will also have parallel security technologies, firewalls, gateway anti-virus scanners, spam traps and so on, but these are mainly designed to work in isolation. Attempt to apply them all and it can make protecting the traffic that goes to make up a UC solution, and managing that protection, a very complex task indeed.
On top of that the integration of multiple communication streams opens the door to combination attacks not, otherwise, possible when component technologies are deployed independently.
One fairly simple but very common threat is so-called "toll fraud" where, typically, a brute-force password cracking attack, which at one time might have been used to extract network passwords, is directed at a company PBX to discover the codes used to route IP calls around both the corporate network and the wider PSTN. The hackers concerned can then sell discounted calls, often quite openly, and make millions of dollars off the back of the hacked infrastructure.
Think it can't happen? Then look up the case of Edwin Pena who in 2010 became the first person to be convicted for VoIP/UC hacking in the US. Pena broke into more than fifteen companies and resold over 10 million of their communication minutes on the open market!
Less spectacular but, potentially, just as damaging are the single point of failure implications of routing so much mission-critical information over the same, consolidated, infrastructure.
The risks here escalate as more applications are added, to a point where, should the network fail or succumb to a denial of service attack, you could lose everything you need to run the business. Voice calls will be interrupted or, worse still, dropped; presence information lost and video conferences totally curtailed. Online meetings will, similarly, be thrown into chaos and it could take a long, long time to get everything up and working again.
On the plus side , technologies to protect the network from DoS and other common attacks are mature and very effective. Likewise it's not that hard to build extra resilience and redundancy into the supporting infrastructure, but it's important not to be complacent. The more applications you introduce the greater the risk of hackers finding another way in.
The mobile angle
And then there's the mobile angle, where it's well accepted that one of the biggest drivers behind the adoption of Unified Communications is its ability to extend connectivity out beyond the confines of the corporate network. That, however, also throws up security issues, including those listed below
- Mobile devices containing potentially confidential and highly sensitive information are all too easily lost or stolen.
- In an era when apps can be downloaded for next to nothing, mobile devices may be exposed to users adding non-approved and potentially insecure applications.
- Mobile communications will inevitably traverse the non-secure Internet with connectivity via public access points in coffee shops, airport lounges and so on. VPN tunnelling can help on notebooks but isn't an option on processor-light devices such as smartphones, raising the risk of communications being intercepted and/or diverted.
- The access points needed within the UC infrastructure to support mobile connectivity are a risk in themselves, requiring additional controls to insure only valid devices and users are allowed in.
Naturally UC vendors, mobile device manufacturers and third parties developers are all working to address these issues with plenty of tangible results. So for example, the ability to encrypt notebook hard disks and storage in other mobile devices is now a common option, as is the ability to remotely lock mislaid or stolen smartphones and wipe their content. Multi-factor authentication is, similarly, a popular option while, for the paranoid it's possible to securely encrypt UC transmissions, end to end.
Unfortunately most of these options are just that - optional. Applying them is down to the discretion of the customer and their technical staff. In a lot of cases if the default isn't to apply the security option it simply doesn't get turned on. Not because the customer doesn't want the protection but, typically, because they don't know what the implications are for not turning it on or, perhaps, because they fear it will affect performance in some way.
That perennial people problem
Making sure available security measures are applied and enforced is more of a people issue than anything else. Which, finally, brings us to users, arguably, the biggest vulnerability of all and the hardest to protect.
In the age of UC, social engineering attacks are becoming ever more sophisticated. From simple calls to get users to divulge passwords to logon and make calls to more elaborate scams where hackers build complete bogus Call centres using free open source software. They then direct unsuspecting callers to the sites using the VoIP equivalent of a phishing email, a practice known as "vishing". Just like the real thing the bogus call centres can be automated but behind the scenes calls can be forwarded to premium rate numbers and other information such as passwords and credit card numbers extorted along the way.
It's all very worrying and security remains the number one reason for customers deciding not to implement a UC solution or choosing to delay it. Equally, it's something the vendors are well aware of and working hard to address. So much so that, if you're one of those who thought it too risky in the past, it might be worth just checking out what the big names have being doing about UC security in the meantime.
This article is written by Alan Stevens and sponsored by Avaya. The opinions reflected in this piece are solely those of Alan Stevens and may not reflect those of Avaya management