SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Security versus convenience? Don't trust everything 'UC'
Mon, 9th Oct 2017
FYI, this story is more than a year old

Unified communications (UC) is moving from cutting edge to commonplace as more enterprises see the value of consolidating communications into a single, simple-to-use application. But if your company's applications and all the conveniences that come with them  have you second-guessing your security exposure, trust your instincts. The reality is that UC applications—even well-established ones—present a security risk to your enterprise.   While UC-based attacks haven't been around as long as Internet-based hacks, they've attracted more attention from criminals because of their rate of success and their profitability. For 2015, the Communications Fraud Control Association (CFCA) estimated global losses for communications fraud at more than $38 billion. To put that into perspective, global credit card fraud is estimated at a little over $16 billion each year.   For Singapore, aspirations to become a Smart Nation have put a premium on data protection and advanced the race against cyber threats. In June, the Ministry of Communications and Information, in partnership with the Cyber Security Agency, released the proposed Cybersecurity Bill for public consultation. This bill is expected to be passed by Parliament by the start of 2018, and will have critical implications on how enterprises manage, investigate and respond the threats related to their applications, including UC.   These UC applications run in real time on IP-based networks (e.g., TCP and UDP), and real-time IP communications use a protocol called SIP (Session Initiation Protocol) that is embedded within the TCP and UDP streams. Real-time communications have different requirements than data communications. For example, if you drop a packet while downloading a web site, you can just send another packet. But if you drop a word in a real-time conversation, you can't re-insert it later in the conversation.   Why is the distinction between real-time and data important to security? Because many companies are using data-based security devices, such as firewalls, as their primary line of defense for everything, and firewalls simply weren't designed for SIP-based communications. As a result, enterprises turn off certain security features to accommodate real-time voice and video, which in turn creates new security holes. Cybercriminals not only know this, but exploit this.   How Do You Spell UC Security? S-B-C.

Ranked 5th in Asia in terms of vulnerability to cyber-attack by Deloitte's Asia-Pacific Defense Outlook report in 2016, Singapore and its enterprises are constantly exposed to an array of threats, including data exfiltration, DDoS attacks, ransomware, etc. It seems a month doesn't go by without stories of the latest security breach or website shutdown making the news.

The latest episode of the Singapore cyber attack saga, for instance, involves life insurance firm AXA and the stolen personal data of its 5,400 customers. And  this is just one of the big attacks. The reality is that most enterprises will be targeted by some type of sophisticated network attack—and more than once—over the next twelve months.   Mobile devices that use UC and real-time collaboration tools are as susceptible to attack as any other network-connected device—even more so when you consider risks such as non-secure wireless networks, weak password protection and the presence of “rogue” productivity applications. Given Singapore's mobile penetration rate – one of the highest in the world – employees' unsecured mobile devices could very likely become the next weak spot in their company's defenses.    So, if the proliferation of UC applications is a problem, what's the solution? Session border controllers, also known as SBCs.   SBCs function as a kind of highly sophisticated firewall designed specifically for real-time communications such as voice, video, screen sharing and WebRTC applications. SBCs provide security features such as media and signaling encryption, back-to-back user agents, network topology hiding and gray/blacklisting designed specifically for SIP communications.

Beyond security, SBCs include features such as media transcoding and SIP interworking that make UC applications work better. You can think of an SBC as a “traffic cop” that can enforce rules, give directions (in a variety of languages) and ensure that network real-time traffic flows smoothly and safely.   SBCs can take many forms. They can be small enough for a branch office of ten employees or big enough to handle thousands of calls per second in the largest data centers. They can be deployed on premises or in the cloud as a hosted service. They can run on a physical appliance or as software on a virtual machine. With so many options, one would assume that every enterprise would have some type of SBC in place. This is, however, not the case. In fact, over one-third of all enterprises (37 percent) that have SIP trunks coming into their data center do not have an SBC in place to secure those SIP communications.   Three Ways That An SBC Can Save Your IP Network   #1. Don't trust your firewall to do a job it wasn't designed for. Firewall technology is all good and fine for data communications; next-generation firewalls (NGFWs) are even better. But a NGFW isn't designed to help you secure real-time communications. In fact, the application layer gateway (ALG) security feature on most NGFWs can negatively impact call completion on your network.

In other words, UC applications exceed the IQ of the standard enterprise firewall. So, what do most enterprises do? They turn off the ALG feature, which immediately exposes their UC application to security hacks. Only an SBC is designed to address both reliability and security in real-time communications.   #2. Don't treat SBCs and firewalls as complementary devices; they are co-defenders. Even enterprises that use SBCs often under-use them in the sense that they treat their SBCs and firewalls as separate security entities. This is a mistake, because cybercriminals will often attack multiple entry points within moments of each other. Why do cybercriminals do this?

Because they're looking for a weak link in your network's armor. Imagine that the moment a network attack is detected, every SBC and firewall was alerted to the attack and could immediately blacklist the source IP address; a holistic security approach like that would shut down phishing attempts and DDoS attacks immediately.   #3. Ensure your network gets smarter over time. One of the biggest reasons why enterprises have trouble spotting abnormal network activity is because they don't really understand what “normal” looks like. A flood of calls from  Malaysia could be a TDoS attack—or it could be your Malaysia office dialing in for an all-hands conference call. SBCs shouldn't be “dumb” sentries. They should leverage behavioral analytics to help drive customized and dynamic policies for your enterprise to more accurately identify anomalous and suspicious traffic, and safely quarantine that traffic until a determination can be made.   One final word of caution: don't look at SBCs as just security devices. Interoperability is critical to unified communications, and SBCs are crucial to providing seamless communications between different applications, devices and networks through transcoding and interworking. In other words, it takes an SBC to make unified communications truly secure and unified.