A 2009 Aberdeen Group report analyzed the liability costs associated with common information compliance lapses, and it found that the maximum liability for lapses in credit card privacy ranged up to $1.5 million. For patient data privacy in a healthcare context, a compliance lapse can result in liability topping $1 million.
These are high stakes. Information security professionals in all types of enterprises are well versed in the best practices for protecting databases, controlling web-based threats, and using firewalls and other devices to “lock down and button up” networks.
Meanwhile, a new communications trend has opened up significant security gaps that threaten to undermine all these carefully thought-out and executed compliance efforts. The increasingly widespread deployment of Voice-over-IP and other communications applications requires proactive analysis and a rethinking of IT security practices and architectures.
Estimates vary, but industry analysts believe enterprises and service providers worldwide have spent more than $30 billion over the past decade deploying VoIP, next-generation video and related communication technologies. These communications technologies are loosely described as “Unified Communications” or UC.
At the most basic level, deploying UC involves replacing old telephone systems, closed circuit video systems and other communications networks in the enterprise with new applications running over a single, converged network based on Internet Protocol (IP) technologies. The converged IP network is simply an expanded form of the data network used by the company to support enterprise applications (ERP, financial systems, document management, CRM, project management) and to access the Internet, for web surfing and email.
The advantages from UC can be many. The converged network eliminates expensive redundant networks, consolidates control over many forms of communication, and opens up the infrastructure to easy expansion to video conferencing, inexpensive remote video surveillance and other applications. UC makes it easy to extend rich communication to remote employees, distant offices, and employees on the go.
But the flip-side of this convergence is increasing compliance risk:
• Lack of privacy controls: Converged UC networks mingle traffic from all types of communications and data sources, including sensitive data that must be kept private. Yet, many of the applications in UC do not use encryption because of performance, compatibility or interoperability issues. Numerous tools can be found for free on the Internet that make eavesdropping on this traffic a simple matter that any teenage hacker can undertake.
• Non-compliance: Employees in enterprises of all types use Instant Messaging and similar UC applications to communicate mission critical data. In most environments, there is no way to log, audit or control instant messaging, even though protected information is being conveyed by these applications, even across the public Internet.
• Untrusted networks: Many third-party communication tools now in use by employees – such as VoIP on smartphones, IM and collaboration tools – utilize untrusted networks outside the enterprise’s control. IT managers and information security managers have decreased control over enterprise assets and less visibility into possible information leakage.
Some enterprises have responded to these issues by banning the use of certain applications or curtailing the functionality of the new UC deployment. But this approach is short-sighted. As every IT manager knows, employees end up using unauthorized, third-party applications anyway and typical security architectures make it difficult to prevent or enforce the ban. Furthermore, limiting the functionality of a UC deployment also limits the return-on-investment, undercutting the justification for adopting the new technology in the first place. Instead, some enterprises have discovered a solution to the UC security challenge via a group of UC security best practices. The emerging best practices include:
• Proactive security architecture planning: The managers of the communications security architecture (firewalls, VPNs, access control, etc.) must be brought into the discussion of UC deployment from the start. This way, appropriate information security rules and IT security postures can be evaluated and enhanced to enable the desired UC applications, instead of becoming an impediment later. Importantly, security planning must consider how to enable and secure real-time applications like voice and video without hampering performance, even when these applications cross untrusted networks and secure enterprise borders.
• VoIP and UC penetration testing: Many IT security managers conduct periodic penetration testing of data networks to uncover and mitigate vulnerabilities in the data network and IT resources, and to ensure security compliance. VoIP and UC use the same converged IP network technologies, so penetration tests must be conducted for VoIP and UC as well. These tests must consider threat vectors and security gaps that exist in both the signaling and the real-time media of the VoIP and UC applications, as well as both internal and external security postures.
• Continuous feedback and adjustment: A great benefit of UC is the ability to simply add new applications to the communications infrastructure as they become available. The UC security policy and practice must reflect the reality of the changing environment and continually adapt to the new uses and technologies coming into play.
My company, Sipera Systems, offers VoIP and UC penetration testing to enterprises and service providers, and we have witnessed firsthand many of the security gaps and exploits associated with these companies.
Some examples from the last several months:
• A client of ours was receiving bills for numerous, expensive international calls to a country in the Caribbean, but it had no records of placing these calls. We conducted an authorized penetration test to look for security gaps that could explain these mysterious calls. Our testers found that the customer had multiple infrastructure vulnerabilities and device misconfigurations that created openings for attackers to commit toll fraud. The issue of toll fraud, in which hackers utilize a company’s long distance facilities to place calls without authorization or payment, is an increasing problem in enterprises of all types and sizes.
• A client engaged in a lawsuit suspected that an external party was eavesdropping on conversations taking place on a VoIP system regarding the suit. To test this theory, the client planted false information in a call and, sure enough, the information appeared later in a communication related to the suit from the external party. In just a few hours of investigation, our penetration tester identified multiple VoIP security issues that needed to be addressed to prevent such eavesdropping from taking place.
• Across vulnerability assessments in multiple clients recently, our penetration testers have found that encryption is deployed correctly only approximately 5 percent of the time. In one particular test at a very large multinational enterprise, our tester was able to use basic, freely available traffic interception tools to capture not only the voice traffic, but also intercept touch-tone signals on the system. In other words, the entire voice mail system and all passwords were entirely exposed.
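As an added example (not Sipera's code, nor a tool described in this article), here is a small audit check that reads a SIP INVITE's SDP offer and reports the plaintext exposures discussed in the privacy-controls bullet and in the findings above: signalling sent without TLS, media offered as plain RTP/AVP rather than SRTP, and touch-tone (telephone-event) digits carried in the clear. The INVITE and the `inline:` key are constructed for the example; the check covers SDES-keyed SRTP (RFC 4568) and does not evaluate DTLS-SRTP offers.

```python
import re

# Constructed sample SIP INVITE carrying an SDP offer (not a real capture).
SAMPLE_INVITE = (
    "INVITE sip:2001@pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "m=audio 49170 RTP/AVP 0 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
    "m=video 51372 RTP/SAVP 96\r\n"
    "a=rtpmap:96 H264/90000\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_BASE64_KEY\r\n"
)


def audit_uc_offer(message):
    """Return a list of findings describing plaintext exposure in a SIP/SDP offer."""
    findings = []
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    # Signalling transport: only TLS keeps SIP headers (and any SDES keys) off the wire.
    via = re.search(r"^Via:\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    transport = via.group(1).upper() if via else "UNKNOWN"
    if transport != "TLS":
        findings.append(f"signalling over {transport}: SIP headers and SDP travel in the clear")
    # Each m= line opens a media section; its a= lines follow until the next m=.
    for sec in re.split(r"^(?=m=)", body, flags=re.M):
        if not sec.startswith("m="):
            continue
        mline, *attrs = sec.splitlines()
        media, port, proto = mline[2:].split()[:3]
        srtp = proto.upper() in ("RTP/SAVP", "RTP/SAVPF")   # SRTP profiles keyed via a=crypto (SDES)
        has_key = any(a.startswith("a=crypto:") for a in attrs)
        dtmf = any("telephone-event" in a for a in attrs)     # RFC 4733 DTMF events inside the RTP stream
        if not srtp:
            findings.append(f"{media}/{port} uses {proto}: media is plaintext RTP")
            if dtmf:
                findings.append(f"{media}/{port} carries telephone-event unencrypted: DTMF digits (PINs, voicemail passwords) exposed")
        elif not has_key:
            findings.append(f"{media}/{port} offers {proto} without a=crypto: no SRTP keys negotiated")
        elif transport != "TLS":
            findings.append(f"{media}/{port} SRTP keys in a=crypto sent over {transport}: SRTP is only as strong as the signalling path")
    return findings
```

Run against a capture of a real offer, the four findings this sample produces are the ones that would have to be cleared before the deployment could be called "encrypted correctly".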
Ultimately, we have found that companies that adopt a regular, repeatable process for continual evaluation and improvement of their VoIP and UC security posture will avoid many of these issues. In fact, a basic, simple process life cycle (see illustration) represents the best practice for continuous evolution of the security architecture.
The life cycle calls for an enterprise to understand, from the top level, which privacy mandates are central to the company’s mission, such as patient privacy (HIPAA), student privacy (FERPA), consumer privacy (GLBA), payment card privacy (PCI DSS) and others. The security audit should then focus on the potential communications vectors associated with the handling and processing of this protected data, and the requirements for safeguarding it. The life cycle then calls for assessment of the security architecture in line with these requirements, and a continuous process of reassessment and adjustment as mandates change and the VoIP and UC infrastructure evolves.