Serg Nvns - Fotolia

Manage Learn to apply best practices and optimize your operations.

Unified communications platforms lack security scrutiny

As UC platforms become more open to the outside world, IT leaders need to heed newer threats, including guest-access features, federation capabilities and cloud services.

Nemertes Research, a tech advisory firm, recently interviewed IT security leaders about their top enterprise security concerns and challenges. Unsurprisingly, participants rarely cited attacks on unified communications applications and infrastructure as a top security concern. 

This lack of interest in UC security isn't just among security leaders. Even those responsible for IP telephony and unified communications platforms rarely cite security as a primary focus. Instead, they spend the bulk of their time on operational issues, architectural planning, vendor management and, increasingly, working with lines of business to support digital transformation.

Why the lack of UC security concern? Here are some reasons:

  • Unified communications platforms have historically been closed. IP telephony systems, for example, are not easily accessible from the outside world. Calls entering or leaving the enterprise system go through a gateway to reach the PSTN via digital circuits, or they traverse Session Initiation Protocol (SIP) trunks protected by session border controllers.
  • Unified communications platforms are not considered high-value targets. Instead, the perception is hackers are primarily interested in obtaining customer data, such as social security numbers, account information or other personally identifiable data that a criminal entity can exploit for financial gain.
  • There haven't been any high-profile hacks of UC systems -- the kind that make the evening news or the front pages of newspapers and cause companies material harm in terms of lost earnings, reduced stock price or compensation to affected parties.
IT leaders would be wise to raise the profile of security protection for their UC platforms.

However, IT leaders would be wise to raise the profile of security protection for their unified communications platforms. Increasingly, UC platforms are opening up to the outside world. 

Many systems, for instance, allow guest access for voice and video calls, or for screen sharing via native apps or WebRTC. Some systems federate presence, voice and video with partners or cloud providers.

The shift to the cloud, especially for hybrid services, creates new potential vectors for attack via connections to internal applications. Embedding communications into applications via APIs creates yet another potential avenue of attack for those who can exploit these interfaces.

SIP-based services also present a unique challenge for protection. Some firewall vendors, for example, advise turning off SIP application-layer gateways to avoid connection problems caused by nonstandard SIP implementations.

Be proactive, not reactive

Successfully securing unified communications platforms requires a multipronged approach that includes regular audits of on-premises systems, patch management to address new exploits as they are discovered and, typically, the use of session border controllers for securing external access points, such as SIP trunking and WebRTC.

A successful security approach also requires protecting against phishing, spam phone calls, telephony denial-of-service attacks and internal threats, including malicious use of internal phone resources and toll fraud. 

Finally, a security strategy requires ongoing due diligence of cloud providers to ensure they are providing accurate reports on their own security mitigation efforts and any discovered breaches. 

Make security a core tenet of your UC strategy. Shift from dealing with threats reactively after they occur to preventing them before they happen.

Next Steps

UC platforms incorporate contextual communications.

Is it time to upgrade your UC platform?

Embedded communications present new security threats.

Dig Deeper on IP Telephony Systems

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

How can you be proactive in securing your UC platforms?

This is an excellent article on a very important matter.  In particular, you said: "SIP-based services also present a unique challenge for protection."  This is particularly true in the SMB space for businesses wanting to gain the benefits of UCaaS.  

The issue wrapped around SIP is that many SMB businesses do not use session border controllers within their premises.  They rely on the service provider to guard the SIP connection. This is a virtual impossibility when many implementations use customer-provided access via their public Internet provider.  

Broadview Networks, however, took a different approach with our Silhouette platform.  This is more commonly known in the industry as Broadview OfficeSuite.   With OfficeSuite, two specific technologies are deployed to assist the business from a security perspective.  

First, no SIP trunks are needed as communications to the endpoint (typically a handset) are delivered via our own protocol.  
  • As the end-point firmware is specific to this protocol no SIP trunks are needed.  
  • Communication happens and data, which resides on the servers - not the phones - is delivered in real-time.  
  • All data such as directories, call routing, voice mail, etc. reside on the secure servers, where Broadview manages the security.
Second, the data transmitted between the endpoint and the Silhouette servers is encrypted.  
  • It is encrypted from the platform to the device and from the device to the platform.
  • This includes both the actual voice call and the aforementioned data, such as directories, call routing, voice mail, etc.
The three primary results of these two unique security capabilities are: 
  • An elimination of the SIP point of entry for hackers as SIP trunks is not needed.
  • An elimination of the ability for hackers to "listen in" to the actual call being passed over the public Internet as the data is encrypted.
  • An elimination of the ability for hackers to gain entry to the data, such as customer, vendor, and other phone numbers typically resident in a handset, voicemail, etc. There is no data residing in the handset as it only transfers to the device when needed for the function to be used. 
For Resellers, there may be an additional benefit.  That is: 
  • When a Reseller sells Broadview OfficeSuite White-Label they may be protecting themselves from some level of liability.  
  • If a reseller decides to sell a hosted VoIP or UCaaS system that does not have the protections listed above, and a customer is hacked, there may be culpability assigned to the Reseller for their recommending, selling and supporting a SIP trunk based, unencrypted platform.  We all understand the impact this can have on a reseller. In extreme cases, it could potentially put them out of business.  
I appreciate the ability to put forth this additional information.
Keep up the excellent work. TechTarget generally and you, in particular, are doing a great job informing the business community of issues like this.

Pete Keane
Broadview Networks Wholesale