Hacking Unified Communications security
by Adam Boone - Sipera Systems - Friday, 8 April 2011.
A fundamental shift in the IT security world has taken place. It is the common thread running through these real-world case studies:

1. An enterprise telecoms manager at a small company is stunned to receive a US$100,000 phone bill, an invoice many times greater than normal.

2. A major health care system of hospitals and clinics has deployed converged IP communications. One day, the privacy compliance officer discovers that doctors, nurses and pharmacists are communicating protected patient data to each other using an unauthorized instant messaging application pushing data out into “the Cloud,” somewhere out on the Internet. Panicked, the officer realizes a major privacy law violation is taking place.

3. A major bank adopts SIP trunking to cut telecoms costs. The SIP trunks bring in-bound calls to call center representatives who are the primary interface with the bank’s retail banking customers. Within an hour of turning up the trunks, the bank’s new system is hit by a VoIP Denial of Service attack designed to effectively block all calls to its call center services, cutting off communications with its customer base in the middle of the business day.

These are all factual accounts of recent Unified Communications (UC) security risks encountered by real companies. They represent stark examples of the new security environment facing companies around the world as Unified Communications reaches mass adoption.

UC Security is the new phase in the long evolution of IT security. Each leap forward in technical innovation is followed by the exploitation of security vulnerabilities as the new technology reaches mass adoption. Local Area Networks and Wide Area Networks spawned the need for authentication systems, firewalls and intrusion detection systems. Ubiquitous computing and the Internet eventually brought the need for anti-virus on end-points, spam protection, and VPNs. The new era of enterprise communications – UC – is bringing with it new attack vectors, exploits, and losses mounting into the billions of dollars for companies that fail to properly plan or appreciate the unique requirements of UC applications.

UC is most often defined as the convergence of multiple communications applications – typically VoIP, collaboration tools, instant messaging, presence-enabled tools, and IP video conferencing. UC also often involves new end-point devices such as smartphones or tablets accessing these communications applications. UC may also involve extending communications across untrusted networks such as the Internet or other networks out of the company’s control, such as with SIP trunks. Finally, UC may include connecting with applications in another company’s environment, such as that of a supply chain partner, or incorporating an application running from “The Cloud” or a hosted provider. In short, UC often involves varied, smart end-points sharing corporate data and corporate applications across borders and over untrusted networks.

Every aspect of this innovation involves a multitude of new security concerns. As is the case with all technical innovations, the security risks that really matter do not become apparent until the technology has been in use for some time.

