Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

NSA Releases Guidance for Securing Enterprise Communication Systems

The NSA on Thursday released guidance to help organizations secure their communication systems, specifically Unified Communications (UC) and Voice and Video over IP (VVoIP).

UC and VVoIP are call-processing systems that are used for communications and collaboration by many enterprises, including government agencies and their contractors.

The NSA on Thursday released guidance to help organizations secure their communication systems, specifically Unified Communications (UC) and Voice and Video over IP (VVoIP).

UC and VVoIP are call-processing systems that are used for communications and collaboration by many enterprises, including government agencies and their contractors.

The NSA has warned that if these systems are not properly secured, they are exposed to the same risks as IP systems, including software vulnerabilities and various types of malware. Threat actors could abuse such systems to impersonate users, eavesdrop on conversations, cause disruptions, and conduct fraud.

In an effort to help organizations secure UC and VVoIP systems, the NSA has released a 43-page guide that describes network, perimeter, enterprise session controller, and endpoint security best practices and mitigations.

The intelligence agency has also made available a 7-page information sheet that summarizes the guide.

The NSA’s recommendations include using VLANs to separate UC/VVoIP systems from the data network, implementing layer 2 protections, ensuring that all UC/VVoIP connections are authenticated, ensuring that systems are patched, authenticating and encrypting signaling and media traffic, using fraud detection solutions, implementing mechanisms for preventing DoS attacks, ensuring that systems are physically secure, and performing tests before adding new devices to operational networks.

“Taking advantage of the benefits of a UC/VVoIP system, such as cost savings in operations or advanced call processing, comes with the potential for additional risk,” the NSA said. “A UC/VVoIP system introduces new potential security vulnerabilities. Understand the types of vulnerabilities and mitigations to better secure your UC/VVoIP deployment.”

The NSA has released many guides and advisories over the past year in an effort to help public and private sector organizations protect their systems against cyber threats.

Guidance released by the agency includes securing IT-OT connectivity, adopting zero trust security, securing IPsec VPNs, work-from-home recommendations, and implementing Protective DNS.

Related: NSA Lists 25 Vulnerabilities Currently Targeted by Chinese State-Sponsored Hackers

Related: NSA: Russian Hackers Exploiting VPN Vulnerabilities – Patch Immediately

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.