The NSA on Thursday released guidance to help organizations secure their communication systems, specifically Unified Communications (UC) and Voice and Video over IP (VVoIP).
UC and VVoIP are call-processing systems that are used for communications and collaboration by many enterprises, including government agencies and their contractors.
The NSA has warned that if these systems are not properly secured, they are exposed to the same risks as IP systems, including software vulnerabilities and various types of malware. Threat actors could abuse such systems to impersonate users, eavesdrop on conversations, cause disruptions, and conduct fraud.
In an effort to help organizations secure UC and VVoIP systems, the NSA has released a 43-page guide that describes network, perimeter, enterprise session controller, and endpoint security best practices and mitigations.
The intelligence agency has also made available a 7-page information sheet that summarizes the guide.
The NSA’s recommendations include using VLANs to separate UC/VVoIP systems from the data network, implementing layer 2 protections, ensuring that all UC/VVoIP connections are authenticated, ensuring that systems are patched, authenticating and encrypting signaling and media traffic, using fraud detection solutions, implementing mechanisms for preventing DoS attacks, ensuring that systems are physically secure, and performing tests before adding new devices to operational networks.
“Taking advantage of the benefits of a UC/VVoIP system, such as cost savings in operations or advanced call processing, comes with the potential for additional risk,” the NSA said. “A UC/VVoIP system introduces new potential security vulnerabilities. Understand the types of vulnerabilities and mitigations to better secure your UC/VVoIP deployment.”
The NSA has released many guides and advisories over the past year in an effort to help public and private sector organizations protect their systems against cyber threats.
Guidance released by the agency includes securing IT-OT connectivity, adopting zero trust security, securing IPsec VPNs, work-from-home recommendations, and implementing Protective DNS.
Related: NSA Lists 25 Vulnerabilities Currently Targeted by Chinese State-Sponsored Hackers
Related: NSA: Russian Hackers Exploiting VPN Vulnerabilities – Patch Immediately