Unified Communications (UC) is normally defined as the point at which disparate communications applications come together. It usually includes video conferencing, instant messaging, collaboration tools, VoIP and presence tools. UC also involves new tools for the user to access these services, such as tablets or smartphones. UC might also involve extending communications over untrusted networks, such as areas of the Internet, or other networks that are outside the company’s control, like SIP trunks.
The advent of UC necessitates a similar advancement in IT security. Each quantum innovation is quickly followed by exploitation of security issues as the new tech reaches critical mass and is adopted by many. As LANs and WANs created the need for intrusion detection systems, firewalls and authentication systems, the Internet ultimately spawned anti-virus programs, VPNs and spam protection. This is a new era in corporate communications, and UC is on the rise. But it is bringing with it new exploits, attack vectors, and billion dollar losses.
Unfortunately, the risks that matter most have not become obvious until the technology has been used for a while. Consider these cases:
- Companies using unsecured UC/VoIP systems fell victim to a Romanian hacking ring, which stole an estimated 11 million Euros in services.
- US companies were victimized by an international group that used hackers in Asia and resold stolen services in Italy. Over 2,000 businesses were compromised, and over US$5 million of minutes were stolen, before the US government shut it down.
- So widespread is Vishing, or the practice of using VoIP tech to steal identities, that the government warns companies continuously. Recently, millions of US retail banking customers were targeted by a series of Vishing scams that prompted authorities to issue corporate and consumer alerts across several states.
- Smaller companies, too, are falling victim to incidences of toll fraud in which the company receives a communications bill for an order of magnitude above what they usually get – easily tens of thousands of dollars, or more.
- UC vectors are also being used for corporate espionage. Some security experts are confirming cases of data leakage, eavesdropping and other related crimes resulting from inadequately secured VoIP systems. Not only are these vulnerabilities present in simple VoIP, but in instant messaging and other applications also.
- More disturbing VoIP crimes are also rising, including SWATting, which is the practice of calling a bogus hostage crisis or terrorist attack while using a spoofed caller identification. This causes authorities to send powerfully armed police to an innocent business, or even a residence.
These problems all stem from the common fallacy that UC and VoIP do not need any security beyond the basics. It’s a reasonable assumption that every victim above had this sense of complacency. UC, however, has some distinct attributes that must be addressed, which must include:
Real-Time Performance: In order to be considered “business class,” UC tools must perform – and also be secured – in real-time. Email and web browsing are asynchronous.
Converged Applications: A range of applications converge their traffic in UC, whereas previously they were separate. This makes it easier to compromise other applications if just one of them is compromised. Free tools available on the Internet now allow an attacker to hop from a VoIP virtual LAN into the data virtual LAN. If that happens, the risk level for every system attached to the internal network skyrockets.
Untrusted Networks: In the modern market, there are many more teleworkers, employees on smartphones, and even people working from coffee shops. The company extends the UC to these computers – over untrusted networks, where a sniffer can intercept and trap corporate data.
New End-Points: Workers are using tablets, smartphones, and other new devices to conduct company communications. Worse, the current trend is to allow employees to work on their own devices. If the company is granting access to resources like VoIP and US through these devices, then those systems are open to risks presented by the new devices – devices over which corporate IT does not have control.
To summarize, UC requires application-layer security just like any other communications application. Web browsing, spam and email all brought us new products like firewalls, filters and proxy servers that offer security for corporate data. A company must make sure that it fully examines its security architecture before it adopts UC. This must be done in light of each new UC security requirement. If this is done fully and proactively, then a company can make its path forward simpler and more effective.