[BreachExchange] NSA Releases Guidance for Securing Enterprise Communication Systems

[Sophia Kingsbury]

https://www.securityweek.com/nsa-releases-guidance-securing-enterprise-communication-systems

The NSA on Thursday released guidance to help organizations secure their
communication systems, specifically Unified Communications (UC) and Voice
and Video over IP (VVoIP).

UC and VVoIP are call-processing systems that are used for communications
and collaboration by many enterprises, including government agencies and
their contractors.

The NSA has warned that if these systems are not properly secured, they are
exposed to the same risks as IP systems, including software vulnerabilities
and various types of malware. Threat actors could abuse such systems to
impersonate users, eavesdrop on conversations, cause disruptions, and
conduct fraud.

In an effort to help organizations secure UC and VVoIP systems, the NSA has
released a 43-page guide that describes network, perimeter, enterprise
session controller, and endpoint security best practices and mitigations.

The intelligence agency has also made available a 7-page information sheet
that summarizes the guide.

The NSA’s recommendations include using VLANs to separate UC/VVoIP systems
from the data network, implementing layer 2 protections, ensuring that all
UC/VVoIP connections are authenticated, ensuring that systems are patched,
authenticating and encrypting signaling and media traffic, using fraud
detection solutions, implementing mechanisms for preventing DoS attacks,
ensuring that systems are physically secure, and performing tests before
adding new devices to operational networks.

“Taking advantage of the benefits of a UC/VVoIP system, such as cost
savings in operations or advanced call processing, comes with the potential
for additional risk,” the NSA said. “A UC/VVoIP system introduces new
potential security vulnerabilities. Understand the types of vulnerabilities
and mitigations to better secure your UC/VVoIP deployment.”

The NSA has released many guides and advisories over the past year in an
effort to help public and private sector organizations protect their
systems against cyber threats.

Guidance released by the agency includes securing IT-OT connectivity,
adopting zero trust security, securing IPsec VPNs, work-from-home
recommendations, and implementing Protective DNS.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210618/1ef9fe20/attachment.html>