NSA releases guidance on voice and video communications security

Failure to secure voice and video calls could lead to hackers snooping

The National Security Agency (NSA) has released a new report giving organizations insight into the current best practices around the security of unified communications (UC) and voice and video over IP (VVoIP).

The report, titled Deploying Secure Unified Communications/Voice and Video over IP Systems, also looks at the potential risks to improperly secured UC/VVoIP systems.

Modern communications infrastructure in most organizations is tightly integrated with other IT networks, increasing the attack surface for hackers to gain access. The NSA said that UC/VVoIP devices would pose the same hacking risks to organizations through spyware, viruses, software vulnerabilities, or other malicious means if left inadequately secured.

"Malicious actors could penetrate the IP networks to eavesdrop on conversations, impersonate users, commit toll fraud and perpetrate denial of service attacks," the NSA said in a statement.

"Compromises can lead to high-definition room audio and/or video being covertly collected and delivered to a malicious actor using the IP infrastructure as a transport mechanism."

The report outlined the tips and tricks organizations should undertake to enhance security, such as segmenting voice and video traffic from data traffic and separate IP address ranges to limit access to a common set of devices.

Related Resource

Five lessons learned from the pivot to a distributed workforce

Improve employee experience and support IT teams for a more adaptable distributed workforce

Five lessons Learned from the pivot to a distributed workforce - whitepaper from VMwareDownload now

In addition to using VLANs, administrators should also use access control lists and routing rules to limit access to devices across VLANs. According to the NSA, this makes it more difficult for a malicious actor to access open services on phones and servers from outside the VLAN.

Another best practice the NSA outlined is implementing layer 2 protections and address resolution protocol (ARP) and IP spoofing defenses. It also recommended only using switches with these protections. 

The NSA also said that PSTN gateways should authenticate all UC/VVoIP connections and not allow calls directly from IP phones without the UC/VVoIP server’s permission.

The agency also urged organizations to use only vendor-signed patches downloaded from trusted sources. 

The NSA said taking advantage of a UC/VVoIP system’s benefits, such as cost savings in operations or advanced call processing, comes with potential risk.

"A UC/VVoIP system introduces new potential security vulnerabilities. Understand the types of vulnerabilities and mitigations to better secure your UC/VVoIP deployment,” the agency said.

Featured Resources

Preparing for AI-enabled cyber attacks

MIT technology review insights

Download now

Cloud storage performance analysis

Storage performance and value of the IONOS cloud Compute Engine

Download now

The Forrester Wave: Top security analytics platforms

The 11 providers that matter most and how they stack up

Download now

Harness data to reinvent your organisation

Build a data strategy for the next wave of cloud innovation

Download now

Recommended

McAfee’s zero trust solution strengthens private applications’ security
cyber security

McAfee’s zero trust solution strengthens private applications’ security

3 Aug 2021
Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Mastering endpoint security implementation
Security

Mastering endpoint security implementation

3 Aug 2021
86% of organizations expect a cyber attack in the next 12 months
cyber attacks

86% of organizations expect a cyber attack in the next 12 months

3 Aug 2021

Most Popular

RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Zyxel USG Flex 200 review: A timely and effective solution
Security

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021
Preparing for AI-enabled cyber attacks
Whitepaper

Preparing for AI-enabled cyber attacks

22 Jul 2021