Forget Videobombing – Worry About What You Can’t See
If you follow any kind of tech news feed, you've surely seen stories about unwanted "guests" doing who knows what in someone's collaboration room. I take these intrusions very seriously, but I don't think they are the most serious security threat we face in UC or in IT overall. They grab our attention because we can literally see the attack happening, and we innately understand how it affects the users involved; it is a very tangible violation of our security. I believe we should be far more worried about the attacks that aren't obvious and whose motivation we can't easily understand. Rather than simply blaming the technology providers (who do shoulder some of the blame), we should use this experience to ask ourselves why these attacks are so successful and what we can do to protect the rest of our UC infrastructure from far more nefarious attackers.
How are UC assets at risk?
- PBX and UC infrastructure is often old and running software that is even older. Why don't organizations update it? "It's not broken" is the typical response. A more accurate response would be "what I can see isn't broken." The real problem lies in the bits you can't see: a 1990s-era FTP server (or any of many other examples) buried inside the system's old operating environment, unpatched and still listening, which turns these assets into potential entry points into the network.
- Too often UC security is outsourced to users. Many companies run sophisticated single sign-on tools (including two-factor authentication) for their e-mail and CRM systems, yet their UC tools often lack basic protections like password aging, or any real passwords at all. Worse, the users do have passwords, fifteen different ones, and then we wonder why they don't change them as often as the company's "Security Best Practices" handbook recommends from the dusty drawer where it lives. As vendors, we need to build UC solutions that are fully integrated into modern IT security systems and easy for users to connect to securely; as buyers, we need to replace the "isn't broken" gear with secure solutions.
- Too often threats are visualized in terms of gaining access to UC assets instead of treating UC assets as a "side door" into other systems. More and more, we see attackers avoiding a frontal assault on modern IT security systems. Instead, they target ancillary systems that are on the network but are not a primary IT asset. They look for a legacy or unprotected system, compromise it, and use it to steal users' credentials, which in turn grant access to other IT assets. Case in point: in March 2020, Russian state-sponsored hackers targeted the San Francisco Airport's website for its construction vendors. Surely this was not to get the scoop on runway paving contracts; rather, it was to steal users' credentials and use them to reach more important systems. (Think about the other airport IT systems those same contractors access as they maintain an airport, and how many of those users probably reuse the same password across dozens of systems.)
- We underestimate our opponents. We are used to hearing about toll-fraud attacks and the clever ways attackers gain access; we grasp that threat. However, in the new world order of state-sponsored hacking, comparing toll-fraud criminals to these actors is like comparing pickpockets to the mafia. Traditional attacks are still serious threats that come with real monetary damages, but they don't compare to the threat from state-sponsored attackers who are finding and stockpiling vulnerabilities to build cyber arsenals. These are adversaries who don't want you to know you've been hacked: the longer you feel safe, the longer their access lasts and the more they can do with it. Most of us would say "well, my system has never been hacked" because we assume the only threats are the ones we can see, à la videobombing. In fact, we may have no idea.
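The first point above, that the real problem is the services you can't see, is something you can check rather than assume. The following is an added example, not code from the original post or from any vendor: it parses the "grepable" output of a version scan (the shape produced by `nmap -sV -oG -`) of your PBX and SBC addresses, then reports every open port that is either a cleartext legacy management protocol or not on the short list of services a UC host is expected to expose. The scan output, host names and banners below are constructed for illustration, and the allowlist of expected ports is an assumption to tune for your own environment.

```python
"""Inventory what is actually listening on UC hosts and flag what doesn't belong.

Reads nmap grepable (-oG) output, so it can be run offline against a saved scan.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of `nmap -sV -oG - 10.0.5.0/28`.
# Hosts, names and version banners are made up for this example.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated ... as: nmap -sV -oG - 10.0.5.0/28
Host: 10.0.5.20 (pbx01.corp.example)\tStatus: Up
Host: 10.0.5.20 (pbx01.corp.example)\tPorts: 21/open/tcp//ftp//WU-FTPD 2.6.0/, 23/open/tcp//telnet//Linux telnetd/, 5060/open/udp//sip//Asterisk PBX 1.8.32/, 8080/open/tcp//http//Apache Tomcat 5.5/\tIgnored State: closed (996)
Host: 10.0.5.21 (sbc01.corp.example)\tStatus: Up
Host: 10.0.5.21 (sbc01.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH 9.6/, 443/open/tcp//ssl|https//nginx 1.24.0/, 5061/open/tcp//ssl|sip///\tIgnored State: filtered (997)
# Nmap done at ... -- 16 IP addresses (2 hosts up) scanned
"""

# Assumption: the only services a UC host should expose.  Anything else is the
# part of the box nobody looks at.  Adjust per platform and environment.
EXPECTED_UC_PORTS = {("tcp", 22), ("tcp", 443), ("udp", 5060), ("tcp", 5060), ("tcp", 5061)}

# Cleartext or legacy management protocols that have no business on a PBX.
LEGACY_SERVICES = {"ftp", "telnet", "tftp", "rsh", "rlogin", "rexec", "finger"}

# One -oG port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


@dataclass
class Finding:
    host: str
    port: int
    proto: str
    service: str
    version: str
    reason: str


def parse_grepable(text):
    """Yield (host, port, proto, service, version) for every open port in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and bare "Status: Up" lines carry no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            if state != "open":
                continue
            yield host, int(port), proto, service, version.strip()


def audit(text, expected=EXPECTED_UC_PORTS, legacy=LEGACY_SERVICES):
    """Return a Finding for each open port that is legacy or not on the allowlist."""
    findings = []
    for host, port, proto, service, version in parse_grepable(text):
        base = service.split("|")[-1]  # nmap writes TLS-wrapped services as "ssl|sip"
        if base in legacy:
            findings.append(Finding(host, port, proto, service, version,
                                    "legacy cleartext service"))
        elif (proto, port) not in expected:
            findings.append(Finding(host, port, proto, service, version,
                                    "not in UC service allowlist"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"{f.host}:{f.port}/{f.proto} {f.service} [{f.version or 'no banner'}] -> {f.reason}")
```

Run against the constructed scan, the SBC comes back clean while the PBX shows an FTP daemon, a telnet daemon and an old Tomcat on 8080, none of which anyone would have listed as part of "the phone system." Save the real scan with `-oG` and feed the file to `audit()` to get the same report for your own gear; the version banners it prints are what you then take to the vendor's patch notes.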
Fundamentally, the root cause is that our industry isn't investing enough in UC security assets, refreshing them regularly, and integrating them into a wider IT security framework. No one would suggest that simply having a firewall completely secures your data network; likewise, you shouldn't assume that because you purchased a Session Border Controller five years ago, your UC solutions are secure. An SBC is still critical as the first line of defense, but it has to be running current software, it should feed into larger analytics solutions that see multiple facets of the network, and it needs to be able to interact with the rest of your IT security assets. As Apple famously said, "Think Different," and that is particularly true as we move forward with UC security.