Ribbon: “To ensure security of RTC data while in-flight, software-hardware should leverage encryption”


Spotlight on RTC | TelecomDrive.com

Today’s hyper-connected, hyper-scale world is putting – Real Time Communications or RTC right into the helm of communications space and it is fast evolving to encompass increasing number of channels available for sharing information and data, beyond traditional email and voice mail systems. This is also opening new pathways for cybercriminals to enter the network and hence securing RTC becomes an extremely important priority for telecoms and enterprise networks.

Kevin Riley, CTO, Ribbon interacts with Zia Askari from TelecomDrive.com about the issue of securing real time communications (RTC) and why it has become so important for driving collaboration ahead.

How has the definition of real time communications security changed over the last few years?

Real time communications itself has been changing, evolving into unified communications with an increasing number of channels available for sharing information and data, beyond traditional email and voice mail systems. Instant messaging, social collaboration platforms, VoIP applications, and embedded communications in websites and mobile apps help build stronger, more productive businesses but also increase the “surface area” for attacks.

These instantaneous, multi-channel communications open new pathways for cybercriminals to enter the network, expanding the potential for internal data theft and loss. In a real time environment, attackers can spread malware, hijack systems, and steal data in a split second.

A growing number of attacks are targeting collaboration software where activities like file sharing, chat, video conferencing, live editing and other features elevate the risk of exposure.  Cybercriminals have learned to exploit user behaviors and tendencies toward greater trust, more downloads, a desire to share, and the mix of business and personal communications.

Real time connections enable faster breaches. Enterprises and organizations who don’t have the right security software and management policies and procedures in place are finding these increasingly difficult to manage.

What key technologies enable new security techniques for real time communications?

As SIP becomes the primary foundation for today’s real time communications, the use of Session Border Controllers (SBCs) has likewise grown. SBCs are built to create and leverage a secure real-time communications environment, where multiple devices across numerous networks interwork to create a unified user experience. To address today’s growing threat surface, SBCs must include:

  • B2BUA/Network Topology Hiding
  • DoS and DDoS Defense (Policers)
  • Encryption (Media and Signaling)
  • Toll Fraud Protection
  • Malformed Packet Protection
  • Call Admission Control/Overload Controls
  • Full SIP Session State Awareness

Security technology must be able to dynamically process real time communications requirements associated with the SIP “state”, to parse and infer active and changing port numbers, UDP service types, stream activity/inactivity, and bandwidth requirements.

Are security measures for different kinds of RTC different? For example, is securing video collaboration sessions different from securing text messaging and voice calls?

Security should be applied to all digital services.  While there are similarities given that these services are all being delivered over IP-based networks, including the Public Internet, all layers of the communications stack require a high degree of application awareness to provide maximum security.

As an example, Data Loss Protection (DLP) techniques should be invoked on file sharing features within a unified communications suite to protect digital assets while call recording/tapping security techniques should be invoked on voice channels.

Enterprises and organizations, including governments, are starting to recognize that security is a practice that must be a forethought instead of an afterthought, tied closely with policies designed to keep cybercriminals out, and to keep internal users from sharing private, confidential information and data, whether accidentally or intentionally.

To ensure the security of RTC data while in-flight, software and hardware should leverage encryption.

Many applications are requiring encryption by default for signaling and media streams now that system hardware has reached an efficiency point such that encryption can be run at scale.

Companies such hospitals and financial institutions, which are entrusted with highly sensitive information, must be specific about which users can connect, internally and externally and think carefully about how policies for accessing digital assets such as single sign-on (SSO), 2-factor authentication or multi-factor authentication, and end-user policies like Bring Your Own Device (BYOD),  are enforced.

Are there examples of security breaches on real time communications systems we should be paying attention to?

None of us have missed news of massive attacks causing consumer and other data to be stolen.

Attacks on VoIP systems, while less covered in the popular media, have been growing steadily; given the reputational damage these may cause to businesses and organizations, they are not always reported.

Cyberattacks are more than just viruses, trojans, and ransomware. Unprotected Voice over Internet Protocol (VoIP) systems are vulnerable to Denial of Service (DoS) and Telephony Denial of service (TDoS) attacks designed to overwhelm a system with so many requests that the system shuts down and can be subject to a ransom to halt the attack.

Are there certain industries more susceptible to attacks than others?

As the world becomes more digital, hyper-connected and operational in real time, private and sensitive information is being captured, stored and shared in every industry. While verticals like healthcare and finance have privileged access to valuable personal information of all kinds, manufacturing and its increasing reliance on IoT is also an attractive target.

Ultimately any enterprise or organization leveraging, IP-based, real-time communications needs to bake security into their design from the beginning.

How is real time communications security changing with new regulations, for example GDPR?

Earlier this year, the personal data of EU residents became strongly protected with the General Data Protection Regulation (GDPR). Any enterprise or organization interacting with an EU resident must protect consumer data; if something goes wrong, there must be a detailed log to prove that the law was followed. Given how much we communicate using so many channels, until now, policies have not had to be as detailed and thoughtful when it comes to the new legalities.

Permissions must be granted – to place an outbound marketing call, to send a text message, an email, a reminder – and to sell or otherwise monetize consumer information. IT teams are rethinking everything now, including voice communications to avoid outcomes including large fines (up to 4% of global turnover or €20 million) and reputational losses.

In short, the management and protection of consumer data must be baked into RTC offers which in turn puts pressure on RTC vendors to ensure that their solutions are engineered in-line with GDPR requirements.

Are there going to be new security risks in the future, as voice technology matures (for example hacking voice-activated systems like Siri and Alexa, how does AI impact RTC security)?

Voice-activated assistants are enormously popular, and their numbers are growing. The range of activities that can be prompted by voice means cybercriminals can cause havoc by asking about medical appointments, purchasing from e-commerce sites, and more – particularly if the owners of the devices don’t set a four-digit pin.

Smart speakers are also designed to be hubs that can control IoT in smart homes, including lights, thermostat, and door locks. Convenient, but potentially vulnerable as well.

Where AI is playing a positive role in securing voice-based applications and systems is the ability to monitor trends and abnormalities.

Behavioral analytics solutions that use structured and unstructured machine learning to model network behavior and improve threat detection is making it possible to monitor patterns and thwart attacks. Advanced analytics can accelerate the search and discovery of events across rapidly growing oceans of data, including voice and voice recordings.

Analytics and machine learning will play a critical role in enabling consumers, service providers and enterprises to keep up with the increasing surface area of attacks and level of threat sophistication. Harvesting data from the entire real-time communications infrastructure backed by behavioral analytics and machine learning allows for highly advanced threat detection and mitigation.

How are governments and particularly investigative and homeland security agencies addressing security risks in the real time communications space?

There may be no greater requirement for security than with today’s government agencies. They are charged with securing countries and citizens, and in order to do so must be able to communicate and collaborate in the most secure environments while being prepared to respond to real time threats.

We recently announced an implementation of over 50,000 real time communications endpoints for the US Department of Defense (DOD). This was one of the DOD’s largest VoIP deployments ever, leveraging Ribbon’s JITC-certified Application Server. Our ability to deliver key enterprise features such as Shared Line Appearance (SLA) and to improve system reliability and uptime were key factors in the DoD’s decision to select us.

We also benefited from our long history of providing carrier-grade reliability for tier one service providers including Verizon, the lead service provider for this implementation, and offered a solution that delivered significant operational savings.

The deployment enables the Department of Defense to extend the value of significant investments in communication systems by allowing end-users the ability to leverage existing phones and equipment and seamlessly migrate to upgraded technology, including carrier-grade security.

What should communications service providers be looking at when it comes to real time communications security?

Real-time communications traffic continues to explode. With the growing shift toward Session Initiated Protocol (SIP) and cloud-native architectures, new openings have emerged for attacks against real-time communications that were not possible on previous-generation networks.

Moreover, service providers need an end-to-end, turnkey solution to deliver detailed insights of their real time communications network to maintain service level agreements and quality of service for their customers.

Ribbon’s suite of security, fraud management and intelligent network operations solutions enables service providers to turn potential threats and key performance indicators (KPIs) into actionable information.

What should enterprise IT teams be looking at?

DoS attacks are just one example of how an unprotected network can make a VoIP solution vulnerable. With the right amount of requests, attackers can render a network useless just by making it “busy.” These types of vulnerabilities can be predicted, monitored, and handled with the proper network VoIP security. Configuring gateway security, firewalls, and outlining patching procedures are all steps to providing a holistically secure solution.