Problem to Solve: What can we do to protect our organization from Hacktivism, specifically for protecting our critical Unified Communication services?
Have you ever had the joy of experiencing your company’s voice communications become unavailable? Well, if you think about it, “what if” the bad guys turned their hacktivism efforts on your company’s unified communications (UC) services. What would happen? Would business service really be affected? Would it cause your company to lose money? Nowadays, UC is way more than basic VoIP, and there are key services to consider and protect.
The assumption for the rest of this article is that you probably have security tools already covered on some of your critical infrastructure links. As we build the overall defense strategy, our goal is to extend complimentary functionality for the existing security tool sets, but …. do it from an APM NPM perspective.
Company Call Centers
Most companies now employ dedicated call centers. These centers can be domestic or international, but are usually regionally dispersed across the country or globe. The call center obviously take calls from your customers and orders from your business partners that produce revenue for your company. While the initial phone call may be VoIP based, there are many other platforms in play at a call center. Platforms, many times include Interactive Voice Response Systems (IVR) for voice prompts and call routing, an application interface into the customer relationship management (CRM) system, and an application into the Order Entry portion of the ERP System. Many call centers have chat sessions to interact with customer service, as well as email communications for questions and order confirmations. The key point about the call center is that many companies depend on the call center for order taking, warranty claims, technical support, etc. Most of these services directly impact company revenue, so they usually get classified as “business critical” locations. Obviously, any service interruption to a call center will cause a loss of productivity and revenue. Well, the bad guys know this as well, which is why a call center is a target for hacktivism.
Your company’s enterprise network may or may not generate direct company revenue like the call center. However, a disruption of voice services can more than disrupt company productivity. Project collaboration, internal company communication, 1:1 discussions are all the types of things affected by enterprise VoIP service disruptions. This disruption is more of an annoyance than a revenue impacting event, but there is still a cost to lost productivity.
Another UC platform that has gained great popularity in recent years is Instant Messaging. It comes in many forms like Cisco Jabber, Avaya Communicator and Microsoft Lync. It is so convenient to simply ping someone to ask them a quick question, or collaborate during meetings. A disruption to this type of service is again probably more of an annoyance, but still can be considered a loss of productivity and convenience.
Some voice conferencing systems are hosted externally, and some provided internally via the UC platforms. Group conference calls are quite popular for team collaboration and project updates. Disruptions to this type of service definitely has an impact on productivity and efficiency.
The bottom line is that the hackers, hacktivists and threat actors are very aware of what is disruptive to a company. Their goal is to disrupt services to take companies off-line and impact productivity and revenue. UC and Voice services again become targets in this type of mindset.
What Can You Do?
If UC services are important to your business, then these types of services usually are monitored by traditional APM NPM tool solutions. Assuming that they are, then you do have some pieces of functionality available.
- Cyber Team Access to UC Performance – Actively encourage your Cyber teams to look into critical UC services. This will likely yield information on potential threats, mis-configurations, as well as aid in their cyber triage process effort should a security event unfold against the UC platforms.
- Configure and Leverage Anomaly Alerts – Be specific in looking for changes to packet loss, jitter, and Mean Opinion Score that could adversely affect UC or Call Center services. A more detailed description of key metrics and anomalies is available in this article https://problemsolverblog.czekaj.org/unified-communications/customers-complaining-voip-communications/ If the call center falls into scope, then also use alerts that can be used to monitor key service enablers (DNS, DHCP, LDAP, Radius) as well as application specific traffic (i.e., Web Services or Citrix) for call center traffic.
- Keep an active eye on QoS – Specifically, QoS in terms of DSCP Code Point 46 should be monitored for changes as well as new applications being introduced. The reason to monitor this closely is due to the fact that many UC platforms will leverage QoS (DSCP 46) for VoIP signaling protocols. Any change to the performance of QoS level 46 can affect call signaling performance, which can cause issues for call setup performance.
- Keep a close watch on changes in key UC Applications Services – Specifically watch out for UC and Call Center applications that have changes of traffic, increased latency, errors in SMTP, HTTP, Citrix, Database, Call Managers, etc. A chance in traffic pattern or increased latency or error codes can be an early identifier that an “attack” is in process.
- Make sure that UC Service issues get forwarded to SIEM – a bit of a change of thinking, but make sure that UC service alarms are forwarded into your SIEM for processing. While DMZ’s, Internet Links, and hosted web servers are obviously important to security, UC services are often an afterthought when it comes to inclusion into cyber security efforts and strategy.
Points to Ponder
- Ever experienced an attack on your UC – VoIP – Video or Call Center applications?
- Have a war story or anecdote that you want to share?
- Was your business impacted by the event?
Continue on to the next article in the series, Would Homer Simpson Protect Virtualized Servers? (Hacktivism #5)