Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/14/2009
02:36 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Sipera IDs UC Security Trends

Chief among the findings is a trend toward addressing security for both control plane signaling and real-time application media

Richardson, TX, January 14, 2009 - Sipera Systems, the leader in real-time Unified Communications (UC) security, today released its UC Security Trends to Watch list, highlighting security issues and best practices adopted by enterprises implementing UC.

Sipera's list is based on its experience with dozens of enterprise customers and value-added resellers that are leading the transformation to UC, converging voice, video, messaging and collaboration applications onto a common, next-generation IT infrastructure. Chief among the findings is a trend toward addressing security for both control plane signaling and real-time application media, along with radically differing security architectures adopted by enterprises to comply with unique business requirements, such as regulatory mandates and industry standards for privacy.

UC Security Trends to Watch

1. Security for Real-Time Application Media As they implement UC, Sipera's customers are deploying security measures that mitigate application-layer threats without degrading real-time communications performance. Moving to UC promises to deliver a consistent user experience and interface across a set of real-time applications such as VoIP, instant messaging, web-based collaboration and videoconferencing, enhanced by location and presence data and the efficiencies of a common infrastructure and enabling technologies such as SIP. But unifying these applications presents a variety of vulnerabilities and exploits that must be addressed without introducing delay in the signaling and media for this time-sensitive traffic.

Security postures in these deployments include provisions for privacy and policy enforcement on a per-application, per-user basis, and must consider the real-time nature of UC media to comprehensively protect against threats. Further, an increasingly common best practice among IT groups is to conduct periodic vulnerability assessments that evaluate the security risks associated with VoIP and other real-time UC media. In addition, enterprises are frequently evaluating and protecting against UC threats including Number Harvesting, Call Walking, Denial of Service, SIP Worms, Service theft and Identity theft.

2. Targeted UC Security in the Insecure Enterprise Managers in some enterprises implementing UC are taking a non-traditional approach to security that assumes there are no assurances of security throughout most of the enterprise network. Instead, the security architecture for these enterprises is based on identifying particular applications and information that is to be secured, and then implementing targeted security.

For example, many universities and other institutions of higher education must operate on the assumption that the majority of their network is exposed to potential attack. This may be because these universities commonly have public IP addressing and many resources open to the Internet, because students are constantly challenging the defenses of the university IT infrastructure, or IT does not control security for all machines that use its networks. In some cases, IT managers in such environments simply decide that there is no secure, perimeter DMZ. Instead, they identify applications that must be secured, such as voice connectivity for the student financial services department, and secure that traffic via application-layer security techniques and focused access control and policy enforcement.

3. The Secure Extended Enterprise In contrast to enterprises that adopt targeted security, other enterprises take the opposite approach and secure the perimeter DMZ while still enabling rich, UC interaction with third parties outside this trust boundary. UC enables enterprises to engage in new forms of communication and collaboration with customers, partners, suppliers and an extended workforce of teleworkers and remote call centers. But for many enterprises a central requirement for all interactions is air-tight security for the perimeter and for communications to third parties that involve private customer or financial transaction information, especially in industries such as financial services.

In a financial services enterprise, virtually every communication between parties has the potential to contain sensitive information, often protected by privacy statute or industry best practices. Financial services IT managers involved in transformation to UC are adopting an extended enterprise security posture that seeks to enforce policies, extend access control, employ 2-factor authentication, and ensure privacy across a range of applications, including IM, email, VoIP, videoconferencing and data network transactions that involve parties beyond the trusted limits of the traditional enterprise perimeter.

4. Unified Security Approach for UC Regulatory Compliance One driver for implementing UC in many enterprises is to provide a multitude of separate but integrated methods for interacting with end clients. For example, healthcare industry firms moving to UC often seek to create richer and more efficient interactions with patients. A patient may access personal health data from a secure web site and then click on a link to establish an instant message communication with a billing representative. The communication could potentially escalate to a voice or video call to resolve the patient's issue. This multi-application method of communications has clear privacy and regulatory implications, especially for healthcare providers that must comply with HIPAA. Sipera's customers are addressing this requirement with a unified security posture that applies appropriate access controls, policy enforcement and encryption across all applications, including IM, voice, video, and collaboration.

About Sipera Systems Sipera Systems, the leader in real-time UC security, enables enterprises to simplify and confidently deploy their VoIP and unified communications over any network to any device while service providers can protect and quickly offer new IP-based communication services. Backed by the extensive vulnerability research of the Sipera VIPER Lab, the Sipera IPCS(tm) products provide comprehensive threat protection, policy enforcement, access control, and privacy in a single, real-time appliance. For more information, visit http://www.sipera.com.

Sipera, Sipera logo, Sipera IPCS, Sipera IPCS 210, Sipera IPCS 310, Sipera IPCS 410, Sipera IPCS 510, Sipera IPCS 520, Sipera LAVA and Sipera VIPER are trademarks of Sipera Systems, Inc. All other companies and products listed herein are trademarks or registered trademarks of their respective holders.

Media Contact: Jan Jahosky, TurboPR, 407-331-4699, [email protected]

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21392
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addre...
CVE-2021-21393
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
CVE-2021-29429
PUBLISHED: 2021-04-12
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded in...
CVE-2021-21394
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
CVE-2021-22497
PUBLISHED: 2021-04-12
Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to improper session management issue.