Do you give much thought to security and SMB UC systems? In addition to being aware of some of the most likely attacks against UC systems, it’s also important to understand some common terminology you’ll hear referenced when talking security. For example, the acronym CIA (Confidentiality, Integrity and Availability) is used to describe the desirable attributes of an effective information security implementation. As you read the rest of the terms and their descriptions below, think about how each of these concepts apply to your business.
User data should be confidential. The only people who should be able to access your confidential information are those for whom it is intended. In the case of business Unified Communications (UC) systems the data could be voice traffic or chat messages. Confidentiality is important both to protect trade secrets and personal privacy. In the same way you might close your office door in order to have a confidential conversation, you would likewise expect that a phone call between two parties would be similarly private. You would not want an uninvited third party to be able to eavesdrop on the conversation.
The integrity of information refers to the quality being unchanged. If you receive an email from a colleague, you should have a reasonable expectation that the text you are reading is the actual message they sent. A malicious attacker intercepting your message and modifying it could cause havoc.
Having a secure network with confidentiality and integrity is of little value if your services are unavailable to your users. A DoS (Denial of Service) attack is one in which an attacker prevents access. For example, imagine an attacker who gains physical access to your server closet and disconnects the power to your UC server. The disruption to your phone service would impact your ability to provide customer service.
Availability is also important to keep in mind when selecting security equipment. There is a such thing as “too much security.” For example, imagine you wanted to secure the hard disk of your PC. You could remove the disk, encase it in cement and bury it in the ground. The data on the disk would be highly confidential – no unauthorized person would be able to get to it. It would have high integrity, and be nearly impossible for an attacker to modify the data on the disk. However, it would also be completely unavailable and as such this security tactic is a futile one. It may seems obvious that “cement” is a poor choice for securing UC equipment, however often the same type of over-handed security polices are put in place, making the data so “secure” no one can get to it, even your users.
Mitigation vs Elimination
A truly secure network is one that is not only protected from attack but is also accessible when it needs to be. In this spirit, the goal of information security should be mitigation not elimination. To “mitigate” a threat means “to lessen or make smaller.” It’s never possible to completely eliminate all threats against your UC system. If an attacker is determined enough they will find a way to break in to your system, however most attackers are not determined. In general VoIP security threats most commonly arise from attackers looking for an easy, unsecured target. By implementing a baseline of security best practices you make your system unattractive to potential attackers looking for an easy target.
In tomorrow’s post we’ll take a look at 7 practical steps you can take to secure your UC systems. Be sure to come back or subscribe so that you don’t miss out.