NSA: Test Unified Communications Patches Before Installing

The National Security Agency is responding to a rise in popularity of systems among the defense industrial base that streamline various forms of communication—such as voice, video, and chat—over the internet, with guidance that recommends organizations test software updates and device configurations before applying them to their networks.   

“To reduce the chances of updates causing unforeseen problems on production servers, test the updates on a test network that approximates the production network,” reads the guidance NSA released Thursday.

The guidance is specifically for "Deploying Secure Unified Communications/Voice and Video over IP Systems." The NSA notes malicious actors are particularly acquainted with such systems and outlined mitigations for various ways they could exploit them.

“These systems and protocols are very familiar to malicious actors, making UC/VVoIP systems potentially susceptible to the same malicious activity constantly targeting existing IP systems, including through spyware, viruses, software vulnerabilities, or other malicious means,” the NSA wrote in an abridged version of the 42-page guidance. These avenues of attack can be used to eavesdrop on conversations, impersonate users, or perpetrate denial of service effects if robust mitigations are not put in place.”

The guidance may be more relevant in remote working environments established as a result of the pandemic and addresses other ways incorrect implementation of UC/VVoP systems could go awry.

“Users of UC/VVoIP systems can move their endpoint devices between physical locations but function as if they were in the office,” NSA explained. “Examples include taking an office endpoint device to a remote site to work for the day or taking it home to telework. If proper procedures are not in place to account for these moves, a call from the endpoint device reporting an emergency may result in first responders arriving at the wrong location.”

To avoid this, NSA mitigations include subscribing to an enhanced 911 service through the unified communications provider and only routing 911 calls that originate within the network to the emergency service; keeping location information up to date with the subscriber; using direct inward dialing, which allows mapping multiple phone numbers to one virtual number; and simply using other means for emergency calls originating outside the internal network.    

Along with more obvious measures like physical security for equipment like servers, routers and switches, the NSA stressed common cybersecurity best practices such as encryption, network segmentation and access controls in accordance with defense-in-depth and zero-trust concepts.

Faulty or default configurations in conjunction with increased use of the cloud have been especially problematic for organizations. 

In addition to separately testing software updates before installation, the NSA recommends a dry run with deliberate, focused decision-making before putting devices on a network.

“Verify features and configurations in a test bed,” the NSA says. “Do not allow rogue devices to auto configure themselves with the UC/VVoIP servers. Choose a single, secure remote management protocol. Disable all others and block them on the network.”