Integration Disintegration

October 31, 2014

No dbuot, as I hvae, you wuold hvae receevid an email wihch did the rodnus smoe tmie ago, cialming taht reserachers at Cmabridge Univtrsiey had identieifd adlut hunams' ailibty to ealsiy deocde wrtiing howvoeser jubmled, pvorided the fsrit and lsat letters wree in the crorect palce.

Can you imagine, however, what a voice conversation would be like with such scrambling? Anyone who's ever used their mobile phone in an area with poor signal (and that's certainly most Aussies) would have a very good idea; it's not pleasant.

Many organisations are in the process of moving both their voice communications and CCTV networks onto IP networks. It is almost guaranteed that any new "PABX" will not in fact be based on PABX technology at all, but one of various Voice over IP (VOIP) implementations. Similarly, the rapid shift in camera and recorder technology from analogue to digital has seen IP based cameras and digital recorders forming some, if not all of the CCTV infrastructure. As such, new threats have become relevant and organisations are potentially exposing themselves to (literally) communications breakdown, or worse.

To further reduce infrastructure and ongoing management costs, in many cases, VOIP and CCTV systems communicate on the same local area networks upon which the corporate data systems also communicate. Email, web browsing, file and print services may share the same infrastructure as voice communications and CCTV. As a result of this integration, there is increased risk to both the quality and the security of these systems.

One of the simpler concepts within Information Security is the triad of Confidentiality, Availability and Integrity.

Although there are other factors which influence information security (and certainly there are more complex models), the CAI (or CIA if you must) model identifies three areas which are critical to successful protection of information assets. Confidentiality refers to preventing the disclosure of information to unauthorised parties, whether deliberate, accidental or malicious. Availability ensures access to information, systems, data and resources by suitably authorised parties is not hindered. Integrity ensures information is not modified, deleted or inserted without proper controls and authorisation.

All three of these objectives may be adversely affected by a poorly thought out implementation of a network technology such as VOIP or CCTV on a corporate data network.

Confidentiality

Intercepting landline phone conversations used to be largely restricted to law-enforcement and B-movies with men hanging from telegraph poles. In the real-world, to successfully intercept calls, the criminal element needed a reasonable level of technical skill as well as physical access to premises in order to listen to calls. Similarly, modern PABX systems had (reasonably) secure operating systems and frequently required physical access to the premises in order to reprogram them.

Intercepting VOIP calls however is potentially far easier, as like any IP traffic, it can be 'sniffed' using a variety of freely available, and quite legal tools. Obviously how such tools are used may or may not be legal. Security professionals will appreciate that many tools, such as firearms, can be used for good or evil, depending on the user. Packet sniffing tools are ultimately no different. Generally, sniffing IP traffic yields massive amounts of data which must be filtered to find the 'good stuff'. Although high quality sniffing tools such as Wireshark (formerly Ethereal) allow users to easily filter for email and in some cases passwords, trying to sort the 'good stuff' from the data flow may be similar to trying to take a drink from a firehose. VOIP traffic however is easily identified and captured for subsequent playback.

For the good guys, this is excellent news as it allows them to test the security of their networks and the operation of their phone systems. Additionally, legal call-recording and monitoring is no longer restricted to large enterprise, doesn't require extensive rewiring, recording systems or media management. In many cases all that is needed is a modest PC running the relevant software. Sadly, for the criminals it is also good news as they can monitor traffic and record it for later playback, say as an MP3 file of each conversation as well as the source and destination phone numbers. As with most threats to information security, it is not confined to bad-guys outside the organisation. Many staff know that company management reserve the right to monitor calls. Do management know that some staff might be returning the favour? If CCTV systems are operating on the same networks, it is also possible that intruders are gaining an inside-view of your premises as well as learning any blindspots.
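Why voice stands out so clearly in a capture, shown as an added example that is not part of the original article: VOIP audio is commonly carried in RTP, whose fixed 12-byte header (version, payload type, sequence number, source identifier) is recognisable in any UDP payload. An administrator testing a shared LAN can use that property to confirm whether call media is visible on a data segment; the function names, addresses and packets below are constructed for illustration.

```python
import struct
from collections import defaultdict

# Static RTP payload types used by common telephony codecs (RFC 3551).
VOICE_PAYLOAD_TYPES = {0: "PCMU (G.711 u-law)", 8: "PCMA (G.711 A-law)",
                       9: "G722", 18: "G729"}

def parse_rtp(payload):
    """Return RTP header fields if a UDP payload looks like RTP v2 voice, else None."""
    if len(payload) < 12:                      # fixed RTP header is 12 bytes
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                           # top two bits: RTP version
        return None
    pt = b1 & 0x7F                             # low seven bits: payload type
    if pt not in VOICE_PAYLOAD_TYPES:
        return None
    return {"pt": pt, "seq": seq, "ts": ts, "ssrc": ssrc}

def find_voice_flows(packets, min_packets=3):
    """Map (src, dst) to codec for flows whose RTP sequence numbers run consecutively."""
    flows = defaultdict(list)
    for src, dst, payload in packets:
        hdr = parse_rtp(payload)
        if hdr:
            flows[(src, dst, hdr["ssrc"])].append(hdr)
    found = {}
    for (src, dst, _ssrc), hdrs in flows.items():
        # A single matching header can be coincidence; a run of +1 sequence
        # numbers (modulo 2**16) from one SSRC is a media stream.
        in_order = all((b["seq"] - a["seq"]) & 0xFFFF == 1
                       for a, b in zip(hdrs, hdrs[1:]))
        if len(hdrs) >= min_packets and in_order:
            found[(src, dst)] = VOICE_PAYLOAD_TYPES[hdrs[0]["pt"]]
    return found

def _rtp(seq, pt=0, ssrc=0x1234ABCD):
    """Build a constructed RTP packet: header plus 20 ms of filler audio bytes."""
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, ssrc) + b"\xff" * 160

# Constructed sample: three packets of one call and one DNS query on the same LAN.
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www"
SAMPLE = [("10.0.0.21:16384", "10.0.0.35:16390", _rtp(seq)) for seq in (100, 101, 102)]
SAMPLE.append(("10.0.0.50:53124", "10.0.0.1:53", DNS_QUERY))

if __name__ == "__main__":
    print(find_voice_flows(SAMPLE))
```

Any voice flow this reports from a capture taken on a data segment is one that other hosts on that segment could also observe.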

Availability

When performing threat/risk-assessments for clients we are often surprised at how much criticality they assign to their enterprise email systems. Our consultants are frequently told that email servers are "mission-critical" and that their failure for a day or more could have devastating consequences. Usually, we ask "has it ever gone down for a few hours?" When the answer, inevitably, is "yes", we point out that the organisation didn't go out of business. Usually, people picked up the phone instead or (heaven forbid) walked over to their colleagues and said hello. Consequence or criticality ratings are usually revised downward.

However, what if a data network went down altogether, meaning no more email, and the phone network went down as well? Is that perhaps a situation you would worry about? Of course there are mobile phones, but in larger organisations, they likely won't help your customers reach you. "Denial of Service" is a term which strikes fear into most IT security professionals and generally refers to any outage caused by malicious activity, such as saturation to overload, of network infrastructure. Defending against DoS is difficult. Even if you take cybercriminals out of the equation, a sloppy approach to 'capacity planning' or switching of a network can mean you run out of bandwidth and the first users to suffer are those on the phone - which often includes your customers. Most people can't remember the last time the ancient copper public switched telephone network (PSTN) went down, whereas Internet or network failures are a regular occurrence.

CCTV and voice systems once had their own networks - phone calls ran along copper pairs throughout a building and CCTV via multiple runs of coaxial cable. In most cases, for an intruder to sabotage them - affect their availability - they would require physical access to the environment. If you locked your cables in a wiring cabinet and secured your 'MDF room' it was largely game over. Once services are connected to a corporate LAN however, they are (potentially) 'connected' to the rest of the world and the enemy can be on the other side of the world as well, often out of the reach of law-enforcement.

Most Australians have experienced slow Internet access from time to time. Crowded websites, busted servers, dodgy ISPs. The extra second or longer that it sometimes takes to download a page is frustrating, but by no means a show-stopper. Eventually, the information will appear. Due to their real-time nature however, voice communications require a minimum 'quality of service' in terms of available bandwidth and transfer rates, lest phone discussions become disjointed and totally useless as a method of communica...

One of the biggest risks in combining voice networks with LANs that are at some point connected to the Internet, is that your hitherto sacrosanct phone services become susceptible to similar attacks as your web, email and file servers. Certainly something to keep in mind when hearing about how much money the technology can save you. The same applies to CCTV systems, which are usually a critical security control which might also be 'taken down' by the very people it is intended to deter.

Integrity

In the past, international phone-calls cost an arm and a leg. Today, they are quite cheap and, to the total frustration of Australian consumers, it is usually cheaper for someone in Sydney to call someone in New York than to call them down the road on their Australian mobile. So, while the "blue-boxers" and "phone phreaks" of yesterday may not be as prolific in their exploration of public phone networks, a new generation is turning its attention to newer VOIP networks for fun and in some cases, profit. Cybercriminals are stealing cheap VOIP 'minutes' and reselling them to other providers or the black-market. New York telco Stealth Communications claims "These thieves steal 200 million minutes a month, worth US$26 million". Stealth's interest is its provision of a private VOIP network not connected to the Internet and sub-leased by international telco providers. Their product has been taken up by a number of major organisations who have appreciated that the Internet might not be a friendly place for their voice traffic. Smaller organisations who make any phone calls which are sensitive would do well to consider this advice.
