The Current Crisis Demands More UC – Can We Trust it?

Guest blog by Ronnen Brunner, Vice President of EMEA Sales at ExtraHop

The Current Crisis Demands More Unified Communications - but can we Trust it?

Published: November 4, 2020


The office of 2019 does not look like the office of 2020, nor will it look like the office of 2021. The pandemic has reshaped more than just global health; it has profoundly altered social lives, national economies and the way we work.

In the attempt to maintain business continuity, many offices have had to transform their staff into remote workers. It has been an experiment for which few were prepared, as IT teams pushed their infrastructures and personal limits to provide security service to potentially thousands of remote workers.

Moreover, it looks like remote work is going to stick around for the foreseeable future. A survey from international consultancy Hoxby showed 59 percent of office workers believe that remote working arrangements will stay in place for at least six months after the quarantine. At companies that have adapted successfully, remote working seems to be a good fit for both workers and managers, who stand to gain from reduced costs and increased flexibility for themselves.  

And as we settle into that new normal – we need connectivity. Staff need to be able to stay in touch with colleagues and superiors at the drop of a hat. We might not all be sitting in the same office, but we need to recreate the kind of immediacy that we once enjoyed in the office.

It’s hard to think about a time when we’ve needed Unified Communications quite as much as we do now. We need connectivity and we need it fast. But just as on the highway, speed can be dangerous. As enterprises rush to adopt mission-critical technologies, they often don’t give new technologies the due diligence they require. 

Enterprises find themselves in a tough situation – but one that is faced time and time again in IT – adopt new technologies now and potentially profit while risking the security of your enterprise, or wait for due diligence and delay the potential returns.  

Hastily acquired UC devices may well be the downfall of many otherwise resilient networks. Examples of this kind can be found throughout the short history of the Internet of Things. Enterprises – so taken with the transformative promises of the IoT – commonly overlook some of the fatal flaws in those devices. From there, they fall prey to attackers who can leverage those vulnerabilities and gain a foothold in their network.

Many of the same things can be said about Unified Communications. In fact, many UC devices are IoT devices. And just as with the IoT – they are often produced with insecure components, made without much thought to their security, and often lack the compute power to integrate basic security measures. A breach of one can lead to the downing of an entire network.

Take the Cisco VoIP Phone – one of the most popular categories of UC device around – and one for which successive years have revealed critical vulnerabilities. Earlier in 2020, vulnerabilities were discovered in the phones which could allow an attacker to send a crafted HTTP request to the phone, trigger a buffer overflow and ultimately remotely execute code with root privileges. The previous year, Cisco found a vulnerability which could allow a Cross-Site Request Forgery attack on their VoIP phones. To their credit, Cisco quickly released patches for those vulnerabilities. However, as history shows, people are slow to patch. Even with the patch readily available, data from our customer networks showed that a quarter of VoIP phones present in those networks were still vulnerable.

What makes UC devices particularly worrying is how their functionality can be exploited. If an attacker were to take over a VoIP phone for example, they could listen in on the conversations that were had over that line. After all, what better surveillance device is there than one which you use willingly?  

It is not practical or even necessarily possible to retroactively account for all the potential vulnerabilities that UC devices might have brought into an enterprise. How fortunate, then, that enterprises can get ahead of this potential problem not solely through a robust security audit, but by shifting their gaze from the devices themselves to behaviour instead.

 
