Tag Cyber Security Control: Voice Security
This is a guest blog post by Dr. Ed Amoroso, Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of companies across the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016.
The TAG Cyber Security Annual identifies fifty different aspects of enterprise cyber security management, defined as cyber security controls, that are essential to any modern information risk reduction program. One critical, often overlooked control is ‘voice security.’
Most enterprise security teams have tended to forget that, over the past few years, voice communications have become increasingly mobility-based, and increasingly vulnerable to a range of new cyber threats. While it is true that the conventional public switched telephone network (PSTN) was less directly vulnerable to modern IP-based attacks, this claim simply cannot be made about modern voice services, especially when using mobiles.
The good news is that mobile service providers have tended to do a good job improving their underlying communications infrastructure protections toward enhanced voice security. Encryption algorithms have improved, as have the basic voice service infrastructure elements, often due to compliance pressures. So, the challenges to voice security are not as severe as they might be, but enterprise teams should recognize the risk and take immediate action.
Voice security tends to fall into three categories of concern: (1) Encrypting traditional and mobile voice communications when the threat has great potential consequence (e.g., when senior executives travel); (2) Protecting voice communications from eavesdropping at the infrastructure level (e.g., SS7 vulnerabilities in traditional infrastructure); and (3) Ensuring robust, highly available services for critical applications including first responders.
References above to voice security can and should include adjacent references to texting, messaging, and other forms of over-the-top (OTT) communications. Increasingly, voice-over-IP (VoIP) and related means for speaking with friends and business associates using Internet connectivity (most often involving open WiFi service somewhere in the communication) have become the norm. Voice security for OTT is thus more imperative than ever.
2019 Trends for Voice Security
Across the three most recent generations of voice security, the associated controls have moved from mostly effective PSTN controls, through less effective early security for Voice-over-IP (VoIP) and mobility, to the current generation, where excellent over-the-top (OTT) encrypted voice solutions and improved underlying infrastructure controls give enterprise teams good options (see figure below).
While voice attacks are becoming ever more intense, many CISO teams have been surprisingly passive (or ignorant) regarding this threat. The transition from landline PSTN toward emerging 5G mobile services with their largely SDN-powered infrastructure offers greater flexibility for introducing new security for voice. But this is only true if security teams select the best OTT solution for mobiles, especially for traveling executives.
Voice Security Trend Chart
The future of voice security will be heavily focused on the OTT application level, with end-to-end encryption providing round-trip protection between endpoints. This will be true for mobile, VoIP, and application-based communications such as conference bridge and video conferencing utilities, which are generally non-encrypted today. Compliance controls for secure voice are likely to increase in intensity as well.
It is worth saying that in the coming years, voice leaks are likely to play an important role in the transition of voice security from an add-on to an essential strategic component of every CISO’s operational playbook. When senior executives start to see their voice communications on WikiLeaks and other Internet-facing sites, the demand for encrypted OTT applications for voice will grow accordingly.