
Mitigations against data exfiltration via the voice and/or video communications network/system must be implemented.


Overview

Finding ID: V-21507
Version: VVoIP 2200
Rule ID: SV-23716r2_rule
IA Controls: (none listed)
Severity: Medium
Description
The voice and video communications network provides an often overlooked pathway to spirit sensitive data out of an enterprise network with little likelihood of detection. Data exfiltration is a major threat to any data stored within an enterprise, and especially to sensitive data; the DoD’s data is no less exposed. While predominantly an insider threat at this time, as EoIP technology progresses, bad actors will find external methods of reaching and exfiltrating data through this covert channel without needing insider activity.

The traditional pathway to exploit this vulnerability is a modem on the traditional voice network. The modem was invented to transfer data over the telephone system: a modem can easily be connected to a phone line and a server or workstation (if one is not already embedded), an outbound call placed to an external computer’s modem, and data then flows easily, albeit slowly. To mitigate this threat, both policy and technological mitigations are instituted, such as specifically authorizing modem use and disabling an embedded modem while its host is connected to a computer network. While modem usage for day-to-day data transfers and network access is dwindling at the enterprise level, many devices still require a modem: FAX machines, traditional secure telephones, and traditional secure VTC systems. As part of a layered defense against data exfiltration via modem, detection, filtering, blocking, and call admission control mechanisms can be placed on traditional telephone switch trunks to detect unauthorized modem traffic and take appropriate action. Generally, all modem traffic should be blocked, with permissions granted to pre-authorized devices on a specific line-by-line, case-by-case basis. Such technologies exist today.
Today’s technology is moving swiftly toward a converged IP-based data and communications network, the Internet of Things (IoT). As this trend continues, the many vulnerabilities and threats that have long been dealt with on data networks extend to voice and video communications networks. The threat of sensitive enterprise data exfiltration via the data network is nothing new, and mitigations have been developed for the various methods and exploits. However, little or nothing has been done to date to address the covert channel through the VoIP communications infrastructure, whether it connects to a traditional telephone network via a Media Gateway (MG) or to an IP WAN via a Session Border Controller (SBC) or Edge Border Controller (EBC). VVoIP-aware firewalls generally address signaling issues and vulnerabilities but do little to address those of the media streams.

A data exfiltration exploit using the VVoIP network would look something like this. A trusted insider places a VoIP call from a compromised soft-phone on their workstation to a collection server outside the enterprise network. The call is processed and routed by the VoIP session manager like any other voice call. The collection server answers the call as if it were a VoIP endpoint, e.g., using another compromised soft-phone. Once the connection is established, a file transfer occurs using the RTP streams established for the call as the transport medium. The transfer is not detected because RTP and SRTP streams are generally not inspected, owing to a general perception that payload anomalies are undetectable given the random-looking nature of encoded audio and video; SRTP encryption makes payload inspection harder still. This scenario is easy to implement end-to-end over IP through one or more SBCs/EBCs without any data degradation.

While it has been commonly thought that the transcoding performed in an MG would prevent such an exploit, the exploit has been demonstrated through a pair of MGs with only minor data degradation. It is therefore time to be concerned about data exfiltration via the VVoIP infrastructure and to implement mitigations to prevent it.
STIG: Voice Video Services Policy Security Technical Implementation Guide
Date: 2019-03-18

Details

Check Text (C-25740r2_chk)
Verify mitigations are implemented against sensitive data exfiltration via IP based voice/video communications systems as follows:
- Filter/monitor IP media traffic through Media Gateways (MGs), Session Border Controllers (SBCs), and Edge Border Controllers (EBCs) to detect and block/inhibit the exfiltration of sensitive DoD data from the network via VVoIP RTP/SRTP communications sessions.
- Enable appropriate alarms and security event auditing/logging on these filters such that network security personnel and administrators can take appropriate action.

Physically inspect the data exfiltration mitigations filters that have been implemented to validate their existence, configuration, and how they are monitored and responded to.

Determine whether either of the following applies:
- PRI, CAS, or POTS analog trunks connected to a VVoIP system via an MG.
- A VVoIP system connected to an external IP WAN (e.g., SBU Voice) via an SBC or EBC.

If PRI, CAS, or POTS analog trunks connect to a VVoIP system via an MG without an RTP/SRTP data exfiltration filter between the MG and the VVoIP system endpoints, this is a finding.

If the VVoIP system is connected to an external IP WAN (e.g., SBU Voice) via an SBC or EBC without an RTP/SRTP data exfiltration filter within the SBC/EBC or between the SBC/EBC and the VVoIP system endpoints, this is a finding.

If the mitigations exist but are not proactively managed, monitored, and appropriately reacted to when alerts are generated, this is a finding.
Fix Text (F-22296r2_fix)
Implement mitigations against sensitive data exfiltration via IP based voice/video communications systems as follows:
- Filter/monitor IP media traffic through MGs, SBCs, and EBCs to detect and block/inhibit the exfiltration of sensitive DoD data from the network via VVoIP RTP/SRTP communications sessions.
- Enable appropriate alarms and security event auditing/logging on these filters such that network security personnel and administrators can take appropriate action.

Establish proactive monitoring as well as policy and procedure regarding incident response.
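The STIG does not say what the RTP/SRTP media filter in the check and fix text should actually look for. As an added example (not from the STIG or from any vendor product), the following Python script shows the kind of per-stream sanity checks such a filter can apply to cleartext RTP at an MG, SBC, or EBC: it parses the RTP header, verifies that payload type, payload length and timestamp cadence match the negotiated codec, and applies a windowed payload-entropy heuristic for a stream that keeps codec framing but carries arbitrary file bytes. The codec parameters (G.711 PCMU, 20 ms packets), the entropy threshold, and the two sample streams are constructed assumptions for illustration. Payload checks require cleartext media, so SRTP must be terminated at or before the filter; the header checks still work on SRTP, whose header is authenticated but not encrypted.

```python
"""Added example: per-stream RTP media sanity checks of the kind an RTP/SRTP
exfiltration filter might apply. Not from the STIG; codec parameters,
thresholds and sample streams are assumptions for illustration."""
import math
import random
import struct
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed negotiated codec: G.711 PCMU, RTP payload type 0, 8 kHz clock,
# 20 ms packetisation -> 160 one-byte samples per packet, timestamp +160.
EXPECTED_PT = 0
EXPECTED_PAYLOAD_LEN = 160
EXPECTED_TS_STEP = 160
ENTROPY_WINDOW = 50   # packets (1 s of audio) per entropy measurement
ENTROPY_LIMIT = 7.5   # bits/byte; heuristic threshold, an assumption


@dataclass
class RtpPacket:
    version: int
    payload_type: int
    seq: int
    timestamp: int
    ssrc: int
    payload: bytes


def parse_rtp(datagram: bytes) -> RtpPacket:
    """Parse the fixed RTP header (RFC 3550 section 5.1) and strip CSRCs,
    header extension and padding so only the codec payload remains."""
    if len(datagram) < 12:
        raise ValueError("short RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", datagram[:12])
    version, padding, extension, cc = b0 >> 6, b0 & 0x20, b0 & 0x10, b0 & 0x0F
    offset = 12 + 4 * cc
    if extension:
        if len(datagram) < offset + 4:
            raise ValueError("truncated header extension")
        (ext_words,) = struct.unpack("!H", datagram[offset + 2:offset + 4])
        offset += 4 + 4 * ext_words
    end = len(datagram)
    if padding:
        pad = datagram[-1]
        if pad == 0 or pad > end - offset:
            raise ValueError("bad padding length")
        end -= pad
    return RtpPacket(version, b1 & 0x7F, seq, ts, ssrc, datagram[offset:end])


def build_rtp(seq: int, ts: int, payload: bytes, pt: int = EXPECTED_PT,
              ssrc: int = 0x1234ABCD) -> bytes:
    """Build a minimal RTP datagram (V=2, no CSRC/extension/padding)."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF,
                       ts & 0xFFFFFFFF, ssrc) + payload


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return 0.0 if n == 0 else -sum((c / n) * math.log2(c / n)
                                   for c in Counter(data).values())


@dataclass
class StreamMonitor:
    """Tracks one SSRC and reports structural anomalies per packet plus a
    windowed payload-entropy heuristic. Sequence gaps are deliberately not
    flagged: ordinary packet loss produces them."""
    last_ts: Optional[int] = None
    window: bytearray = field(default_factory=bytearray)
    window_pkts: int = 0
    findings: List[str] = field(default_factory=list)

    def check(self, pkt: RtpPacket) -> List[str]:
        issues = []
        if pkt.version != 2:
            issues.append("bad-version")
        if pkt.payload_type != EXPECTED_PT:
            issues.append(f"unexpected-pt:{pkt.payload_type}")
        if len(pkt.payload) != EXPECTED_PAYLOAD_LEN:
            issues.append(f"payload-len:{len(pkt.payload)}")
        if self.last_ts is not None:
            step = (pkt.timestamp - self.last_ts) & 0xFFFFFFFF
            if step % EXPECTED_TS_STEP != 0:  # tolerate loss, not odd clocks
                issues.append(f"ts-step:{step}")
        self.last_ts = pkt.timestamp
        self.window += pkt.payload
        self.window_pkts += 1
        if self.window_pkts == ENTROPY_WINDOW:
            h = shannon_entropy(bytes(self.window))
            if h > ENTROPY_LIMIT:
                issues.append(f"high-entropy:{h:.2f}")
            self.window.clear()
            self.window_pkts = 0
        self.findings.extend(f"seq={pkt.seq} {i}" for i in issues)
        return issues


def analyze_stream(datagrams: List[bytes]) -> List[str]:
    mon = StreamMonitor()
    for d in datagrams:
        mon.check(parse_rtp(d))
    return mon.findings


def constructed_voice_stream(n: int = 100) -> List[bytes]:
    """Constructed stand-in for PCMU speech: sample codes stay in a narrow
    band near the mu-law silence code (at most 41 distinct values)."""
    pkts = []
    for k in range(n):
        ts = k * EXPECTED_TS_STEP
        payload = bytes(0xFF - abs(int(40 * math.sin((ts + i) / 7.0)))
                        for i in range(EXPECTED_PAYLOAD_LEN))
        pkts.append(build_rtp(k, ts, payload))
    return pkts


def constructed_exfil_stream(n: int = 100, codec_shaped: bool = False,
                             seed: int = 1) -> List[bytes]:
    """Constructed exfil attempt: file bytes (pseudo-random here) pushed
    through the call's RTP stream. codec_shaped=True keeps the 160-byte,
    +160-timestamp framing so only the entropy heuristic remains."""
    rng = random.Random(seed)
    size, step = (EXPECTED_PAYLOAD_LEN, EXPECTED_TS_STEP) if codec_shaped else (1400, 1400)
    return [build_rtp(k, k * step, rng.randbytes(size)) for k in range(n)]


if __name__ == "__main__":
    for name, stream in (("voice", constructed_voice_stream()),
                         ("exfil", constructed_exfil_stream()),
                         ("exfil-shaped", constructed_exfil_stream(codec_shaped=True))):
        print(name, analyze_stream(stream)[:3])
```

The structural checks are deterministic and cheap, so they are what a border element can run at line rate; the entropy heuristic is what is left once an attacker mimics the codec framing, and it is only meaningful for codecs such as G.711 whose speech output is far from uniformly distributed. For compressed voice or video codecs the payload is close to random, as the description above notes, so the threshold has to be tuned per negotiated codec and the structural and signaling-side checks carry more weight. Whatever the filter decides, its verdicts must feed the alarms and audit logging the fix text requires rather than being silently dropped.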