Blog | Continuant

The Salt Typhoon Wake-Up Call: Is Your Business Ready for Secure Comms?

Written by Aldo Febro | December 27, 2024

After the recent Salt Typhoon attack, which infiltrated U.S. telecommunication companies, the U.S. government urged individuals and enterprises to implement end-to-end encryption to safeguard confidentiality, ensure data integrity, and minimize data exfiltration.

For CISOs, this raises an important question: Is your phone system ready to support end-to-end encryption requirements?

We at Continuant have created a three-step guide to help you assess the readiness of your communication platform for end-to-end encryption. Following these steps will help protect you from a Salt Typhoon attack while preserving the confidentiality and integrity of your communication sessions.

Step 1: Assess the Attack Surface 

Start by evaluating your enterprise communication assets and traffic types. The relevant assets are IP phones, desktop apps, mobile apps, PBX, voicemail server, contact center server, gateways, session border controllers, etc. The relevant traffic types are media sessions (audio, video, text) and signaling (H.323, SIP, etc.).

Step 2: Evaluate Encryption Support 

Encryption capabilities vary by manufacturer and firmware level. Here's a spectrum from worst to best-case scenarios: 

  • Encryption is not supported.
  • Encryption is supported but requires an additional license.
  • Encryption is available but not enabled.
  • Encryption is enabled.

Organizing this in a matrix, like the one below, will help you track whether any critical elements are missed. 

Popular enterprise communication platforms include Avaya, Cisco, and Microsoft Teams. After consulting with our engineers, here’s a high-level assessment of these platforms:  

  • Avaya: H.323 is not encrypted. SIP is encrypted with TLS. SRTP is available in Aura 6.3.9 and newer versions.
  • Cisco: TLS and SRTP are available with the base CUCM license.
  • Microsoft Teams: TLS and SRTP are available.
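To tell "available but not enabled" apart from "enabled" in Step 2, look at what the endpoints actually negotiate. The following added example (not Continuant's code) classifies SIP INVITEs by Via transport and SDP media profile and fills an asset-by-traffic-type matrix; the asset names, addresses and messages are constructed for illustration.

```python
import re

# Constructed sample SIP INVITEs (not captured traffic); asset names are hypothetical.
SAMPLES = {
    "lobby-ip-phone": (
        "INVITE sip:1001@pbx.example.com SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 10.0.0.21:5060;branch=z9hG4bK1\r\n\r\n"
        "v=0\r\nm=audio 40000 RTP/AVP 0 8\r\n"
    ),
    "desktop-app": (
        "INVITE sips:1002@pbx.example.com SIP/2.0\r\n"
        "Via: SIP/2.0/TLS 10.0.0.35:5061;branch=z9hG4bK2\r\n\r\n"
        "v=0\r\nm=audio 40002 RTP/SAVP 0\r\n"
        "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_NOT_A_REAL_KEY\r\n"
    ),
    "contact-center-gw": (
        "INVITE sip:1003@pbx.example.com SIP/2.0\r\n"
        "Via: SIP/2.0/TLS 10.0.0.50:5061;branch=z9hG4bK3\r\n\r\n"
        "v=0\r\nm=audio 40004 RTP/AVP 0\r\nm=video 40006 RTP/SAVP 96\r\n"
    ),
}

# SDP transport profiles that carry SRTP (SDES-keyed or DTLS-SRTP).
SECURE_MEDIA = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def assess(message):
    """Return (signaling_encrypted, {media_type: encrypted}) for one SIP message."""
    head, _, sdp = message.partition("\r\n\r\n")
    # The topmost Via header names the transport used on this hop.
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    signaling = bool(via) and via.group(1).upper() in {"TLS", "WSS"}
    media = {}
    for kind, proto in re.findall(r"^m=(\w+) \d+(?:/\d+)? (\S+)", sdp, re.M):
        # One cleartext stream of a kind marks that whole kind as unencrypted.
        media[kind] = media.get(kind, True) and proto.upper() in SECURE_MEDIA
    return signaling, media

def matrix(samples):
    """Build the asset-by-traffic-type matrix and list the gaps to plan for."""
    rows, gaps = {}, []
    for asset, msg in samples.items():
        sig, media = assess(msg)
        rows[asset] = {"signaling": sig, **media}
        gaps += [(asset, t) for t, ok in rows[asset].items() if not ok]
    return rows, gaps

if __name__ == "__main__":
    rows, gaps = matrix(SAMPLES)
    print(rows, gaps, sep="\n")
```

A TLS transport in the Via header describes only that hop, and SDES keys carried in `a=crypto` are protected only when the signaling that carries them is also encrypted, so record both columns for every asset.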

Step 3: Implement a Plan and Monitor Outcomes 

Based on your findings from the previous steps, the final step is to create a plan that aligns with your risk appetite. Instead of waiting for the perfect moment when all conditions align, adopt Theodore Roosevelt's mindset: "Do what you can, with what you have, where you are." Progress is incremental, and something is still better than nothing. 

If encryption is not supported or unavailable for certain parts of your infrastructure, consider implementing compensating controls to reduce the impact. 

If you're not sure how to assess your platform or need assistance enabling end-to-end encryption, reach out to Continuant. Our engineers can assess your current infrastructure and recommend the best options moving forward.

This incident may be the final straw before that long-anticipated system migration. The threat is real now, and a full upgrade to a cloud solution with more robust security is more necessary than ever. 

In short, follow these three steps, and you’ll be more prepared to minimize the potential damage caused by a Salt Typhoon attack.