PCI and HIPAA Compliance within the Aura Solution - 212

Chris Clauss – ConvergeOne

Get this presentation – http://bit.ly/iaugpres

Posted 05-Jul-2020 (58 pages)

Page 1: PCI and HIPAA Compliance within the Aura Solution - 212 (Engage-212-PCI-and-HIPAA.pdf)

Chris Clauss – ConvergeOne

Get this presentation – http://bit.ly/iaugpres

PCI and HIPAA

Compliance within the

Aura Solution - 212

Page 2

Thanks for coming!

Please ask questions!

Let’s make this time together worthwhile!

Page 3

Get this presentation

http://bit.ly/iaugpres

Page 4

Protecting Customer Data

Organizations that must comply with PCI and HIPAA requirements must consider how to address compliance with VOIP systems.

VOIP systems may have weak security and could be an inroad for hackers or for the release of PCI or PHI data.

The systems must be configured to secure data in transit and at rest, including:

• PII – Personally Identifiable Information
• PHI – Protected Health Information
• PCI – Payment Card Information

Page 5

What we need to protect

• Security teams use the acronym “CIA” to identify 3 key areas

Confidentiality
• Privacy of data. Ensure that data is kept private during transport and at rest (for example a VOIP call on the wire or a voice message on the hard drive).
• Ensure only those who must have access have access.

Integrity
• Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized actors.

Availability
• Maintaining and protecting systems to keep them up and running to process data. Protect against actors that wish to harm or deny service.

Page 6

Who do you need to protect against?

Depending on the industry you are in, or the specific company you work for…

• Nation states
• Corporate competitors
• Hackers / hacktivists
• Organized crime – hacking for information / toll fraud / planted employees in call center staff
• Opportunists
• Company insiders

Ask yourself - what can someone with bad intentions do with my UC system?

Page 7

What are the costs of breaches?

Unauthorized access can lead to…
• Loss of strategic information / intellectual property.
• Loss of personal or customer information.
• Loss of financial data.

Denial of Service attacks lead to…
• Loss of productivity / revenue.
• Damage to systems.

Any outage can lead to…
• Loss of reputation.
• Regulatory penalties.
• Court costs / litigation.
• Cost of investigation / forensics.

Page 8

What is PCI

Payment Card Industry Data Security Standard (PCI DSS)

A set of standards designed to secure the processing, storage, and transmission of credit card information through the lifecycle of the transaction.

Administered by the PCI Security Standards Council

www.pcisecuritystandards.org

https://www.pcisecuritystandards.org/documents/Protecting_Telephone_Based_Payment_Card_Data_v3-0_nov_2018.pdf

Page 9

What is HIPAA

Health Insurance Portability and Accountability Act

It was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage.

From a telecom perspective, HIPAA seeks to secure Protected Health Information (PHI).

Federal law – it provides less specific guidance than what is available for PCI.

Page 10

What data needs to be protected?

PCI
• Cardholder Data
  • Account Number / Expiration Date
  • Name
• Sensitive Account Data
  • Magnetic Stripe Information / Card Verification Code / PINs
• Personal information

HIPAA
• Protecting user information that can be linked to patient records, such as phone number or location of caller.

From a telecom perspective, both standards need to protect data in transit (voice) and at rest. Both standards seek to ensure only privileged users have access to sensitive data.

Audit logs are required for administrative activities.

HIPAA talks to a notion of a “conduit service” that is used as a pass through. Be careful, as these services still would need to be secured if data is logged or stored. (talk to me later)

Page 11

Why is PCI particularly important for VOIP?

• Voice transactions do not have access to the physical card so information must be conveyed across the conversation.

• Criminals only need to obtain the account number, name, expiration date, and in most cases card verification code.

• Since physical card security has evolved (chips), voice is a desirable channel for criminals.

Page 12

What needs to be secured

You must apply security practices to
• People
• Processes
• Technologies

that
• Transmit
• Process
• Store

• Cardholder information
• Personal Health Information

Page 13

Scope

Is your system in scope for PCI/HIPAA?

Is part of your system in scope?

Large systems may be split into “zones”

• Non PCI/HIPAA zone – office and information workers
• PCI/HIPAA zone – call center and adjuncts that process PCI data

Note that the zone may not have any “people” in zone – may be fully automated, but needs to be secured.

If calls can be easily transferred or conferenced between zones, compliance may be compromised.

Page 14

Scope

How some customers deal with Zones

• Treat the entire UC system as a secured zone

• Define a zone and apply security within that zone / limit interaction between zones.

• Segregate the UC system into distinct systems. Fully secure the zone, and place other staff and adjuncts on a different UC system.

• Remove PCI call processing from the system altogether by transferring callers with sensitive information to an outside company via carrier. Much harder to do for HIPAA.

Decision is based on the cost of securing the information.

Page 15

Possible Segmentation

[Diagram: IVR, PBX, Call Recording, Voice Mail, SBC, Call Center and Information Worker endpoints, WAN, two G430 Media Gateways, Telco]

End to End Encryption of all systems – requires physical security and training

Page 16

Possible Segmentation

[Diagram: IVR, PBX, Call Recording, Voice Mail, SBC, Call Center and Information Worker endpoints, WAN, two G430 Media Gateways, Telco]

Distinct Network Regions – control encryption settings.

Scope reduction – call center segmentation

Page 17

Possible Segmentation

[Diagram: Distinct PBX Systems – labels: PCI PBX, IVR, Call Recording, Voice Mail, SBC, Call Center, Information Worker, WAN, two G430 Media Gateways, Telco]

Page 18

Possible Segmentation

[Diagram: IVR, PBX, Call Recording, Voice Mail, SBC, Call Center, Information Worker, WAN, two G430 Media Gateways, Telco, 3rd Party Service Provider, Web]

Outsource secure traffic to 3rd party – via carrier or SBC links

Scope reduction
• DTMF masking
• Pause and resume
• Third party provider

Page 19

Securing VoIP

Securing the system calls for encrypting sensitive data.

In VOIP systems, the call is split in two components.

Call Signaling – the protocols that set up a call, such as H.323 & SIP
Call Media – the protocols that transfer the voice data, such as G.711

Digital / Analog media – used for trunking and analog services such as fax. Generally accepted at the point of demarcation.

Data at rest – any call data, including signaling or media, that is stored after the call is completed. This could be adjuncts such as recording systems, voice mail, or even CDR data that records keypresses.

Page 20

Securing Call Signaling

Call Signaling must be secure as sensitive data can be sent via call set up and call signaling.

• Who is calling whom.
• Time and date of call.
• Where the call is coming from or going to.
• UUI (User to User Information) that is sent via signaling when call center calls are transferred between agents and IVR.
• DTMF digits transferred over H.323 or SIP

Page 21

Signaling - what is SIP/H.323?

• SIP is a protocol - a “standard” way of letting endpoints set up calls. H.323 as well – but manufacturer proprietary.

• SIP has become the standard for interoperability between systems, trunks, and adjuncts

• Negotiates the best media to use for a call (g.711 / G.729) using Session Description Protocol (SDP) or H.245 for H.323

• SIP is an Internet protocol – like HTTP – text based

• Ports – 5060 (unsecured) / 5061 (TLS secured)

Page 22

SIP and H.323 do signaling; RTP does media

After the call is set up, the network devices and adjuncts use the Real-time Transport Protocol (RTP) for the talk path.

Same for SIP and H.323.

RTP contains the actual media (voice) of the call.

Ports – random
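To make the signaling/media split concrete, here is an added example (not from the presentation) that audits a SIP INVITE the way a compliance reviewer would: it reads the transport from the Via header (UDP on 5060 versus TLS on 5061), finds the RTP port in the SDP m= line, and checks whether the media is offered as SRTP (the RTP/SAVP profile with a=crypto keys) or as plain RTP/AVP. The INVITE is constructed; hosts, addresses and the key are made up, and the parser assumes IPv4 and a single Via header.

```python
"""Audit a captured SIP INVITE for encrypted signaling and media.

Added example, not from the presentation. SIP (5060 clear, 5061 TLS)
carries signaling, SDP negotiates the media, RTP carries voice on a
dynamically chosen port, and SRTP shows up in SDP as the RTP/SAVP
profile with a=crypto lines. Only IPv4 host:port forms are handled.
"""
import re

# Constructed sample INVITE as an IVR might send it to an agent (made-up
# hosts, addresses and key material).
SAMPLE_INVITE = (
    "INVITE sip:agent@pbx.example.internal SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.10.1.20:5061;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:ivr@pbx.example.internal>;tag=1928301774\r\n"
    "To: <sip:agent@pbx.example.internal>\r\n"
    "Call-ID: a84b4c76e66710@10.10.1.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:ivr@10.10.1.20:5061;transport=tls>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=ivr 2890844526 2890844526 IN IP4 10.10.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 10.10.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0 8 101\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnUnzUuwnw==\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:8 PCMA/8000\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
)

# The same call offered in the clear: UDP on 5060, plain RTP/AVP, no keys.
SAMPLE_INVITE_CLEAR = (
    re.sub(r"a=crypto:[^\r]*\r\n", "", SAMPLE_INVITE)
    .replace("SIP/2.0/TLS", "SIP/2.0/UDP")
    .replace(":5061", ":5060")
    .replace("transport=tls", "transport=udp")
    .replace("RTP/SAVP", "RTP/AVP")
)


def parse_sip(message):
    """Split a SIP request into (start line, {header: [values]}, SDP lines)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    sdp = [l for l in body.split("\r\n") if l]
    return lines[0], headers, sdp


def audit_invite(message):
    """Return a dict describing how the call's signaling and media are protected."""
    _, headers, sdp = parse_sip(message)
    report = {"signaling_encrypted": False, "media": []}
    # Signaling: the top Via header names the transport this message used.
    via = headers.get("via", [""])[0]
    m = re.match(r"SIP/2\.0/(\w+)\s+([^\s;]+)", via)
    if m:
        transport, hostport = m.groups()
        report["signaling_transport"] = transport.upper()
        report["signaling_port"] = int(hostport.rsplit(":", 1)[1]) if ":" in hostport else 5060
        report["signaling_encrypted"] = transport.upper() == "TLS"
    # Media: each m= line gives the RTP port and profile; RTP/SAVP plus a=crypto is SRTP.
    current = None
    for line in sdp:
        if line.startswith("m="):
            parts = line[2:].split()
            current = {"kind": parts[0], "port": int(parts[1]), "profile": parts[2],
                       "srtp": parts[2].upper() in ("RTP/SAVP", "RTP/SAVPF"),
                       "crypto": [], "dtmf_in_rtp": False}
            report["media"].append(current)
        elif current is not None and line.startswith("a=crypto:"):
            current["crypto"].append(line.split()[1])  # the crypto suite name
        elif current is not None and line.startswith("a=rtpmap:") and "telephone-event" in line:
            current["dtmf_in_rtp"] = True  # DTMF travels inside the media stream
    report["media_encrypted"] = bool(report["media"]) and all(
        s["srtp"] and s["crypto"] for s in report["media"])
    report["compliant"] = report["signaling_encrypted"] and report["media_encrypted"]
    return report
```

A call is only treated as compliant when both halves are protected; DTMF carried as telephone-event rides in the RTP stream, so it is covered by SRTP, while DTMF sent via signaling depends on the TLS result.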

Page 23

Securing Call Media

Call media must be secure as sensitive data can be spoken, or DTMF digits can be transferred within the network payload.

Call media can be easily decoded in a network using free software such as Wireshark. Network switch ports can be mirrored to allow VoIP calls to be captured anywhere by system administrators.

Page 24

How easy is it to decode VoIP?

Capture network data including VOIP calls. Notice the SIP and RTP packets…

Page 25

How easy is it to decode VoIP?

Select VoIP Calls from the Telephony Menu, select the call, click Play Streams

Page 26

How easy is it to decode VoIP?

Wireshark will decode the RTP streams to allow playback.

Page 27

How do we encrypt data?

Unencrypted network traffic flows between servers and phones using TCP. TLS is an “add on” to TCP that allows negotiation of encrypted links. TLS requires that each server sends a certificate to ensure authentication.

Page 28

So who signs certificates?

• Self signed – example: a personal check signed by you.
• Certificates signed by a certificate authority
  • Private Certificate Authorities – example: a company ID card signed by HR.
    • System Manager
    • Windows Server Certificate Authority
    • OpenSSL on Linux
  • Public / 3rd party Certificate Authorities – example: a passport issued by a government.
    • GoDaddy
    • Verisign
    • Digicert

Page 29

Configuring Avaya CM / Session Manager for secure communications

• To configure the solution, we need to do the following:
  • Validate capabilities
  • Issue certificates
  • Configure secure signaling
  • Configure secure media

Page 30

Securing SIP and H.323 – Verify system capacity for TLS (R7.1+)

Page 31

Verify system capacity for TLS (R7.1+)

Minimum TLS version support was added in Aura R7.1. This is important because compliance generally requires a minimum TLS version of 1.2.

Page 32

Generate server certificate using SMGR

• Before enabling TLS for H.323 on any stations, install TLS certificates.
• H.323 endpoints will download the cert from the Utility server at boot.
• Log in to the System Manager web page and go to Services / Security / Authority

Note – your company may not allow SMGR to be the Certificate Authority.

Download the SMGR root certificate to distribute to servers and endpoints.

Page 33

Register CM in the SMGR Registration Authority

• Register the CM in the SMGR Registration Authority
• Use the CM FQDN

Page 34

Register CM in the SMGR Registration Authority

Username –
Password – you will need it later
CN – usually the DNS name
The next few fields are optional.

SAN is very important. Add the DNS name, the short DNS name, and optionally the IP address.

CA is usually tmdefaultca for SMGR.

Use the P12 file to generate the cert with private key. No CSR required.

SMGR can also sign a CSR. Select User Generated.
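Because a missing SAN entry is the most common reason a freshly issued server identity certificate fails TLS validation, here is an added example (not from the presentation or from Avaya) that checks a certificate against the SAN rule on this slide: full DNS name, short DNS name, and optionally the IP address, plus a matching CN and an unexpired validity period. The certificate dicts use the shape Python's `ssl.SSLSocket.getpeercert()` returns, so the same function can be pointed at a live connection; the two sample certs and their hostnames and IP are constructed.

```python
"""Check that a server identity certificate carries the SAN entries this slide calls for.

Added example, not from the presentation. The cert dict mirrors what
ssl.SSLSocket.getpeercert() returns (subject as a tuple of RDNs,
subjectAltName as (kind, value) pairs, notAfter as an OpenSSL date string).
"""
import ssl
import time


def required_sans(fqdn, ip=None):
    """The SAN set the slide asks for: full DNS name, short DNS name, optional IP address."""
    short = fqdn.split(".")[0]
    entries = {("DNS", fqdn.lower()), ("DNS", short.lower())}
    if ip:
        entries.add(("IP Address", ip))
    return entries


def check_identity_cert(cert, fqdn, ip=None, now=None):
    """Return a list of problems; an empty list means the certificate passes."""
    problems = []
    sans = {(kind, value.lower() if kind == "DNS" else value)
            for kind, value in cert.get("subjectAltName", ())}
    for kind, value in sorted(required_sans(fqdn, ip) - sans):
        problems.append(f"missing SAN {kind}={value}")
    # Modern TLS clients ignore the CN once a SAN is present, and many reject
    # CN-only certificates outright, so a cert with no SAN at all is flagged.
    if not sans:
        problems.append("no subjectAltName at all (CN-only certificate)")
    cn = {v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    if cn and fqdn.lower() not in {c.lower() for c in cn}:
        problems.append(f"CN {sorted(cn)} does not match {fqdn}")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after <= (now if now is not None else time.time()):
        problems.append("certificate expired")
    return problems


# Constructed certificate dicts; hostnames, IP and dates are made up.
GOOD_CERT = {
    "subject": ((("commonName", "cm.example.internal"),),),
    "subjectAltName": (("DNS", "cm.example.internal"), ("DNS", "cm"),
                       ("IP Address", "10.10.1.5")),
    "notAfter": "Sep 30 23:59:59 2031 GMT",
}
CN_ONLY_CERT = {
    "subject": ((("commonName", "cm.example.internal"),),),
    "notAfter": "Sep 30 23:59:59 2031 GMT",
}
```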

Page 35

Create the CM certificate

• Create the signed server identity certificate that will be imported into the CM using the EJBCA Administration screen.


Page 38

Upload the certificates to the CM

• Download the new CM certificate and then upload both files to the CM.

Page 39

Install SMGR trusted certificate

• Install the SMGR certificate that was uploaded into the trusted certificate store.

Page 40

Install CM server certificate

• Install the CM server certificate that was signed by the SMGR.

Page 41

Copy the SMGR root cert to Utility / Web Server

• Copy the SMGR root cert to the Utility Server or HTTP server and edit the 46xxsettings.txt file to load it into phones.

• Phones generally don’t need their own identity certificates, as we usually do not do mutual authentication of phones.

• Your security policy may differ. Also important for mobile / remote.

Page 42

And do this for…

Every system in the Avaya Aura Solution. You will need to generate server identity certificates for:

• CM servers / ESS / LSP
• CM Gateways
• CM Media Servers
• Session Manager Servers
• AES Servers
• Messaging Systems

Any system that will process call signaling or RTP media.

Page 43

Securing H.323 – Configure Network Region

• Enable H.323 Security Profiles in the IP network region
• Enable H.323 Mutual Authentication in Gateways

Page 44

Securing H.323 – Verify that stations register with TLS

Page 45

Securing RTP – Validate System Settings

• Validate that Media Encryption is turned on in system settings.

Page 46

Securing RTP – Add Encryption Types to Codec Set

• Validate that Media Encryption is turned on in system settings.

Note – test this for a single “trial” network region first.

Page 47

Securing SIP signaling – Still need the SMGR certificates

• SIP TLS registration is simplified since Session Manager is automatically registered as a SIP entity and trusts SMGR.

• Only need to load the SMGR root cert on station and configure station for TLS registration in settings file.

• RTP is controlled by the CM network region.

Page 48

Securing SIP Signaling

• Configure all entity links between SIP devices to use TLS.

Page 49

Securing H.323 and SIP end to end

• Securing station registrations and media must be completed end to end.

• Calls shuffled through gateways or that traverse H.323 or SIP trunks for adjuncts could fall back to unencrypted.

• That is why you must have certificates and configure encryption on all devices.

Page 50

Trunking / Demarcation

Connections to carrier network are generally unencrypted.

• For digital facilities (T1 / analog), the point of demarcation is a media gateway. The gateway will convert encrypted RTP to digital.

• For SIP trunking, point of demarcation will be the Session Border Controller.

• Session Border Controller can transcode SRTP to RTP to carrier network. SBC will also hide the topology of the internal network and act as a “SIP Firewall” to prevent unauthorized access.

Physical security is required at gateway and SBC locations to avoid taps.

Page 51

Dealing with Data at Rest

Storage of data is an important consideration.

• Vendors can advise if data is encrypted when stored.
• Many voice mail systems do not encrypt data.
• Other systems may contain PCI data – call recording / CDR.

Good news – operating systems can be configured to encrypt all data on drives. Virtual servers can encrypt the storage the VM is running on.

Encrypting data does not account for admin access restrictions. An admin can still potentially access data through O/S access.

Page 52

Dealing with Data at Rest

• Note that system backups may not be encrypted. Work with I/T to store backups securely.

• Add access controls to systems to protect access to data.

• Eliminate “super user” logins with full access to UC systems. Use Roles Based Administration.

• Do not share logins or use standard logins.

• Log administrative access to systems – use SYSLOG in Avaya products.

Page 53

Dealing with Adjuncts / Call Recording

Some adjunct systems present a problem for compliance.

• Some systems may not be able to support TLS encryption. Generally not a problem.

• Call recording systems generally have RTP media “copied” to a recorder that decodes and stores the RTP. If the data is encrypted, the recorder will not be able to decode this traffic.

• Be sure to discuss encryption with all adjunct system manufacturers to understand how they will deal with the issue.

• Recording systems may be able to take advantage of SIPREC. You still need to secure links, but only between the SBC and the recorder.

Page 54

Dealing with Adjuncts / Call Recording

Some adjunct systems present a problem for compliance.

Recording systems - screen recording – is PCI / HIPAA data obscured?

Voice analytics – does logging capture private information?

Call recording – is PCI / PHI captured?

Page 55

People

Training
• Behavior
• Reporting suspicious activity
• Secure the end user environment (PC / monitor / desk)
• Criminal harassment / organized crime

Access
• Limit access to systems – implement controls for physical access
• Administrative access
• Roles Based Administration – available with System Manager

Home based workers
• Specific concerns – use MFA
• Only allow company controlled devices to access PCI / PHI data
• For softphone environments – need firewall / scanning software

Page 56

Logging

The Aura solution provides methods to log system activity and to provide alarming.

SYSLOG – System Logging – provides services to send specific system logs to an external server. Logs can be analyzed to identify incidents or to do forensic analysis.

SNMP – Simple Network Management Protocol – usually used for alarming to Network Management System (NMS). Avaya Aura uses this for SAL alarming, but alarms can also be sent to customer NMS.

All Aura systems configure SNMP and SYSLOG a bit differently.
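As an added example (not from the presentation or from Avaya), the following applies the access rules from the "Dealing with Data at Rest" and "People" slides to the kind of administrative login records a UC server forwards over SYSLOG: it flags use of shared or standard accounts, one account logging in from several sources, failed-login bursts, and after-hours administrative logins. The log lines, host and account names, addresses and the "standard accounts" list are all constructed; real Aura products format their syslog differently, so the regular expression is a placeholder to adapt.

```python
"""Review forwarded syslog lines for administrative access problems.

Added example, not from the presentation. The rules come from the slides:
log every administrative login, do not use shared or standard logins, and
analyse the logs to identify incidents. The line format below is a generic
RFC 3164-style sshd line and is a constructed placeholder.
"""
import re
from collections import defaultdict

# Constructed sample log: <PRI>Mon DD HH:MM:SS host process: message
SAMPLE_SYSLOG = """\
<86>Mar  3 08:02:11 cm-pci-01 sshd[2101]: Accepted publickey for jsmith from 10.20.0.15 port 51022 ssh2
<86>Mar  3 08:05:40 cm-pci-01 sshd[2140]: Accepted password for admin from 10.20.0.31 port 51104 ssh2
<86>Mar  3 08:06:02 cm-pci-01 sshd[2151]: Accepted password for admin from 10.20.0.77 port 49822 ssh2
<86>Mar  3 08:07:15 cm-pci-01 sshd[2160]: Failed password for root from 10.20.0.99 port 40010 ssh2
<86>Mar  3 08:07:17 cm-pci-01 sshd[2160]: Failed password for root from 10.20.0.99 port 40011 ssh2
<86>Mar  3 08:07:19 cm-pci-01 sshd[2160]: Failed password for root from 10.20.0.99 port 40012 ssh2
<86>Mar  3 22:41:03 cm-pci-01 sshd[3301]: Accepted password for jsmith from 10.20.0.15 port 60211 ssh2
"""

# Accounts the slides say should not be used: generic, shared or standard
# super-user logins. Placeholder list; substitute your own site policy.
SHARED_OR_STANDARD_ACCOUNTS = {"admin", "root"}

LINE_RE = re.compile(
    r"^<\d+>(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^:]+): (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Return a list of login-event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["hour"] = int(ev["time"][:2])
            events.append(ev)
    return events


def find_findings(events, failed_threshold=3, business_hours=(7, 19)):
    """Apply the access rules; return a sorted list of (rule, account, detail) tuples."""
    findings = set()
    sources = defaultdict(set)   # account -> set of source addresses seen
    failures = defaultdict(int)  # (account, source) -> failed attempts
    for ev in events:
        user = ev["user"]
        if ev["result"] == "Accepted":
            if user in SHARED_OR_STANDARD_ACCOUNTS:
                findings.add(("shared-or-standard-login", user, ev["src"]))
            sources[user].add(ev["src"])
            if not business_hours[0] <= ev["hour"] < business_hours[1]:
                findings.add(("after-hours-login", user, f"{ev['time']} from {ev['src']}"))
        else:
            failures[(user, ev["src"])] += 1
    # One account used from several sources in the same window suggests a shared login.
    for user, srcs in sources.items():
        if len(srcs) > 1:
            findings.add(("multiple-source-login", user, ",".join(sorted(srcs))))
    for (user, src), n in failures.items():
        if n >= failed_threshold:
            findings.add(("failed-login-burst", user, f"{n} failures from {src}"))
    return sorted(findings)
```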

Page 57

Recommendations

• Secure your systems

• Encrypt Everything if possible

• Reduce Scope otherwise

• Enable Logging

• Managing People and Access

• Validate Adjunct systems

• PATCH and UPDATE your systems (plug)

Page 58

What’s the best way for you to get help with scans?

- Come ask us questions
- www.convergeone.com
- Thanks for attending!

Chris [email protected]

Find the best partner – here at the show!

Please fill out your session survey! Session 212

Please tweet about the presentation if you liked it - @clauss

Get this presentation – http://bit.ly/iaugpres