CYBERSECURITY HARDENING GUIDE 1
CYBERSECURITY HARDENING GUIDEHow to prevent or reduce the impact of security risks.
Communication is critical in all areas of business. Actionable intelligence is essential to decision making that promotes operational efficiency.
When communication requires voice audio, intelligibility is paramount. You can’t afford to get the message wrong — if you do, then you have a business problem.
For over 70 years, Zenitel Group has delivered innovations that solve that business problem.
2
CONTENT
CYBERSECURITY............................................................................................... 4Meeting cybersecurity risks head on...................................................................................4Defending against cyber attacks...........................................................................................4Membership with CIS (Center for Internet Security)...........................................................4Developing a strong foundation ........................................................................................ 5Cybersecurity planning........................................................................................................ 5
PLAN.................................................................................................................... 6Risk and security levels......................................................................................................... 6Security mechanisms............................................................................................................ 7CIS Control 5: Controlled use of administrative privileges................................................ 8 Managing Passwords and Credentials.................................................................... 8 Tools to manage credentials and passwords......................................................... 8CIS Control 9: Overview of ports and services................................................................. 10 DO........................................................................................................................11Installing and setting up for cybersecurity.........................................................................11 Installation and setup of IP intercom devices for cybersecurity........................ 11 Installation and setup of AlphaCom XE server for cybersecurity....................... 14
CHECK................................................................................................................ 17Cybersecurity checklist...................................................................................................... 17
ACT..................................................................................................................... 18Evaluating and following up.............................................................................................. 18
WHERE TO LEARN MORE............................................................................... 19Download, General Information, CIS, Customer Support................................................ 19
3CYBERSECURITY HARDENING GUIDE
4
Meeting cybersecurity risks head onEvery new system, application or network service added comes with potential security vulnerabilities, making cyber protection increasingly more difficult and complex. By confronting the serious network se-curity risks pragmatically, you can reap the benefits while minimizing those risks. To accomplish this, you need a solid cybersecurity plan and the resources to execute it. Handling cybersecurity risk reduction up front typically takes less resources than having to clean up after avoidable cyber attacks.
Defending against cyber attacksThe vast majority of cybersecurity problems that occur can be prevented by proactive actions, tech-nology and practices that are already available. Yet, many organizations are overwhelmed by the “Fog of More”: more work, problems, regulatory and compli-ance requirements, conflicting opinions, marketplace noise, and unclear or daunting recommendations than anyone can manage. Even for the rare Enterprise that has the information, expertise, resources and time to sort through everything, it is rarely true for all their key business partners, suppliers and clients.
Membership with CIS (Center for Internet Security)CIS (https://www.cisecurity.org/) is a forward-think-ing nonprofit entity that harnesses the power of the
global IT community to safeguard private and public organizations against cyber threats. Its CIS Controls and CIS Benchmarks are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continually refined and veri-fied by a volunteer global community of experienced IT professionals. CIS is home to the Multi-State Information Sharing & Analysis Center (MS-ISAC®), the go-to resource for cyber threat prevention, pro-tection, response, and recovery for state, local, tribal, and territorial governments.
Zenitel is proud to be a CIS SecureSuite member. Through this membership, we are further bolstering our cybersecurity defenses by leveraging CIS Se-cureSuite resources that include CIS Benchmarks, consensus-based, internationally recognized security configuration resources, including CIS-CAT Pro, and CIS Controls, a set of cyber practices, developed by experts around the world, to stop today’s most per-vasive and dangerous cyber attacks.
CIS has developed the CIS Critical Security Controls for Effectve Cyber Defense, Version 6.1, a prioritized list of highly focused actions you can follow to pro-tect and defend your company against cyber threats. These Controls have been developed after studying actual attacks and effective defenses and have been developed, refined and validated by a community of
Network access gives your staff and company many benefits. However, the more access that you provide, the greater the danger that someone will exploit the increased vulnerabilities. Cybersecurity is the key to ensuring a safe, stable and resilient cyber environment.
CYBERSECURITY
CYBERSECURITY HARDENING GUIDE 5
Add IP communication system
PLANIdentify possible risks. Define se-
curity levels and mechanics.
DOImplement & install.
CHECKMonitor & surveilance.
ACTEvaluate & follow up.
The key building blocks:
leading global experts. They align with and map to all the major complicance frameworks, such as NIST Cybersecurity Framework, NIST guidelines and the ISO 27000 series, as well as regulations including PCI, DSS, HIPAA, NERC CIP and FISMA.
Developing a strong foundationCIS Controls 1-5 are what CIS refers to as ‘Foundational Cyber Hygiene’ - the basic things you must do to cre-ate a strong foundation for your cyberdefense. A num-ber of studies show that implementation of the first 5 CIS Controls provides an effective defense against the most common cyber attacks (~85% of attacks).
In CIS’s view, it is also vital to make a formal, con-scious and top-level decision to integrate the CIS Controls within any organization’s standard for cybersecurity. Senior management and the Board of Directors must also be onboard for support and accountability, calling for implementation of the first 5 CIS Controls in their organizations, as a minimum requirement.
Based on best practices, you should be able to answer: ▪ What is connected to our systems and networks? (CIS
Control 1: Inventory of Authorized & Unauthorized Devices)
▪ What software is running (or try to run) on our systems and network? (CIS Control 2: Inventory of Authorized & Unauthorized Software)
▪ Are we continuously managing our systems using ‘known good’ configurations? (CIS Control 3: Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations & Servers)
▪ Are we continuously looking for and managing ‘known bad’ software? (CIS Control 4: Continuous Vulnerability Assessment & Remediation)
▪ Do we limit and track the people who have administrative privileges to change and bypass or to override our security settings? (CIS Control 5: Controlled Use of Administrative Privileges)
More information about the CIS Critical Security Con-trols framework can be found at http://www.cisecuri-ty.org/critical-controls.cfm.
Cybersecurity planningYou need to consider and understand what is critical for your company and the system and solutions you use. From there, you can plan, implement and man-age your cybersecurity defense.
Zenitel has developed this Cybersecurity Hardening Guide to help you approach your planning, based on the CIS Controls. It combines our experience apply-ing best practices developed by CIS to support end users and integrators to build a good cyberdefense.
“You need to consider and understand what is critical for your company and the system and solutions you use. From there you can plan, implement, and manage your cybersecurity defense.”
1. The number of administrators who will have access to the systems. A system with many administrators has a higher risk that passwords can get into wrong hands or that other things that can go wrong in regards to cybersecurity.
2. The general threat level for your organization. A company protecting high value assets or providing critical infrastructure services has a higher risk that they will have intruders with more resources who will try to break through their cyberdefenses.
NOTE: This guide covers all Vingtor-Stentofon IP intercom devices and the AlphaCom XE servers series except the ITSV-1 Desktop Video Telephone. The guide does not cover PC tools such as AlphaPro, AlphaView, VS-Recorder and VS-Intercom Management Tool.
We have defined the following security levels that will be used throughout this guide:
MISSION-CRITICAL SYSTEM: General threat level is critical, and an IT department is managing the IT/IP systems.
HIGH-RISK ENTERPRISE SYSTEM: General threat level is high, and an IT department is managing the IT/IP systems.
MEDIUM-RISK SYSTEM: Small- to medium-sized business with a medium threat level. Typically, one system administrator manages the complete IT/IP system.
RISK AND SECURITY LEVELSRisk and security levels vary from organization to organization. Some factors that can impact your levels include the following:
6
PLAN
CYBERSECURITY GUIDE 7
CIS CONTROL
Control 1: Inventory of Authorized and Unauthorized Devices
Own dedicated network for physical security devices
Maintain an asset inventory using a tool that monitors and keeps inventory of devices that access the network. Typically tools to be used are DHCP logging, 802.1x with radius accounting, automatic discovery tools).
Deploy network level authentication via 802.1X to limit and control which devices can access network.
Use certificates for 802.1X.
Control 2: Inventory of Authorized and Unauthorized software
Verify that you have the latest production software for the Vingtor-Stentofon products from your integrator.
Use a software inventory tool to track software running on all devices.
Control 3: Secure configuration for hardware and software
Manage and change default passwords for administration access.
Control 4: Continuous vulnerability assessment and remediation
Run continuous vulnerability scanning tools on your network.
Control 5: Controlled use of administrative privileges
Minimize administrative privileges and only use administrative accounts when they are required.
Make a special administrative account for management of the intercom system.
Use a password-generation tool to create and manage passwords (See next page : CIS Control 5.)
Periodically re-generate and update passwords.
Control 6: Maintenance, monitoring and analysis of audit logs
Collect, manage and analyze audit logs of events.
Enable NTP in the IP intercom devices to ensure that all events are logged with correct time.
Enable SNMP, syslog to send events to logging servers
Control 7: E-mail and Web browser
NOTE: An IP intercom device is not exposed to security threats from users visiting possible harmful websites or opening malicious email attachments.
Control 8: Malware defense
NOTE: An IP intercom device is not exposed to security threats from users installing untrusted applications.
Control 9: Limitation and control of network ports, protocols and services
Ensure that only ports, protocols and services with validated business needs are applied.
Protocols that should be considered to be opened from the dedicated physical network to other cor-porate networks. (See page 10 : CIS Control 9.)
Control 10: Data recovery capability
Provide a backup of the configuration on the IP intercom devices.
MIS
SIO
N-C
RIT
ICA
L
HIG
H-R
ISK
ME
DIU
M-R
ISK
SECURITY MECHANISMSThe following table shows the relevant security mechanisms for each level of system, categorized by CIS Control.
8
To make credentials for the intercom devices and servers, you should use a password generator. The pass-word should be a minimum of 12 characters, though we recommend 20 characters. An example of a pass-word generator to use is https://strongpasswordgenerator.com. Password generators will make credentials that are difficult to hack.
It is easy to forget strong passwords, and we have seen examples where users have posted their passwords on Post-It notes on their desk. This is obviously not ideal from a security standpoint.
To store passwords, we recommend using a password management program like KeePass, which is open source software, free to use (http://keepass.info). The application stores log-on credentials in an encrypted database. Of course, the password to the database itself needs to be very strong and not something you can remember. But you might need to log on to this database on a daily basis with a password you can remember.
Here is what you can do:1. Make your master password database, where you add all your system passwords. Then, generate a very strong
password for this database.
2. Make a new database, with no passwords in it. For this database, you make a password that you can remember, but still strong, as described above.
3. Make the third database, which also is empty. For logging on to this database, here you choose to use your Windows domain user credentials for single sign-on.
4. Download a plug-in to KeePass called AutoOpen and install this in KeePass.
CIS CONTROL 5: CONTROLLED USE OF ADMINISTRATIVE PRIVILEGES
To manage passwords, you should have a password policy that says how strong the password should be and also how often it needs to be renewed. A strong password is long — the longer the better — and consists of a combination of special characters that is unlikely to for outsiders to guess.
For the IP intercom devices and the AlphaCom server, Zenitel recommends to use: ▪ Strong passwords (up to 20 characters)
▪ Randomly generated passwords
The credentials for intercom devices and AlphaCom servers are usually seldom used; the need to change and renew passwords is therefore not as high as that for passwords used daily. You can even consider using the same password for all devices, as typically only a few administrators are using these credentials.
Managing Passwords and Credentials
Tools to manage credentials and passwords
CYBERSECURITY HARDENING GUIDE 9
Now, you can easily configure the last database, which you open with your Windows domain user creden-tials, to open the second database, which you also configure to open the master database with all the secret passwords. The reason for making three databases instead of only two, is that your Windows user credentials may get corrupted; then, you couldn’t get access to the master database. If your Windows user credentials do get corrupted, you can always choose to open the second database with your secret password directly, which again will open the master database.
KeePass can be used by a team, where you have one master database, and each team member can set up their own two databases to access it.
This may sound complicated, but you will find it is straightforward in practice.
10
CIS CONTROL 9: OVERVIEW OF PORT AND SERVICES
The Vingtor-Stentofon IP communications solutions use the following IP ports, protocols and services:
Table 1 - TCP ports and services
SERVICE PORT # DESCRIPTION
AlphaNet Data 50000 Data communication between AlphaCom servers and external systems
AlphaPro 60001 Used between AlphaPro and AlphaPro PC tool
AlphaVision 55010 Used between AlphaPro and AlphaVision PC tool
Demo 50010 Only used for demo applications
DNS server 53 DNS lookup service over TCP
HTTP 80 Used for Web and IMT communication
HTTPS 443 Used for Web
IP stations 50001 Used between AlphaCom server and IP intercoms
Multimodule Data 50010 Used between master and slave AlphaCom server modules
OPC Server 1 61112 Used between AlphaCom and OPC servers
OPC Server 2 61113 Used between AlphaCom and OPC servers
SIP 5060 Only supported for SIP intercoms connecting to SIP servers
SIPS 5061 Only supported for SIP intercoms connecting to SIP servers
SSH 22 Used for SSH communication
ZAP 50004 Used for integration between VS devices in SIP/Pulse mode and external systems
ZAP Web 8080 Used to read ZAP information
Table 2 - UDP ports and services
SERVICE PORT # DESCRIPTION
Audio data 5035 Only used for demo
DHCPv4 client 68 Communications with DHCP server
DHCPv4 server 67 Alternative to use AlphaCom as DHCP server
DIP multicast 5001 Group call signaling for AlphaCom to IP devices
Discovery 5002 Discovery protocol for IP intercom devices
DNS server 53 DNS lookup over UDP
mDNS 5353
NTP server 123 Synchronize time with NTP servers
SIP 5060 SIP signaling to SIP servers and devices in Pulse mode
Pulse 5062 Additional SIP port used in Pulse mode
SNMP 161 Interface to SNMP servers
TFTP 69 Used for firmware upgrade and auto provisioning
VoIP audio 61000:61250 Transfer of audio and video payload
CYBERSECURITY HARDENING GUIDE 11
Here are the basic steps for setting up the system, using IMT for the parameters affecting cybersecurity:
1. Start IMT and discover stations.
Installation and setup of IP intercom devices for cybersecurity
INSTALLING AND SETTING UP FOR CYBERSECURITYOnce you have completed the planning phase for ensuring the cybersecurity of your system, it is time to move on to implementation. An important part of this is correctly configuring your device or system. Here, we pro-vide two sets of instructions: one for how to install and configure IP intercom devices and the other for how to install and configure an AlphaCom server.
DO
▪ Start the VS-IMT PC tool.
▪ Open existing project database or press Create to make a new project.
▪ Press File > Launch Station Wizard and enter the IP range to scan.
▪ Select Search, and IMT will find all Vingtor-Stentofon devices in the range specified.
12
2. Change default password for admin access for all sta-tions.
▪ Press Next until you come to the Configure Stations page.
▪ Select all stations (Ctrl + A), Enter the new Password, then Upload.
▪ Press Next two times to finish the Station Wizard.
3. Set the NTP server for all stations.
▪ In the Configuration page, select all stations (Ctrl + A) and open Time Settings.
▪ Enable Network Time Protocol and enter a valid host name or IP Address for the NTP Server.
▪ Press Save, then Upload.
4. Set SNMP parameters
▪ In the Configuration page, select all stations (Ctrl + A) and open SNMP Settings.
▪ Enter the relevant SNMP parameters
▪ Press Save, then Upload.
CYBERSECURITY HARDENING GUIDE 13
5. Enable IEEE802.1x and set authentica-tion parameters.
6. Verify IP ports and firewall settings.
7. Generate report describing the system.
▪ In the Configuration page, from the menu bar, select Tools > 802.1X Setup. Select all stations (Ctrl + A).
▪ Enter the relevant authentication parameters.
▪ Press Save, then Reboot.
▪ In the Configuration page, select one station.
▪ Open the Firewall Settings.
▪ Check that Allowed/Blocked services are according to the needed services
▪ Check the Firewall Settings for each station.
▪ Vingtor-Stentofon products are shipped with the minimum set of IP ports enabled.
▪ Launch the Station Wizard by selecting File > Launch Station Wizard and run through the Discover Station process.
▪ From the last step in the Wizard, use the report generator to create a report of the system.
14
1. Log in to AlphaWebLog in can be done via HTTP or the secure HTTPS protocol.
Installation and setup of AlphaCom XE server for cybersecurityHere are the basic steps for setting up the system using AlphaCom web interface for the parameters impact-ing cybersecurity:
2. Set IP configThe AlphaCom has two eth-ernet interfaces. By default, one port is used for VoIP traffic, the other port for Management.
CYBERSECURITY HARDENING GUIDE 15
4. Set NTP serverThe AlphaCom can synchronize its clock from a NTP server.
5. Enable SNMP Traps and/or Syslog for monitoring.
3. Change default passwordThere are two types of passwords, one for read access only, and one for read/write access.
16
6. Verify IP ports and firewall settings.
7. Backup configuration data
Configuration data is stored on local file on server, as well as to external PC.
8. Generate report describing systemAn Excel report containing all configured devices can be generated.
CYBERSECURITY HARDENING GUIDE 17
Cybersecurity checklistAfter completing the implementation phase for ensuring the cybersecurity of your system, it is time to check how things are going. To get you started, we’ve compiled a simple checklist linking the necessary tasks to the relevant CIS Controls.
CIS CONTROL ID TASK EXPECTATION FINDINGS
CIS Control 1: Inventory of authorized and unauthorized devices
Review the logs of authorized devices that have accessed the network.
Verify that authorized inter-coms have no unplanned network disconnects.
Verify that no unknown devices have accessed the network used for physical security.
CIS Control 2: Inventory of authorized and unauthorized software
Check the software version of your intercom devices.
Verify that you have the latest production software on Vingtor-Stentofon Intercom devices. See release note at
alpha.zenitel.com.
CIS Control 3: Secure con-figuration for hardware and software
Check when the login password was last changed.
Evaluate the need to change the password, ac-cording to company policy.
CIS Control 4: Continuous vulnerability assessment and remediations
Run a vulnerability scan on the physical security network.
There should be no critical findings from vulnerability scan.
CIS Control 5: Controlled use of administrative privileges
Review who has access to admin passwords for physical security devices.
Only current adminis-trators know the current admin passwords.
CIS Control 6: Maintenance, monitoring and analysis of audit logs
Review SNMP and syslog reports.
Verify that authorized inter-coms have no unplanned network/server discon-nects.
CIS Control 9: Limitation and control of network ports, protocols and services
Review the firewall settings in your intercom devices.
Verify that no ports for un-used services are open.
CHECK
18
Evaluating and following up
Once you have completed the cybersecurity checklist in the previous stage, you will have a set of findings that will shape your action plan for any necessary follow-up. Review your findings from the checklist and identify the actions needed for each. For example, let’s say this is your finding on CIS Control 5:
Naturally, the follow-up action required is to change your admin passwords immediately.
Once you have all the follow-up actions identified, you can more easily prioritize them, evaluate resource needs and work through to completion.
Collecting this information in a structured, consistent way will simplify tracking and make it easier for you to report on your system’s cybersecurity health to management on a regular basis.
We hope that this guide will help you to meet your cybersecurity risks head on and ensure that you are main-taining a healthy, robust cyberdefense for your systems.
CIS CONTROL ID TASK EXPECTATION FINDINGS
CIS Control 5: Controlled use of administrative privileges
Review who has access to admin passwords for phys-ical security devices.
Only current adminis-trators know the current admin passwords.
Some former administrators have the current admin passwords.
ACT
CYBERSECURITY HARDENING GUIDE 19
WHERE TO LEARN MORE DOWNLOADOur firmware and software is available via our pages:https://www.zenitel.com/customer-service/wiki-access
GENERAL INFORMATIONWe design each of our solutions from the outset with defensibility in mind:https://www.zenitel.com/cybersecurity/vingtor-stentofon-cybersecurity
CIS (Center for Internet Security) is an independent, non-profit organization with a mission to provide a secure online experience for all:https://www.cisecurity.org
CUSTOMER SUPPORTWe are available to take your call 24 hours a day, 7 days a week.Global: +47 4000 2700 USA: +1 800 654 3140E-mail: [email protected]
A100K11771 09/2017
DOC NO.
www.zenitel.com
[email protected] and its subsidiaries assume no responsibility for any errors that may appear in this publication, or for damages arising from the information therein. Vingtor-Stentofon products are developed and marketed by Zenitel. The company’s Quality Assurance System is certified to meet the requirements in NS-EN ISO 9001. Zenitel reserves the right to modify designs and alter specifications without notice. ZENITEL PROPRIETARY. This document and its supplementing elements, contain Zenitel or third party informa-tion which is proprietary and confidential. Any disclosure, copying, distribution or use is prohibited, if not otherwise explicitly agreed in writing with Zenitel. Any authorized reproduction, in part or in whole, must include this legend. Zenitel – All rights reserved.
