Category Archives: Service Providers

REDCOM continues to demonstrate effectiveness of STIR/SHAKEN caller authentication standards with the ATIS Robocalling Testbed

REDCOM Laboratories, Inc., the leading provider of solutions for the network service layer, announced today it has successfully completed interoperability testing with the ATIS Robocalling Testbed that demonstrates the interoperability of the company’s STIR/SHAKEN implementation within the REDCOM Personalized Call Screening software. REDCOM previously completed this testing in 2019, and is proud to have completed it again with both STI-AS and STI-VS functionality. These tests are part of a broader industry effort to help service providers protect consumers against unwanted robocalls and caller ID spoofing.

“Nuisance calls are one of the biggest pain points affecting consumers today,” said Shannon Chevier, Director of Product Management for REDCOM. “The TRACED Act requires all telecom carriers to provide their users with a call screening system. Our robust Personalized Call Screening solution allows service providers to offer consumers real protection against today’s onslaught of robocalls. Service providers that implement REDCOM software not only get a proven STIR/SHAKEN solution, but also a ‘best of all worlds’ toolkit that includes reputation scoring, white and blacklists, and audio CAPTCHAs.”

The virtualized testing facility, hosted by the Neustar Trust Lab, supports a joint effort from the Internet Engineering Task Force (IETF) and the Alliance for Telecommunications Industry Solutions (ATIS) called STIR/SHAKEN, which gives service providers the ability to authenticate, digitally sign, and verify calling party numbers. This testing confirms REDCOM’s successful implementation of both the Secure Telephone Identity Revisited (STIR) standard and the Signature-based Handling of Asserted information using toKENs (SHAKEN) framework. 

“Neustar is committed to helping combat spoofed calls, and restoring trust in the phone channel,” said Neustar’s SVP and GM, Communications Solutions, James Garvert. “As of October of last year, we had sixty-six registered participants in the ATIS testbed. We’ve all learned that testing in a contained environment is very important to ensure STIR/SHAKEN goes live without any errors. We congratulate REDCOM on their success.” 

Service providers interested in REDCOM’s robocall and nuisance call blocking software can visit https://www.redcom.com/capabilities/call-screening/ for more information. 

 

About REDCOM 

REDCOM Laboratories, Inc. is a woman-owned small business that specializes in the design and development of advanced communications solutions for service providers. REDCOM offers a full suite of highly flexible, standards-based Carrier-Class Service Layer solutions and switching platforms. Our products enable service providers to cost-effectively converge wireline, IP, and wireless services with a common service delivery environment; migrate legacy switching; roll out VoLTE; and deploy enhanced network services such as Personalized Call Screening, Intelligent Call Routing, Real-Time Call Rating, and Mass Notification. All REDCOM products are proudly designed, built, and supported in the United States. 

Tips for Cybersecurity Awareness Campaigns

Nearly all professionals are familiar with the idea of cybersecurity awareness campaigns: presentations and discussions about cyber risks and practices to mitigate said risks. Likewise, many familiar with these campaigns may also know how ineffective they can be in convincing the average user to enhance their security habits. Recent research has attempted to isolate certain aspects of cybersecurity campaigns which lead to their ineffectiveness and overall downfall. In this post, we will explore the research and dive into suggested ways to help improve the odds of an awareness campaign being successful.

Cybersecurity campaign goals

The overall goal of a cybersecurity awareness campaign is to “render people amenable to change(s)” which will ultimately raise their security posture. To accomplish this goal, two conditions must be met:

1. People must be able to understand and apply cybersecurity advice
2. Users must have their attitudes and intentions changed in favor of being more security-conscious

A successful campaign will need to be structured around these conditions to alter attitudes and actions towards cybersecurity. According to NIST Special Publication 800-50, it is important to note that cybersecurity awareness is not the same as cybersecurity training. Cybersecurity awareness should ultimately alter a person’s cybersecurity perspective, rendering them more motivated and receptive to formal cybersecurity training.

Factors of an unsuccessful cybersecurity campaign

While the goal is to run successful cybersecurity campaigns, it is vital to understand the factors that can derail the effort, such as:

Misunderstanding security

Although this idea may seem obvious, it proves to be a point of failure for campaigns. Not only must a campaign have an idea of what general cybersecurity looks like, it must also know what cybersecurity means to the audience it is communicating with. Not all experiences with cybersecurity are created equally, so realizing your audience’s current understanding of cybersecurity is crucial in order to effectively relate to them. Relating to your audience in terms of how they already think about cybersecurity feels more personal and makes it easier to convey knowledge that will impact their actions.

Compliance

Compliance with a cybersecurity education program does not equal proper behavioral changes. It is more important to emphasize appropriate behavior and actions than compliance with a cybersecurity course or program.

Uniqueness of awareness

Heightened awareness of cybersecurity will be an entirely new action or practice for many individuals, so it should be taught with that same approach. Cybersecurity awareness is a unique skill, so constant reinforcement of proper behaviors and actions is a necessity, as well as reassurance when individuals falter or have misunderstandings.

Lack of engaging material

Information disseminated by cybersecurity campaigns must be easily digestible and engaging. This could prove rather difficult for large-scale campaigns, as cybersecurity notions will certainly differ from one audience to another. A wide range of information covered via several media (e.g., posters, brochures, presentations, demonstrations, etc.) could increase adaptability to multiple distinct audiences.

Relate to an audience at the individual level

Studies have shown that one of the most effective media for engaging with audiences from the general population is the poster.

Absence of data collection

Regularly collecting metrics from audiences allows for those working on the campaign to learn which methods are working and which are not. Data collection will enable campaigns to improve based on direct feedback from audience members.

Unreasonable expectations

Organizers of cybersecurity campaigns must recognize that they are attempting to teach an entirely new skill and that failure is inevitable. Individuals will falter when learning any new practice, and cybersecurity is no exception: organizers must leave room for failure and turn failures into learning opportunities.

Multiple threats

There is an ever-increasing variety of cyberattacks, so awareness campaigns must be prepared to test their audiences in a variety of different ways (quizzes, false phishing, risky behavior analysis, etc.). Like the last point, it is important not to shame or discourage an individual if they fail a testing exercise; rather, it is important to turn the failures into learning moments and provide continued encouragement.

Factors of a successful cybersecurity campaign

Communication

Finding success with a broad audience requires information through several media. As mentioned before, posters have been reported to be the most effective.

Computer-based training

Computers are an omnipresent component of modern cybersecurity, so it’s crucial to expose audiences to them as much as feasibly possible. Computer demonstrations and exercises may be useful for smaller-scale audiences.

Awareness events

Events help bring security awareness efforts to life. Events are places where information can be distributed, demonstrations can be performed, and questions can be asked. Events can also allow campaign organizers to gauge an audience’s understanding and feelings of cybersecurity.

Security portal

An online campaign must provide general information on cyber attacks and cybersecurity in an online format. The portal should include a knowledge base and a section where general users can ask questions in an online forum to promote discussion.

Behavioral testing & teachable moments

Campaign organizers need to be prepared to allow failures in understandings, practices, and testing. As stated previously, these failures should be met with a positive attitude and reinforcement of proper cybersecurity behaviors and actions.

Teaching new skills effectively

Cybersecurity is an extraordinarily complex field, so when teaching proper skills & behavior to a general audience, complex goals should be broken down into short-term, achievable steps. Any & all assistance should be offered to all participants of a campaign at any time, whether it be answering a specific question or reintroducing basic concepts.

Conclusion

Cybersecurity awareness is an enormous concept and campaigns will take some trial & error in order to see some marginal success. It is important to consider the factors outlined in this study, as they seem to make valid points about the human experience with cybersecurity. One of the most important aspects, it seems, is that no one person is an expert in all of cybersecurity, and when teaching practices of good cybersecurity posture, one should treat it as the almost entirely new skill that it is. It is also important to remember that cybersecurity is an ever-changing field, and advances in cybersecurity awareness & overall posture must remain ever-changing as well.

TRACED Act signed: Is it enough?

In the final part of this two-part blog series, REDCOM explores if the TRACED Act goes far enough to protect subscribers from robocalls. In part one we looked at what the Act is, what it entails, and how it affects Service Providers and their subscribers.

Does the TRACED Act go far enough?

As mentioned in the previous blog, the TRACED Act adds deterrents such as increased fines and the expanded statute of limitations. Still, the only mandated protection from robocalls is the STIR/SHAKEN framework. STIR/SHAKEN is an excellent start to mitigating robocalls and is one of the important countermeasures REDCOM employs in our Personalized Call Screening (PCS) solution. However, STIR/SHAKEN alone is not enough.

In the simplest terms, STIR/SHAKEN is a framework for validating a SIP call. It is not the solution to ending robocalls or nuisance calls. The STIR/SHAKEN framework is a great start, but all carriers know that STIR/SHAKEN has several significant limitations:

• It applies to SIP calls only
• Attestation (Full, Partial, Gateway) defines the relationship between the caller and carrier, not what is meaningful to the called party
• Originating from or transiting TDM/legacy PSTN results in loss of validation
• Requires management of validation credentials
• Only works if implemented by all carriers
• No flexibility to block annoying (but legal) nuisance calls (i.e., insurance salesmen, banks, surveys, etc.)
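As an added illustration (not REDCOM's code and not part of the original post), the sketch below shows the claim checks a verification service applies to the signed token that carries the attestation level, and how a call that lost its Identity header on a TDM hop ends up with no verdict at all. The token layout follows the PASSporT "shaken" extension; the ES256 signature and certificate checks are assumed to be done by a crypto library and are not shown, and the telephone numbers, certificate URL and 60-second freshness window are constructed or assumed values.

```python
import base64
import json

# "attest" codes in the SHAKEN PASSporT and the names the post uses for them.
ATTESTATION = {"A": "Full", "B": "Partial", "C": "Gateway"}
MAX_AGE_SECONDS = 60  # assumed freshness window for the "iat" claim


def b64url_decode(segment):
    """Decode one unpadded base64url segment of the token."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_passport(identity_value):
    """Return (header, claims) from a SIP Identity header value."""
    token = identity_value.split(";", 1)[0].strip()  # drop ;info= ;alg= ;ppt=
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(segments[0]))
    claims = json.loads(b64url_decode(segments[1]))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and payload must be JSON objects")
    return header, claims


def check_claims(identity_value, calling_tn, called_tn, now):
    """Claim checks performed around signature validation (not shown here).

    Returns (verdict, reasons): "Full", "Partial" or "Gateway" when every
    check passes, "unsigned" when no Identity header arrived (for example
    after a TDM hop), otherwise "failed".
    """
    if not identity_value:
        return "unsigned", ["no Identity header on the INVITE"]
    try:
        header, claims = parse_passport(identity_value)
    except ValueError as exc:  # bad base64, bad JSON or wrong shape
        return "failed", [f"malformed PASSporT: {exc}"]

    reasons = []
    for name, value in {"alg": "ES256", "ppt": "shaken", "typ": "passport"}.items():
        if header.get(name) != value:
            reasons.append(f"header {name} is {header.get(name)!r}")
    orig = claims.get("orig")
    if not isinstance(orig, dict) or orig.get("tn") != calling_tn:
        reasons.append("orig.tn does not match the calling number")
    dest = claims.get("dest")
    dest_tns = dest.get("tn") if isinstance(dest, dict) else None
    if not isinstance(dest_tns, list) or called_tn not in dest_tns:
        reasons.append("dest.tn does not include the called number")
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > MAX_AGE_SECONDS:
        reasons.append("iat is missing or outside the freshness window")
    attest = claims.get("attest")
    level = ATTESTATION.get(attest) if isinstance(attest, str) else None
    if level is None:
        reasons.append("attest is not A, B or C")
    return ("failed", reasons) if reasons else (level, [])


def sample_identity(attest, orig_tn, dest_tn, iat):
    """Constructed header value for the demo; the signature is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.invalid/sti.pem"}
    claims = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
              "orig": {"tn": orig_tn},
              "origid": "00000000-0000-4000-8000-000000000000"}
    token = f"{enc(header)}.{enc(claims)}.placeholder-signature"
    return f"{token};info=<{header['x5u']}>;alg=ES256;ppt=shaken"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    caller, callee = "15855550100", "15855550199"
    signed = sample_identity("B", caller, callee, now - 5)
    print(check_claims(signed, caller, callee, now))          # Partial
    print(check_claims(signed, "12125550100", callee, now))   # number mismatch
    print(check_claims(None, caller, callee, now))            # came via TDM
```

The verdict only says how well the originating carrier knows the caller; whether the called party wants the call is a separate screening decision.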

Now that the TRACED Act is law, STIR/SHAKEN will be implemented by the majority of U.S. carriers. They’ll comply, but the bad guys will continue to find ways to circumvent the technology. History tells this story, with 27 years of regulation that have led us to the present day, including the Telephone Consumer Protection Act of 1992 and the Do Not Call Registry. Are any of these actually working for you?

The best solution is a multi-layered approach

We believe the only effective solution to combating nuisance calls is a multi-layered approach that builds on STIR/SHAKEN with whitelists, blacklists, audio CAPTCHAs, reputation databases, and real-time analytics. Unlike an SBC solution that does verification at the edge, REDCOM’s Personalized Call Screening sits at the core and can offer carriers a network-wide solution. The further these methods can be pushed to the heart of the network or towards the originator, the more effective they become.

Additionally, according to the TRACED Act, service providers cannot pass the cost of STIR/SHAKEN onto subscribers. Still, carriers can offer the additional protections provided by REDCOM PCS as value-added services. This will help mitigate the cost of a STIR/SHAKEN implementation.

An in-depth demo of REDCOM’s Personalized Call Screening can be found here.

TRACED Act signed: What is it?

In part one of this two-part blog series, REDCOM explores what the TRACED Act is, what it entails, and how it affects Service Providers and their subscribers.

What is the TRACED Act?

The Pallone-Thune TRACED Act, aimed at providing Americans a reprieve from robocalls, is a piece of legislation signed into law in late 2019. Signed by the president and passed with bipartisan support through the legislature, the TRACED Act is the culmination of growing anger from the American public towards the pesky and potentially malicious onslaught of robocalls. While it is not the end all be all to robo and nuisance calls, it grants the FCC more authority and means to combat the issue.

What does the Act entail?

Here is a breakdown of what’s included in the TRACED Act:

  • Increases potential fine amounts and the statute of limitations up to four years for robocall offenses
  • FCC rulemaking required to protect consumers from nuisance calls and texts
  • FCC must report on robocall enforcement and is empowered to propose legislation
  • Timeline for the implementation of STIR/SHAKEN
  • Protects subscribers from being charged for STIR/SHAKEN services
  • Protects carriers from liability for reasonable mistakes
  • Attorney General must create an interagency task force to oversee the prosecution of offenders
  • Allows the Justice Department to prosecute perpetrators
  • Requires research to ensure the law works and invested parties are providing feedback
  • FCC must establish a Hospital Robocall Working Group

What does the Act mean for service providers?

The main takeaway for carriers, especially smaller providers, is they will now have to play a much larger role in mitigating robocalls to subscribers. Above all, service providers will, within a reasonable timetable, have to implement the STIR/SHAKEN framework. To see how STIR/SHAKEN works, see our overview here.

STIR/SHAKEN is the sole framework now required by the U.S. Government to protect subscribers from spam calls and spoofing. In part two of this series, REDCOM looks into whether STIR/SHAKEN is enough.


Authentication — Do I Know You?

How do I know you are who you say you are? That, in a nutshell, is what authentication is all about. As you may recall from a recent blog post, authentication is a component of access control. Access control is a part of one of the pillars of the security triad – confidentiality. So, what exactly is authentication? Simply stated, authentication is the act of verifying the claim of an identity.

 

 

How does authentication work? The most familiar example is logging in to your bank account online. Providing your username is a claim of your identity. Entering the associated password is used to authenticate that claim. Be careful not to confuse authentication with authorization. Authorization is the process that occurs once authentication has successfully completed. Continuing with the bank account example, once you’ve successfully logged in (authenticated) you’re authorized to perform some – not necessarily all – functions (such as balance inquiries, fund transfers, or pay bills).

All the rage right now is MFA (multifactor authentication). NIST (National Institute of Standards and Technology) defines strong authentication as “A method used to secure computer systems and/or networks by verifying a user’s identity by requiring two-factors in order to authenticate.” So, if our bank requires a username, password, and a PIN we comply with the NIST recommendation, right? Well, no, that example includes only a single factor of authentication.

So, that raises the question, what are factors of authentication? A factor describes a type of authentication. There are five different factors of authentication:

 

Something you know

These include factors that rely solely on your memory such as passwords and PIN numbers.

 

Something you have

Examples here include a proximity card or a security token. These are items that you will need to have in your possession. A proximity card generally contains an RFID activated security certificate. A security token is a device that generates a temporary time-based one-time password (TOTP).

 

Something you are

Something you are is all about biometrics. This includes authentication methods such as a fingerprint, retinal scan, or voice recognition.

 

Something you do

This authentication factor relies on actions you perform. These can be overt such as drawing a specific pattern in order to unlock a smart phone. They can also be something less obvious such as recognizing your gait as you walk.

 

Somewhere you are

This authentication factor uses your location. This is generally derived from a GPS receiver such as the one in your smartphone.

So, let’s go back to our example of logging in to a bank account with a username, password, and PIN. Despite these two distinct elements attempting to authenticate the username, we can see that they each fall squarely into the ‘something we know’ category. As a result, that is a single factor of authentication.

 

What’s all the rage about MFA?

No system is infallible. Passwords are subject to compromise through brute force attacks (such as using a dictionary or rainbow table) or social engineering and phishing attacks. Security devices such as a proximity card can be lost or stolen. Biometrics are imperfect and often can result in a false positive or false negative. When security measures simply rely on a single factor, they are easier to overcome.

Using more than one factor of authentication makes it more difficult for a malicious actor to impersonate someone else. As an example, using a proximity card in conjunction with a PIN code is a common method to access a secure facility. Should the proximity card be stolen, it’s useless without also knowing the associated PIN code. Both factors are needed in order for it to work.
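The bank example above, worked through as an added illustration (not REDCOM's code and not part of the original post): a login check that verifies each presented credential and then counts distinct factor categories, so a password plus PIN still counts as one factor while a password plus a token code counts as two. The account layout, function names and sample secrets are hypothetical; the token code is computed per RFC 6238.

```python
import hashlib
import hmac
import os
import struct

# Factor category for each credential type, using the post's factor names.
FACTOR_OF = {
    "password": "something you know",
    "pin": "something you know",
    "totp": "something you have",
}


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 time-based one-time password (HMAC-SHA-1 variant)."""
    counter = struct.pack(">Q", int(at_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def make_verifier(secret_text):
    """Store a salted, stretched digest instead of the memorized secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret_text.encode(), salt, 200_000)
    return salt, digest


def check_verifier(secret_text, verifier):
    salt, digest = verifier
    candidate = hashlib.pbkdf2_hmac("sha256", secret_text.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)


def enroll(password, pin, token_secret):
    """Hypothetical account record: two memorized secrets and one token seed."""
    return {"password": make_verifier(password),
            "pin": make_verifier(pin),
            "totp_secret": token_secret}


def verify(account, kind, value, now):
    """Check one presented credential against the account record."""
    if kind in ("password", "pin"):
        return check_verifier(value, account[kind])
    if kind == "totp":
        # Accept the previous, current and next 30-second step for clock drift.
        return any(
            hmac.compare_digest(totp(account["totp_secret"], now + drift).encode(),
                                value.encode())
            for drift in (-30, 0, 30))
    return False


def login(account, presented, now):
    """Return the set of factor categories proven, or None if anything fails."""
    factors = set()
    for kind, value in presented.items():
        if not verify(account, kind, value, now):
            return None
        factors.add(FACTOR_OF[kind])
    return factors


def is_multifactor(factors):
    """Two credentials are not enough; they must come from different factors."""
    return factors is not None and len(factors) >= 2


if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed token seed (RFC 6238 test key)
    account = enroll("correct horse", "4821", seed)
    now = 59
    knows_only = login(account, {"password": "correct horse", "pin": "4821"}, now)
    with_token = login(account, {"password": "correct horse",
                                 "totp": totp(seed, now)}, now)
    print(knows_only, is_multifactor(knows_only))
    print(with_token, is_multifactor(with_token))
```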

Dinah Weisberg: Strategy – in a time of uncertainty – needs security and reliability

Dinah Weisberg originally wanted a career in marine biology but admits she “had some sense talked into her by her parents.” Two computer science degrees and an executive MBA later, she is now CEO and President of REDCOM, one of the more unusual communications vendors on the circuit, and one with deep and enduring links to the Pacific and the PTC.

REDCOM, a privately-held supplier with about 170 employees, was founded by Mrs. Weisberg’s parents, Klaus and Brigitte Gueldenpfennig, in 1978. Since then, both the company and its markets have changed significantly. Ms. Weisberg took over as president in early 2017. REDCOM, she says, needed a “reset and refocus” on strategy and core competencies. She explains: “Our main mission now is to provide the most reliable, intuitive, interoperable, and secure communications solutions in the world.”

She highlights security and reliability as particular capabilities at REDCOM: “When you take a look at what you’re good at, [then] that is what you should focus on. We redoubled our efforts to focus on the security message, and on becoming a thought leader in secure communications.” Reliability, she says, is a quality that REDCOM has always been “extremely adept at.”

She continues: “We are a small, nimble company and able to adapt very quickly to customer needs.” Being small may have its advantages, but big suppliers also dominate in what is a global space. “Size matters to a particular customer [set],” she acknowledges. “It matters when you are a big player in a competitive field.” She points out that in REDCOM’s market, big players may supply lower cost product for a large market, but customers may discover particular features key to their needs will be absent. “Our solution will often be unique, but it will be what customers need,” she affirms. Bespoke features, she says, frequently become incorporated as standard offerings in successive product releases as a result.

 

Read the full PTC Blog

Nuisance call handling at the network edge

Robocalls. Nuisance calls. We all know what they are. We all hate them. You’ve probably received at least one at some point in the last day or so. These types of calls have become the scourge of our society; they are currently the number one complaint received by the FCC. While estimates vary wildly, there’s no denying that nuisance calls are a sizable portion of the telephone calls made today. A recent c|net news article estimates that Americans received 47.8 billion nuisance calls in 2018. An unfortunate side effect of this is that legitimate calls from an unrecognized number are often ignored. The only bright side is the fodder for late night talk show hosts as seen in a comedic (and somewhat off-color) episode of HBO’s Last Week Tonight with John Oliver.

Lawmakers are finally beginning to recognize the problem and have started releasing legislation to address it. In January of 2018, the CRTC (Canadian Radio-television and Telecommunications Commission) mandated that telecommunications service providers (TSPs) must implement a method to verify the caller ID information of IP voice calls no later than March 31, 2019. The United States Congress has introduced the TRACED (Telephone Robocall Abuse Criminal Enforcement and Deterrence) Act in an effort to empower the FCC to take action against these types of calls.

Seriously though, how many interns did it take to come up with that acronym?

Block Robocalls

Now that we’re empowered to take action against the originators of the nuisance calls, how do we go about it? If you’re living in the telecom world, you’ve most certainly heard of STIR/SHAKEN. While STIR/SHAKEN is certainly an important tool, it is not a silver bullet. STIR/SHAKEN is a SIP-based protocol that works well in the core of the network. Class 5 end offices are still utilizing a TDM (time division multiplexing) based network. Until the rural telcos living at the network edge have access to the service provider’s SIP-based backbone, STIR/SHAKEN does little to help them. So, what can the rural telcos do to help their subscribers curb the nuisance call problem? The network edge may not yet be able to take advantage of solutions based in the core of the network, but there are steps that can be taken.

One of the more common tactics employed by the originators of nuisance calls is to spoof their ANI (automatic number identification) so the caller ID shows a local number. The intent is to try and trick you into thinking that the call may be from one of your neighbors. Configuring the end office to evaluate the ANI of inbound network calls is a simple solution to this problem. If the ANI is a local number, then it can be blocked or redirected for other special treatment.

Subscribers also have access to tools to help them address the nuisance call problem. Features such as ACR (anonymous call rejection) or white/black list allow subscribers to block calls from private numbers or allow/disallow calls from specific numbers. These can be paired with the use of an audio CAPTCHA (sometimes known as telemarketer do not disturb) to force callers to dial a digit to confirm they aren’t a computer placing a robocall.
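An added sketch (not REDCOM's code or configuration) of how the edge checks described above can be layered in one screening decision: the local-ANI test on inbound network trunks, then anonymous call rejection, the subscriber's lists, and the audio CAPTCHA. The prefixes, numbers, treatment names and the ordering of the checks are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed data: NPA-NXX blocks served by this end office.
LOCAL_PREFIXES = {"585555", "585556"}


@dataclass
class Subscriber:
    acr: bool = False        # anonymous call rejection
    captcha: bool = False    # audio CAPTCHA for callers not on the whitelist
    whitelist: set = field(default_factory=set)  # normalized 10-digit numbers
    blacklist: set = field(default_factory=set)


def normalize(number):
    """Reduce a signaled number to 10 NANP digits, or '' if unusable."""
    digits = re.sub(r"\D", "", number or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else ""


def screen(ani, privacy, trunk, sub, local_ani_treatment="challenge"):
    """Return (treatment, reason) for one inbound call.

    trunk is "network" for calls arriving from outside the office and "line"
    for calls originated by the office's own subscribers.
    """
    caller = normalize(ani)
    if caller and caller in sub.blacklist:
        return "block", "caller is on the subscriber's blacklist"
    # A number this office serves normally originates on a local line. Seeing
    # it on a network trunk suggests neighbor spoofing, so this runs before
    # the whitelist: a whitelisted neighbor is what a spoofer would imitate.
    # Forwarded calls can look the same, hence "challenge" as the default.
    if trunk == "network" and caller[:6] in LOCAL_PREFIXES:
        return local_ani_treatment, "local ANI arrived on a network trunk"
    if sub.acr and (privacy or not caller):
        return "reject_anonymous", "private or missing number and ACR is on"
    if caller in sub.whitelist:
        return "allow", "caller is on the subscriber's whitelist"
    if sub.captcha:
        return "challenge", "unknown caller must pass the audio CAPTCHA"
    return "allow", "no screening feature matched"


def run_samples():
    """Screen a handful of constructed calls for one subscriber."""
    sub = Subscriber(acr=True, captcha=True,
                     whitelist={"5855550142", "2125550100"},
                     blacklist={"8005550199"})
    calls = [  # (ANI, privacy flag, arrival trunk)
        ("585-555-0142", False, "network"),  # neighbor's number from outside
        ("585-555-0142", False, "line"),     # the real neighbor
        ("+1 212 555 0100", False, "network"),
        ("312-555-0123", True, "network"),
        ("312-555-0123", False, "network"),
        ("800-555-0199", False, "network"),
    ]
    return [screen(ani, privacy, trunk, sub)[0] for ani, privacy, trunk in calls]


if __name__ == "__main__":
    for treatment in run_samples():
        print(treatment)
```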

In addition to the solutions for nuisance call handling at the network core, REDCOM also includes features and capabilities that can be used by rural telcos on the network edge. Our communications experts are standing by ready to aid you in your fight against nuisance calls.

The Security Triad

Introduction

Stories about security breaches of organizations like Equifax or the City of Atlanta are all too common in news media outlets. These stories highlight the need to identify and mitigate or eliminate network vulnerabilities. Infiltration into business communications can be just as damaging as a data network breach, so it is important to include these components in any assessment of a network’s vulnerabilities.

Many sources equate secure communications to encryption. While encryption certainly plays a key role in a secure communications solution, it is not the only required element. The cybersecurity industry uses a model referred to as the security triad to define the various domains that need to be addressed when securing a network. The triad – sometimes also known as CIA – includes Confidentiality, Integrity, and Availability. This post will review and define these domains for a better understanding of what is required to provide a complete secure communications solution. 

Network security has received a tremendous amount of media focus recently, and security breaches have become a common leading story in many media outlets. The risks associated with a security breach can lead to significant financial loss as well as have a significant negative impact on a company’s reputation. As a result, many companies are taking a renewed look at network security to identify potential vulnerabilities and determine how to eliminate or mitigate the risks.

When conducting a network security assessment, it’s easy to see how components like web servers or edge devices such as routers and firewalls should be scrutinized. One element that should not be overlooked, however, is the set of devices used to conduct an organization’s communications. Business communications are just as vital to an organization as its computer network, and a breach can be just as devastating. How much damage could a malicious actor cause if they eavesdropped on a private conversation and learned proprietary or financial information? So, securing the business communications network is as important as securing the data network.

 

What is Secure Communications?

Depending on where you look, secure communications has many definitions. Terms like ‘privacy’ or ‘protection from eavesdropping’ are used, but one central theme is always at the heart of the definition: encryption. Too often secure communications is equated to encryption. It’s true that encryption is a vital component of secure communications but it certainly isn’t – nor should it be – the whole story.

The cybersecurity industry uses a standard concept to describe network security, referred to as the security triad – sometimes also known as CIA. The triad describes the three pillars that support the concept of security; namely confidentiality, integrity, and availability. To be a truly secure system, a solution must address the concerns in each of these three areas.

REDCOM's Security Triad

Confidentiality

In the context of network security, the goal of confidentiality is to prevent unauthorized access to, or disclosure of, information and/or media. There are two primary methods used to achieve this goal: encryption and access controls.

Encryption

Encryption provides confidentiality by preventing unauthorized disclosure of data. Encryption is the act of using a cipher (algorithm) and key (variable data used with the cipher) to convert information into encoded data. Only those that know which cipher was used and possess the appropriate key to decipher the encoded data are able to unlock and retrieve the information. Even if a hacker is able to gain access to the encoded data, they will be unable to retrieve the information since they won’t have the appropriate key.

There are two primary types of encryption, symmetric and asymmetric. Symmetric encryption uses the same cipher to both encrypt and decrypt the information. Some examples of symmetric encryption are the Triple Data Encryption Standard (3DES), Blowfish, and the Advanced Encryption Standard (AES). Asymmetric encryption uses a mathematically matched key pair – one to encrypt and the matched key to decrypt. These key pairs must be used together. In other words, the only key that can be used to decrypt data is the matched key for the one that encrypted it in the first place. Some examples of asymmetric encryption are Rivest, Shamir, Adleman (RSA) and elliptic curve cryptography (ECC).

There are a wide variety of protocols used to encrypt and transport information. These include IPSec, Transport Layer Security (TLS), Secure shell (SSH) and Hyper Text Transfer Protocol Secure (HTTPS).

Access Controls

Access controls are used to grant, or restrict, access to information. This will ensure that only the people who are authorized to have access to specific information can get to it. Access controls use a combination of identification, authentication, and authorization.

Identification is a claim of an identity. A user, for example, can claim an identity with a username during an attempt to access an account.

Authentication is used to prove the claim of an identity. Again, using the username example, a user may be required to enter a password to prove that they are indeed who they claim to be. The intent being that nobody other than the specific user will know the associated password.

Authorization is used to grant or restrict access within a system once a user’s identification has been authenticated. This defines the level of access – or privileges – a user has.

 

Integrity

Integrity provides assurance that data has not been modified, tampered with, or corrupted from its original form. The primary method to ensure that data has not lost integrity is through hashing.

Hashing

Hashing is the act of using an algorithm to generate a “fingerprint” for a piece of information. The algorithm will convert information of any size into a fixed size hash – sometimes also known as a digest or checksum. If the same hashing algorithm is used on the given piece of information, it will always result in the same hash value. In this way, hashing can be used to determine if the original information has been modified in any way. A hash value for a piece of information can be generated at two different times. If the hash values are the same then the data is the same. In other words, the data integrity has been maintained. There are several hashing algorithms in use today. These include Message Digest 5 (MD5), Hash-based Message Authentication Code (HMAC), and the Secure Hash Algorithm (SHA).

 

Availability

Availability is an assurance that systems, services, and data are available when they are needed. The availability schedule will vary depending on the purpose and the organization that is using the system. Some applications may require that the system is available from 8 a.m. to 5 p.m. Monday through Friday while others may require the system be available 24/7. With availability, there are different components that need to be considered including hardware availability, software failover, and defending against attacks. 

Hardware Availability

All systems and services operate from a hardware platform, either dedicated purpose-built hardware or a software application running on a generic server platform. The first line of defense for availability is to ensure that the hardware platform runs properly and continuously. This can be accomplished in two different ways, through reliable hardware design and hardware redundancy.

Hardware reliability is achieved through a design that ensures a long mean time between failures (MTBF). A robust design utilizing reliable components will result in an overall reliable system that is less prone to failure.

Hardware redundancy enhances the reliability of a hardware platform. Utilizing redundant processors, power supplies, disk drives, and the like can provide a hot standby system that will immediately take over operation in the event of a hardware failure on the primary component.

Software Failover

In addition to hardware redundancy, the software can also be configured in a redundant fashion. Using either the native application or a hypervisor, a system can be configured to provide both an active and hot standby solution. The active system will be online and performing the processing necessary to complete the application’s functions. The hot standby will continuously monitor the state of the active system, but will otherwise remain inactive. In the event of a catastrophic failure of the active system, the hot standby can immediately take over the responsibilities of the active system.

Attack Defense

Another avenue that can be used to render a system unavailable is a malicious denial of service (DoS) attack. Such attacks monopolize the processing power of the system to the point that it is not available to perform its intended function. Attacks of this type are best dealt with using an appliance, such as a firewall, that sits on the edge of the network and shields the systems on that network from malicious attacks, allowing them to carry on with normal operations.

 

Conclusion

Secure communications involves considerably more than just encryption. Encryption certainly plays a vital role, but there are many other building blocks needed for a complete secure communications solution. A complete secure communications solution must address all components within the security triad. Leaving even just one of these domains unaddressed will open a threat vector that is vulnerable to attack. 

We at REDCOM realize that protecting your business communications is just as important to you as securing your data network infrastructure. As a result, we have taken a holistic approach to addressing all domains of security in our products. We have been trusted with providing secure communications solutions to some of the most secure locations in the world and are standing ready to assist you in securing your communications network.

What is Hashing?

The security triad (also known as the CIA triad) defines the overarching principles of information security. One of the triad’s primary principles is assuring the integrity of data. The goal of this principle is to provide assurance that the data has not been modified, tampered with, or corrupted in any way, and the method most often used to do this is called hashing.

 

What is Hashing?

There are three key components involved in the hashing process: input, hash function, and hash value. The input is the data itself, which can be any size and take any form such as a text file, Microsoft PowerPoint presentation, MP3 music file, etc. The hash function is the algorithm used to generate the fingerprint. The hash value is the output of that hash function, which is the resultant fingerprint of the input data.

It’s important to note, however, that the hash value is a fixed size regardless of the input data size. The size of the output depends on the algorithm used. To illustrate this, let’s look at an example.

The MD5 hash value for the opening paragraph of this document is:

fb84fe5514eebe360ec434bc326c70d2

The MD5 hash for Ernest Hemingway’s novel The Old Man and the Sea is:

e6200a8a14a76ce2e19bac3f48d2f036

 

Properties of a Hash Algorithm

In order to be considered viable, there are four goals that a hash algorithm needs to meet:

  1. Running the same hash function on the same input data must yield the same hash value.
  2. Small changes to input data should result in large changes to the hash value.
  3. Each resultant hash value for different input data should be unique.
  4. The hashing process must be one way (i.e. it can’t be reversed).

 

Common Hash Algorithms

There are many different hash algorithms available for use today. Here are a few of the most common hash algorithms:

  1. MD5 – One of the most common algorithms, which provides a 128-bit hash value.
  2. SHA-1 – Provides a 160-bit hash value. Designed by the National Security Agency (NSA).
  3. SHA-2 – Actually a family of hash algorithms, SHA-2 has several variants that produce different size hash values.
  4. SHA-3 – Provides variants that produce hash values of the same length as SHA-2, but it corrects some of SHA-2’s weaknesses.
  5. HMAC – HMAC can use any cryptographic hash function as its base but also appends a secret key to the input data, serving as both a hash function and a message authentication method.

 

Hashing and Data integrity

Now that we’ve got all the background information, we can see the different ways hashing is used. One use is in verifying data integrity – which is one of the key concepts for information security. In addition, it can also be used to authenticate a sender, not only ensuring that the data remains intact but also making sure of its sender.
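The properties and uses described above (fixed output size, large change in the hash for a small change in the input, and authenticating a sender with a keyed hash), as an added example that is not part of the original article. The messages and key are constructed sample values, and the helper names are assumptions for illustration.

```python
import hashlib
import hmac

ALGORITHMS = ["md5", "sha1", "sha256", "sha3_256"]

def digest_bits(algorithm, data):
    """Digest length in bits: fixed per algorithm, whatever the input size."""
    return hashlib.new(algorithm, data).digest_size * 8

def bits_changed(algorithm, a, b):
    """Count the bits that differ between the digests of two inputs."""
    da = int.from_bytes(hashlib.new(algorithm, a).digest(), "big")
    db = int.from_bytes(hashlib.new(algorithm, b).digest(), "big")
    return bin(da ^ db).count("1")

def sign(key, message):
    """HMAC-SHA256 tag: depends on both the message and the secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify(key, message, tag):
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(sign(key, message), tag)

# Constructed sample inputs; the two messages differ in a single character.
MSG = b"Transfer extension 4401 to trunk group 7"
TAMPERED = b"Transfer extension 4401 to trunk group 9"
KEY = b"constructed-demo-key-not-for-production"

if __name__ == "__main__":
    for alg in ALGORITHMS:
        # Same size for a 1-byte and a 40,000-byte input; roughly half the
        # digest bits flip when one input character changes.
        print(alg, digest_bits(alg, b"x"), digest_bits(alg, MSG * 1000),
              bits_changed(alg, MSG, TAMPERED))
    tag = sign(KEY, MSG)
    print("intact message, right key:", verify(KEY, MSG, tag))
    print("tampered message:         ", verify(KEY, TAMPERED, tag))
    print("intact message, wrong key:", verify(b"other-key", MSG, tag))
```

A plain hash detects accidental or unauthorized change only if the reference hash itself is trusted; the keyed tag also fails for anyone who does not hold the key.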

 

Conclusion

As we can see, hashing plays an important role in information security. When considering hashing, there are three important concepts to remember:

  1. Hashing plays a key role in assuring data integrity.
  2. Even minor changes to the input data must result in major changes to the hash value output.
  3. The hashing process must be one way.

 


REDCOM demonstrates effectiveness of STIR/SHAKEN caller authentication standards with the ATIS Robocalling Testbed

REDCOM Laboratories, Inc., the leading provider of solutions for the network service layer, announced today it has successfully completed interoperability testing with the ATIS Robocalling Testbed that demonstrates the interoperability of the company’s STIR/SHAKEN implementation within the REDCOM Personalized Call Screening software. These tests are part of a broader industry effort to help service providers protect consumers against unwanted robocalls and caller ID spoofing.

“Nuisance calls are one of the biggest pain points affecting consumers today. The U.S. government has made it clear that solving this problem is a top priority this year,” said Shannon Chevier, Director of Product Management for REDCOM. “Our Personalized Call Screening solution will allow service providers to offer consumers real protection against the onslaught of robocalls. Service providers that implement REDCOM software not only get a proven STIR/SHAKEN solution, but also a ‘best of all worlds’ toolkit that includes reputation scoring, white and blacklists, and audio CAPTCHAs.”

The virtualized testing facility, hosted by the Neustar Trust Lab, supports a joint effort from the Internet Engineering Task Force (IETF) and the Alliance for Telecommunications Industry Solutions (ATIS) called STIR/SHAKEN, which gives service providers the ability to authenticate, digitally sign, and verify calling party numbers. This testing confirms REDCOM’s successful implementation of both the Secure Telephone Identity Revisited (STIR) standard and the Signature-based Handling of Asserted information using toKENs (SHAKEN) framework.

“Neustar is committed to supporting the industry in combating illegal robocalling and call-spoofing,” said James Garvert, Communications Solutions General Manager for Neustar. “One of our efforts in support of this commitment, since early 2017, is hosting and operating the ATIS Robocalling Testbed and supporting participants, such as REDCOM, with their STIR/SHAKEN interoperability testing.”

Service providers interested in REDCOM’s robocall and nuisance call blocking software can visit https://www.redcom.com/capabilities/call-screening/ for more information.

 

About ATIS

As a leading technology and solutions development organization, the Alliance for Telecommunications Industry Solutions (ATIS) brings together the top global ICT companies to advance the industry’s most critical business priorities. ATIS’ 150 member companies are currently working to address 5G, the all-IP transition, network functions virtualization, big data analytics, cloud services, the ICT implications of Smart Cities, emergency services, M2M, cyber security, network evolution, quality of service, billing support, operations, and much more. These priorities follow a fast-track development lifecycle – from design and innovation through standards, specifications, requirements, business use cases, software toolkits, open source solutions, and interoperability testing.

ATIS is accredited by the American National Standards Institute (ANSI). ATIS is the North American Organizational Partner for the 3rd Generation Partnership Project (3GPP), a founding Partner of the oneM2M global initiative, a member and major U.S. contributor to the International Telecommunication Union (ITU), as well as a member of the Inter-American Telecommunication Commission (CITEL). For more information, visit http://www.atis.org.

 

About Neustar

Neustar, Inc., is a leading global information services provider driving the connected world forward with responsible identity resolution. As a company built on a foundation of Privacy by Design, Neustar is depended upon by the world’s largest corporations to help grow, guard and guide their businesses with the most complete understanding of how to connect people, places and things. Neustar’s unique, accurate and real-time identity system, continuously corroborated through billions of transactions, empowers critical decisions across our clients’ enterprise needs. Neustar is the industry leader in Caller Identification solutions, co-author of the STIR standards, key contributor to the SHAKEN framework, and serves as the exclusive host of the industry’s Robocall Testbed. More information is available at www.home.neustar.

 

About REDCOM

REDCOM Laboratories, Inc. is a woman-owned small business that specializes in the design and development of advanced communications solutions for service providers. REDCOM offers a full suite of highly flexible, standards-based Carrier-Class Service Layer solutions and softswitch platforms. Our products enable service providers to cost-effectively converge wireline, IP, and wireless services with a common service delivery environment; migrate legacy switching; roll out VoLTE; and deploy enhanced network services such as Personalized Call Screening, Intelligent Call Routing, Real-Time Call Rating, and Mass Notification. All REDCOM products are proudly designed, built, and supported in the United States.