Are You Using a Hosted VoIP System? Investigate It
Has the service provider provisioned your voice services with security in mind?
Evaluate services such as VLAN configuration, user authentication, and encryption, as well as the security of configuration and signaling methods. Also investigate any HIPAA, SOX, PCI, or other compliance guidance that may apply.
“A client of our hosted contact center service wanted voice encryption on its phones, because it’s highly protective of its data and it’s also subject to regulatory compliance,” says Rocky Livingston, CIO at USAN. A Cisco Registered Partner, USAN provides contact center communications and optimization solutions that give users flexible ways to engage customers across channels.
For this client, USAN chose the Secure Real-time Transport Protocol (SRTP) because it’s easy for users to use, has less overhead than IPsec protocols, and does not cause any difference in voice quality, says Mike Evenson, vice president of managed services.
“By integrating Cisco SPA525G2 phones, we give the client a customized solution that implements SRTP based on the configuration file in their DHCP server that is associated with the phone’s MAC address,” says David Al-Khadhairi, vice president of enterprise architecture.
Configure Dial Plans and User Profiles
Take advantage of features on your VoIP system that enable security. Essentially:
- Control voice network access by device certificate and/or user name and password.
- Restrict the types of calls allowed on the network, by device, user, and other criteria, such as time of day.
Protect Your Voice Systems
Apply physical and logical protection, such as:
- Set up a firewall and intrusion prevention system (IPS) to monitor and filter authorized and unauthorized VoIP traffic, and track unusual voice activities, says Krueger.
- Lock voice servers physically, and logically for administration. Centralize administration and use domain restrictions and two-factor authentication for administrative access, including to credentials, signaling data, and configuration files.
- Regularly install OS updates, and limit software loading on phones.
Use VLANs to Segment Voice Traffic and Separate It from Data Traffic
Some voice systems and switches support device discovery protocols and automatically assign IP phones to voice VLANs.
Encrypt Sensitive Voice Traffic
Apply encryption by segment, device, or user; encrypting indiscriminately can result in excessive network latency or introduce operational overhead and complexity.
Encrypt the signaling at your Internet gateway with Session Initiation Protocol (SIP) over Transport Layer Security (TLS); your service provider’s switch fabric may do this.
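A way to check that both layers are actually in place, as an added example that is not part of the original article: the Python below audits a SIP INVITE for TLS signaling and an SRTP media offer, and flags the case where an SRTP key is carried in cleartext signaling. The messages, addresses and the `build_invite` helper are constructed for illustration.

```python
# Added example. The SIP messages are constructed samples, not real captures.
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def build_invite(uri, transport, profile, crypto):
    """Build a minimal constructed INVITE with an SDP body (sample input)."""
    sdp = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
           "t=0 0", f"m=audio 49170 {profile} 0"]
    if crypto:
        # SDES key attribute; the key value is a placeholder, not a real key.
        sdp.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY")
    head = [f"INVITE {uri} SIP/2.0",
            f"Via: SIP/2.0/{transport} 192.0.2.10;branch=z9hG4bKsample",
            "Content-Type: application/sdp"]
    return "\r\n".join(head) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"

def audit_invite(raw):
    """Return a list of encryption findings for one SIP INVITE."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    # The topmost Via header names the transport used on the last hop.
    via = next((l for l in lines[1:] if l.lower().startswith(("via:", "v:"))), "")
    transport = via.split(":", 1)[1].split()[0].rsplit("/", 1)[-1].upper() if via else ""
    tls = transport == "TLS"
    issues = []
    if not tls:
        issues.append(f"signaling sent over {transport or 'unknown transport'}, not TLS")
    media = None
    for line in body.split("\n"):
        if line.startswith("m="):
            kind, _port, profile = line[2:].split()[:3]
            media = {"kind": kind, "srtp": profile in SRTP_PROFILES}
            if not media["srtp"]:
                issues.append(f"{kind} stream offered as {profile} (unencrypted RTP)")
        elif line.startswith("a=crypto:") and media and not tls:
            # SDES carries the SRTP master key in the SDP body itself, so
            # cleartext signaling exposes the key to anyone on the path.
            issues.append(f"{media['kind']} SRTP key exposed in cleartext signaling")
    return issues

if __name__ == "__main__":
    for args in [("sips:alice@example.com", "TLS", "RTP/SAVP", True),
                 ("sip:alice@example.com", "UDP", "RTP/AVP", False),
                 ("sip:alice@example.com", "UDP", "RTP/SAVP", True)]:
        print(args[1], args[2], "->", audit_invite(build_invite(*args)) or "ok")
```

The third sample shows why the two recommendations belong together: SRTP keyed through the SDP body protects the audio only if the signaling that carries the key is itself encrypted.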
What are VoIP’s main cyber security threats?
Common security threats that arise with VoIP are call interception, ID spoofing and Denial of Service (DoS) attacks. There is also the risk of malware attacks, which previously were not a threat to traditional handsets. However, all of these VoIP security threats are manageable provided businesses take the necessary precautions and make sure to be vigilant when transitioning to a VoIP system.
VoIP is just one of many Unified Communications Solutions exposed to the threat of malware. The original malware, WannaCrypt, and all of its derivatives, have posed a significant threat to telephony systems and computer systems, with ransomware attacks taking out all communications systems to do maximum damage during cyber attacks.
The crucial thing about malware attacks and VoIP security is that the threat itself does not come from the telephony system, but rather from a user opening a corrupted email on any device that is linked to the same channel as your Unified Communications solution. Therefore, with extra vigilance and awareness, businesses can make sure that they minimise this risk as much as possible.
Denial-of-Service (DoS) attacks are designed to shut down a machine or network, resulting in it no longer being accessible to its users. DoS attacks are carried out by flooding a desired target with traffic or overloading it with information to trigger a crash. DoS attacks deprive users of the service they require, which often creates a ripple effect into wider company operations.
In the case of VoIP, cyber criminals could try and shut down your business operations by sending your VoIP system high concentrations of information (such as spamming phone calls), which can trigger a wider system crash.
It is easy to protect your system against DoS attacks, provided you stay alert and do not treat the threat the same way you would for other IT systems. Phone lines do not have the protection of firewalls or other cyber security solutions, so instil alternative security protocols within your directory information. Once these are installed, your business phone system can identify, reroute and filter calls coming from attackers.
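One way to do the identification step, as an added example that is not part of the original article: a sliding-window counter over call-setup records that flags any source sending more INVITEs than a threshold. The log format, the addresses and the thresholds are assumptions chosen for illustration; tune them to your own call volumes.

```python
from collections import defaultdict, deque

def parse_line(line):
    """Parse the hypothetical log format '<epoch_ms> <source_ip> <SIP method>'."""
    ts, src, method = line.split()
    return int(ts), src, method

def find_call_floods(log_lines, window_ms=10_000, max_invites=20):
    """Return {source: time the threshold was first exceeded} for flooding sources."""
    events = sorted(parse_line(l) for l in log_lines if l.strip())
    recent = defaultdict(deque)   # per-source INVITE timestamps inside the window
    flagged = {}
    for ts, src, method in events:
        if method != "INVITE":    # only call attempts count toward the flood
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window_ms:   # drop attempts older than the window
            q.popleft()
        if len(q) > max_invites:
            flagged.setdefault(src, ts)
    return flagged

def constructed_log():
    """Constructed sample: one normal phone, one flooder, one registering device."""
    lines = [f"{1_000_000 + i * 30_000} 198.51.100.7 INVITE" for i in range(10)]
    lines += [f"{1_000_000 + i * 200} 203.0.113.50 INVITE" for i in range(50)]
    lines += [f"{1_000_000 + i * 1_000} 198.51.100.9 REGISTER" for i in range(40)]
    return lines

if __name__ == "__main__":
    for src, ts in find_call_floods(constructed_log()).items():
        print(f"flood from {src}, threshold exceeded at {ts} ms")
```

A flagged source can then be fed to whatever rerouting or filtering rule the phone system supports.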
In some cases, VoIP systems are targeted by so-called ‘Vishing scams’: instances when scammers contact users on numbers that are similar to those of a legitimate organisation and leave a message about suspicious activity occurring across a recipient’s accounts (these might include banks, government agencies or tax authorities). The victim is then taken onto a separate call, where they are asked to verify their identity and hand over confidential details.
These scams can be avoided by familiarising employees with typical scamming tricks and by making sure that any scam numbers are flagged by your VoIP phone system and blocked.
VoIP systems can be vulnerable to call tampering as hackers try to disrupt your live calls. The effects of tampering can ruin the quality of calls or cause long delays and periods of silence while they try and share substantial amounts of data over the line.
Through a Voice over Misconfigured Internet Telephones (VOMIT) tool, cyber criminals can steal voice snippets and confidential and sensitive information directly from your business calls. This threat can be dangerous, as criminals are also able to gain access to other information like the original call location, which can make it easier for them to eavesdrop on future calls and other communications.
However, with a cloud-based VoIP provider, it is very easy to prevent VOMIT from being a threat to your business operations, allowing businesses to secure all of their data and sensitive information from criminals.