Our ALM software is a crucial element in today’s Enterprise VoIP telephony security. But there are of course many more VoIP security aspects to cover. We often get the question from customers what more they have to do to protect their telephony infrastructure against hackers and fraud attempts. In this blog we try to give a high-level overview of the different angles from which you can review your Enterprise VoIP telephony security strategy. In general, we can look at VoIP telephony security from three different perspectives:
- VoIP telephony security from a network, backend and server perspective.
- We can also look at the security aspects from an outside caller perspective.
- And finally we have to carefully review the possible security problems that can arise when people abuse the phone system from within the office.
VoIP telephony security. Do you have all tools with you?
VoIP telephony security from a network, backend and server perspective
First of all, VoIP systems generally consist of an IP communication network and one or more servers handling the call processing and other telephony related processes. It makes an enterprise VoIP solution from a network architecture perspective pretty much ‘just another’ IT network solution. People can access the servers via the network and also configure the VoIP software settings and data via this remote access. These are typical IT security risks and therefore many of the recommended VoIP security measures are aimed at such generic IT risks. Some examples are listed here:
- Install the latest software versions and patches and deploy an Anti-Virus system. This is a typical systems management routine and not so different from what all IT managers must organize to protect their systems.
- Restricted physical access to network and server hardware. It is – again, like in any other IT environment – important that only authorized staff members have access to the VoIP systems and network resources.
- Use VLANs and VPN, lock down ports and deploy firewalls to filter traffic. VLANs can be used to separate the data and voice traffic and also to separate different signalling solutions and servers (like SIP and H.323). VPNs are the default way of protecting the traffic between locations. By locking down specific ports for external access and using well-configured firewalls, unauthorized external access via the network is restricted as much as possible. Also Intrusion Detection and Prevention Systems are instrumental to protect the network.
VoIP telephony security from an outside caller perspective
Some of the possible attacks from outside the organization towards Enterprise VoIP systems are comparable to ‘normal’ attacks on network infrastructures. For example, it is possible to organize DDoS attack on VoIP servers by flooding the system with SIP traffic to setup calls.
However, just a single phone call can sometimes have the same damaging effect. Since other communication channels towards organizations become better secured and protected, fraudsters move their interest towards the traditional phone channel. An increased number of inbound fraud attempts at call centers has been reported. There is an endless number of possible fraud scenario’s. Most of them are based on one or more so-called social engineering calls towards busy call center staff. Phone scams are used to steal money from bank accounts, to purchase goods without paying or to get unauthorized access to other people’s service accounts.
Many of these scams are based on faking the Caller ID and also often – to make prosecution more difficult – originates from other countries. However, some smart tools have been developed as a countermeasure against phone scams.
Phone printing and other solutions
One example is the phone printing technology of our colleagues at Pindrop security. This software analyzes the characteristics of each incoming phone call. It collects in the initial seconds of a call a set of data about e.g. the line quality and characteristics, caller ID, signal-to-noise ratio etc. By comparing these data with available data about telephony systems worldwide, the solution can detect potential fraudulent calls. For example, a caller claiming to call from the same city, while the network characteristics clearly indicate that this person in reality calls from some IP network in another country. For those calls, the system can trigger additional process steps like an extra caller verification step etc.
So, in addition to the network protection measures to protect the VoIP infrastructure, it is also possible to better secure the organization against incoming fraud calls.
VoIP telephony security from an inside caller perspective
Last but not least, there is the possible abuse of the phone system from within the organization. That is where we as RSconnect come in. In today’s office environments with open and shared desks, people can often register themselves on any telephone at any desk. By simply typing in a User ID and a pin code they get access to that telephone which loads their data. Once logged in, the phone behaves like the user’s own telephone. The user has access to his or her own features, contact lists and voicemails. And the user can make calls using his own caller ID.
Unfortunately, logging into these telephones often isn’t user-friendly. People must enter all the credentials via a rudimentary telephone keypad. The effect is that in many organizations the login procedure for telephones is removed or made very simple (which means ‘too simple’). At other occasions we saw that people who often work at the same flex-desk just never log out. Their phone is always accessible to anyone. From visitors, suppliers and co-workers to the maintenance staff. Also the cleaning and security staff in the evenings have unrestricted access.
Unprotected telephones. An open access to fraud and sensitive data
Such unsecured telephones are a golden ticket for anyone who wants to use an official Caller ID of an organization or company. People trust calls from their bank, their telecom company or the police. And will easily provide information they normally wouldn’t share. Also own colleagues are willing to fulfil a request from someone calling from an internal line. And open telephones can also be used to retrieve sensitive voicemails or download valuable contact details (which are nowadays considered personal data and should be protected under laws like the GDPR).
It is this specific aspect of VoIP telephony security we at RSconnect focus on. Using the Single Sign-On functionality of our Active Login Manager software, we make sure that each phone in an office is protected in a user-friendly way. People don’t have to manually log in or log out. Each time they start up their computer or laptop, they are immediately identified. And automatically the desktop phone on their desk is activated and loaded with their settings. And as soon as the computer is switched off or goes into hibernate, the associated phone is automatically logged out. The risk that desktop phones in your office will be abused for fraud or other illegal activities, will be decreased to a bare minimum.
Give your VoIP telephony security a 360-degree review
As described, security of your VoIP telephony operations is more than protecting the network and servers. It is also very worthwhile to protect your organization and specifically the inbound call center staff against fraud attempts via incoming customer calls. And also protecting the internal desktop telephones with a Single Sign-On login will help to protect your organization against fraud, data theft and hackers.