The Forgotten Security Frontier: The Phone Call

Monday, January 23, 2017

Myk Konrad


If you’re reading this article, then the chances are good you’re planning to attend at least one or two security conferences this year. 2017 is ramping up to be a banner year for security, between the national stage (i.e. the unfortunate hacking saga) and the high-profile brands that have experienced network attacks at the end of 2016.   

It’s a sure bet, however, that none of the conferences you plan to attend will lead with a session like “UC Communications: The Way In!” But maybe they should. IP-based Unified Communications (UC) and phone security is one of the most overlooked and misunderstood pieces in your security fabric.

Your Communications Network Is Likely Unsecure 

In the late 90s and early 00s, a lot of companies, including Sonus, were part of a massive Voice over IP (VoIP) revolution that quietly moved most wired and wireless communications onto IP-based networks through a protocol known as SIP (Session Initiation Protocol). Most consumers weren’t even aware of the change. Prices became cheaper, and phone quality was initially an issue for some of the early adopters, but today it’s nearly impossible to tell the difference between a voice call that traverses the Internet and one that runs over a private network.  

But here’s the problem: the changeover was so subtle that many people kept thinking of their phone as a device connected to a private network, rather than one connected to the public Internet. For those of you still using a desk phone: yes, it is probably an IP device. The same goes for those of you using a softphone—that’s also an IP device, just like your smartphone, laptop or personal computer. And the signaling and messaging between the devices all runs over IP, typically using SIP. Many companies have had to disable their firewalls for SIP communications, because SIP doesn’t work if the firewall blocks the SIP ports. This leaves your mobile clients and your communications networks susceptible to Internet-based attacks including DDoS attacks, fraud, malware and more. Independent risk assessments, penetration testing and compliance audits have all shown this to be one of the most common vulnerability gaps in network security.

How Much Trouble Can IP-based Communications Cause?

Any IP-based device that is connected to both the Internet and your internal network represents a potential “hole” in your network. That device may be a smartphone that has access to business apps, a laptop carrying sensitive financial data or an office phone with access to your corporate directory. For most of us, I hope, securing our smartphones and laptops is second nature. Yet how many of us really give a second’s thought to securing the UC network and mobile clients that power our communications?  

If you need some incentive to secure your UC network, here are several powerful reasons:  

Toll Fraud

Every year, businesses lose billions of dollars in fees for long-distance phone calls that are placed illegally through their phone systems. How do hackers get access to those systems? Through the UC-enabled Private Branch Exchange (PBX) or by hacking an employee’s mobile client directly. Each year, more enterprises—and, sadly, small businesses too—discover that someone has breached their phone system and racked up tens of thousands of dollars in long-distance fees. Unfortunately, these companies are often responsible for these fees even if they can prove the calls didn’t originate from their employees.

Distributed Denial-of-Service (DDoS) Attacks

DDoS attacks have been making headlines after recent high-profile attacks temporarily took down the sites of Twitter, Airbnb, the New York Times and many others. But websites aren’t the only target of DDoS attacks; call centers are also vulnerable. By targeting a phone number or SIP URL instead of a website’s URL—remember, in the Internet world, both are simply IP addresses—DDoS attacks can paralyze customer service and shut down phone sales for hours, severely impacting business.   

Caller ID Spoofing

For better or worse, caller ID carries a more implicit sense of trust than an email. That makes the act of caller ID “spoofing”—displaying a false caller ID—more dangerous. One criminal group, for example, was able to steal millions of dollars from unsuspecting U.S. citizens by posing as the Internal Revenue Service. These calls, which claimed that the victims owed the I.R.S. various payments for taxes, prominently displayed the I.R.S. credentials on the victim’s caller ID. Never one to miss an opportunity, criminals are now using caller ID spoofing to collect personal information, a tactic known as “vishing” (a portmanteau of “voice phishing”).  

For Security Beyond the Call, Dial “SBC”

Although VoIP and SIP allowed enterprises to consolidate their voice and data networks into a single IP-based network, voice and data communications still have unique characteristics. Specifically, voice (and live video) have a much lower tolerance for latency and packet loss. These real-time communication (RTC) sessions need to be handled more sensitively in the network because they have different requirements than data, such as media transcoding, SIP message manipulation and special security considerations (e.g., network topology hiding, NAT traversal, blacklists).  

Using a standard data firewall to protect your IP network and mobile clients will likely backfire, because firewalls aren’t designed to support RTC’s requirements. Instead, companies need a session border controller (SBC) to secure RTC—and provide the transcoding and interoperability features as well. You can think of an SBC as a “traffic cop” that can enforce rules, give directions (in a variety of languages) and ensure that network real-time traffic flows smoothly and safely.  
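To make the “traffic cop” role concrete, the sketch below applies three of the SIP-aware controls named above (a blacklist, per-source INVITE rate limiting against floods, and topology hiding) to a constructed SIP request. It is an added example, not code from the original article or from any SBC product; the addresses, limits and function names are assumptions, and a production SBC terminates and re-originates the session rather than rewriting header text.

```python
import re
import time
from collections import defaultdict, deque

BLACKLIST = {"203.0.113.66"}            # constructed address (documentation range)
SBC_PUBLIC_ADDR = "198.51.100.10"       # hypothetical public address of the SBC
INTERNAL_ADDR = re.compile(r"(?<![\d.])10(?:\.\d{1,3}){3}\b")
MAX_INVITES, WINDOW_S = 5, 1.0          # assumed limit: 5 INVITEs per source per second
recent_invites = defaultdict(deque)     # source IP -> timestamps of accepted INVITEs

SAMPLE_INVITE = (                       # constructed, abbreviated INVITE
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Contact: <sip:alice@10.1.2.3:5060>\r\n\r\n"
)

def parse_sip(raw):
    """Return (method, [(header, value), ...]); raise ValueError if not a SIP request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, _uri, version = lines[0].split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError("not a SIP request")
    return method, [tuple(p.strip() for p in l.split(":", 1)) for l in lines[1:] if ":" in l]

def ingress(raw, src_ip, now=None):
    """Policy for a request arriving from the untrusted side: (verdict, headers)."""
    now = time.monotonic() if now is None else now
    if src_ip in BLACKLIST:
        return "drop:blacklisted", None
    try:
        method, headers = parse_sip(raw)
    except ValueError:
        return "drop:malformed", None
    if method == "INVITE":
        seen = recent_invites[src_ip]
        while seen and now - seen[0] > WINDOW_S:
            seen.popleft()              # forget INVITEs outside the sliding window
        if len(seen) >= MAX_INVITES:
            return "drop:rate-limited", None
        seen.append(now)
    return "accept", headers

def hide_topology(headers):
    """Mask internal addresses in routing headers before a message leaves the network."""
    routing = ("via", "contact", "record-route")
    return [(n, INTERNAL_ADDR.sub(SBC_PUBLIC_ADDR, v) if n.lower() in routing else v)
            for n, v in headers]
```

A port-based data firewall can only open or close 5060; each decision here depends on parsing the SIP message itself.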

As with many network technologies today, the SBC as a network element is increasingly being “virtualized” to reduce hardware, simplify deployment and support network service automation. In our own business, we’ve seen an increase in demand for virtualized SBCs that can be deployed in public or private clouds so they can scale up and down as traffic increases or decreases. This is especially useful in the case of DDoS attacks, which can range from light to heavy, and often do by design.  

The reality is that office voice communications are not going away any time soon. In fact, with the popularity of UC, we’re seeing the role of the UC mobile client increase to handle live video, text messages and more. Despite our longstanding comfort with the phone as a business tool, companies need to remember that each mobile client is a connected, potential doorway into their network. SBCs can shut that door—and offer a host of other benefits, from high-definition voice capabilities to toll-free routing. It’s something that every business should be talking about, because it’s only a matter of time before hackers come knocking on your communications network.  

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.