SHARE



ABOUT THE AUTHOR


Thomas  Swayze
Thomas Swayze, CTO at NetFortris, has more than 26 years of technology experience. He pioneered voice-over-frame relay and ATM technologies...
Read Full Bio >>
SHARE



Thomas Swayze | June 22, 2016 |

 
   

VoIP Vulnerabilities: Protecting Against Evolving Threats

VoIP Vulnerabilities: Protecting Against Evolving Threats Modern threats against VoIP infrastructure fall into four main categories.

Modern threats against VoIP infrastructure fall into four main categories.

Security is quickly becoming the primary concern of many businesses, and protecting VoIP vulnerabilities is critical. In addition, the use of cloud-based communications is growing rapidly, but according to the a 2015 PwC global information security survey, only 50% of businesses have a security strategy in place for cloud computing.

This same research showed that information security incidents increased 45% over the previous year. As cyberattacks evolve, organizations must fully understand the different types of threats in order to combat them effectively.

Education and activation are the powerful one-two punch that businesses can use to protect their most valuable asset: information. While it is easy to get overwhelmed by the increasing complexity and maliciousness of the risks, security is not a hopeless endeavor.

Understanding the Enemy
Modern threats fall into four main categories. Data predators are crafty, but not completely original, and they utilize one or more of these methods of attack.

  1. Call Fraud: Eavesdropping and phreaking are the two types of call fraud in which attackers tap into VoIP phone lines and commandeer them to make unauthorized calls. With eavesdropping, hackers tap VoIP phone calls to steal employee names, passwords, phone numbers, and other information that gives access to private accounts and billing information. This is a popular for identity theft and corporate sabotage. With phreaking, hackers infiltrate a business's service provider. They steal account numbers and access codes to add unauthorized phone lines or make calls on existing VoIP lines, both resulting in excessive charges for the business.

  2. Malware & Viruses: Softphones are vulnerable to attack by malware, worms, and other network viruses. These viruses hijack computer systems and take control. They can send spam and other malicious data, target and permanently destroy information, and trace keystrokes and data entry to enable remote access. Credit card data and financial information are particularly vulnerable in this type of attack.

  3. Denial of Service (DoS): In this type of attack, hackers use information overload to flood a network server and consume all available bandwidth. This prevents incoming and outgoing VoIP calls and gives hackers the opportunity to gain remote control of administrative servers. They can steal sensitive business and customer data and abuse VoIP servers to make costly phone calls on the business's account. DoS attacks are, and will continue to be, the most common method of cyberattack, as PwC noted in its July 2015 report, " Communications Review: As telcos go digital, cybersecurity risks intensify."

  4. Call Hijacking & VoIP Tampering: These attacks involve the transmission of noise packets to interrupt the stream of communications and cause reduced call quality, dropped calls, and delays in voice signal. A malicious third-party can change the encryption key of a call's digital signature to make VoIP call signals vulnerable and subject to interception. VoIP servers are tricked into thinking that the original parties on the call are still in communication and the hacker has the opportunity to cause serious communication damage.

Finding the Solution
In sports, the best defense is a good offense, and this holds true with VoIP security. Savvy businesses can preemptively protect themselves from these methods of potential attack using the following techniques.

  • Encryption: Cloud communication providers offer customer guidelines for encryption and authentication protocols, and many offer encryption as an additional service. While all businesses should work to ensure ultimate customer protection, those within retail, financial services, and other industries dealing with consumer data must take extra measures.

  • Authentication Protocols: VoIP authentication protocols vary based on the type of data being transported. They range from a typical password authentication procedure to a complex three-way authentication process that protects servers and business VoIP. Password authentication, also called the two-way handshake, is highly vulnerable to attack and is easily exploited by hackers. Many times, the username and password are not sufficiently disguised or encrypted before traversing the link. Utilizing a VPN or a secure MPLS network rather than the open Internet can reduce this risk significantly.

  • Challenge-Handshake Authentication Protocol (CHAP): When the calling client (computer or softphone that sends data and initializes a VoIP call) links with the authenticator application located in the VoIP server, the authenticator uses a three-step process to determine legitimacy. Also called a three-way handshake, CHAP grants or denies access. If the encrypted messages do not match after the challenge and response steps, the client receives a failure message and is denied access to the VoIP system. This prevents fraudulent VoIP calling.

  • Antivirus Software: Because VoIP softphones are part of office computer systems, protecting them from viruses and other dangerous third-party programs is critical. Viruses enter an organization's VoIP system through email to compromise existing security protocols and interrupt or suspend VoIP network services entirely. Installing and maintaining antivirus and anti-malware software programs like firewalls is crucial. Often, VoIP vendors or network providers offer antivirus protection, also known as unified threat management software, as part of their service offerings.

  • Deep Packet Inspection (DPI): DPI locates, identifies, and classifies data packets through filtering. It can reroute or block incoming packets with unidentified code or forbidden data, deterring unauthorized use of the wide area, local area, or VoIP network. DPI monitors incoming media and signaling streams, as well as all outgoing media streams, for altered or inserted data packets and then flags them for review. These flagged data packets carry priority ratings from high to low that allow them to be routed accordingly. VoIP providers also use DPI to improve network performance and prevent peer-to-peer abuse that may result from VoIP fraud.

  • Session Border Controllers: These VoIP network devices control media streams and protocol signals. They start, conduct, and stop VoIP voice calls and adhere to quality-of-service protocols to ensure the safety and best possible voice quality of all VoIP calls.

  • Authorization Policies & Call Restrictions: A simple way for businesses to secure VoIP lines is simply by regulating their own people and policies. They can perform audits and create call restrictions to track VoIP activity and then monitor accordingly to prevent access by unauthorized parties. Businesses can secure the configuration of VoIP apps by creating whitelists of approved country codes for employee usage. These lists prevent toll fraud and other types of unauthorized activity.

Looking to the Future
Network security threats are constantly evolving and protection measures must advance similarly. Safeguarding proprietary business information and sensitive customer data should always remain paramount. Customer, employee, and internal records data remain top targets of cyberattacks, and the damage to brand reputation climbed 81%, as PwC reported. Businesses must be vigilant in order to avoid costly and inconvenient security breaches.

As the telecom industry transitions to an increasingly digital platform, new types of cybersecurity risks will continue to target data, applications, and networks. Partnering with the right security services provider enhances a business's ability to counteract these evolving network threats.

Effective partners enable businesses to detect, analyze, and respond to cyberthreats before they damage their reputations and bottom lines. Organizations can harness the knowledge of these experts and their cutting-edge tools to protect information in this increasingly hostile environment.





COMMENTS



May 31, 2017

In the days of old, people in suits used to meet at a boardroom table to update each other on their work. Including a remote colleague meant setting a conference phone on the table for in-person pa

April 19, 2017

Now more than ever, enterprise contact centers have a unique opportunity to lead the way towards complete, digital transformation. Moving your contact center to the cloud is a starting point, quick

April 5, 2017

Its no secret that the cloud offers significant benefits to enterprises - including cost reduction, scalability, higher efficiency, and more flexibility. If your phone system and contact center are

June 9, 2017
If you think telecom expense management applies to nothing more than business phone lines, think again. Hyoun Park, founder and principal investigator with technology advisory Amalgam Insights, tells ....
June 2, 2017
Enterprises strategizing on mobility today, including for internal collaboration, don't have the luxury of learning as they go. Tony Rizzo, enterprise mobility specialist with Blue Hill Research, expl....
May 24, 2017
Mark Winther, head of IDC's global telecom consulting practice, gives us his take on how CPaaS providers evolve beyond the basic building blocks and address maturing enterprise needs.
May 18, 2017
Diane Myers, senior research director at IHS Markit, walks us through her 2017 UC-as-a-service report... and shares what might be to come in 2018.
April 28, 2017
Change isn't easy, but it is necessary. Tune in for advice and perspective from Zeus Kerravala, co-author of a "Digital Transformation for Dummies" special edition.
April 20, 2017
Robin Gareiss, president of Nemertes Research, shares insight gleaned from the firm's 12th annual UCC Total Cost of Operations study.
March 23, 2017
Tim Banting, of Current Analysis, gives us a peek into what the next three years will bring in advance of his Enterprise Connect session exploring the question: Will there be a new model for enterpris....
March 15, 2017
Andrew Prokop, communications evangelist with Arrow Systems Integration, discusses the evolving role of the all-important session border controller.
March 9, 2017
Organizer Alan Quayle gives us the lowdown on programmable communications and all you need to know about participating in this pre-Enterprise Connect hackathon.
March 3, 2017
From protecting against new vulnerabilities to keeping security assessments up to date, security consultant Mark Collier shares tips on how best to protect your UC systems.
February 24, 2017
UC analyst Blair Pleasant sorts through the myriad cloud architectural models underlying UCaaS and CCaaS offerings, and explains why knowing the differences matter.
February 17, 2017
From the most basics of basics to the hidden gotchas, UC consultant Melissa Swartz helps demystify the complex world of SIP trunking.
February 7, 2017
UC&C consultant Kevin Kieller, a partner at enableUC, shares pointers for making the right architectural choices for your Skype for Business deployment.
February 1, 2017
Elka Popova, a Frost & Sullivan program director, shares a status report on the UCaaS market today and offers her perspective on what large enterprises need before committing to UC in the cloud.
January 26, 2017
Andrew Davis, co-founder of Wainhouse Research and chair of the Video track at Enterprise Connect 2017, sorts through the myriad cloud video service options and shares how to tell if your choice is en....
January 23, 2017
Sheila McGee-Smith, Contact Center/Customer Experience track chair for Enterprise Connect 2017, tells us what we need to know about the role cloud software is playing in contact centers today.