SHARE



ABOUT THE AUTHOR


Thomas  Swayze
Thomas Swayze, CTO at NetFortris, has more than 26 years of technology experience. He pioneered voice-over-frame relay and ATM technologies...
Read Full Bio >>
SHARE



Thomas Swayze | June 22, 2016 |

 
   

VoIP Vulnerabilities: Protecting Against Evolving Threats

VoIP Vulnerabilities: Protecting Against Evolving Threats Modern threats against VoIP infrastructure fall into four main categories.

Modern threats against VoIP infrastructure fall into four main categories.

Security is quickly becoming the primary concern of many businesses, and protecting VoIP vulnerabilities is critical. In addition, the use of cloud-based communications is growing rapidly, but according to the a 2015 PwC global information security survey, only 50% of businesses have a security strategy in place for cloud computing.

This same research showed that information security incidents increased 45% over the previous year. As cyberattacks evolve, organizations must fully understand the different types of threats in order to combat them effectively.

Education and activation are the powerful one-two punch that businesses can use to protect their most valuable asset: information. While it is easy to get overwhelmed by the increasing complexity and maliciousness of the risks, security is not a hopeless endeavor.

Understanding the Enemy
Modern threats fall into four main categories. Data predators are crafty, but not completely original, and they utilize one or more of these methods of attack.

  1. Call Fraud: Eavesdropping and phreaking are the two types of call fraud in which attackers tap into VoIP phone lines and commandeer them to make unauthorized calls. With eavesdropping, hackers tap VoIP phone calls to steal employee names, passwords, phone numbers, and other information that gives access to private accounts and billing information. This is a popular for identity theft and corporate sabotage. With phreaking, hackers infiltrate a business's service provider. They steal account numbers and access codes to add unauthorized phone lines or make calls on existing VoIP lines, both resulting in excessive charges for the business.

  2. Malware & Viruses: Softphones are vulnerable to attack by malware, worms, and other network viruses. These viruses hijack computer systems and take control. They can send spam and other malicious data, target and permanently destroy information, and trace keystrokes and data entry to enable remote access. Credit card data and financial information are particularly vulnerable in this type of attack.

  3. Denial of Service (DoS): In this type of attack, hackers use information overload to flood a network server and consume all available bandwidth. This prevents incoming and outgoing VoIP calls and gives hackers the opportunity to gain remote control of administrative servers. They can steal sensitive business and customer data and abuse VoIP servers to make costly phone calls on the business's account. DoS attacks are, and will continue to be, the most common method of cyberattack, as PwC noted in its July 2015 report, " Communications Review: As telcos go digital, cybersecurity risks intensify."

  4. Call Hijacking & VoIP Tampering: These attacks involve the transmission of noise packets to interrupt the stream of communications and cause reduced call quality, dropped calls, and delays in voice signal. A malicious third-party can change the encryption key of a call's digital signature to make VoIP call signals vulnerable and subject to interception. VoIP servers are tricked into thinking that the original parties on the call are still in communication and the hacker has the opportunity to cause serious communication damage.

Finding the Solution
In sports, the best defense is a good offense, and this holds true with VoIP security. Savvy businesses can preemptively protect themselves from these methods of potential attack using the following techniques.

  • Encryption: Cloud communication providers offer customer guidelines for encryption and authentication protocols, and many offer encryption as an additional service. While all businesses should work to ensure ultimate customer protection, those within retail, financial services, and other industries dealing with consumer data must take extra measures.

  • Authentication Protocols: VoIP authentication protocols vary based on the type of data being transported. They range from a typical password authentication procedure to a complex three-way authentication process that protects servers and business VoIP. Password authentication, also called the two-way handshake, is highly vulnerable to attack and is easily exploited by hackers. Many times, the username and password are not sufficiently disguised or encrypted before traversing the link. Utilizing a VPN or a secure MPLS network rather than the open Internet can reduce this risk significantly.

  • Challenge-Handshake Authentication Protocol (CHAP): When the calling client (computer or softphone that sends data and initializes a VoIP call) links with the authenticator application located in the VoIP server, the authenticator uses a three-step process to determine legitimacy. Also called a three-way handshake, CHAP grants or denies access. If the encrypted messages do not match after the challenge and response steps, the client receives a failure message and is denied access to the VoIP system. This prevents fraudulent VoIP calling.

  • Antivirus Software: Because VoIP softphones are part of office computer systems, protecting them from viruses and other dangerous third-party programs is critical. Viruses enter an organization's VoIP system through email to compromise existing security protocols and interrupt or suspend VoIP network services entirely. Installing and maintaining antivirus and anti-malware software programs like firewalls is crucial. Often, VoIP vendors or network providers offer antivirus protection, also known as unified threat management software, as part of their service offerings.

  • Deep Packet Inspection (DPI): DPI locates, identifies, and classifies data packets through filtering. It can reroute or block incoming packets with unidentified code or forbidden data, deterring unauthorized use of the wide area, local area, or VoIP network. DPI monitors incoming media and signaling streams, as well as all outgoing media streams, for altered or inserted data packets and then flags them for review. These flagged data packets carry priority ratings from high to low that allow them to be routed accordingly. VoIP providers also use DPI to improve network performance and prevent peer-to-peer abuse that may result from VoIP fraud.

  • Session Border Controllers: These VoIP network devices control media streams and protocol signals. They start, conduct, and stop VoIP voice calls and adhere to quality-of-service protocols to ensure the safety and best possible voice quality of all VoIP calls.

  • Authorization Policies & Call Restrictions: A simple way for businesses to secure VoIP lines is simply by regulating their own people and policies. They can perform audits and create call restrictions to track VoIP activity and then monitor accordingly to prevent access by unauthorized parties. Businesses can secure the configuration of VoIP apps by creating whitelists of approved country codes for employee usage. These lists prevent toll fraud and other types of unauthorized activity.

Looking to the Future
Network security threats are constantly evolving and protection measures must advance similarly. Safeguarding proprietary business information and sensitive customer data should always remain paramount. Customer, employee, and internal records data remain top targets of cyberattacks, and the damage to brand reputation climbed 81%, as PwC reported. Businesses must be vigilant in order to avoid costly and inconvenient security breaches.

As the telecom industry transitions to an increasingly digital platform, new types of cybersecurity risks will continue to target data, applications, and networks. Partnering with the right security services provider enhances a business's ability to counteract these evolving network threats.

Effective partners enable businesses to detect, analyze, and respond to cyberthreats before they damage their reputations and bottom lines. Organizations can harness the knowledge of these experts and their cutting-edge tools to protect information in this increasingly hostile environment.





COMMENTS



Enterprise Connect Orlando 2018
March 12-15 | Orlando, FL

Connect with the Entire Enterprise Communications & Collaboration Ecosystem


Stay Up-to-Date: Hear industry visionaries in Keynotes and General Sessions delivering the latest insight on UC, mobility, collaboration and cloud

Grow Your Network: Connect with the largest gathering of enterprise IT and business leaders and influencers

Learn From Industry Leaders: Attend a full range of Conference Sessions, Free Programs and Special Events

Evaluate All Your Options: Engage with 190+ of the leading equipment, software and service providers

Have Fun! Mingle with sponsors, exhibitors, attendees, guest speakers and industry players during evening receptions

Register now with code NOJITTEREB to save $200 Off Advance Rates or get a FREE Expo Pass!

November 1, 2017

Your customers (internal and external) demand that you offer them the ability to connect by any means. With the adoption of cloud communications tools you now have access to an expanded portfolio o

October 18, 2017

Microsofts recent Ignite event had some critically important announcements for enterprise communications. Namely, Microsofts new Team Collaboration offering, Teams, will be its primary communicatio

September 20, 2017

Customer experience can make or break your business. But how do you achieve outstanding customer service when you're dealing with outdated organizational structure, lagging technology, dated proces

September 22, 2017
In this podcast, we explore the future of work with Robert Brown, AVP of the Cognizant Center for the Future of Work, who helps us answer the question, "What do we do when machines do everything?"
September 8, 2017
Greg Collins, a technology analyst and strategist with Exact Ventures, delivers a status report on 5G implementation plans and tells enterprises why they shouldn't wait to move ahead on potential use ....
August 25, 2017
Find out what business considerations are driving the SIP trunking market today, and learn a bit about how satisfied enterprises are with their providers. We talk with John Malone, president of The Ea....
August 16, 2017
World Vision U.S. is finding lots of goodness in RingCentral's cloud communications service, but as Randy Boyd, infrastructure architect at the global humanitarian nonprofit, tells us, he and his team....
August 11, 2017
Alicia Gee, director of unified communications at Sutter Physician Services, oversees the technical team supporting a 1,000-agent contact center running on Genesys PureConnect. She catches us up on th....
August 4, 2017
Andrew Prokop, communications evangelist with Arrow Systems Integration, has lately been working on integrating enterprise communications into Internet of Things ecosystems. He shares examples and off....
July 27, 2017
Industry watcher Elka Popova, a Frost & Sullivan program director, shares her perspective on this acquisition, discussing Mitel's market positioning, why the move makes sense, and more.
July 14, 2017
Lantre Barr, founder and CEO of Blacc Spot Media, urges any enterprise that's been on the fence about integrating real-time communications into business workflows to jump off and get started. Tune and....
June 28, 2017
Communications expert Tsahi Levent-Levi, author of the popular BlogGeek.me blog, keeps a running tally and comprehensive overview of communications platform-as-a-service offerings in his "Choosing a W....
June 9, 2017
If you think telecom expense management applies to nothing more than business phone lines, think again. Hyoun Park, founder and principal investigator with technology advisory Amalgam Insights, tells ....
June 2, 2017
Enterprises strategizing on mobility today, including for internal collaboration, don't have the luxury of learning as they go. Tony Rizzo, enterprise mobility specialist with Blue Hill Research, expl....
May 24, 2017
Mark Winther, head of IDC's global telecom consulting practice, gives us his take on how CPaaS providers evolve beyond the basic building blocks and address maturing enterprise needs.
May 18, 2017
Diane Myers, senior research director at IHS Markit, walks us through her 2017 UC-as-a-service report... and shares what might be to come in 2018.
April 28, 2017
Change isn't easy, but it is necessary. Tune in for advice and perspective from Zeus Kerravala, co-author of a "Digital Transformation for Dummies" special edition.
April 20, 2017
Robin Gareiss, president of Nemertes Research, shares insight gleaned from the firm's 12th annual UCC Total Cost of Operations study.
March 23, 2017
Tim Banting, of Current Analysis, gives us a peek into what the next three years will bring in advance of his Enterprise Connect session exploring the question: Will there be a new model for enterpris....
March 15, 2017
Andrew Prokop, communications evangelist with Arrow Systems Integration, discusses the evolving role of the all-important session border controller.
March 9, 2017
Organizer Alan Quayle gives us the lowdown on programmable communications and all you need to know about participating in this pre-Enterprise Connect hackathon.
March 3, 2017
From protecting against new vulnerabilities to keeping security assessments up to date, security consultant Mark Collier shares tips on how best to protect your UC systems.
February 24, 2017
UC analyst Blair Pleasant sorts through the myriad cloud architectural models underlying UCaaS and CCaaS offerings, and explains why knowing the differences matter.
February 17, 2017
From the most basics of basics to the hidden gotchas, UC consultant Melissa Swartz helps demystify the complex world of SIP trunking.
February 7, 2017
UC&C consultant Kevin Kieller, a partner at enableUC, shares pointers for making the right architectural choices for your Skype for Business deployment.
February 1, 2017
Elka Popova, a Frost & Sullivan program director, shares a status report on the UCaaS market today and offers her perspective on what large enterprises need before committing to UC in the cloud.
January 26, 2017
Andrew Davis, co-founder of Wainhouse Research and chair of the Video track at Enterprise Connect 2017, sorts through the myriad cloud video service options and shares how to tell if your choice is en....
January 23, 2017
Sheila McGee-Smith, Contact Center/Customer Experience track chair for Enterprise Connect 2017, tells us what we need to know about the role cloud software is playing in contact centers today.