Just recently, InfoStructure employee Derrick Sisson came across this article in which a small business is now faced with a $166,000 bill for fraudulent telephone charges. Derrick says, “There are several ways fraud like this happens. Of course we all know the dreaded SIP hacks and VoIP weakness of being out on the internet, but that’s not the only way a customer is vulnerable to fraud….Once they have access they are able to do anything they want including making International calls undetected by the customer…” We are aware of the risks that face IP Phone systems and below are some ideas that will help maintain the security of your IP Phone System.
Breaking into phone calls carried over IP telephony (also known as VoIP) opens a veritable gold mine of valuable data and information. Large sums of money are at stake for government agencies, financial institutions, and professional services firms. Also at risk are call centers, where health records, confidential account information and payment card data can be compromised. Voicemail hacking has also become popular because it exposes private business information and celebrity secrets. Toll fraud is also being committed by large groups of phone pirates intent on compromising the security of your phones.
The risks in VoIP go beyond eavesdropping, toll fraud, and voicemail hacks. IP phones can also be entry points into your business network. VoIP calls and voicemail messages are data and, like any data, can be compromised. If you use a hosted IP phone service or a VoIP system, protecting these networks is similar to protecting a data network. The security policies and technologies can be complex, depending on the IP phone system you’re using, whether onsite or hosted. The following is an introduction to some IP phone security strategies:
Evaluate services such as user authentication, encryption, and VLAN configuration, and check the security of the configuration and signaling methods. Also investigate any HIPAA, SOX, PCI, or other compliance guidance that applies.
- Place network restrictions on types of calls by device, user, and other criteria.
- Control voice network access by user name and password and/or device certificate.
- Install OS updates and limit software loading on phones.
- Lock down administration of voice servers. Use domain restrictions and two-factor authentication for administrative access, including access to signaling data, configuration files and credentials.
- Set up a firewall and intrusion prevention system (IPS) to regulate authorized and unauthorized VoIP traffic and to track abnormal voice activities.
- Some voice systems and switches support device discovery protocols and automatically assign IP phones to voice VLANs.
- Encrypt signaling at your Internet gateway with Session Initiation Protocol (SIP) over Transport Layer Security (TLS).
- Apply encryption by segment, device, or user; indiscriminate encrypting can result in excessive network latency or introduce operational overhead and complexity.
- Encrypt the media (packets) with protocols such as SRTP.
- Use VPNs for network connections by remote phones. This is important when SRTP or HTTPS is not available.
- Communicate your phones’ built-in security features to users.
- Apply strong passwords to access the voicemail inbox. Immediately change the default password to a strong password, then change it as often as your company’s policy dictates for changing login and email passwords.
- Delete sensitive voicemail messages as soon as users have listened to them. Not storing voicemails is the easiest and most effective way to protect them.
- Immediately report anomalies. You may not know a phone has been hacked until an employee reports an odd occurrence, such as a saved voicemail message that has been deleted or forwarded to an unusual number.
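As an added illustration (not part of the original article and not InfoStructure's own tooling), the Python example below applies the call-restriction and abnormal-activity items above to call detail records (CDRs) exported from a phone system, flagging the kind of unnoticed international calling that drives toll fraud bills. The CSV column layout, extension numbers, phone numbers, business hours and thresholds are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs; the column layout is an assumption, not a vendor format.
SAMPLE_CDRS = """start,extension,dialed,seconds
2024-03-04T10:15:00,101,+14105550123,180
2024-03-04T14:02:00,102,+442079460000,600
2024-03-09T02:11:00,103,+442079460101,1500
2024-03-09T02:40:00,103,+442079460102,1700
2024-03-09T03:05:00,103,+442079460103,1650
2024-03-09T03:20:00,104,+14105550199,60
"""

HOME_PREFIX = "+1"             # assumed home country code
INTL_ALLOWED = {"102"}         # assumed: extensions permitted to call abroad
BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59, Monday to Friday
MAX_INTL_SECONDS = 3600        # assumed per-extension daily international budget

def find_anomalies(cdr_text):
    """Return sorted (extension, date, reason) tuples worth a human review."""
    findings = set()
    intl_seconds = defaultdict(int)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if row["dialed"].startswith(HOME_PREFIX):
            continue  # domestic call, out of scope for this check
        start = datetime.fromisoformat(row["start"])
        ext, day = row["extension"], start.date().isoformat()
        if ext not in INTL_ALLOWED:
            findings.add((ext, day, "international call from restricted extension"))
        if start.weekday() >= 5 or start.hour not in BUSINESS_HOURS:
            findings.add((ext, day, "international call outside business hours"))
        intl_seconds[(ext, day)] += int(row["seconds"])
    # Sustained international usage is the pattern that produces large bills.
    for (ext, day), total in intl_seconds.items():
        if total > MAX_INTL_SECONDS:
            findings.add((ext, day, f"international usage {total}s exceeds daily budget"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_CDRS):
        print(*finding, sep=" | ")
```

Run on a schedule against fresh CDR exports, a check like this surfaces a compromised extension within hours instead of at the next invoice.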
Don’t leave your IP phones and voice systems open to attack by cybercriminals. Equip yourself with tools that protect your sensitive data files today.