The forgotten security frontier: How secure are your phone calls?

Mykola Konrad, VP Marketing and Product Management, Sonus Networks explains how Unified Communications and phone security, often overlooked, can be a cybersecurity threat

Phone security

Author

VP, Product Management and Marketing, Sonus Networks. Mykola Konrad leads

VP, Product Management and Marketing, Sonus Networks. Mykola Konrad leads Sonus’ global product, Channel and corporate marketing initiatives.

Mykola has more than 17 years of technology development and product management experience, most recently serving as Director of Product Management at Sonus.

Prior to Sonus, he served as Senior Product Manager at Microsoft; Product Manager at Avaya; Software Developer at Panasonic and Software Developer at Ariel Corporation. Mykola holds an M.B.A from New York University’s Leonard N. Stern School of Business and a bachelor’s degree in electrical engineering from the University of Pennsylvania.

Cyber threats are constantly evolving, and 2017 is ramping up to be a banner year for security. Last year brought forth new and incomparable in scale attacks directed at high-profile brands. According to Control Risks, the attacks perpetrated by cyber criminals doubled in frequency. Across South East Asia, government, finance, and telecoms sectors were the most frequently targeted. It is becoming imperative for enterprises to invest in cyber security defense systems and collaborate with experts who can advise on the best preventive strategies.

As IP-based Unified Communications (UC) and phone security are some of the most overlooked and misunderstood pieces of security fabric, these systems will become an attractive point of vulnerability for cyber criminals looking to attack enterprises in the region.

Your Communications Network Is Likely Unsecure

In the late 1990s and early 2000s, a lot of companies were part of a massive Voice over IP (VoIP) revolution that quietly moved most wired and wireless communications onto IP-based networks through a protocol known as SIP (Session Initiation Protocol). Most consumers weren’t even aware of the change. Prices did get cheaper, phone quality was initially an issue for some of the early adopters, but today it’s nearly impossible to tell the difference between a voice call that traverses the Internet and one that runs over a private network.

But here’s the problem: the changeover was so subtle, many people kept thinking of their phone as a device connected to a private network, rather than one connected to the public Internet. For those of you still using a desk phone; yes, it is probably an IP device. For those of you using a softphone, that’s also an IP device just like your smartphone, laptop or personal computer. And the signaling and messaging between the devices are all over IP, typically the SIP (Session Initiation) protocol. Many companies have had to disable their firewalls for SIP communications because the firewall blocks the SIP ports. This leaves your mobile clients and your communications networks susceptible to Internet-based attacks including DDoS attacks, fraud, malware and more. Independent risk assessments, penetration testing and compliance audits have all shown this to be one of the most common vulnerability gaps in network security.

How Much Trouble Can an IP-based Communications Cause?

Any IP-based device that is connected to both the Internet and your internal network represents a potential “hole” in your network. That device may be a smartphone that has access to business apps, a laptop carrying sensitive financial data or an office phone with access to your corporate directory. For most of us securing smartphones and laptops is second nature. How many of us give a second thought to securing the UC network and mobile clients that power our communications?

If you need some incentive to secure your UC network, here are several reasons:

  • Toll Fraud
    Every year, businesses lose billions of dollars through long-distance phone call fees that are placed illegally from their business. How do hackers get access to their phone system? Through the UC enabled Private Branch Exchange (PBX) or by hacking an employee’s mobile client directly. Each year, more enterprises—and, sadly, small businesses too—discover that someone has breached their phone system and racked up tens of thousands of dollars in long-distance fees. Unfortunately, these companies are often responsible for the fees even if they can prove the calls didn’t originate from their employees.
  • Distributed Denial-of-Service (DDoS) Attacks
    DDoS attacks have been making headlines after recent high-profile attacks temporarily took down the sites of Twitter, Airbnb, and many others. But websites aren’t the only target of DDoS attacks; call centers are also vulnerable. By targeting a phone number or SIP URL instead of a website’s URL—remember, in the Internet world, both are simply IP addresses—DDoS attacks can paralyze customer service and shut down phone sales for hours, severely impacting business.
  • Caller ID Spoofing
    For better or worse, caller ID carries a more inherent sense of trust than an email. That makes the act of caller ID “spoofing”—displaying a false caller ID—more dangerous. One criminal group, for example, was able to steal millions of dollars from unsuspecting U.S. citizens by posing as the Internal Revenue Service. These calls, which claimed that the victims owed the I.R.S. various payments for taxes, prominently displayed the I.R.S. credentials on the victim’s caller ID. Never one to miss an opportunity, criminals are now using caller ID spoofing to collect personal information, a tactic known as “vishing” (a portmanteau of “voice phishing”).

What can be done to secure the call?

Although VoIP and SIP allowed enterprises to consolidate their voice and data networks into a single IP-based network, voice and data communications still have unique characteristics. Specifically, voice (and live video) have a much lower tolerance for latency and packet loss. These real-time communication (RTC) sessions need to be handled more sensitively in the network because they have different requirements than data, such as media transcoding, SIP message manipulation and special security considerations (e.g., network topology hiding, NAT traversal, blacklists).

Using a standard data firewall to protect your IP network and mobile clients will likely backfire, because firewalls aren’t designed to support RTC’s requirements. Instead, companies need a session border controller (SBC) to secure RTC—and provide the transcoding and interoperability features as well. You can think of an SBC as a “traffic cop” that can enforce rules, give directions (in a variety of languages) and ensure that network real-time traffic flows smoothly and safely.

As with many network technologies today, the SBC as a network element is increasingly being “virtualized” to reduce hardware, simplify deployment and support network service automation. We’ve seen an increase in demand for virtualized SBCs that can be deployed in public or private clouds so they can scale up and down as traffic increases or decreases. This is especially useful in the case of DDoS attacks, which can range from light to heavy, and often do by design.

The reality is that office voice communications are not going away any time soon. In fact, with the popularity of UC, we’re seeing the role of the UC mobile client increase to handle live video, text messages and more. Despite our longstanding comfort with the phone as a business tool, companies need to remember that each mobile client is a connected, potential doorway into their network. SBCs can shut that door—and offer a host of other benefits, from high-definition voice capabilities to toll-free routing. It’s something that every business should be talking about, because it’s only a matter of time before hackers come knocking on your communications network.

Mahesh Murthy "disappointed" with BookMyShow for "making profit"
Salesforce ups its AI game, launches Service Cloud Einstein