I’ve written a number of articles about the how to create a secure SIP infrastructure, but I haven’t really spent much time on what happens if you don’t. There are lots of nasty people out there who are determined to steal money or information from anyone foolish enough to leave the doors to their business unlocked and infrastructure vulnerable to attack.
I recently heard a number of alarming statistics that should put fear into every telecom department.
- The estimated annual loss from global toll fraud is 46.3 Billion (USD).
- Toll fraud losses are growing at rate faster than global telecom revenues.
- In a 2012 survey of telecom managers, 92% said that fraud losses had grown or stayed the same in their company. This was a 3% increase from 2011.
In this article, I will discuss a number of different ways your communications system can be breached. Some have to do with SIP and IP and a number have to do with communications in general. It’s important that you pay attention to both aspects to ensure that you’ve done what you need to do to keep your company safe and secure.
The price of toll fraud extends beyond high telephone bills. Nasty people hack into your communications to steal information. Breaking into the calls between executives might provide a hacker with inside trading information. Not only is your system being compromised, but you may be held legally liable for leaked information.
Hackers might also be fishing for potentially damaging information about your company. In the same way you treat sensitive documents with care, that same care must be given to voice, video, and instant message conversations. Don’t let a stolen phone call lead to an embarrassing situation and bad publicity.
Let’s begin with the network and devices. I’ve discussed this extensively in a number of articles and most recently in Comprehensive, End-to-End Security. You were told the importance of physical and logical security for your devices. I also discuss the need for encryption of your SIP signaling (TLS) and media (SRTP). These steps create the foundation for all further layers of security.
I also wrote about the need for password security. Allow your endpoints to use extensions or other easily guessed passwords and you are posting a big billboard above your company that says, “Welcome, Hackers.”
In addition to user passwords, take a good look at the passwords used to administer your system. Most come with default passwords. It’s always a good idea to change them and implement strong policy password policies to further protect them.
Securing your network and passwords are absolutely essential to keeping the bad guys out, but by no means does it stop there. You also need to take steps to secure your applications and user policies to stop the hackers that make it through that first line of defense.
I like to begin with your users’ class of service (COS) settings. Think very carefully about the levels of access you give to your users. For example, be very restrictive about who is allowed to dial international numbers. Perhaps only your highest executives need access. Perhaps it’s no one.
If you do need to grant international dialing, lock it down to the country codes you need to dial. If your employees don’t need to call Brazil, turn it off.
External forward can be very dangerous. I once worked for a company that was hit with a phone bill in the tens of thousands of dollars because someone hacked into our PBX, set telephones to forward to external numbers, and then used them as launching pads. If you don’t need that feature, turn it off. At a minimum, give it to carefully selected users and monitor their phone activity.
Voicemail systems and conference bridges are commonly used to commit toll fraud. Hackers call into these services and use the dial-out feature to place their calls. This can be prevented by granting it in only carefully thought out cases or turning it off altogether. Additionally, you may want all your conferences to end when the moderator exits the meeting. This prevents conferences from lingering on and being used for malicious activity.
The passwords used for these services need to be protected, too. A moderator’s conference bridge password can be just as golden to a hacker as a telephone login. Apply the same levels of policy to these entry points as you would to any other.
You’ve heard me say time and time again how important an SBC is. One thing I never really discussed is how an SBC can hide the identity of the communications system it protects. Hackers want to know the make, model, and version of the system they are attacking. This allows them to use known weaknesses and vulnerabilities to their advantage. An SBC prevents them from obtaining this potentially valuable information.
This is by no means an exhaustive list of toll fraud threats and mitigations, but it’s a good start. There is no one thing that you can do to ensure that your systems are safe and secure. SBCs, encryption, class of service policies, password protection, and everything else I’ve discussed need to be employed, monitored, and adjusted as situations change.
I can assure you that the hackers are staying on top of the tools of their trade. You need to do the same when it comes to security and protecting your valuable communications resources. Be safe or be sorry. Very, very sorry.