“You cannot choose your battlefield,
God does that for you;
But you can plant a standard
Where a standard never flew”
Just when the stress of the pandemic was starting to ease and it looked as if the world might return to some sense of normal, we suddenly find ourselves on the cusp of World War III. My news feeds are filled with stories of bombed cities, refugees, failed peace negotiations, and body counts. I think I understand how my parents must have felt in 1939 when Germany invaded Poland.
While the bullets, bombs, and missiles may be currently limited to Ukraine, this is 2022 and war is no longer completely embodied by tanks, guns, and explosions. Digital attacks are being planned and carried out across all seven continents and safety is not defined by where you live or what language you speak. Countries, companies, and individuals have been targeted by hackers (be they individuals, organized crime, or state actors) for many years, but the frequency and intensity of those attacks have been greatly amplified by these geopolitical disruptions.
Being lax about cyber defense has never been an acceptable posture and recent events have made security hardening an even greater priority. It’s not a matter of “if I get attacked.” It’s “how often will I get attacked and how much damage will each attack do?” Sometimes it only takes one security breach to devastate a company or individual, but over time, smaller and less obvious attacks can wreak just as much damage.
Are you familiar with Executive Order 14028? It was signed by President Biden early in 2021 and begins with the following words:
The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors. The Federal Government must also carefully examine what occurred during any major cyber incident and apply lessons learned.
While most people might think this only applies to data attacks and ransomware, my thoughts immediately went to securing voice networks. Stolen credit card numbers and hijacked PCs and servers are certainly bad, but so is the inability to make or receive telephone calls, malicious voice spam, and toll fraud. People are taught about phishing, but many have never heard of vishing and just how catastrophic it can be to an individual or organization.
Shortly after the signing of Executive Order 14028, the National Security Agency (NSA) issued a comprehensive document that addresses the steps an organization can follow to ensure that their communications platform is given the same level of attention it pays to securing its data infrastructure. If you haven’t already done so, I highly recommend that you download and read it. It covers both the commonsense aspects of voice security along with mitigations that even the most seasoned expert might miss. I will admit to learning a thing or three.
Another worthwhile security resource is the recently released alert from the United States Cybersecurity & Infrastructure Security Agency — Destructive Malware Targeting Organizations in Ukraine. Although it is primarily aimed at securing data networks, many of the recommendations (e.g. updating software, backups, auditing, etc.) equally apply to voice networks.
There are a number of steps that an organization can (and must) take to protect their voice network. They consist of everything from securing the physical aspects of their communications system to telephone password policies to SBC hardening to training users in how to recognize and mitigate social engineering attacks. A missed step equates to a gaping security hole that malicious actors are more than happy to climb through.
Sadly, security is a moving target and best practices are constantly evolving. Hackers are like water on a roof. When it can’t get in one place, it tries every other possibility until it finds a way through the shingles. That is why you need to put into practice strategies that not only cover today, but are prepared for the challenges of tomorrow.
On the top of my list are real-time analytics tools that are dynamically updated with the most current threat vectors. Similar to virus checkers that adapt on a daily basis to the latest malware, worms, spyware, trojan horses, and ransomware, real-time VoIP security tools stay current with the “attack du jour” along with the “greatest hits.”
Assertion’s SBC Scan falls into this category. It approaches SBC security holistically and looks at everything from configuration issues to weak certificates to historical log data. Using artificial intelligence armed with a deep understanding of how hackers operate, it performs a deep level of analysis not possible by us mere humans. An Assertion SBC Scan finds breaches that have occurred and identifies where they are most likely going to occur.
A Chain of Weak Links
Late last year I worked with Assertion on an SBC vulnerability research project. Using their cloud-based scanning software, we ethically examined nearly 3000 publicly accessible SBCs around the world. I would love to say that we didn’t find any issues, but that would be a lie. Here are some of our findings:
- 2257 had certificates valid longer than 13 months — of that, more than 70% were longer than 24 months — the recommended maximum is 397 days
- 68 used wildcard certificates
- 12 of those 68 wildcard certificates had expired
- 15 out of 326 Avaya SBCs were running old, unsupported software
- 279 SBCs were running TLS 1.1 — a very vulnerable protocol that is easily hacked
- We found SBCs running weak encryption algorithms with a key strength of 1024 bits — 2048 bits is the recommended minimum
- 28% of the SBCs had one or more administration interfaces directly exposed to the Internet
- 4% of the SBCs still supported telnet, a highly insecure protocol
- 1382 SBCs used self-signed certificates
- 2% of the SBCs were found on block lists — these SBCs are essentially considered to be dangerous devices
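Most of the findings in this list are certificate and protocol hygiene problems that an organization can check on its own SBCs before anyone else does. The script below is an added example written for this post; it is not Assertion's SBC Scan code. It takes a certificate in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, plus the key size and negotiated protocol version, and reports the same classes of weakness: validity longer than 397 days, expiry, wildcard names, self-signing, keys under 2048 bits, and TLS 1.1 or older. The two sample certificates, the `REFERENCE_NOW` timestamp, and the `example.com` names are constructed for the example.

```python
"""Audit checks mirroring the SBC findings above (added example, not Assertion's
SBC Scan code). Inputs are shaped like ssl.SSLSocket.getpeercert(); the sample
certificates below are constructed, not scan data."""
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 397   # recommended maximum certificate lifetime cited in the post
MIN_KEY_BITS = 2048       # recommended minimum key strength cited in the post
WEAK_TLS_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.1 and older


def _parse_cert_time(value):
    # getpeercert() dates look like "Jan  1 00:00:00 2020 GMT"
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)


def audit_cert(cert, key_bits, tls_version, now):
    """Return the list of findings for one SBC TLS endpoint.

    cert        -- dict in the shape returned by ssl.SSLSocket.getpeercert()
    key_bits    -- public key size (not exposed by getpeercert(); in practice
                   taken from openssl or a DER parser)
    tls_version -- value of ssl.SSLSocket.version(), e.g. "TLSv1.1"
    now         -- timezone-aware datetime used for the expiry check
    """
    findings = []
    not_before = _parse_cert_time(cert["notBefore"])
    not_after = _parse_cert_time(cert["notAfter"])

    validity_days = (not_after - not_before).days
    if validity_days > MAX_VALIDITY_DAYS:
        findings.append(f"validity period {validity_days} days exceeds {MAX_VALIDITY_DAYS}")
    if not_after < now:
        findings.append("certificate expired")

    dns_names = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    if any(name.startswith("*.") for name in dns_names):
        findings.append("wildcard certificate")
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed certificate")
    if key_bits < MIN_KEY_BITS:
        findings.append(f"key strength {key_bits} bits below {MIN_KEY_BITS}")
    if tls_version in WEAK_TLS_VERSIONS:
        findings.append(f"negotiated {tls_version}, which is deprecated")
    return findings


# Constructed sample: a self-signed wildcard certificate with a two-year lifetime
WEAK_SBC_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2022 GMT",
}

# Constructed sample: a CA-issued, single-host certificate within the 397-day limit
HARDENED_SBC_CERT = {
    "subject": ((("commonName", "sbc.example.com"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "subjectAltName": (("DNS", "sbc.example.com"),),
    "notBefore": "Jan  1 00:00:00 2022 GMT",
    "notAfter": "Dec 31 00:00:00 2022 GMT",
}

# Fixed reference time so the expiry check is reproducible
REFERENCE_NOW = datetime(2022, 3, 1, tzinfo=timezone.utc)


def demo():
    """Audit both constructed samples and return {name: findings}."""
    return {
        "weak": audit_cert(WEAK_SBC_CERT, key_bits=1024, tls_version="TLSv1.1", now=REFERENCE_NOW),
        "hardened": audit_cert(HARDENED_SBC_CERT, key_bits=2048, tls_version="TLSv1.3", now=REFERENCE_NOW),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["no findings"])
```

Against the weak sample the audit raises all six findings; the hardened sample passes clean. When feeding it a live SBC, note that `getpeercert()` only returns the parsed dictionary on a connection that passed verification; a self-signed certificate fails verification, so for that case you have to fetch the DER form with `getpeercert(binary_form=True)` and parse it yourself before calling `audit_cert`.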
The number of problems we found should frighten every telecom manager out there. Every one of these issues is an invitation to be hacked. At the same time, they are opportunities to get serious about VoIP security. We did not uncover a single issue that cannot be fixed.
Voice spam, or vishing, is any form of unsolicited or unwanted phone calls. It consumes communications resources and results in a loss of productivity.
Answering spam calls marks you as a target and hackers will continue to harass organizations with willing participants. Most importantly, voice spam is more than just an annoyance. It is downright dangerous and potentially very costly.
Here are a few frightening statistics (courtesy of Mutare, Proofpoint, and the Federal Trade Commission):
- 45% of robocalls are scams
- 77% of US organizations faced vishing attacks in 2020
- Phishing awareness in enterprises is 74% while vishing awareness is only 30%
- Only 41% of organizations include vishing in security awareness training
- Highly trained criminals target contact center agents in order to steal money and private data
- Human error exposes sensitive information
- Losses due to vishing in 2020 were $3.3 billion
In addition to training employees to recognize and deal with vishing attacks, it is essential that enterprises protect their voice networks with voice spam detection solutions such as the Mutare Voice Traffic Filter. The best defense is to keep spam calls far from the ears of gullible humans.
Thankfully, VoIP security isn’t a mystery that every organization needs to solve on their own. There is a wealth of documents, comprehensive guidelines, tools, and practices that can be put into place and used by every organization of every size. The previously mentioned NSA guidelines document is a great place to start. Once that is absorbed and understood, I highly recommend the many security articles on this blog (you need to learn to love SIPVicious). Over the years, I have covered everything from identifying threats to the steps to prevent them. While I’ve placed an emphasis on SIP security, you will find that my approach is holistic in nature. No security stone should be left unturned.
After that, it is critical to enshrine activities that continually monitor security successes and failures. Knowing how you kept a bad actor out of your system can be just as valuable as keeping them out in the first place.
As geopolitical tensions rise, the risk of malicious cyber activity has magnified and will continue to soar into the unforeseen future. No matter who you are or where you live, someone is hoping to do you serious harm. That harm might be a loss of money, compromised sensitive data, or a major service disruption. In all cases, it’s not something you want to face unaware and unprepared. The plans you put into place today may be your lifeline tomorrow. Plant your standard before it’s too late.
For a more personal and less technical look at my thoughts about war in Ukraine, please take a look at We Are All Ukrainian Now.