In earlier posts, we’ve discussed how Voice Over Internet Protocol (VoIP) systems can help your business flourish and provided tips to help protect and secure utility management solutions for your business.
While case scenarios that can drive the consideration and implementation of VoIP security solutions can include reducing telephony costs, value-added features not available in traditional telephony solutions, and gaining the increased flexibility that VoIP can provide; as an internet based solution, VoIP security solutions face security threats that are uncommon in legacy telephony solutions. And a security breach of voice systems could be just as problematic and impactful to your business as a data breach. It is thus unsurprising that there is a need to integrate and incorporate data system security best practices and solutions into any VoIP security solutions: for both your business and your peace of mind.
Voice data packets transmitted over an insecure VoIP network is at risk for interception and misuse, just as data packets transmitted over an insecure data network are. Other threats that can affect VoIP systems include:
- Identity Spoofing
- Conversation eavesdropping/sniffing
- Default passwords being used and/or cracking of simple passwords
- Man-in-the-middle style exploits
- Denial of Service (DoS) attacks
- Toll fraud
- Hacking of voice mail or a web-based management console
Hackers can use an approach known as “footprinting” to initiate a breach action. Through footprinting, they gain information made publicly available by the company itself in job postings or on social media sites. For example, advertising a job opening for a precise VoIP vendor technology and implementation can alert a hacker searching for a possibility, if they come across your ad or social media posting calling out your VoIP security solution, and then access it to find it has not been kept up to date for all known exploits.
Aside from avoiding footprinting whenever possible and ensuring that your VoIP systems are always up-to-date with security patches and updates, there is a number of additional security best practices to consider.
Some of these are broadly applicable, others will depend upon your particular requirements and implementation. These best practices include:
- Never use the default vendor password.
- Ensure passwords for any management console or remote management system have a complex password and are on a non-standard port.
- Institute a policy and procedure by which passwords are disabled/changed (as appropriate) when an employee leaves the company or changes assignments
- Implement IT security training for all team members and employees, ensuring understanding of password security, not sharing accesses, and other related security control mechanisms.
- Separate data traffic from voice traffic through creating two virtual VLANs.
- Having usernames that do not equate to the voice extensions.
- Implementing encryption to secure all calls or identifiably known sensitive voice traffic.
- Limiting calling by a device and/or location.
- Using Secure Session Internet Protocol (SIPS) for protection from eavesdropping and tampering.
- Applying a layered security approach with both physical and logical protection: The VoIP server should be behind a SIP-aware firewall and intrusion prevention system (IPS), and properly securing VoIP gateways.
- Utilizing traffic analysis and deep packet inspection (DPI).
- Voicemail protections including the use of a strong 6-digit passcode or device certificate, and timely deletion of sensitive voicemail messages.
- Removing mailboxes when employees leave the company.
- Limiting invalid login attempts.
- Implementing call restriction policies, such as limiting the type of calls allowed on the network, implementing time of day policies, disabling international calls by default.
Security awareness training for team members and employees referenced earlier is necessary regardless of the depth or breadth of the above considerations implementation. And that training should incorporate employees reporting anything which appears questionable or of concern.
Many benefits arise from VoIP security solutions: reduced cost, additional features, expanded flexibility, increased ease of use. But, as with all computing solutions in today’s world, they must be undertaken, implemented and maintained with Voip security solutions mindfully considered and addressed.
Clarus Communications will conduct a VoIP security assessment to understand where your system might be lacking. We have helped hundreds of companies nationwide protect their VoIP telephone systems. This review will determine your current situation and inventory your current equipment to determine how best to protect your investment. Once this is complete, the team at Clarus Communications will provide you with a free estimate so you can compare security providers. We shop the carriers saving you time and money. Click here or contact us at 855-801-6700 for more information.