VoIP security is an area of increasing focus for enterprise executives. The rapid growth in VoIP adoption has increased the attack surface, but a number of methods are effective in protecting against these threats. Let’s discuss preventative tactics against common VoIP security lapses, and best practices for maintaining secure networks and communication channels.
Institute a system.
The establishment of an Information Security Management System (ISMS) should sit at the top of any VoIP security checklist. A comprehensive ISMS program will ensure stakeholders follow best practices for protecting potentially sensitive information. Err on the side of caution and make an exhaustive list. It needs to include anyone who stores, processes, or transmits even remotely sensitive data. (Yes, voice conversations and call records, too.)
Assess risk and authenticate use.
You will need to evaluate your method for authenticating users. Obviously, in VoIP this is an authentication system beyond username and password — one that verifies who users are over time by matching voice prints with profile-associated voice signature data. We recommend first performing an audit, identifying all accessible points of entry. These include devices or applications that don’t require physical access but through which potential saboteurs could gain administrative privileges to other machines via direct connection or remotely. (SSH, for example, will need to be secured against brute-force attacks.)
With a solid signature authentication in place, a next focus should be establishing appropriate security policies for your entire VoIP ecosystem. Your policies should be comprehensive enough to protect all aspects of a network, including fixed-line devices (e.g., PBX) as well as mobile apps on phones, tablets, and laptops. If an employee has a BYOD policy that allows them to log into company applications with nothing more than their personal smartphone — this needs to include protection against malware designed specifically for VoIP systems to bar attackers from using infected phones inside corporate networks. A plan that isn’t scaled sufficiently is worse than doomed. It engenders a false sense of security.
Control access points.
In addition to physical security, you’ll need to establish policies for logical access control. While this isn’t typically a main focus of VoIP security, it’s important to protect your PBX from unauthorized remote log-in attempts and brute-force attacks with strong passwords on all a system’s administrator accounts. Failing to do so is, in effect, leaving the front door unlocked.
Using two-factor authentication is strongly recommended. Doing this provides an extra layer of protection beyond mere password credentials. (Keep in mind how easily password credentials can be hacked or manipulated.) Implementing two-factor authentication controls will significantly decrease the chances of someone outside your organization gaining administrative privileges over network resources by way of the telephony infrastructure itself.
Maintaining VoIP security requires the ability to manage devices that connect to your network — data, voice, and video devices. Without proper management, these devices are easily overlooked and can spell doom for the security of networks and communications.
Organizations should have a comprehensive inventory management program in place to track all communication assets and how they’re utilized throughout the organization (i.e., number of employees using each phone). This will enhance the focus of targeted monitoring policies and can be enforced across an entire organization irrespective of size.
Encrypt it all.
Do not underestimate your organization’s need for encryption — specifically TLS/SSL tunneling protocols like Secure Sockets Layer (SSL) or Transport Layer Security (TLS). VoIP communication sessions should always be encrypted end to end, and there are a number of ways organizations can go about this.
All voice traffic that originates from a network ought to utilize TLS/SSL encryption for transmission. This includes both external calls as well as internal and inter-office communications. For internal calls between employees that take place via the same branch LAN, an organization may opt to use less expensive solutions, such as data-over-cable service interface specification (DOCSIS) or Wi-Fi protected access (WPA), rather than employing top-dollar protocols like IPSec VPNs.
Every business is different. Ultimately budgets will dictate which protocols are implemented, and while any protection beats no protection, you should consider the security of your organization’s VoIP network mission critical. (Because it is.)
Make a plan and test it.
While it isn’t necessarily pleasant to think about, it is necessary to brainstorm, develop, and implement a plan to recover assets quickly when a VoIP attack occurs. In the event of an attack, the entire system needs to be able to be restored within minutes, not hours or days.
Playing out scenarios in which an organization lacks protection produces harrowing results. Imagine: If attackers are able to successfully identify vulnerabilities inside your network via brute-force attacks (usually through lapses such as weak user passwords), they might decide to record calls instead of shutting them down, effectively stealing and leveraging sensitive data, as opposed to merely sabotaging a system. The irreparable damage this could cause an unprotected organization is immeasurable.
The most intelligent approach to preventing a scenario like this is to diligently maintain documentation on how each of your network component’s function, and the ways in which they interact with other components on both sides of calls. Go a bit further: Perform routine audits designed to test the efficacy of these functions. This will help to ensure the countermeasures you develop are able to be executed swiftly should real crises transpire.
The rate of VoIP system usage is growing exponentially. These systems will spread to every corner of the world (and have already). This proliferation presents an endless horizon of targets for cyberattacks aimed specifically at VoIP vulnerabilities.
Sensitive data require security measures. Protecting networks and communication channels should be a top priority for any organization. Today, cyberattacks against network systems are an inevitability and take place with astonishing frequency. Developing comprehensive information protection policies is no longer optional for an organization’s long-term survival.
Converging Networks Group (CNG) is a communications firm of specialists dedicated to tailoring solutions for medical practices, hospitals, education facilities, car dealerships and logistics industry.
Not only do we design and install systems, but we also partner with you and your business. We work with you to ensure each need and goal of your business is met and can provide a number of options that work to outfit your place of business into an extremely secure location.
You take pride in your business. So do we.
For more information or to request a free consultation or quote – click here.