If there's one rule of online crime today, it's that if something is online, criminals are looking for ways to subvert it. So when developing security systems for a network, it's vital to address every possible vector for attack. Unfortunately, one key system often goes forgotten during security reviews, and that can mean very bad news for businesses: a VoIP phone system.
It's easy to take a telephone system for granted, but hackers are coming up with new ways to exploit VoIP systems all the time. The threats presented by phone-based hacking are every bit as serious as other attack types.
There are a surprising number of ways a VoIP system can be subverted. For example:
Toll Fraud: Having gained access to your VoIP lines, the criminals then become their own private phone company - with you paying the bill. They'll often even resell your service for their profit.
Spamnets: Much like how a compromised computer can become part of a botnet spreading email spam, a compromised VoIP system can be used to spread voice spam - potentially even getting you into legal trouble under Do-Not-Call legislation.
Eavesdropping: Any and all private or confidential information discussed over your phones can be captured and used against you.
Voice Phishing: Having direct access to your VoIP system makes it easier for criminals to spoof (falsify) calls from seemingly-genuine sources, for the sake of gaining confidential information.
DDoS Attacks: If attackers want to cripple your business, directly targeting a SIP server is a great way to do it, particularly since SIP servers usually don't have robust anti-DDoS protections.
Not to mention, in many cases, gaining access to a company's VoIP system ultimately allows attackers to gain access to other critical systems. So a VoIP attack also presents all the same threats as any other network/data attack.
It's important to note that these concerns are valid whether you're receiving VoIP from a third-party provider, or you run your own SIP and PBX interface on-site. However, if you're doing everything on-site, you're probably at higher risk.
Largely, security for a VoIP system is the same as for any other major part of your network. The problem is that so many businesses forget to give it suitable protections. In particular:
This should go without saying, except you'd be surprised how many businesses don't bother.
Never share usernames and passwords between administrators. Everyone should have unique credentials.
Yes, there are software packages and network architectures which can provide antivirus protections to your phones too.
SBCs guard the edge of your network, such as where your VoIP system interfaces with the networks outside your building. They're like firewalls for your VoIP.
It's a bit of a pain for your workforce, but will greatly reduce the ability of someone to make calls even if they gain access to your system.
Regularly go over all your logs and look for any anomalies, particularly out-of-country calls to areas you don't do business in.
SRTP is end-to-end encryption on VoIP calls. It can degrade call quality somewhat, but in many cases - particularly if you deal in sensitive information - it's a worthwhile trade-off.
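The log review recommended above can be partly automated. The following is an added example, not code from the original article: it scans a call detail record (CDR) export for international calls to country codes outside the ones a business actually uses. The CSV column names, the sample records and the allowed country codes are all constructed assumptions; adapt them to whatever your PBX or provider exports.

```python
import csv
import io
from collections import Counter

# Constructed sample CDR export (assumed columns; adapt to your PBX's format).
SAMPLE_CDR = """\
start,extension,dialed,duration_sec
2024-03-04T10:15:02,1001,+12025550143,312
2024-03-04T14:40:11,1002,+442079460018,95
2024-03-05T02:11:47,1007,+5352345678,1810
2024-03-05T02:13:09,1007,+5352345679,1795
2024-03-05T02:14:30,1007,0025261234567,1802
2024-03-05T09:05:00,1003,2025550199,45
"""

# Assumption: this business only calls country code 1 and country code 44.
ALLOWED_COUNTRY_CODES = ("1", "44")
INTL_PREFIXES = ("+", "011", "00")  # E.164 plus common international dial-out prefixes


def international_digits(dialed):
    """Return the digits after the international prefix, or None for domestic/internal calls."""
    number = dialed.strip().replace(" ", "").replace("-", "")
    for prefix in INTL_PREFIXES:
        if number.startswith(prefix):
            return number[len(prefix):]
    return None


def flag_anomalies(cdr_text, allowed=ALLOWED_COUNTRY_CODES):
    """Return CDR rows whose destination is international and outside the allowed codes."""
    flagged = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        digits = international_digits(row["dialed"])
        if digits is not None and not digits.startswith(tuple(allowed)):
            flagged.append(row)
    return flagged


def calls_per_extension(rows):
    """Count flagged calls per extension to spot a single compromised account."""
    return Counter(row["extension"] for row in rows)


if __name__ == "__main__":
    hits = flag_anomalies(SAMPLE_CDR)
    for row in hits:
        print(row["start"], row["extension"], row["dialed"], row["duration_sec"])
    print(calls_per_extension(hits).most_common())
```

Country code 1 covers the whole North American Numbering Plan, including Caribbean area codes, so tighten that entry by area code if you only call part of it. Several long flagged calls from one extension in a short window, as in the constructed sample, is the pattern worth escalating first.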
Are you concerned about your on-site security? Contact Hummingbird Networks today to request a free consultation on your security measures!