So let’s be clear from the start. No system is 100% secure. Security is a challenge for businesses of all sizes, striving to maximise service availability without compromising confidentiality and integrity. Local, remote and mobile users use an array of ever changing systems and application, all presenting their own and often very different challenges and security threats.
So what are the main threats?
One of the biggest threats to your telecoms infrastructure is toll fraud. More widespread than ever, complex organised ‘phreaking’ is estimated to cost UK businesses an estimated £1.3billion a year. Because calls made are ‘legitimate’, you the business owner, are responsible for the bill. Equally as detrimental are Denial of Service attacks, designed specifically to damage your business and test the strength of your network. The threat from Social Engineering (whether human or technology based) cannot be ignored, for example, a breach of trust by a member of staff from within your own environment.
Areas of concern include gateway security, firewall configuration, patching procedures, and wireless security. It is far more difficult to remediate security issues after an installation, so be sure your security house is in order prior to implementation.
Whether you use a hosted IP phone service or an onsite VoIP system, protecting the voice network is much like protecting the data network. VoIP risks extend beyond toll fraud, voicemail hacks, and eavesdropping, VoIP calls and voicemail messages are data, susceptible to data network attacks.
Use VLANs to Segment Voice Traffic and Separate it from Data Traffic.
Immediately report anomalies. You may not know a phone has been hacked until an employee reports an odd occurrence, such as a saved voicemail message that has been deleted or forwarded to an unusual number.
Never use the default passwords for voice mailboxes, system administration, conference bridges, and use passwords that aren’t obvious or easy to guess, such as 1234. Enforce a policy of changing passwords on a regular basis, and when someone leaves the company, delete their mailboxes immediately, and block or delete all inactive mailboxes.
Voicemail, and auto-attendant configuration, is the most vulnerable area that hackers can compromise to gain the ability to make external calls, consider disabling the ability to make external calls from the automated attendant system.
A misconfiguration in the auto attendant can be an easy target for the hackers, so it’s important to check the system and its security parameters frequently to make sure it’s working correctly.
Determine whether your voice mail systems should be allowed to dial out of the PBX itself or dial international numbers, as this is where most problems occur.
Decide if you need an incoming trunk to access an outgoing trunk, and identify how to control it e.g., some users may forward their desk phone to their cell phone, or an assistant may transfer a call to the boss’ home phone.
Consider restricting call forwarding and call transfer features, especially to external numbers, and program your phone system so that extensions can forward only to known numbers, and restrict all others.
It is important to have a sensible, balanced approach to security and risk, that is formally acknowledged within the business. Security is the responsibility of all concerned parties; ensuring policies and procedures are robust and enforced at all levels; appropriate resource is allocated to defence strategies; and core infrastructure is continually monitored. However to succeed, your business must stay progressive, providing staff with communications tools that improve productivity, and improve business efficiencies without putting excessive barriers in the way.
Give your account manager a call for further advice.
Written by David Dearing, VSL Engineer