Is Your Internet Telephony System a Security Risk?

There is an old saying: "If you don't know where you're going, any road will take you there." That is especially true when anticipating threats and protecting information systems. If your organization still needs an internet telephony security policy, you must create an information systems security policy. 

This policy identifies what is being protected (e.g., financial information, trade secrets, personnel records, regulatory requirements, potential insider trading information, etc.), from whom it is being protected (internal or external miscreants), and how much it is worth to protect it.

With the answers to these questions as a base, your company can create internet telephony security policies that determine how systems are to be deployed, who can access them, how they can be accessed (i.e., internal only, remotely), when they can be accessed, and so forth.

Once the policy is created, your organization can develop a plan that identifies the specific components to implement the policy and the procedures required to safeguard the organization's internet telephony intellectual property.

Implementing firewalls, access control lists, or other tools with a carefully considered internet telephony security policy and an overarching plan is better than no plan because it can create a false sense of confidence. Internet telephony brings its unique set of threats and must be fully incorporated into the overall information systems security policy and plan.

Internet telephony software solutions — hosted or premise-based IP PBX systems — are nothing more than complex computer applications that ride on top of a server such as a UNIX, Linux, or Windows platform. One of the most common mistakes is failing to "harden" the underlying internet telephony platform before loading the Internet telephony application on top of it, thus leaving security holes and potential attack vectors.

Make sure that the servers hosting your internet telephony services have been stripped down to bare bones, eliminating all unnecessary tools and applications before they are rebuilt to house only those functions needed for your requirements. All too often, default passwords, anonymous FTP, or other such avenues for attack go unnoticed.

This may seem obvious, but it represents one of the most accessible attack vectors for intruders. These VoIP security tips help identify vulnerabilities and are patched for all operating systems almost daily. Unfortunately, many internet telephony security systems administrators may need more time to implement these patches. Hackers can read the same notices as system administrators and look for sites where the fixes have been tardy. Security Focus is one source for staying up to date on threats to your specific internet telephony operating systems.

As mentioned previously, internet telephony is an application that runs on a server. As such, Internet telephony systems must be monitored, and when bugs or vulnerabilities are identified, these issues should be immediately addressed.

The RTP (Real-Time Protocol) comfort noise processing function in Asterisk systems is vulnerable to remote DoS (Denial of Service) attacks because they improperly handle these packets.

There are solutions available, but administrators must first be aware of the vulnerabilities of your internet telephony system and promptly patch them. All systems have occasional bugs or vulnerabilities. If you think your internet telephony system is impervious, please think again.

Most operating systems and applications, such as Internet telephony, are shipped with remote access for systems administrators. This function is helpful for corporate administrators not collating with servers or contracted technical experts. Unfortunately, it also represents an attack vector that needs to be noticed.

For example, Sun initially shipped its Solaris UNIX-based operating system with its SNMP (Simple Network Monitoring Protocol), DMI (Desktop Management Interface), and admin (Distributed System Administrator Daemon) features actively. SNMP has known vulnerabilities, especially in a Sun environment, that requires patching before going live.

In addition, strong passwords are critical to protecting the remote internet telephony admin function and should be changed regularly. This may seem a "blinding flash of the obvious," but ensure all access passwords are changed when your system administrators leave the organization. There are even more robust protection methods for larger organizations, including two-factor authentication for internet telephony systems.

This is one of the basic principles for any internet telephony security plan over the cloud. It is essential to record a baseline activity so the systems administrator becomes aware of deviations occurring within your internet telephony environment.

For example, calling patterns for most businesses will be relatively regular. Usage will ramp up in the morning and then tail off until a similar "busy hour" occurs in the afternoon. High volumes of calling traffic are not expected during evenings or weekends.

Should the monitors detect such anomalous activity, the internet telephony system administrator can immediately investigate to determine if the traffic is legitimate or a symptom of an attack. With a baseline (and one that changes with company activities, such as adding employees, opening new branches, introducing new services, etc.), it may be possible to detect unusual internet telephony activity before it is too late.

Internet telephony devices are not "telephones" as in the past but relatively small computers with password access. Are your telephone instrument passwords sufficiently strong? Are they changed regularly?

These internet telephony systems can be attack targets, such as the Grandstream HandyTone-488 in the past. Because the instrument performed insufficient checks on user data, it was vulnerable to crashing from attackers, causing a denial of service (DoS) condition for that individual phone.

Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) trigger alerts when suspicious activity occurs. There are several forms of IDS and IPS. These include network-based (NIDS), host-based (HIDS), and application-specific.

A variety of good NIDS is accessible, such as Snort and Sax2 (www.ids-sax2.com). You may also ask your internet telephony provider about an IDS specific to their application. These tools will help you become aware as soon as a threat has occurred and respond appropriately before significant damage has been done.

As part of the internet telephony security policy and plan, it is crucial to identify how much effort is worthwhile regarding voice confidentiality. Some users, such as executives, finance, or regulatory compliance personnel, may engage in internet telephony communications that must be protected. This includes standard telephone calls using an IP PBX but may also include using a "softphone" on a computer, an internet telephony application on a smartphone, or even a standard cell phone.

An essential component of your internet telephony security policy and plan is the education of your users regarding potential risks, followed by enforcement steps defined in your project. Do we allow the use of Zoom or Skype within the company network? Can we enable personnel to install softphones on their laptops and use them outside the company LAN?

There is much to consider when preparing your policies and plans. Social engineering is one of the most accessible forms of internet telephony malware attack. Unscrupulous people frequently capture the information needed to launch attacks by asking for or finding access to information that needs to be appropriately secured within your internet telephony system.

Passwords for company resources should not be stored on laptops. Anyone stealing a computer may be able to bring up an application and, if the internet telephony password has been saved for convenience, can steal, compromise, or delete information resources. If a softphone or internet telephony system is compromised, intruders can place calls and run up large bills (toll fraud).

Personnel must be taught the importance of strong passwords and how not to inadvertently share them with unauthorized people. Internet telephony systems that automate many of these functions can be implemented, but nothing prevents giving out a legitimate password to a potential hacker other than education.

Firewalls are traditionally part of an internet telephony network security plan. Unfortunately, most firewalls are not designed for Session Initiation Protocol (SIP) or the nuances of IP telephony. This may result in ports remaining open and offering an entry point into an internet telephony network for attackers.

Network Address Translation (NAT) and traditional firewalls may also create interoperability problems with some internet telephony systems. SIP-aware or IP-enabled firewalls or internet telephony security controllers are available from companies such as InGate and UM Labs. In addition to providing an elegant and protected path for Internet telephony, these systems also can help resolve interoperability and quality of service challenges.

Compare the best internet telephony providers to get the best security package.