Communications Security: Covering the Bases
Is it possible to go through a week without reading about another major security breach? Here's how you can stay safe.
September 8, 2014
In the past week alone, the top news stories have been the massive theft of credit card numbers and personal data from Home Depot and the hacking of celebrities' iCloud accounts. Before that it was Goodwill, JPMorgan Chase, and Dairy Queen.
These attacks not only hurt the consumers that do business with those companies, but the companies themselves are severely wounded. Just ask the folks at Target who are still doing damage control over their pre-Christmas security assaults. Profits fell and their CEO was ousted.
As much as we hear about this seemingly endless series of horror stories, I am surprised at how many IT departments aren't vigilant about the security practices applied to their communications systems.
In this article, I will discuss a number of different ways your communications system can be breached. Some have to do with SIP and IP, and a number have to do with communications in general. It's important that you pay attention to both aspects to ensure that you've done what you need to do to keep your company safe and secure.
The price of toll fraud extends beyond high telephone bills. Attackers also break into communications systems to steal information. Eavesdropping on calls between executives could hand a hacker material non-public information. Not only is your system compromised, but your company may be held legally liable for the leaked information.
Hackers might also be fishing for potentially damaging information about your company. In the same way you treat sensitive documents with care, that same care must be given to voice, video, and instant message conversations. Don't let a stolen phone call lead to an embarrassing situation and bad publicity.
Let's begin with the physical components that make up a communications system. It goes without saying that they must be physically secured and, if possible, logically isolated from the rest of your network: put voice servers, gateways, and phones on their own VLANs and filter traffic between the voice and data segments. A hacker or malicious insider can do a great deal of damage by gaining access to an unprotected network port or console connection. Keep your core communications equipment behind locked doors, and limit the number of people who can make changes to it.
Encrypt everything
This includes signaling and media. If you are using SIP, turn on transport layer security (TLS) for every signaling path: phone registrations, trunks to carriers, and links between servers. TLS keeps the signaling, and with it the metadata about your communication (who called whom, when, and from where), from being read on the wire. Keep in mind that SIP over TLS is hop-by-hop: every proxy or SBC in the path sees the signaling in the clear, so each hop must be one you trust and control.
Encrypt the media with the Secure Real-time Transport Protocol (SRTP). SRTP stops the bad guys from listening in on your phone calls. Note that the SRTP keys are usually exchanged inside the SIP signaling (SDES), so SRTP without TLS on the signaling hands an eavesdropper the keys along with the call; turn both on. Recorded messages in your voicemail store are outside SRTP's reach and need encryption at rest. Again, your words carry valuable information that could cause great harm if they fall into the wrong hands...or ears.
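The following is an added example, not code from the original article. It audits a captured SIP INVITE for the two settings the section above asks for: TLS as the transport in the top Via header, and an SRTP profile (RTP/SAVP or RTP/SAVPF) on each SDP m= line with either an a=crypto (SDES) or a=fingerprint (DTLS-SRTP) line to key it. It also flags SDES keys carried in signaling that is not itself encrypted. Both sample messages are constructed for illustration.

```python
"""Audit a SIP INVITE for unencrypted signaling and media (added example)."""
import re

# Constructed sample: INVITE over UDP offering plain RTP/AVP audio.
WEAK_INVITE = (
    "INVITE sip:2001@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.15:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@pbx.example.com>;tag=1928301774\r\n"
    "To: <sip:2001@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.15\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 2890844526 2890844526 IN IP4 10.0.0.15\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.15\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:8 PCMA/8000\r\n"
)

# Constructed sample: the same call over TLS, offering SRTP keyed by SDES.
STRONG_INVITE = WEAK_INVITE.replace(
    "SIP/2.0/UDP 10.0.0.15:5060", "SIP/2.0/TLS 10.0.0.15:5061"
).replace(
    "m=audio 49170 RTP/AVP 0 8\r\n",
    "m=audio 49170 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
    "inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:32\r\n",
)


def signaling_transport(headers):
    """Transport named in the top Via header (the hop this message took)."""
    for h in headers:
        m = re.match(r"via\s*:\s*SIP/2\.0/([A-Za-z]+)", h, re.I)
        if m:
            return m.group(1).upper()
    return None


def media_sections(body):
    """Split an SDP body into (m= line, [a= lines]) per media stream."""
    sections = []
    for line in body.split("\r\n"):
        if line.startswith("m="):
            sections.append((line, []))
        elif sections and line.startswith("a="):
            sections[-1][1].append(line)
    return sections


def audit_invite(raw):
    """Return a list of (severity, finding) tuples; an empty list is clean."""
    findings = []
    head, _, body = raw.partition("\r\n\r\n")
    headers = head.split("\r\n")[1:]

    transport = signaling_transport(headers)
    if transport != "TLS":
        findings.append(("high", f"signaling over {transport or 'unknown'}: "
                         "call metadata (From/To/Call-ID) is readable on the wire"))

    for mline, attrs in media_sections(body):
        fields = mline.split()
        kind, profile = fields[0][2:], fields[2]
        sdes = any(a.startswith("a=crypto:") for a in attrs)
        dtls = any(a.startswith("a=fingerprint:") for a in attrs)
        if not profile.startswith("RTP/SAVP"):
            findings.append(("high", f"{kind} offered as {profile}: media is not encrypted"))
        elif not (sdes or dtls):
            findings.append(("high", f"{kind} offered as {profile} with no a=crypto "
                             "or a=fingerprint: SRTP cannot be keyed"))
        elif sdes and transport != "TLS":
            findings.append(("high", f"{kind} SRTP key is sent in clear-text signaling "
                             "(SDES without TLS)"))
    return findings
```

Run it against INVITEs captured at the phone, at the PBX, and at the trunk: because TLS is hop-by-hop, a clean result on one leg says nothing about the others.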
Implementing Policy
The next thing you need to examine are your password and access policies. Don't let the weak link in your security chain be an easily guessed four-digit password. I am constantly finding companies that allow a user's telephone extension to be his or her password. I've also seen just as many "1234" passwords out there. This has to stop for clients both inside and outside your network.
When my company moved to SIP, we immediately forced every user to adopt eight-digit passwords. We also instituted a policy that prohibited easily guessed passwords. Next, we deployed software that aged passwords after so many days and didn't allow the same passwords to be reused. In essence, we created communications password policies that mimicked what we were already doing with our domain passwords.
In addition to user passwords, take a good look at the passwords used to administer your system. Most systems ship with well-known default administrative credentials. Change them before the system goes on the network, give each administrator an individual account rather than a shared login, and apply the same strength and aging policies to those accounts that you apply to users.
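The following is an added example, not code from the original article. It encodes the policy the section argues for as a check you can run at provisioning time: a minimum length (eight digits, as in the policy described above), no extension-as-password, rejection of the obvious keypad patterns (a single repeated digit, ascending or descending runs, a short block repeated), a blocklist of commonly guessed PINs, and no reuse of a recent password. The blocklist and the sample history are constructed.

```python
"""Password/PIN policy for phone and voicemail logins (added example)."""
MIN_LENGTH = 8

# Constructed blocklist of commonly guessed keypad passwords; extend it from
# your own incident history.
COMMON_PINS = {
    "1234", "0000", "1111", "12345", "123456", "654321", "1234567",
    "12345678", "87654321", "11111111", "00000000", "12341234", "11223344",
}


def is_run(pin):
    """True for ascending or descending digit runs, wrapping 9->0 ("90123")."""
    d = [int(c) for c in pin]
    steps = [(b - a) % 10 for a, b in zip(d, d[1:])]
    return bool(steps) and (all(s == 1 for s in steps) or all(s == 9 for s in steps))


def is_repeated_block(pin):
    """True when the password is one short block repeated ("1111", "12121212")."""
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin[:size] * (len(pin) // size) == pin:
            return True
    return False


def check_password(candidate, extension, history=()):
    """Return the list of policy violations; an empty list means accepted."""
    if not candidate.isdigit():
        # Phone and voicemail logins are entered on a keypad, so digits only;
        # the pattern checks below assume that.
        return ["must contain digits only"]
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} digits")
    if extension and (extension in candidate or candidate in extension):
        problems.append("contains or equals the user's extension")
    if candidate in COMMON_PINS:
        problems.append("on the commonly guessed list")
    if is_run(candidate):
        problems.append("ascending or descending digit run")
    if is_repeated_block(candidate):
        problems.append("repeated digit or repeated block")
    if candidate in history:
        problems.append("reused from password history")
    return problems
```

Wire the same function into whatever path sets voicemail PINs and conference moderator codes, since those entry points are attacked the same way as phone logins.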
Securing Applications
Securing your network and passwords is absolutely essential to keeping the bad guys out, but by no means does it stop there. You also need to take steps to secure your applications and user policies to stop the hackers that make it through that first line of defense.
I like to begin with your users' class of service (COS) settings. Think very carefully about the levels of access you give to your users. For example, be very restrictive about who is allowed to dial international numbers. Perhaps only your highest executives need access. Perhaps it's no one.
If you do need to grant international dialing, lock it down to the country codes you need to dial. If your employees don't need to call Brazil, turn it off.
External call forwarding can be very dangerous. I once worked for a company that was hit with a phone bill in the tens of thousands of dollars because someone hacked into our PBX, set telephones to forward to external numbers, and then used them as launching pads. If you don't need that feature, turn it off. At a minimum, give it to carefully selected users and monitor their phone activity.
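The following is an added example, not code from the original article or any PBX. It models the class-of-service decisions described above: whether a user may dial internationally at all, which country codes are on the allow list, and whether calls may be forwarded off-net. It also covers the unattended dial-out paths (voicemail and conference bridge) discussed further on, since they are decided by the same policy. Dialed digits are normalized to E.164 (leading '+', the North American 011 prefix, and an assumed '9' outside-line code), the country code is found by longest-prefix match, and NANP destinations outside the US and Canada (Caribbean codes behind +1, a classic toll-fraud target) are treated as international rather than domestic. The country table is a small subset for illustration, and the home country is assumed to be the US; a real dial plan carries the full ITU list.

```python
"""Class-of-service checks for outbound calls and forwarding (added example)."""
from dataclasses import dataclass

HOME_COUNTRY = "1"  # assumed: North American deployment

# Subset of ITU country codes, for illustration only.
COUNTRY_CODES = {
    "1": "NANP", "7": "Russia/Kazakhstan", "33": "France", "44": "United Kingdom",
    "49": "Germany", "55": "Brazil", "81": "Japan", "86": "China", "91": "India",
}

# NANP area codes that are international destinations despite the +1 (subset).
NANP_OFFSHORE = {"809", "829", "849", "876", "284", "649", "268", "441"}
NANP_PREMIUM = {"900"}


@dataclass(frozen=True)
class ClassOfService:
    name: str
    international: bool = False
    allowed_countries: frozenset = frozenset()  # empty = any, when international is on
    external_forward: bool = False
    unattended_dial_out: bool = False  # voicemail outcalling / conference dial-out


def normalize(dialed):
    """Dialed digits -> E.164 digits without '+', or None if unrecognized."""
    d = "".join(ch for ch in dialed if ch.isdigit() or ch == "+")
    if d.startswith("+"):
        return d[1:] if d[1:].isdigit() else None
    if d.startswith("011") and len(d) > 3:
        return d[3:]
    if len(d) == 10:
        return HOME_COUNTRY + d
    if len(d) == 11 and d.startswith("1"):
        return d
    if d.startswith("9") and len(d) > 1:
        return normalize(d[1:])  # assumed outside-line access code
    return None


def destination(e164):
    """Policy key for a number: its country code, or '1-NNN' for offshore NANP."""
    cc = next((e164[:n] for n in (3, 2, 1) if e164[:n] in COUNTRY_CODES), None)
    if cc == "1" and e164[1:4] in NANP_OFFSHORE:
        return "1-" + e164[1:4]
    return cc


def evaluate_call(cos, dialed, origin="station"):
    """Decide an outbound call; returns (allowed, reason).

    origin is 'station', 'forward', 'voicemail' or 'conference'; the last
    three are the unattended paths that toll fraud relies on."""
    if origin == "forward" and not cos.external_forward:
        return False, f"{cos.name}: external call forwarding disabled"
    if origin in ("voicemail", "conference") and not cos.unattended_dial_out:
        return False, f"{cos.name}: dial-out from {origin} disabled"
    e164 = normalize(dialed)
    if e164 is None:
        return False, "unrecognized number format"
    dest = destination(e164)
    if dest is None:
        return False, "unknown country code"
    if dest == HOME_COUNTRY:
        if e164[1:4] in NANP_PREMIUM:
            return False, "premium-rate destination blocked"
        return True, "domestic"
    if not cos.international:
        return False, f"{cos.name}: international dialing disabled"
    if cos.allowed_countries and dest not in cos.allowed_countries:
        return False, f"{cos.name}: destination +{dest} not on the allow list"
    return True, f"international to +{dest} ({COUNTRY_CODES.get(dest, 'NANP offshore')})"
```

The default ClassOfService denies everything but domestic, attended calls; every permission has to be granted explicitly, which is the posture the section recommends.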
Conferencing Bridges
Voicemail systems and conference bridges are commonly used to commit toll fraud. An attacker dials in, guesses a weak mailbox or moderator PIN, and uses the dial-out feature (voicemail outcalling or call-back, conference dial-out) to place calls on your trunks. This can be prevented by granting dial-out only in carefully thought out cases or turning it off altogether. Additionally, you may want all your conferences to end when the moderator exits the meeting. This prevents conferences from lingering on and being used for malicious activity.
The passwords used for these services need to be protected, too. A moderator's conference bridge password can be just as golden to a hacker as a telephone login. Apply the same levels of policy to these entry points as you would to any other.
I cannot overemphasize the importance of a session border controller at your network edge. Besides protecting you from denial of service attacks, registration storms, and malicious intrusion, an SBC can hide the identity of the communications system it protects. Hackers want to know the make, model, and version of the system they are attacking, because that lets them use known weaknesses and vulnerabilities to their advantage. The SIP messages your PBX sends advertise exactly that: User-Agent and Server headers name the product and version, and Via, Contact, Record-Route, and SDP lines carry internal addresses. An SBC's topology hiding strips or rewrites those headers so that only the SBC's own public address and a generic identity leave your network.
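The following is an added example, not code from the original article or from any SBC product. It shows the topology hiding described above applied to an outbound INVITE the way a back-to-back user agent at the edge does it: drop headers that name the platform (Server, User-Agent, Organization), collapse the internal Via stack into a single Via of the SBC's own, remove internal Record-Route entries, rewrite the host in From, Contact, and Call-ID, and, because the SBC also relays media, replace the internal addresses in the SDP o= and c= lines and recompute Content-Length. leaked_internals() is the check you would run on a capture taken outside the edge. The INVITE, the product string, and the SBC addresses (203.0.113.x, the documentation range) are constructed.

```python
"""Topology hiding as an SBC applies it to an outbound INVITE (added example)."""
import hashlib
import ipaddress
import re

SBC_SIGNALING = "203.0.113.5:5061"  # assumed public signaling address of the SBC
SBC_MEDIA = "203.0.113.6"           # assumed public media relay address
REVEALING_HEADERS = {"server", "user-agent", "organization"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: INVITE as it leaves the internal PBX (10.0.0.2) toward the edge.
INTERNAL_SDP = (
    "v=0\r\n"
    "o=- 2890844526 2890844526 IN IP4 10.0.0.15\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.15\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:32\r\n"
)
INTERNAL_INVITE = (
    "INVITE sip:+12125550199@sip.carrier.example SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.0.0.2:5061;branch=z9hG4bKpbx7731\r\n"
    "Via: SIP/2.0/TLS 10.0.0.15:5061;branch=z9hG4bK776asdhds\r\n"
    "Record-Route: <sip:10.0.0.2:5061;transport=tls;lr>\r\n"
    "From: \"Alice\" <sip:+12125551001@10.0.0.2>;tag=1928301774\r\n"
    "To: <sip:+12125550199@sip.carrier.example>\r\n"
    "Contact: <sip:1001@10.0.0.15:5061;transport=tls>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.15\r\n"
    "CSeq: 314159 INVITE\r\n"
    "User-Agent: ExamplePBX/7.2.1 (build 4418)\r\n"  # constructed product string
    "Max-Forwards: 70\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(INTERNAL_SDP)}\r\n"
    "\r\n"
) + INTERNAL_SDP


def rewrite_uri_host(value, new_host):
    """Replace the host[:port] of every sip: URI in a header value."""
    return re.sub(r"(sip:(?:[^@>;\s]+@)?)([^;>\s]+)", lambda m: m.group(1) + new_host, value)


def hide_topology(raw):
    """Re-originate an outbound request with only the SBC's identity visible."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    sbc_host = SBC_SIGNALING.split(":")[0]
    out, top_branch = [], None
    for h in headers:
        name, _, value = h.partition(":")
        key, value = name.strip().lower(), value.strip()
        if key == "via":  # remember the top branch, drop the whole internal stack
            m = re.search(r"branch=([^;\s]+)", value)
            top_branch = top_branch or (m.group(1) if m else value)
            continue
        if key in REVEALING_HEADERS or key in ("record-route", "content-length"):
            continue  # Content-Length is recomputed after the SDP rewrite
        if key == "from":
            value = rewrite_uri_host(value, sbc_host)
        elif key == "contact":
            value = rewrite_uri_host(value, SBC_SIGNALING)
        elif key == "call-id":  # a real SBC keeps a table to map this back
            value = hashlib.sha1(value.encode()).hexdigest() + "@" + sbc_host
        out.append(f"{name.strip()}: {value}")
    branch = "z9hG4bK" + hashlib.sha1((top_branch or "").encode()).hexdigest()[:16]
    out.insert(0, f"Via: SIP/2.0/TLS {SBC_SIGNALING};branch={branch}")
    new_body = re.sub(r"^(o=\S+ \S+ \S+ IN IP4 )\S+", r"\g<1>" + SBC_MEDIA, body, flags=re.M)
    new_body = re.sub(r"^c=IN IP4 \S+", "c=IN IP4 " + SBC_MEDIA, new_body, flags=re.M)
    out.append(f"Content-Length: {len(new_body.encode())}")
    return request_line + "\r\n" + "\r\n".join(out) + "\r\n\r\n" + new_body


def leaked_internals(raw):
    """What a capture outside the edge reveals: RFC 1918 addresses and product headers."""
    leaks = set()
    for addr in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", raw):
        try:
            if any(ipaddress.ip_address(addr) in n for n in RFC1918):
                leaks.add(f"private address {addr}")
        except ValueError:
            continue
    head = raw.partition("\r\n\r\n")[0]
    for h in head.split("\r\n")[1:]:
        key = h.partition(":")[0].strip().lower()
        if key in REVEALING_HEADERS:
            leaks.add(f"{key} header present")
    return sorted(leaks)
```

The check is the useful half for an audit: capture a few INVITEs and OPTIONS responses on the outside of your SBC and confirm leaked_internals() returns nothing; if it does, topology hiding is not configured on that interface.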
This is by no means an exhaustive list of toll fraud threats and mitigations, but it's a good start. There is no one thing that you can do to ensure that your systems are safe and secure. SBCs, encryption, class of service policies, password protection, and everything else I've discussed need to be employed, monitored, and adjusted as situations change.
I can assure you that the hackers are staying on top of the tools of their trade. You need to do the same when it comes to security and protecting your valuable communications resources. Be safe or be sorry. Very, very sorry.