I got a request from a client to help them understand how Interactive Intelligence systems prevent the situation experienced by the poor soul in the article “Security Manager’s Journal: Slammed with a $100,000 phone bill.” On an initial read of the article, it appears that SIP is the culprit: a call control protocol that is insecure and was not designed with security in mind. This, of course, is not the case; the result outlined in the article was, and is, preventable using standard security practices. While this type of security and fraud event always makes a great title to catch attention, it is often left unsaid how easy it is to prevent the vast majority of these situations. So, what are some quick, easy and often overlooked methods to prevent you from having to make statements like the following to your finance team?
“Last week, my company got a $100,000 phone bill.” … “And it looks like we’re stuck with the bill.”
Tom’s security tips for IP telephony, period, not just a SIP-based solution:
1) Your biggest security hole is your user and administrator community! Implement password policies and do not use a default password. Don’t believe me? Take a look at Default Passwords to IT and Telecom Systems.
2) Authentication is your friend. While SIP is an open protocol by design, each of the associated devices has a full security suite associated with it. Gateways, proxies, application servers, etc. in a VoIP network should be designed to only ‘talk’ with approved devices via authentication. In the words of one of our best SEs: “It’s like putting a water tap or power plug outside in the open and then being surprised that people use water and electricity.”
3) Utilize logging and real-time alerting of abnormal behavior. Many systems allow you to watch, in real or near real time, what is going on in the system. While this is a response rather than prevention, this alone could turn a $100,000 loss into a $1,000 one. I know I would sleep better with this 100-fold decrease in risk.
4) Implement a robust dial plan. As mentioned in the authentication point, the vast majority of the devices in a VoIP deployment support a dial plan to limit risk. If a device is not on the approved and authenticated list, a dial plan can prevent it from dialing any numbers other than the ones you explicitly allow.
5) Free is good, secure is better! Oftentimes I see customers, such as the one in this article, hanging their VoIP system on the Internet to take advantage of free Internet calling. While this sounds great and can save you a boatload of money, don’t forget that it significantly increases your risk profile, so take the necessary precautions.
6) Don’t forget your lab. More often than I’d like to admit, I will walk into a customer site and see a highly secured, well-managed and robust production telephony system. That’s the good news. Unfortunately, their lab system is usually just down the hall, with one small difference. While the production system is locked down to the nines, the lab is usually open, accessible and most likely capable of inflicting just as much pain through telecom bills as the production system.
7) If none of the above lets you sleep at night, you can always go the encrypted path. Our higher-end security customers utilize something called TLS and/or SRTP, which can completely encrypt all call traffic and signaling traffic, preventing anyone outside your organization from even knowing your VoIP system exists.
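To make tips 3 and 4 concrete, here is an added example (not code from the article or from any Interactive Intelligence product) that runs a dial-plan check and a per-device usage alert over constructed call records. The device names, phone numbers, record layout and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; tune them to your own deployment.
APPROVED_DEVICES = {"pbx-prod-01", "desk-phone-17"}  # authenticated endpoints
APPROVED_PREFIXES = ("+1",)                          # approved devices: domestic only
UNAPPROVED_ALLOWLIST = {"911", "+13175550100"}       # all anyone else may dial
WINDOW = timedelta(minutes=10)
MAX_MINUTES_PER_WINDOW = 60                          # billed minutes per device

# Constructed sample records: (start time, source device, dialed number, minutes)
SAMPLE_CDRS = [
    ("2024-01-06 02:00:00", "lab-gw-01", "+8825550100", 30),
    ("2024-01-06 02:01:00", "lab-gw-01", "911", 1),
    ("2024-01-06 09:00:00", "desk-phone-17", "+13175550123", 5),
    ("2024-01-06 09:02:00", "desk-phone-17", "+442079460000", 10),
    ("2024-01-06 23:00:00", "pbx-prod-01", "+12125550101", 25),
    ("2024-01-06 23:03:00", "pbx-prod-01", "+12125550102", 25),
    ("2024-01-06 23:06:00", "pbx-prod-01", "+12125550103", 25),
    ("2024-01-06 23:30:00", "pbx-prod-01", "+12125550104", 5),
]

def dial_plan_allows(device, number):
    """Tip 4: unapproved devices reach only explicitly allowed numbers."""
    if device in APPROVED_DEVICES:
        return number.startswith(APPROVED_PREFIXES)
    return number in UNAPPROVED_ALLOWLIST

def scan(cdrs):
    """Tip 3: return (blocked calls, usage alerts) for time-ordered records."""
    recent = defaultdict(deque)  # device -> (start, minutes) inside the window
    blocked, alerts = [], []
    for ts, device, number, minutes in cdrs:
        if not dial_plan_allows(device, number):
            blocked.append((ts, device, number))
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        window = recent[device]
        window.append((when, minutes))
        while when - window[0][0] > WINDOW:  # drop calls older than the window
            window.popleft()
        total = sum(m for _, m in window)
        if total > MAX_MINUTES_PER_WINDOW:   # allowed calls, abnormal volume
            alerts.append((ts, device, total))
    return blocked, alerts

if __name__ == "__main__":
    blocked, alerts = scan(SAMPLE_CDRS)
    print("blocked:", blocked)
    print("alerts:", alerts)
```

The usage alert matters even with a strict dial plan: calls from an approved device whose credentials have been stolen pass the dial-plan check, so volume is the signal that remains.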
While I know this is by no means a complete list, it is at least a good starting point to significantly decrease risk. Got some other good tips? Put them in the comments below and I’ll be sure to post them.