TeleDynamics Think Tank

Is your SIP phone system safe?

Written by Daniel Noworatzky | Jun 22, 2016 7:48:00 PM

Because VOIP telephone systems send voice over a packet network, they are just as vulnerable to data breaches and cyberattacks as any other IP (Internet Protocol) application. According to The Sileo Group, a data security think tank, fully 60% of small companies go out of business within a year of a data security breach.

“Cybercrimes hit companies of all sizes and affect their bottom line to the tune of several years of profit,” asserts John Sileo, CEO of The Sileo Group.

The good news is, if your data network is secure, your VOIP voice transmissions are in some ways even more secure than a traditional analog phone system. And most risks can be mitigated by putting some basic best practices in place.

DDoS attacks

Distributed Denial of Service (DDoS) attacks can obstruct your business and stifle incoming and outgoing communications over the IP phone system by saturating your network. Given how inexpensive these attacks are to carry out, and how effective they are at interrupting business, the volume of DDoS attacks is growing by leaps and bounds. According to Akamai’s Q1 2016 State of the Internet – Security Report, DDoS attacks increased 125% in Q1 2016 vs. the same period last year.

Mitigation: Some session border controllers (SBC) have built-in DDoS protection. There are also on-premise and cloud-based DDoS mitigation services provided by third parties that can detect and mitigate attacks before they compromise your network.

Packet sniffing

Packet sniffers, also known as packet analyzers, monitor and analyze data in a local area network (LAN) and are used for troubleshooting and maintaining efficient traffic flow. In the wrong hands, however, these same packet sniffers can be used to “listen in” on calls or obtain sensitive non-encrypted information.

Mitigation: Because LANs are normally switched, the voice flows of VOIP calls are unicast (i.e., they travel only between the sender and receiver of the information and not over the broader network), so it is difficult to monitor LAN traffic from outside the network. Beyond the standard IT security measures, it’s important to mitigate human risk by instilling a culture of security among the workforce. Keep in mind that all cybercrimes have both a human and a technological component, so addressing the human component of the risk is just as important as the technological component. Simple things like keeping the equipment room locked and using secure passwords are not to be overlooked.

Data extrusion

Data extrusion, also known as data exfiltration, is the unauthorized transfer of data from a computer, either through physical access to the computer or through malicious programming over a network.

Mitigation: Most security measures for preventing unauthorized data egress involve rules- or role-based access and permissions. For example, data leak protection (DLP) applications can block the flow of unauthorized data beyond the enterprise perimeter based on rules defined by the company. Role-based access control (RBAC) restricts system access to authorized individuals.

Malware

Malicious network intrusion can allow malware to be embedded in signaling and media sessions, which can contaminate the whole enterprise network of computers and servers.

Mitigation: This risk is normally mitigated through a complete form of packet analysis called deep packet inspection (DPI), which analyzes every portion of content in every data packet that flows through a network.

Steps for securing your SIP telephone system

The five basic steps we recommend for keeping your VOIP telephone system secure are:

  1. Use SIP trunking, and not the public internet, for media sessions. Dedicated connections not only offer better quality of service (QoS) but greatly lessen the risk of malicious intrusion into your IP communications.
  2. Conduct an organization-wide risk assessment and penetration test, preferably carried out by an objective third party.
  3. Take action on the identified threats. While 100% security is unrealistic, “most of the vulnerabilities are easily solvable,” says Sileo. “The important thing is to identify them, then take action and address them.”
  4. Apply learnings as you go. Network monitoring does not help if the learnings are not used to make continual improvements.
  5. Create a culture of security at the company. Remember that cybersecurity is as much of a human issue as a technological one, so make everyone at the company responsible for it and involve every department, not just IT.

Conclusion

Ensuring the security of your data network will help protect your VOIP phone system against cyberthreats. Using dedicated SIP trunks for IP sessions and putting some best practices in place can go a long way towards protecting your company’s sensitive data and business continuity.