Cybercriminals will happily tell you: IP telephony, known as VoIP, is a wonderful thing. VoIP security can’t be an afterthought.
Eavesdropping on phone calls opens a treasure trove of valuable data. Big gems await in financial institutions, professional services firms, and government agencies. Equally dazzling are call centers, where the bounty can include confidential account information, health records, and payment card data.
Hacking voicemail is also lucrative; it exposes private business information and celebrity secrets.
Toll fraud is prized by a global armada of phone pirates, who are unrelenting in their attacks. "Unfortunately, a business decided they needed voice security after the fact," says Chris Krueger, director of operations at Cisco Premier Certified Partner PEI. "During a few hours one morning, a rogue user had easily accessed the call control in the SIP gateway and generated several thousands of dollars in calls to Eastern Europe."
Don't let security vulnerabilities decimate the financial and productivity benefits that your company can get, or is already getting, from an IP phone system.
"Some customers who have us design and implement their VoIP solution decline security services, saying with full intention that they'll do it themselves. It's amazing to see that 100 percent of them just don't get around to doing it," Krueger says. His company, PEI, is a technology consultancy and service provider focused on technologies such as networking unified communications, with security as a top priority.
VoIP risks extend beyond toll fraud, voicemail hacks, and eavesdropping. IP phones can be entry points into your business network. VoIP calls and voicemail messages are data, susceptible to data network attacks.
Whether you use a hosted IP phone service or an onsite VoIP system, protecting the voice network requires the same protection as the data network. The security policies and technologies can be complex, depending on your goals (including compliance requirements), users' applications and locations, and the IP phone system you're using, whether onsite or hosted. Fortunately, you can engage VoIP experts--such as Cisco partners--to strengthen and simplify your company's security.
Following is an introduction to some IP phone security strategies, from Cisco and two Cisco partners that provide VoIP security solutions and services.
Has the service provider provisioned your voice services with security in mind?
Evaluate services such as VLAN configuration, user authentication, and encryption, as well as the security of configuring and signaling methods. Also investigate any HIPAA, SOX, PCI, or other compliance guidance that may apply.
A client of our hosted contact center service wanted voice encryption on its phones, because it's highly protective of its data and it's also subject to regulatory compliance," says Rocky Livingston, CIO at USAN. A Cisco Registered Partner, USAN provides contact center communications and optimization solutions that give users flexible ways to engage customers across channels.
For this client, USAN chose the Secure Real-Time Transfer Protocol (SRTP) because it's easy for users to use, has less overhead than IPsec protocols, and does not cause any difference in voice quality, says Mike Evenson, vice president of managed services.
"By integrating Cisco SPA525G2 phones, we give the client a customized solution that implements SRTP based on the configuration file in their DHCP server that is associated with the phone's MAC address," says David Al-Khadhairi, vice president of enterprise architecture.
Take advantage of features on your VoIP system that enable security. Essentially:
Apply physical and logical protection, such as:
Some voice systems and switches support device discovery protocols and automatically assign IP phones to voice VLANs.
Apply encryption by segment, device, or user; encrypting indiscriminately can result in excessive network latency or introduce operational overhead and complexity.
Encrypt the signaling at your Internet gateway with Session Initiation Protocol (SIP) over Transport Layer Security (TLS); your service provider's switch fabric may do this.
Encrypt the media (packets) with protocols such as SRTP.
Use VPNs for network connections by remote phones. This is especially important when HTTPS or SRTP is unavailable, says Krueger. He says that Cisco AnyConnect® Security Mobility Client and site-to-site VPNs work well in this role.
Communicate your phones' built-in security features to users.
Apply strong passwords to access the voicemail inbox. Immediately change the default password to a strong password, then change it as often as your company's policy dictates for changing login and email passwords.
Delete sensitive voicemail messages as soon as users have listened to them. Not storing voicemails is the easiest and most effective way to protect them.
Immediately report anomalies. You may not know a phone has been hacked until an employee reports an odd occurrence, such as a saved voicemail message that has been deleted or forwarded to an unusual number.
When cybercriminals find your IP phones and voice system, how happy will they be?
Ruin their day. Cisco partners can help you protect your company's voice and business assets--and raise your happiness by simplifying your security job and providing award-winning support.
Our resources are here to help you understand the security landscape and choose technologies to help safeguard your business.
These tools and articles will help you make important communications decisions to help your business scale and stay connected.