Security

Can this service be hacked? How secure is it?

We take security very seriously. Data at rest and in motion is secured using the highest standards of encryption available today.

Do you have access to my log files?

Yes, we collect the log files from your SBC. We tokenize and only retain fragments necessary for security analysis.

Is there any alternative to downloading the scanner utility?

The scanner utility is mandatory to collect, tokenize and securely transmit the data from your SBC to our servers.

What are your security certifications?

We have best-in-class security algorithms in place. We are working on the certifications and we will have them shortly.

Can your employees see my reports (summary or detailed)?

No, our employees cannot see your reports. Your data is encrypted and can only be retrieved using your login. Unless you share your token, no one can see your data.

Do you have my IP address and login? Can you log in using that at a later time?

The scanner utility on your laptop must be started to initiate a scan and each session is protected by a unique token. Unless you start the scanner utility on your laptop, the session to your SBC cannot be established.

Where is the data stored? Can it be stored in my country?

The analyzed data is stored in the AWS cloud in the North America region.

Do you share my data / reports / findings with anyone else?

No, we do not share your data with anyone else.

What data do you upload from my laptop/system?

The scanner utility uploads data collected from the SBC. This includes key security configuration and logs of the past few months.

Will you use my SBC's details to launch background scans from the cloud?

No. The scanner utility on your laptop must be started to initiate a scan and each session is protected by a unique token. Unless you start the scanner utility on your laptop, the session to your SBC cannot be established.

What do you do with my data? How long is it retained?

Most of the data collected from the SBC is purged at the scanner utility (on your laptop). About 10% of the data is tokenized and sent to the cloud for analysis and reporting. The analyzed data is retained for up to one year for historical reporting and learning purposes.



Signing Up / First Scan

I was supposed to get an OTP but have yet to receive it, it’s been a while. What should I do?

Sorry you had to wait this long. The OTP usually arrives within seconds, but emails sometimes land in Junk / Spam folders. You can also provide your phone number in addition to your email address. If it still does not work, please chat with our support.

What if someone from my company already has an account? Do I still need to create a new account?

Accounts are personal, and the best part is, it’s Free! Go ahead and create your own.

Isn’t security already covered by my existing managed services partner? Why do I need to do this scan?

Most services contracts do not cover ownership of application security. Data leaks and hacks to your SBC are your responsibility. In most countries / industries, regulatory compliance is a non-transferable responsibility. Therefore, while your managed services partner makes the best effort to keep your infrastructure in top shape, security is most likely your ownership and responsibility.

Do we need to sign any contract (NDA / MSA) to use your scan?

No, you can scan without the need for any paperwork. You just register and take it for a spin!



Scanner Utility

What does the scanner utility do?

The scanner utility establishes a data pipe between your SBC and Assertion SBC audit cloud service. It connects to your SBC, extracts security configuration and logs, tokenizes data so it cannot be reverse engineered and sends only key tokens to the cloud for analysis.

Does the scanner utility on the laptop keep running even after the scan is completed?

No, the scanner utility completes its job once data is uploaded. It can be terminated once the scan (analysis) begins.

I accidentally closed the scanner utility while it was collecting data; what should I do?

You will have to start a new scan, since the old scan is now abandoned / terminated.

Is there a plan to support Mac or Linux for the scanner utility?

We are considering this and based on the market demand we will release the utility for Mac and/or Linux.

The scanner utility has been running for a long time. Should I cancel it and restart?

Please see the status update on the web page. If there is no progress on the web page, you may want to check the network connectivity with your SBC and the internet connectivity. If everything is alright but the scan is stuck, then raise a support ticket. We will look into this.

What will be the bandwidth requirements for the scan?

The total bandwidth requirements will range from 1 MB to about 500 MB, depending on how complex the setup is and how much traffic is flowing through it. The speed of the internet is not very critical as long as it is stable.

How long does a scan take?

The time taken to scan depends on the complexity of the setup. 20 minutes to an hour is a ballpark average. Do not worry, though: you can start the scan and get on with other work. Once the scan completes, we will notify you.



Scan

Why is an SBC security scan required?

An SBC is a voice firewall, a perimeter device. Since it is susceptible to attacks at any time, an SBC needs strong security. Real-time, always-on security is the best way to know instantly when an attack happens.

Why are you offering a free scan? What is in it for you?

Assertion is a startup and we are using the freemium model to penetrate the market.

I only use the SBC for SIP trunking. Am I at risk? Do I need to scan?

SBCs used as trunk gateways have been hacked periodically. Not in the traditional sense of breaking through the MPLS, but via protocol hacks, both upstream and downstream. Lateral and insider threats always exist, hence the need for a robust security practice like Assertion.

What if I get hacked even after I scan? Will you take responsibility?

To draw a parallel, if you take an ECG and after a few days have a heart ailment, do you blame the ECG report? On similar lines, Assertion’s liability and terms of use are available on the portal. Please read them carefully.

Is internet connectivity required for the SBC to scan? (The SBC is not directly connected to the internet) / Do you have an offline scan (not-cloud based)?

The scanner works in online and offline modes. In the online mode, internet is required throughout the scan: the scanner utility is connected to the SBC audit service on the internet and to the SBC on the local network. In the offline mode, the laptop with the scanner utility can be taken off the internet and moved to the private network of the SBC. Once the collection completes, the utility generates a file locally on your laptop, which needs to be uploaded to the Assertion SBC audit service for the scan to begin.

Can the scan be run during work hours on a production SBC?

Absolutely. The scan does not create a heavy load on the system, although we always recommend that you scan the SBC during low-traffic times.

The scan seems to be stuck/is taking too long to complete. What should I do?

A scan can take up to 60 minutes or even longer depending on how large the data set is, how fast the network is between your laptop and the SBC, and between your laptop and the Assertion cloud. If the scan has reached the scan progress page, titled “Collect & Scan”, then you are good. The scan will proceed in the background and you will receive an email once it is complete. You are free to log off / close the tab.

I do not see my vendor / version of the SBC supported. What do I do?

Do chat with our support staff and tell us which SBC you would like to scan. We would be happy to assist you with your special needs.

Does the scan follow any international security standards?

Yes! Assertion’s SBC audit is built on a set of controls based on the NIST 800-53 and NIST CSF.

How often can I use your free scanning service? How often should I scan my SBC?

You can scan as many times as you want. The recommended audit practice is at least once a quarter and at most once a month.

Are there any signs that I need to look out for to know if I have been hacked?

Many! Random beeps, extensions taking too long to register, extensions unregistering, and a spike in telecom bills are signs that you may be hacked or under attack.

How have other companies benefited from the scan?

Yes! Many customers of Avaya, Avaya itself and many of Avaya’s partners have used and loved the scan.

Is there a plan for phone support during US time zone?

Not yet. Please chat to report any queries you have.



Summary Report

The report has found a lot of security issues. Are they all for real and does it mean I will get hacked now?

Our scans undergo 100s of hours of testing to remove false positives. If our report points out 100s of issues, you most likely have them. You may not be hacked today or in a few hours, but you must rectify the security issues ASAP.

The scan has found high-risk failures. Will I get hacked? Am I safe?

High-risk failures need to be addressed with immediate effect. These are major security flaws that an attacker can easily spot and exploit. You may not be hacked today or in a few hours, but you must rectify the security issues ASAP.

The scan has found only medium / low-risk failures, but no high-risk failures. Am I safe?

Great, you have no high-risk failures. But medium- and low-risk failures are not something you can ignore. These are security flaws that an attacker can probe, identify, and exploit. You may not be hacked today or in a few hours, but you must rectify the security issues ASAP.

The scan has found no failures. Am I safe?

Great, you have your SBC in top shape. You can pat yourself on the back for configuring and maintaining it so well. Do remember to come back next month to scan your SBC.

I have not received the summary report email even after 30 minutes. What should I do now?

A scan can take up to 60 minutes or even longer depending on how large the data set is, how fast the network is between your laptop and the SBC, and between your laptop and the Assertion cloud. If the scan has reached the scan progress page, titled “Collect & Scan”, then you are good. The scan will proceed in the background and you will receive an email once it is complete. You are free to log off / close the tab.

The summary report email went into my junk folder and I lost it. How can I retrieve it again?

You can log in to the dashboard and see the report there.

Can someone from your team at least help us understand the findings? Is there some basic consultation provided?

Assertion does not provide interpretation services. You can chat with our support on the website and they can guide you to our preferred partner who can help you understand the findings and even remediate them.