“If you have built castles in the air, your work need not be lost; that is where they should be. Now put the foundations under them.”
― Henry David Thoreau
Over my 30+ years working in the world of technology, I’ve experienced incredible changes. I started in the days of analog, witnessed the birth of digital, and now find myself immersed in hyper-connectivity, the Internet of Things (IoT), and artificial intelligence. I try to keep up as best as I can, but there are days when I wish change would stop coming at me at such a furious pace.
Perhaps the areas that have experienced the biggest turmoil are security and privacy. I still have my college identification card and guess what was used for my student ID? My social security number. Can you imagine anyone foolish enough to do that today? Of course, that was well before the days of big data. Identity theft has become infinitely more possible with just a few crucial pieces of information. With little more than my social security number and the name of my elementary school (or something just as seemingly insignificant), criminals can wreak havoc on my life and my pocketbook.
Of course, identity theft is only the tip of the security breach iceberg. Hackers and criminals look for security holes in everything from medical records systems to personnel databases. As we open up our communications systems to the Internet with Web services and VoIP protocols, we are essentially putting targets on our backs that say to the would-be digital thieves, “Here I am. Come and get me.”
I recently came upon a statistic stating that SIP is the most targeted VoIP protocol, accounting for 51% of the security events activity analyzed in the last 12 months. Some of that has to do with the fact that SIP has grown in popularity over its closest competitors, but it’s more than simply a rise in the number of SIP connections.
SIP is both an internal (SIP extensions, applications, etc.) and external protocol (SIP trunks, remote users, etc.). While internal hacks are very concerning, it’s the external nature of SIP that makes it especially vulnerable to compromise. Without taking the proper precautions, breaking into an enterprise can be as simple as downloading a free SIP soft client from the Apple Store, learning a company’s external SIP address, and guessing at passwords. And although that might be where the hackers start, once inside your communications system they will quickly move to attacking even more critical resources.
I am sure you’ve heard about the Denial of Service (DoS) attacks that caused major disruption to websites such as Twitter, Netflix, Spotify, and SoundCloud? Hackers used the fact that most people rarely change the admin passwords for IoT devices such as smart baby monitors. Using the default settings, hackers took control of those devices and suddenly those baby monitors became an army of tools that prevented Airbnb subscribers from booking vacation rentals.
Sadly, a similar thing occurs with far too many users of VoIP technology. I won’t ask for a show of hands, but how many of you log into your SIP phones with a password identical to your extension? If not that, how many of you use “1234”? Unfortunately, I come across both behaviors far more often than I care to say. Sometimes these inadequate passwords are due to a lack of understanding of just how dangerous they are, but it’s often the fault of the communications system itself. I don’t want to name names, but I know of some really big communications products that do not provide their users with an easy way to change the passwords on their SIP endpoints. Honestly, that is like sending out an invitation to be hacked.
Unsecure communications systems and endpoints allow the bad guys to do all sorts of mean and nasty things to your platform. Whether it’s spoofing caller-ID, listening in on telephone calls, logging into voice mail accounts, or uploading harmful firmware, criminals steal valuable information that can be used for everything from insider trading to corporate espionage and blackmail.
Fortunately, there are solutions. While some are more complicated than others, none are out of reach of any IT department. Here are a few basic procedures that everyone needs to implement right away:
- Lock Down Your passwords. Some systems natively support “strong” passwords, and if yours doesn’t, invest in an external password management system. Do this for endpoints, servers, voice mail accounts, etc.
- Encrypt. This is important for both internal and external traffic. Make sure that you encrypt both media and signaling. Meta data can be as valuable as the media it wraps.
- Harden Your Session Border Controller. I strongly suggest regular scans of your SBCs to ensure they are doing all they can to protect your communications platform.
- Look to the Cloud. There are a number of security measures that can be taken before telephone calls ever get to your enterprise. Stop the hackers before they even get to you.
Mischief Managed
Did I scare you? Good. This is serious stuff and I am surprised at how many organizations still have gaping security holes in their communications platforms. Not taking the necessary steps to lock down SBCs and endpoints is like putting a social security number on a college ID. Thankfully, Assertion is here to help you take control of your VoIP security.
Write to sales@assertion.cloud to see what this looks like in action.