Twenty weeks, one article a week, and three minutes per article – that’s all you need to get the basics of voice security in place.

Let’s jump straight to Week 1 and talk about the key security threats you need to track.

Nearly all voice (and video) is data now, or soon will be. And yet, voice (and video) will always remain different from data. Different enough that they need to be studied as a special case of data security. The most obvious difference is in what you need to protect. This article will not delve into what data security aims to protect; we will keep our focus on answering just one concern: what you should protect against when you want to safeguard your communication networks.

Do voice networks need protection?

• Enterprises lose billions of dollars to Telephony Denial of Service attacks. As per the Communication Fraud Control Association (CFCA), losses due to abuse or misuse of network and IP PBX hacking in 2021 were over 3 billion dollars[1].
• Toll fraud losses in 2021 were over 9 billion dollars, the CFCA found.
• Losses due to traffic pumping to Toll-free numbers in 2021 were over 4 billion dollars. It is estimated that more than 10% of all toll-free calls are toll-free pumping fraud[2].
• Enterprises lose on average about $40,000 per remote worker exploit[3]

Almost every major enterprise and SME leaks money from its communication systems because it simply does not know that it’s being attacked, tracked, or hacked. What you cannot measure, you cannot manage. In summary, yes, communication networks need protection.

What are the key threats and risks to communication security?

The Assertion Threat Model[4] groups security risks to communication systems into the following categories and subcategories:

1. Toll and Revenue Fraud
   • Toll Fraud
   • Traffic pumping
   • TDoS attack
2. Robo and Scam calls
   • Robocalls to users
   • Robocalls to call center
   • Voice Phishing (Scam calls)
3. Compliance Risks
   • OFAC violations
   • E911 abuse and failures
4. Unauthorized Traffic visibility
   1. Incoming call traffic analysis
   2. Outgoing call traffic analysis
   3. Outgoing spam analysis
5. Remote worker security
   • Endpoint brute-force attacks
   • Resource mis-utilization
   • Spying and Monitoring
6. Configuration issues
   • Configuration issues
   • Cloud Posture

Another way to slice these risks is to categorize them based on what they impact and how they are identified. This is based on the analysis of:

1. Incoming calls
   • Traffic pumping
   • TDoS attack
   • Robocalls to users
   • Robocalls to call center
   • Voice Phishing (Scam calls)
   • OFAC violations
   • E911 abuse and failures
   • Incoming call traffic analysis
2. Outgoing calls
   • Toll Fraud
   • OFAC violations
   • E911 abuse and failures
   • Outgoing call traffic analysis
   • Outgoing spam analysis
3. Remote worker signaling
   • Endpoint brute-force attacks
   • Resource misutilization
   • Spying and Monitoring
4. Configuration
   • Configuration issues
   • Cloud Posture
5. Internet-facing IP interfaces
   • Cloud Posture

The benefit of looking at communication risks in this fashion is that it makes it easy to focus on the operational aspects of risk and threat management; for example, if you are an outbound call center, you’d want to focus on outgoing calls first.

In the coming weeks, we will discuss each category in detail. In 20 weeks, you will understand the need for communications security and know enough to have informed conversations about it. Yes, the purpose is educational – we want to help you learn how you can contribute to securing your company’s communication networks, and create a safer and more secure Internet for voice and video.

---

[4] Based on the NIST Cyber Security Framework (CSF) principles(Security and Privacy Controls for Information Systems and Organizations) and the Mitre ATT&CK Framework (Mitre ATT&CK Framework)