Understanding VoIP Risks and How to Protect Against Them
Grant Maye
Once a business has successfully deployed a VoIP system, it is easy to neglect the need for a security strategy; however, security should be a priority, especially since cybersecurity and privacy risks continue to grow. Loss of employee and customer records is the most-cited consequence of security breaches, which can have negative repercussions on customer relationships and a company’s brand reputation. Additionally, businesses should be aware that a security breach could go beyond customer data and disrupt their services – or even physically damage a network. It is important to be aware of some common VoIP security issues and know what solutions can provide a good defense against them.
Common VoIP Security Threats
Vishing, the voice-based equivalent of the e-mail phishing scheme, occurs when attackers use ID spoofing to trick call recipients into giving up sensitive data. Attackers pretend to be reputable businesses, such as banking institutions or credit card companies. These attacks generally target end users, not the entire VoIP system, which can make them more difficult to prevent.
Denial of Service (DoS) Attacks
When a DoS attack occurs, a hacker floods a VoIP network server with SIP call-signaling messages, which will consume available bandwidth and slow down or stop system traffic. This halts incoming and outgoing VoIP calls and can disrupt the flow of daily business, equalling a loss in sales and a decrease in productivity. A DoS attack can also allow hackers to gain remote admin control of servers, meaning that sensitive data can be stolen and expensive calls can be made on the business’s account.
One headache that can occur is eavesdropping, one of the most common VoIP threats. Audio streams are intercepted with no authorization, putting information from conversations at risk. Unfortunately, packet capture tools allow hackers to tap into any unencrypted VoIP traffic, making conversations easily accessible. Most of the data collected from eavesdropping is used for identity theft.
Another type of call fraud is phreaking, where hackers steal service from a service provider. Hackers who engage in phreaking can change calling plans, add more credit to an account, or rack up calls on an account. This leads to excessive charges on the business’s account.
Malware & Viruses
When utilizing softphones with a VoIP network, hardware and software are vulnerable to attacks by malware, worms, and viruses. Softphone applications run on user systems, so they are exposed to these malicious attacks. The different viruses will take over a computer system, sending spam, destroying information, and tracing keystrokes to enable remote access. It has been found that financial data and credit card information are the most vulnerable during these attacks.
Solutions to Prevent VoIP Security Threats
The best way to counteract these VoIP security threats is to be proactive and stop them before they occur. There are a few different ways smart businesses can go about protecting themselves from potential threats and attacks:
- Encryption: When VoIP calls are transmitted over the Internet, they are unencrypted, which means information is easily accessible. In most cases, it is easy to enable and configure encryption of your communications between existing points on your network. How you do this will depend on how your VoIP network is set up, what hardware is being used, and what the settings are on firewalls, session border controllers, and routers. Encryption is important for all types of businesses but critical for any industry that deals with consumer data, such as financial services.
- Strong Passwords: When setting up your VoIP network, make sure never to leave a default password on any IP phone, router, switch, firewall, SBC, or essentially any other device that requires a password. When you do choose a password, make sure you’re following rules to make it a strong one. The best passwords are long strings of characters that do not include common phrases. Add some capital letters, numbers, and/or special characters. Also, make sure you are using a different password per device.
- Close Monitoring: Your network admins should be monitoring everything closely – and they probably are; they should continue to do so. If something suspicious is going on, such as strange calls coming in on the network, your office should be advised and trained on how to handle these unwanted vishing calls. Your end users should know how to handle a cybersecurity attack, too.
- Utilizing a VPN: A Virtual Private Network, or VPN, is a service that will allow a business to connect to the Internet through a server run by a VPN provider. All data will then be encrypted, protecting sensitive information. Utilizing a VPN is a great and easy way to ensure that remote workers’ connections are secure. A VPN creates a “tunnel” through the public Internet and passes only secured traffic to and from the office network, so remote workers will have secure access to the onsite network through a public network.
- Utilizing a Session Border Controller: These devices provide a secure entry point for UC, starting, conducting, and stopping VoIP voice calls. They create a secure connection between the enterprise and SIP trunking provider. Session border controllers provide protection against overflow attacks, DoS attacks, intrusions, and some worms that can be contained in a single packet.
- Antivirus Software: This may seem like a given; however, not all businesses that utilize softphones are fully equipped with this software. As part of the office’s computer system, protect softphones by installing and updating antivirus and anti-malware programs, such as firewalls.
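The DoS threat and the "Close Monitoring" advice above meet in a simple rate check on SIP signaling. The following is an added example, not part of the original article: it assumes a hypothetical log format of "epoch seconds, source IP, SIP request line" and illustrative thresholds, and flags any source that sends too many call-setup requests in a short window.

```python
from collections import defaultdict, deque

# Request methods that dominate a SIP signaling flood (choice is an assumption).
WATCHED = {"INVITE", "REGISTER", "OPTIONS"}

def parse_line(line):
    """Parse '<epoch seconds> <source IP> <SIP request line>' (hypothetical format).
    Returns (ts, src, method), or None for responses and malformed lines."""
    parts = line.split()
    if len(parts) != 5 or parts[4] != "SIP/2.0":
        return None  # e.g. 'SIP/2.0 200 OK' is a response, not a request
    try:
        return float(parts[0]), parts[1], parts[2]
    except ValueError:
        return None

def detect_floods(lines, window=10.0, threshold=20):
    """Return {source IP: time of first alert} for sources that send more than
    `threshold` watched requests within `window` seconds (illustrative values).
    Lines must be in time order."""
    recent = defaultdict(deque)  # per-source timestamps inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] not in WATCHED:
            continue
        ts, src, _ = parsed
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) > threshold:
            alerts.setdefault(src, ts)
    return alerts

def sample_log():
    """Constructed sample: one normal phone and one flooding source."""
    lines = [f"{1000 + 60 * i} 192.0.2.10 REGISTER sip:pbx.example.com SIP/2.0"
             for i in range(5)]
    lines.append("1030 192.0.2.10 INVITE sip:200@pbx.example.com SIP/2.0")
    lines.append("1031 192.0.2.10 SIP/2.0 200 OK")  # response, ignored
    lines += [f"{1100 + i / 10:.1f} 198.51.100.7 INVITE sip:201@pbx.example.com SIP/2.0"
              for i in range(50)]  # 50 INVITEs in 5 seconds
    return sorted(lines, key=lambda l: float(l.split()[0]))

if __name__ == "__main__":
    for src, ts in detect_floods(sample_log()).items():
        print(f"ALERT {src}: SIP request flood detected at t={ts}")
```

In practice the window and threshold would be tuned against normal call volume, and the alert would feed rate limiting on the firewall or session border controller.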
It is imperative to take precautions to prevent VoIP threats and attacks. The VoIP specialists at 888VoIP can assist with VoIP security issues and can also provide insight into what VoIP security products are the best for you and your end users. Contact the leader in VoIP distribution at 888-864-7786 or by e-mailing the team at [email protected].