VoIP Security: Do You Have a Good Voice over IP?

Transcription

1 VoIP Security: Do You Have a Good Voice over IP? Voice Over Internet Protocol (VoIP) services was first introduced in 2004, but it was six years later when first criminal was charged with hacking 1. The six year lag time, however, does not indicate VoIP is any less vulnerable to hacking than other technologies. This 2010 charge appears to be only the tip of the iceberg. The Good VoIP has been a boon to businesses worldwide. The high costs associated with phone calls, national and international, are a thing of the past with what VoIP offers today. Early concerns about VoIP s reliability, robustness, quality, and convenience have been stifled by years of satisfied customers and proven success, and the commercial world is now on board viewing VoIP as an equal competitor to traditional LAN line service. What started out as a personal-use technology has today turned into a serious business enabler. The Bad In spite of all of its success, VoIP still faces a serious threat to information security: Service Theft The most basic thing a hacker can do with your VoIP service is to steal it. In doing so, the perpetrator can make free calls and possibly start off a new VoIP telephony business of his/her own at amazingly cheap rates --just like the first criminal who was charged with hacking VoIP 1. Service theft is relatively easy with VoIP because the Session Initiation Protocol (SIP) that is used for authentication in VoIP calls does not use encryption by default. Identity Theft Close on the heels of service theft is the risk of identity theft. If someone can steal a service, they have everything else they need to steal the identity of the person(s) using the service. Accounts as basic as utilities and as critical as financial loans are often tied to a specific phone number. If all else fails, the hacker can, at a minimum, gather significant information about the target individual(s) to be able to take the next step towards stealing the person s identity.

2 Eavesdropping One might remember when tapping a phone required some serious instruments that needed to be installed at the right places while at the same time the person bugging the phone would have to make sure that nobody watches him/her in action. This procedure is a lot easier with VoIP. The instrument might still look like a phone and work like a phone, but tapping this phone is not at all difficult for someone with the right knowhow and tools and the wrong intentions. Hackers today can take control over several VoIP features such as voic , call forwarding, caller ID, call forwarding, calling plan selection, and billing details. Stealing the VoIP service to enable free calls is actually much less profitable and desirable for hackers. Instead, with businesses increasingly using VoIP, sensitive corporate information is now the target. VoIP packets flow over networks like packets of data that can be sniffed just like regular data packets. These packets can then be merged together to play the voice conversation in a normal media player software. Mix VoIP hacking with corporate espionage and you end up with a very lucky and enabled hacker. Vishing What if you were to receive a call from your bank or your credit card company that had an automated voice at the other end asking you to enter your debit/credit card number, PIN, and other details? Chances are you might comply with the request. Better still, if you were the person making the call to your phone banking number then these chances are actually quite high considering the fact that you were the person making the call. In both these cases, a Vishing attack could have been launched using VoIP that could lead you to believe that you re calling an entity that you trust. Specifically in the second case, redirecting your call to a Visher would actually be much easier if you use a VoIP based phone. Denial of Service One VoIP hacking method that can cause significant frustration and losses to businesses is the Denial of Service. As the name suggests, the main aim of the hacker is to ensure that your organization is denied the usage of your VoIP telephony service. Voice calls made by an organization can be manipulated, tampered, and even dropped. Hackers can even flood the target VoIP infrastructure with several call-signaling SIP messages. Many times, these DoS attacks are actually a smokescreen for hackers to plant malware or even take control of systems in the background. Spyware and Malware VoIP infrastructure rests on the same architecture as a normal computer system. Essentially, the issues that a normal computer system can face are quite applicable to VoIP infrastructures as well. Top of the list is spyware and malware. Consider the example of a software application that is used to enable VoIP telephony.

3 A user would have to run this software over a computer, a PDA, an iphone, or such. This introduces the vulnerability of falling prey to viruses, spyware, malware, worms, and just about all forms of malicious code. SPAM Spam exists with VoIP, although it is known as SPIT or Spam over Internet Telephony. While more typically just an annoyance, SPIT does at times carry viruses and malware, just like spam. While the occurrence of SPIT is not very common today, trends definitely dictate that SPIT is heading in the direction of SPAM. The Ugly Business today is a highly regulated space. The Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Family Educational Rights and Privacy Act (FERPA), the Fair and Accurate Credit Transactions Act (FACTA), and even standards like the Payment Card Industry Data Security Standards (PCI DSS) all require the protection of the confidentiality, integrity, and privacy of sensitive information. If a hacker attacking your VoIP infrastructure was bad, organizations that have been hit by the regulatory whip will bear testimony to the fact that it gets ugly when the regulators come knocking. Improving Your VoIP The key to securing a VoIP infrastructure is to remember that it involves sending voice over the Internet Protocol (IP). So, the way to secure it is quite similar to the way you deal with an IP data network. Here are the key aspects to keep in mind when securing a VoIP infrastructure Encryption VoIP packets, by default, are transmitted in clear-text and so encryption is vital to ensure confidentiality. VoIP infrastructures based on Secure Real-time Transport Protocol (SRTP) take a step ahead of the unencrypted SIP and ensure that VoIP traffic privacy and confidentiality is maintained. Alternatively, encryption in the form of Transport Layer Security (TLS) or Internet Protocol Security (IPSec) can also make a great difference. Network Design A basic rule of thumb to remember is to logically separate voice and data networks. The best case scenario would be to let the VoIP infrastructure have its own isolated network with only the minimum necessary interactions with other sub-networks via secure firewalls. Having dedicated VoIP servers with audited and hardened operating systems and all unnecessary services disabled is the next step to fortifying your VoIP infrastructure.

4 Soft Phones Soft phones add to an administrator s misery by offering another end point that needs to be secured. The ideal solution is to avoid using Soft phones altogether. If they must be used, ensure that they are fully hardened and patched at all times. While it adds an additional burden, it is absolutely paramount to the security of the VoIP infrastructure. Hard Phones Hard phones offer a great alternative to soft phones, especially when coupled with private branch exchange (PBX) systems running on a hardened and, preferably, dedicated server. Periodic checks and updates are essential to ensure that the IP-PBX and IP Phone firmware is fully patched. Physical Security This is an often understated aspect of VoIP security. While an organization can spend countless hours and resources securing the medium of transmission, it is critical to also ensure the physical security of the enabling infrastructure components like the hard phones, the VoIP servers, and any other device that directly or indirectly supports the VoIP infrastructure. Physical security can become the Achilles heel of your VoIP infrastructure if it is not respected. Defaults and Passwords More often than not, default passwords and settings are not secure. These defaults are created with a generic scenario in mind and will most likely not fit the requirements and customization that your organization demands. It is important to replace all default passwords with strong passwords that are at least eight characters long, and employ a combination of uppercase letters, lowercase letters, numbers, and special characters. This should be further bolstered by good password policies and robust identity management. Voice Messaging Systems and Storage One typical area that is easy to miss is the security of calls that are stored on voice messaging systems. Ensure that the voice message boxes of all users require that the password be changed each time the service is used. It might cause a bit of inconvenience, but it will also offer a mile of improved security. It is also important to secure the storage of voice messages by performing periodic checks and audits to look for exploitable holes. Vulnerability Assessments Last, but most important, a periodic vulnerability assessment of the VoIP infrastructure can ensure that no holes have emerged due to the ever-changing nature of business requirements and the networks that support them. Independent audits can often provide useful insights into the state of the VoIP infrastructure and serve as an additional piece of evidence of due diligence in the regulatory compliance armory.

5 Make VoIP Work For You VoIP has truly been a genuine money saver for businesses all over the world and the world is a smaller place, in part thanks to VoIP technology. The security issues around VoIP are serious and very real. However, taking the right steps and countermeasures can truly help your organization make the most of VoIP. The Internet is like alcohol in some sense. It accentuates what you would do anyway. If you want to be a loner, you can be more alone. If you want to connect, it makes it easier to connect. - Esther Dyson Commentator on Emerging Digital Technology References

6 ERM wants to hear from YOU. With this edition of our newsletter, we re rolling out a new format and new features. Tell us what you think! What features or topics would you like to see covered in future issues? Who else should receive this newsletter? Your feedback is welcome and encouraged. Please send your comments to editor@emrisk.com. Enterprise Risk Management: At a Glance ERM brings clients the highest level of expertise to assess and address risks, comply with standards and regulations and mitigate risks, using integrated and reasonably priced security services and solutions. Our practice provides organizations with the tools they need to address the compliance and risk management issues of today, as well as the broader and ever-increasing security challenges of the future. Services IT Security Regulatory Compliance IT Audit Computer Forensics Risk Management Attestation Certifications Certified Public Accountant (CPA) Certified Information Systems Security Professional (CISSP) Certified Information Systems Auditor (CISA) Certified Information Systems Manager (CISM) Certified Information Technology Professional (CITP) GIAC Security Essentials Certification GIAC Systems and Network Auditor Qualified Security Assessor (QSA) Approved Scanning Vendor (ASV) Some of our Clients ABN-AMRO Private Banking Bacardi-Martini, Inc. Bancafe International Banco Industrial de Venezuela Banco ITAU Bank United Caja Madrid Bank Carnival Cruise Lines, LLC CitiBank Coconut Grove Bank Commerce Bank E-data Financial Florida International University Florida Power & Light Company Heico Aerospace Helm Bank Knight Ridder Nova Southeastern University Rinker Materials Rudy, Exelrod & Zieff, LLP Seabourn Cruise Line TecniCard, Inc. The International Bank of Miami TransAtlantic Bank U.S. Century Bank For more information, visit info@emrisk.com Phone: Douglas Road North Tower, Suite 835 Coral Gables, FL 33134