Safeguarding Networks Against Fraud. Connections 2014

Transcription

1 Safeguarding Networks Against Fraud Connections 2014

2 Safeguarding Networks Against Fraud Agenda Toll Fraud and VoIP Hacking Elliot Zeltzer, VP IP Engineering, BullsEye Telecom BroadSoft Tools & Tips for Fraud Prevention Rodney Barney, Director, BroadSoft Global TAC Comments on Fraud Detection Jim Dalton, CEO TransNexus Questions for the panel / Open Q&A David Dibert, Sr Director, BroadSoft Global TAC Highlights of Partners at Connections Elvis Tucker #BC14 BROADSOFT CONNECTIONS 2014 PAGE 2

3 Watch for news about our 2015 Technical Summits! Over 350 customers attended in 2014 April - June, 2015: USA (East and West coast) Europe Melbourne Australia CALA or S. Korea?

4 Toll / Network Fraud and VoIP Hacking Elliot Zeltzer, Vice President of IP Network Engineering BullsEye Telecom

5 Toll / Network Fraud and VoIP Hacking The escalating cost of toll fraud The estimated cost of toll fraud, or phone hacking, to businesses is $4 billion annually; double the cost of credit card fraud.. Toll fraud is alive and well NetworkWorld the U.S. government announced it had broken up a $55 million toll fraud ring that was operating internationally and targeting enterprise PBXs authorities in the Philippines arrested six adults and three minors for hacking AT&T and causing a $24 million loss for the carrier and its clients over the past few years #BC14 BROADSOFT CONNECTIONS 2014 PAGE 5

6 Toll / Network Fraud and VoIP Hacking How is Toll Fraud and VoIP hacking manifested Direct theft of services Monetization Industrialization of theft Not kids, not the curious Speed which the vulnerability's are converted into cash will amaze you Malicious disruption / denial of service Compromise Customer service delivery Carrier service delivery Extortion Cryptolocker Social engineering to gather and construct elements of identity theft #BC14 BROADSOFT CONNECTIONS 2014 PAGE 6

7 Toll / Network Fraud and VoIP Hacking How did we get here? Moved from TDM to VoIP Applied the same security and control constructs that we have used (or not) to VoIP Or Failed to assure that all of the IP best practices we instituted #BC14 BROADSOFT CONNECTIONS 2014 PAGE 7

8 Toll / Network Fraud and VoIP Hacking What is Toll Fraud and VoIP hacking (an abbreviated list) Toll fraud legacy model Traditionally a function on the TDM network Carrier based Call / traffic pumping Call redirection Voice mail hijacking / outcalling Platform remote access credential compromise Toll fraud new model (IP based telephony) Anyone who has a IP based telephony platform! Endpoint hijacking Host or Remote SBC (session boarder control) compromise Platform credential compromise VoIP session VoIP customer portal VoIP management platform Call forwarding redirect Voice mail hijacking / outcalling #BC14 BROADSOFT CONNECTIONS 2014 PAGE 8

9 Toll / Network Fraud and VoIP Hacking Why have we become (more) vulnerable TDM have points of entry that have been known for nearly 100 years Moved to VoIP TDM folks didn t understand that all the flaws of IP Immediately became an open door to attack VoIP #BC14 BROADSOFT CONNECTIONS 2014 PAGE 9

10 Toll / Network Fraud and VoIP Hacking Your VoIP Delivery Network An IP telephony eco system Best practices for IP Network design Firewall Host server setup and administration Partitioning and logical function separation NIDS, NIPS, HIDS Log collection digestion and interpretation Aggressive interaction with suppliers Periodic security audits and intrusion testing #BC14 BROADSOFT CONNECTIONS 2014 PAGE 10

11 Toll / Network Fraud and VoIP Hacking Tooling to catch and prevent Secure your VoIP eco system Secure the front door! Best practices IP network VoIP headend VoIP endpoints Credentialing Use Broadsoft security toolkit Activate toll fraud script Central credential infrastructure Encrypt device management Forensics Use CDR analytics Syslog and SIP heuristics for threat detection #BC14 BROADSOFT CONNECTIONS 2014 PAGE 11

12 Toll / Network Fraud and VoIP Hacking Who can help you? Join CFCA (Communications Fraud Control Association) Your suppliers Make each and every one of your VoIP technical supplier chain put skin in the game Hire the right staff Hire the right consultant(s) Do periodic security audits and intrusion tests #BC14 BROADSOFT CONNECTIONS 2014 PAGE 12

13 Toll / Network Fraud and VoIP Hacking Goal No system is perfect Build defenses high enough to cause the Fraudster / Hackster to go to someone else All of us raise the barriers high enough to have them go to somewhere else Build a moat with flaming oil, broken glass and barbed wire around your VoIP Eco system. #BC14 BROADSOFT CONNECTIONS 2014 PAGE 13

14 Thank You!

15 Protecting Your Network Against Fraud Connections 2014 David Dibert, Sr. Director, Global Technical Assistance Centers, BroadSoft Inc. Rodney Barney, Director, Global Technical Assistance Centers, BroadSoft Inc.

16 Highlights on BroadWorks Fraud Concerns Risk Areas and Reporting Process

17 Fraud Risk Perpetrators Fraud Attempts can occur from three types of parties: An Outside Hacker A Dishonest Customer Internal Employee Attack #BC14 BROADSOFT CONNECTIONS 2014 PAGE 17

18 Fraud Risk Areas And BroadWorks Toolkit Industry Identified Fraud Risks Areas Voice Portals Web/Client Portals SIP Endpoints The BroadWorks Security Toolkit can be used to help identify and mitigate fraud Identify tools available via BroadWorks #BC14 BROADSOFT CONNECTIONS 2014 PAGE 18

19 Industry Identified Fraud Risks Areas Voice Portal High Risk Area BroadWorks Voice Portal supports two services that can be the source of fraud Voice Portal Call Forwarding Always programming and activation Voice Portal Calling Service How do they get in? Hacker aware of number ranges belonging to Service Provider Once Voice Portal accessed, hacker tried to brute force passcode (Weak Passwords are a concern) Once the account is compromised, hacker looks for Call Forwarding Always Programming or Voice Portal Calling options #BC14 BROADSOFT CONNECTIONS 2014 PAGE 19

20 Industry Identified Fraud Risks Areas - Web/Client Low Risk Area Hacker identifies XSP addresses and attempts to compromise account Common XSP applications and what is accessible OpenClientServer (OCS), CommPilot, OciOverSoap XSI-Actions bwcallcenter & bwreceptionist HTTP is the main target Brute force attack #BC14 BROADSOFT CONNECTIONS 2014 PAGE 20

21 Industry Identified Fraud Risks Areas - SIP Endpoint Low Risk Area SIP endpoint are subject to two types of vulnerabilities SIP Session Hijacking SIP is vulnerable to a number of session hijacking threats when SIP Digest-Authentication is not used SIP Identity Hijacking Password was compromised or brute force attacked SIP Digest-Authentication counters these threats #BC14 BROADSOFT CONNECTIONS 2014 PAGE 21

22 Areas to Concentrate Hardening Efforts Discuss ways to eliminate/mitigate these vulnerabilities and resulting fraud DMZ XSP Hardening Password Controls Call Processing Policies Outgoing Origination/Redirection Controls SIP Hardening Options Device Management Hardening Security Tool Kit #BC14 BROADSOFT CONNECTIONS 2014 PAGE 22

23 BroadWorks Security Toolkit Helps detect fraud and identify exposures in the BroadWorks system Fraud Detection Tool Parses CDR files, report upon and/or act upon Weak Password Checker Validate AS DB passwords Redirecting Services Pattern Checker Search AS DB for Frwd-to Numbers of concern Authentication Services Assignment Checker Search the AS database for users without Authentication service assigned or with blank passwords #BC14 BROADSOFT CONNECTIONS 2014 PAGE 23

24 BroadWorks Fraud and Security Reporting Process Reporting Security Vulnerability, Security Issue, or Fraud Through the BroadSoft Ticketing System Via the problem category field Direct Contact via the BroadSoft TAC line Contact #s on ticketing interface or in the TAC Overview on Xchange These actions will alert the BroadWorks Security Response Team (SRT) of potential Security or Fraud issues #BC14 BROADSOFT CONNECTIONS 2014 PAGE 24

25 BroadWorks Fraud and Security Reporting Process How are Security and Fraud reports handled? Upon report, the Security Response Team (SRT) is alerted We meet on a regular basis to review all tickets submitted as a Security, Security Vulnerability, or Fraud We assess the criticality of each report and score them per Common Vulnerability Scoring System (CVSS) #BC14 BROADSOFT CONNECTIONS 2014 PAGE 25

26 BroadWorks Fraud and Security Reporting Process According to criticality and risk BroadSoft will take actions, which may include: Alerting customers and partners with a remedy designed to reduce the risk to customer's BroadSoft product and to avoid further exposure or fraud. Provide patches for current releases covered under maintenance and support. Provide any necessary updates to the BroadSoft security documentation. Provide updates to our security ToolKit #BC14 BROADSOFT CONNECTIONS 2014 PAGE 26

27 Thank You! A special thanks to Mark Kushnir of BroadSoft for publishing a comprehensive Security Best Practices guide: Technical Summit Report on Security Response Metrics: - Fraud and Security Best Practices Updates.pdf The BroadSoft Security Vulnerability Response Process: Vulnerability-Response.pdf

28 Traffic Pumping Fraud Connections 2014 Jim Dalton, Founder TransNexus

29 Traffic Pumping Fraud (International Revenue Sharing Fraud IRSF) Traffic Pumping Fraud is the Number One Risk for Retail Service Providers Your Customers are your Primary Vulnerability A Growing Fraud Eco-System has Developed to Attack Your Customers Telecom Hacking Instructions are Plentiful #BC14 BROADSOFT CONNECTIONS 2014 PAGE 29

30 Telecom Hacking Tutorials #BC14 BROADSOFT CONNECTIONS 2014 PAGE 30

31 Traffic Pumping Fraud (International Revenue Sharing Fraud IRSF) Traffic Pumping Fraud is the Number One Risk for Retail Service Providers Your Customers are your Primary Vulnerability A Growing Fraud Eco-System has Developed to Attack Your Customers Telecom Hacking Instructions are Plentiful Scores of Premium Number Service Providers Enable Easy Monetization #BC14 BROADSOFT CONNECTIONS 2014 PAGE 31

32 Monetize Fraud with Premium Rate Numbers #BC14 BROADSOFT CONNECTIONS 2014 PAGE 32

33 Premium Rate Number Providers Czech BVI Belize Austria Albania Spain Hong Kong Dominica Cyprus Australia UK USA UK USA Australia Cyprus Dominica Hong Kong Spain Albania Austria Belize British Virgin Islands Czech Republic India Netherlands Pakistan Russia Seychelles Singapore UAE #BC14 BROADSOFT CONNECTIONS 2014 PAGE 33

34 Premium Rate Number Services #BC14 BROADSOFT CONNECTIONS 2014 PAGE 34

35 Premium Rate Number Services #BC14 BROADSOFT CONNECTIONS 2014 PAGE 35

36 Premium Rate Number Services #BC14 BROADSOFT CONNECTIONS 2014 PAGE 36

37 Traffic Pumping Case Study $166,000 Fraud Loss in 44 hours Fraud victim had four analog lines Over 568 simultaneous calls during attack to three telephone numbers in Gambia Premium Rate Numbers Gambia Maldives Somalia Fraudster Forwarded Calls are maintained by TW Network and do not overload Enterprise Phone System Public Telephone Network 22.5 calls per minute in fraud attack TW Telecom Network Fiber Integrated Access Device Telephone signaling per call instructs TW Network to re-route forwarded calls to PRNs FSF Enterprise Phone System Four Analog Phone Lines Norstar ICS Call Pilot 100 Fraud Victim #BC14 BROADSOFT CONNECTIONS 2014 PAGE 37

38 SDReporter CDR Analytics Real Time Fraud Scoring Blacklisted Numbers Subscriber Credit Controls GroupId, UserId or SIP trunk 1. CDR Files 2. OCI-P Command Offnet Termination Networks #BC14 BROADSOFT CONNECTIONS 2014 PAGE 38

39 NexOSS SIP INVITE Analytics SIP Trunking NexOSS SIP Phones 1. SIP INVITE Admission Request 2. Route, Divert or Block Soft switch DID Providers Inbound SIP Calls X Session Border Controller SIP Terminators Stop Fraudulent Calls Before They Enter Your Network #BC14 BROADSOFT CONNECTIONS 2014 PAGE 39

40 Thank You!

41 BOOTH # Fraud and Security Connections 2014 Partners BroadWorks collects data on every call that flows through your network BroadSoft partners utilize big data and VoIP analytics techniques for preventing and managing fraud and security incidences User Profiling Reporting trend analysis Cloud-Based Appliance-Based SaaS User Portal Notification Attack Prevention Cost Analysis #BC14 BROADSOFT CONNECTIONS 2014 PAGE 41

42 Thank You!