Business and home users have taken to VoIP like ducks to water. To both, it offers cost savings and convenience. To businesses, it provides the opportunity to use advanced communications features over and above the traditional land-line POTS solution. Rolling out toll-free International calling and video-conferencing, providing advanced call management to customer support centres and improving their overall business profile is now achievable and a modest and controllable cost.
Originally needing big iron, small businesses can run a virtual PBX on a dedicated desktop PC and take advantage of those new offerings.
However, as with all digital advances, security comes into play and VoIP Security is no exception.
It might appear at first sight that VoIP Security is not a significant requirement, but it is something that needs to be taken seriously. Because VoIP is a digital platform and integrated with your network, it can act as an entry point for malware and enable Intellectual property and data theft if not managed and secured properly.
A new and particularly intrusive threat is that of eavesdropping. You may remember crossed lines and misplaced calls from the days of the POTS environment.
VoIP eavesdropping can take several forms. It can be the tapping of a call to listen to the caller, it can be a remote programme that records calls to and from a specific number, it can be a mechanism to deploy malware to the corp[orate network and desktops.
It can also be an internal issue to bypass call restrictions or find credentials for systems the caller isn’t authorised to have.
It is important to remember that external VoIP calls travel over the Internet, and cybercriminals can use vulnerabilities in intermediate systems to capture voice packets and extract sensitive information. Understandably, government intelligence and security services such as the police have sophisticated tools and techniques to bypass most security measures. Some of these have leaked into the private sector. There is also unsubstantiated evidence that some suppliers have built trapdoors into hardware and software to allow easy eavesdropping.
It is therefore important to remember that the first step in VoIP security is to understand that VoIP calls are inherently insecure, even if encrypted. Most VoIP applications provide an encryption capability, and several security applications are an option. A VPN to carry voice traffic is another level of security that can be applied.
It’s not strictly speaking VoIP, but there have been media reports where celebrity cellular traffic has been hacked, recorded and released to the public.
Bottom line, be careful what you say, you don’t know who is listening.
Remember that analogue systems are tied to devices, VoIP systems are tied to users. In the past phones had a fixed physical location and security measures were tied to use of that physical device. With VoIP, users can use the system from a variety of locations using a variety of devices. Security now needs to be tied to the user, not the device.
- Make sure that you have an up to date and accurate phone list, showing phone numbers and assigned users.
- Make sure each user is assigned an appropriate security level, internal only, local, national and international are common security levels.
- Make sure each user has unique VoIP credentials.
- Make sure that IT has installed and operates up to date security software and operational controls over the VoIP system.
The switchover to the VoIP system needs to be as seamless as possible. No individual or business wants to be out of communication for an extended period. This can lead to errors because the roll-out is carried out in a rush, and corners are cut. One to be particularly wary of, and it should never happen is to deploy VoIP with default configurations.
A potential hacker or cyber criminal has access to the VoIP vendor documentation and therefore to things like default configurations, including password credentials.
At the very least the default passwords for the system functions need to be changed, and handsets can be manually configured as they are issued and installed.
Doing this will make it more difficult for a cybercriminal to piggy-back into your systems.
It is also important to encrypt your calls.
VoIP is a definite boon to business, but as with all digital deployments, security is a major concern.