VoIP, like almost all other technologies, can be abused; it’s susceptible to attacks that allow calls to be hijacked, fraudulent calls to be made, or even unauthorized access to the corporate data network to be gained. For all the benefits of VoIP, it is important to be aware of and realistic about the risks that need to be mitigated. SIP and other VoIP channels need to be secured the same as any company laptop or facility, and the great news is that securing VoIP is simple as long as you do a little planning first.
One of the biggest abuses of VoIP comes in the form of toll fraud. WIRED contributor Jim Murphy reminds us that toll fraud has been around for decades and was a common problem even in the arcane days of landline telephones. The threat never went away, nor is it new; it simply evolved. Learning how to handle it in its modern incarnation is critical to protecting your enterprise communications from the unsavory predators of the internet.
Murphy notes, "For companies and service providers, there exists a balance between using real-time detection to cut off service and ensuring business operations are not unnecessarily interrupted" and that "providers are asking themselves what their responsibilities are to their clients, and what safeguards they can institute to lessen the threat of fraud attacks through VoIP networks."
So how do you find the balance? As with the landline attacks of old, the answer lies partly with providers and partly with solid enterprise security processes.
Fool me once…
It used to be that firewalls only needed to protect data connections, and because most traffic was outbound (read: people were mostly watching cat videos), any IT novice could lock the firewall down entirely and sleep securely. VoIP, however, requires that you open services to the outside world to receive inbound calls. Configured improperly, your firewall becomes either a nirvana for hackers or a harsh blockade against communications. VoIP security starts with ensuring your IT staff or service providers have the skills to handle modern requirements.
SAP contributor Daniel Newman notes that "With this in mind, network security professionals must add another service to their list of networked services to protect, requiring them to implement policies and procedures that mitigate breaches and theft of service."
Communications providers can help in developing these policies and processes, but ultimately, to maintain control of your fate, cybersecurity has to have an internal champion.
“Could” is not “Will”
As mentioned above, toll fraud is neither new nor VoIP-specific and it requires attention no matter what kind of network is in place. According to Toolbox contributor Jon Arnold, the idea of toll fraud should not deter organizations from implementing and leveraging VoIP.
"Even though the hackers are usually a step ahead of you, there are ways to mitigate most of these threats," Arnold wrote. "Getting your risk down to zero is not realistic – for any size of business – and certainly, taking some core steps is much better than doing nothing. All new technologies carry some form of risk, and when you think about the benefits of VoIP, you just have to look at this as part of the overall package."
At the end of the day, VoIP is quickly becoming non-optional; as landlines disappear and traditional telecommunications circuits migrate to SIP at a blazing pace, the path of is running out of road. If you aren’t watching your cybersecurity already, you can rest assured that someone else is.