Sections of the comms sector continue to reduce VoIP security threat levels to ‘moderate’ and sit on their hands in the face of belligerent cyber attacks.
That's according to Ollie Clutterbuck, Head of Product Architecture at 9 Group, who says any withdrawal from the severity of the issue is an urgent industry challenge.
The communications industry in general has perhaps never before failed so badly to act on a matter as critical as VoIP security, according to Clutterbuck, who too often sees resellers and ITSPs fail to make the security grade. “It is far too easy now for a malicious user to obtain software that takes all the complexity out of attacking people’s systems,” he commented. “It is clear that the frequency and sophistication of attacks is increasing. You have to accept that at some point you are going to get attacked but it’s up to you, your customers and your service provider to make sure you have done as much as possible to mitigate this attack.”
Clutterbuck noted that the same failures are repeated over and over again – poorly secured phone systems, weak voicemail security and user error. “The good news is that these are easy to fix,” he stated. “Use strong passwords when securing phone systems and don’t use the same password on all systems; restrict access for phone system management to known IP addresses; lock down SIP access to only your ITSP (this isn’t always possible with remote workers so consider non-standard ports and if possible a session border controller); use strong PIN access for voicemail; if possible don’t allow external access; don’t allow users to dial out from voicemail; don’t let users share passwords and where possible do not give users any SIP credentials. You also need to make sure your ITSP is protecting your customers’ security from within their own network.”
On ITSP security there are certain points to look out for, pointed out Clutterbuck. “Make sure they have a regular security programme and are employing external penetration testers to find vulnerabilities in their network,” he added. “Check they monitor for malicious activities and can offer fraud detection and mitigation, such as call spend limits, including the cutting of live calls and employing the use of AI for spotting unusual call activity.”
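As an added illustration of the call spend limits and live-call cutting mentioned above (example code written for this page, not 9 Group's or any ITSP's implementation), the sketch below totals each account's spend, charging calls still in progress up to the current moment, and lists the live calls to cut once a limit is reached. The record fields, rates, limits and sample calls are all constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

@dataclass
class Call:                      # hypothetical call record, not a real CDR schema
    call_id: str
    account: str
    start: int                   # seconds since the start of the billing day
    end: Optional[int]           # None while the call is still in progress
    rate_per_min: Decimal

def cost(call, now):
    """Cost accrued by `now`; a live call is charged up to the present moment."""
    stop = now if call.end is None else min(call.end, now)
    return call.rate_per_min * Decimal(max(0, stop - call.start)) / Decimal(60)

def enforce_spend_limit(calls, limits, now, default_limit=Decimal("25.00")):
    """Return {account: [call_ids to cut]} for every account at or over its limit.

    An empty list means there is nothing live to cut, but new calls should be barred.
    """
    spend, live = {}, {}
    for c in calls:
        if c.start > now:
            continue             # call has not started yet at this point in time
        spend[c.account] = spend.get(c.account, Decimal(0)) + cost(c, now)
        if c.end is None or c.end > now:
            live.setdefault(c.account, []).append(c)
    actions = {}
    for account, total in spend.items():
        if total >= limits.get(account, default_limit):
            # Cut the most expensive live calls first to stop the loss fastest.
            ordered = sorted(live.get(account, []),
                             key=lambda c: c.rate_per_min, reverse=True)
            actions[account] = [c.call_id for c in ordered]
    return actions

# Constructed sample: cust-a behaves normally; cust-b has three concurrent
# premium-rate calls running, the pattern a spend limit is meant to catch.
SAMPLE = [
    Call("a1", "cust-a", 0, 300, Decimal("0.02")),
    Call("a2", "cust-a", 400, 700, Decimal("0.02")),
    Call("b1", "cust-b", 0, None, Decimal("1.50")),
    Call("b2", "cust-b", 60, None, Decimal("1.50")),
    Call("b3", "cust-b", 120, None, Decimal("1.50")),
    Call("b4", "cust-b", 600, None, Decimal("0.02")),
]
LIMITS = {"cust-a": Decimal("50.00"), "cust-b": Decimal("25.00")}

if __name__ == "__main__":
    print(enforce_spend_limit(SAMPLE, LIMITS, now=720))
```

Waiting for completed call records would miss the three running calls entirely; including accrued cost is what makes cutting live calls possible.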
According to Clutterbuck, resellers often make the assumption that their upstream provider will handle security on their behalf, but the majority of fraudulent activity originates from phone systems or a lack of network security so an ITSP would be unable to have any influence on such cases. “Where security is in the hands of the service provider don’t make any assumptions, but do ask questions and make sure your provider is looking after your customers’ security,” he stated. “Recent regulations have increased penalties for the loss or misuse of personal data, enough to sink a well established company, so do not leave this in the hands of others.”
Cost and time are the main barriers to effective security, observed Clutterbuck, but for resellers basic security need not cost too much and can often be included as part of the installation process. “For ITSPs though the cost of securing and monitoring a network can be significant, and it should be,” stated Clutterbuck. “As ITSPs we are responsible for the security of hundreds of thousands of users’ communications and this should not be undertaken lightly. With open source technologies the barrier to becoming an ITSP is far lower and we have seen hundreds of smaller service providers pop up over the past five years.
“However, being able to register a phone and make a call is only a small part of the whole piece. Network resilience, and of course security, take expertise and money. To not invest in them amounts to nothing less than negligence. As a reseller, do your due diligence on your providers and make sure they are investing in their product beyond the basic telephony elements.”
In terms of VoIP security, the integration of mobile devices will be a key shift over the next five years, believes Clutterbuck. “We will see business telephony switch from the desktop phone to softphones and mobile clients, where VoIP is heavily integrated with the native dialler,” he explained. “This puts security very much in the hands of the user. Another interesting development is the use of machine learning to create AI for mining through large quantities of data. And we are seeing the emergence of IoT and its integration with telephony, whether it be location detection to change a user’s availability, or motion sensors that text the user when someone enters their house, which needs to have security at its core when these systems are designed.
“Security versus usability has always been the trade off. With increased security comes a worsening user experience, so our job is to keep that balance, protect customers and provide a rich and engaging user experience at a time when integration is becoming key and still emerging as a requirement. Yes people are doing CRM integration, but I’m talking about integrating with your car, or your home, integrating with Facebook or WhatsApp. The way we communicate is evolving and we need to be looking to the future and how we can get a user’s communication system to integrate seamlessly with their everyday life – effortlessly and securely.”