We don’t usually worry about having our telephones hacked. But we should.
With the rise of voice-over-IP, we’ve entered a brave new world of voice communication that is easier, cheaper and more integrated with other communication systems. All this is good. But, one of the costs of VoIP is increased security risks since, unlike the telephone network of old, VoIP is digital and therefore subject to the same kind of hacking that challenges other computer-related services.
“VoIP is a form of data just as much as it is a mode of telephony,” noted telephony consultant, Jon Arnold (News - Alert). “However, these two ideas have different implications for your network, and if you don’t view VoIP as a data application, then you’re putting your network at risk. In fact, you’ll be putting your entire business at risk, especially if you understand how sophisticated hackers and malicious network attacks are becoming.”
Some of the potential uses for hackers breaking into the VoIP network of a business include misrepresentation. In other words, it is possible for hackers to use the telephone network of a business and pretend to be a member of the business that has been hacked.
There is, of course, the related act of using a hacked phone system to place free calls—especially international calls.
Hackers can use hijacked VoIP services to send voice spam to others, creating a big headache for all. There also is, for the particularly smooth cybercriminal, the possibility of listening in on VoIP traffic and using the tap in conjunction with speech analytics software to capture important business information.
Regardless of the uses, however, the threat is real. Businesses need to take the same security precautions with VoIP as they do with other digital services such as email and corporate data network access.
First, develop a VoIP security implementation guide that addresses how you will isolate data traffic from voice traffic, how you will use firewalls and IPS systems to beef up security, how you will prevent eavesdropping, and how security will be handled by the IT team.
Next, develop a VoIP security policy and create security architecture. This architecture should ward off known attacks through, for instance, placing an IPS in front of mission-critical subsystems such as call management, IVR and voicemail servers.
Leverage existing security controls to also help manage VoIP data, and do systems hardening through a post-installation VoIP penetration test.
Finally, learn from the VoIP penetration tests by mitigating the risks that have been uncovered.
VoIP is a wonderful technology, but it is not as naturally secure as the telephone network it replaces. So, make sure security is in place for such systems.