February 9, 2021
Good morning, everyone!
This week’s critical vulnerabilities:
Patch all the things!!
When Analog Communications Go Digital
Last week I ran across this very useful article by Cisco with a lot of detailed info on how to protect your Voice over Internet Protocol (VoIP) phone system:
Cybercriminals will happily tell you: IP telephony, known as VoIP, is a wonderful thing.
What is a VoIP phone system?
Wikipedia offers this definition:
Voice over Internet Protocol (VoIP), also called IP telephony, is a method and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. The terms Internet telephony, broadband telephony, and broadband phone service specifically refer to the provisioning of communications services (voice, fax, SMS, voice-messaging) over the Internet, rather than via the public switched telephone network (PSTN), also known as plain old telephone service (POTS).
In the old days, telephone calls on the POTS network were analog signals sent over dedicated copper lines. To listen in on a phone call, you had to physically tap into the cable. With VoIP, however, phone calls are just data packets, sent over the Internet just like photos and social media posts. They can be intercepted in the same way, from the comfort of a cybercriminal's own home, millions of miles away.
Why do you need to worry about securing your VoIP phone system?
- Eavesdropping on phone calls and accessing voicemails can expose sensitive company and client information.
- Toll fraud is rampant. One client was billed several hundred thousand dollars in long-distance charges over a single weekend after their VoIP phone system was hacked.
- Your VoIP system can be a back door to your computer network.
How do you protect a VoIP phone system?
It's important to remember that VoIP phone calls and voicemails are data, just like emails and Word documents and databases, and will benefit from the same types of protection.
Secure your VoIP system the same way you do your data network, starting with basic things like:
- put everything behind a firewall
- use encryption for transmitting calls
- restrict access to authenticated users
- use VPNs for remote phones
- keep the software and firmware updated
- don’t use systems past the end of vendor support
- use network segmentation to separate voice & data traffic
What is network segmentation?
Network segmentation is a means of either physically or logically separating discrete parts of a network. Using network segmentation to separate voice and data networks has the added benefit of taking your VoIP system out of scope for your security compliance requirements (whatever they may be -- NIST, DFARS, CMMC, PCI DSS, HIPAA, etc.).
Physical segmentation is ideal: phones on separate cable runs to a switch dedicated to voice traffic, in a separate zone on the firewall, restricted from access to the data network.
Logical segmentation is more common. One of the main things small businesses love about VoIP phone systems is that you can daisy-chain the computer's network cable through the phone's built-in switch port, to save on cabling expense. However, this brings your voice and data network together on the same cable in a way that doesn’t meet standard security best practices. If physical separation isn’t feasible, use a VLAN to isolate voice traffic from data. Most modern VoIP equipment supports this natively; it just needs to be configured.
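One way to configure the logical segmentation described above, as an added example in Cisco IOS switch syntax (not taken from the Cisco article or this newsletter). The VLAN numbers, subnets, interface name and call-manager address are constructed placeholders; the PC daisy-chained through the phone lands in the data VLAN, the phone itself is tagged into the voice VLAN, and an access list on the voice VLAN gateway keeps phones from reaching the data network:

```cisco
! Constructed example: one phone port carrying both a phone and a daisy-chained PC
vlan 10
 name DATA
vlan 20
 name VOICE
!
interface GigabitEthernet1/0/5
 description Desk phone, PC connected through the phone's switch port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
! Inter-VLAN policy applied at the voice VLAN gateway (placeholder subnets)
ip access-list extended VOICE-TO-DATA
 remark Phones may talk SIP to the call manager only (placeholder address 10.10.0.5)
 permit udp 10.20.0.0 0.0.255.255 host 10.10.0.5 eq 5060
 permit tcp 10.20.0.0 0.0.255.255 host 10.10.0.5 eq 5061
 remark Block and log everything else from the voice VLAN into the data VLAN
 deny   ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 log
 remark Anything else (e.g. the SIP trunk out through the firewall) is still subject to firewall policy
 permit ip any any
!
interface Vlan20
 description Voice VLAN gateway
 ip address 10.20.0.1 255.255.0.0
 ip access-group VOICE-TO-DATA in
```

The logged denies give you a simple detection signal: any hit on that rule means something in the phone network is trying to reach your computers, which is exactly the "back door" scenario above.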
What about faxes?
Ah, I’m glad you asked that! Faxing is the other major means of communication that has changed from analog to digital. In the old days, faxes were also sent as analog signals over the same dedicated copper lines used for voice traffic. But just as voice has moved to data packets over the Internet, many businesses use an Internet-based “fax to email” service. (This is especially common for organizations with VoIP phone systems, as faxes don’t play well on VoIP networks).
What does this mean? Well, faxing used to be a pretty safe way to send confidential information like bank account data, SSNs, DOBs, etc., but that’s not necessarily true anymore. You don’t know when someone is using a fax to email service, nor how well it is secured. If you have the option of a secure file transfer, that’s a safer bet than faxing. And there’s always the old “print it out and put a stamp on it” method!
Thus endeth the lesson. Until next week!
Talk to you again soon!
Security Awareness Training Goes Virtual
Thanks to COVID-19, lots of things are going virtual, and that includes my employee Security Awareness Training. I've set up a small studio in our conference room (nobody there but me) so I can provide live training (almost) just like before! You can see me wave my hands and make faces while a wall of fascinating facts and practical tips slideshow across your screens, wherever you and your employees may be.
Contact me to schedule your employee training sessions. They're fun! ☺