Editor's note: While unified communications (UC) increase productivity and collaboration in the enterprise, UC also gives hackers more opportunities to attack the network. With the adoption of Voice over IP (VoIP), malicious attacks have become easy and inexpensive. Enterprises must now make it a priority to learn what UC network security issues they face and what they can do to protect their networks.
San Antonio, Texas-based UC security provider SecureLogix released its 2014 Voice and UC State of Security report, which found that telephony denial of service (TDoS), financial fraud and social engineering threats are on the rise.
In this Q&A, Mark Collier, SecureLogix's chief technology officer and VP of engineering, spoke with SearchUnifiedCommunications at Enterprise Connect about the results of the report, which enterprises are most vulnerable to malicious attacks and how enterprises can mitigate them.
The most prevalent UC network security issue found in your report was TDoS attacks. Is TDoS the main threat enterprises should focus on when it comes to securing their voice and UC networks?
Mark Collier: Certainly, if the enterprise has contact centers and is in the financial business. TDoS is happening primarily at two ends of the spectrum: one end is hospitals, public safety and healthcare. The basic use case is [attackers] will get a list of numbers and call David, who works at a hospital in the ER, and they'll say "David, you haven't paid your payday loan, you owe us $1,000… if you don't pay us, we're going to flood your place of business with calls and not only affect your business, but make you look bad." If they don't pay, attackers will flood an emergency room, ICU or public safety number. Since March 2013, [the Department of Homeland Security] recorded about 650 of those events.
At the higher end [of the spectrum], we're starting to see it affect the bigger contact centers. Like a big financial contact center, if they can't service customer calls, that's a huge issue. They lose money, they have brand issues and their customers will go to the next bank. So, the same type of attack is starting to affect them as well.
What are the methods attackers use to accomplish these attacks?
Collier: At the low end [of methods] they're using people, at the high end it's done with automation. Attackers introduce calls to the network through SIP; they're getting smarter and smarter. They're [caller ID spoofing] or they're picking audio that will dwell in an Interactive Voice Response (IVR) for minutes. They might even use social networking. They'll get on Facebook and say "let's get all these people to call a bank because we're upset with them."
With each passing month the attacks get more sophisticated. There's more volume that's originating from more points, which makes it hard to detect and mitigate.
What steps can enterprises take to mitigate these threats?
Collier: What we recommend is to put in an application security product, or an application firewall, for UC. Typically at a high level, what we do is we deploy technology -- it can be at the enterprise or it can be in a public cloud -- that watches all of the traffic coming into a contact center. It's looking at all the signaling, it's looking for patterns, it's looking at the content.
The technology sits at the perimeter of the network, watches all the traffic and sheds the TDoS calls so that you have bandwidth for the good calls to come in. We're working with service providers. For example, when an AT&T customer has this issue AT&T does things in their network, but when Bank X or Hospital B has a TDoS issue, AT&T brings us in to address it.
How does bring your own device (BYOD) impact these UC network security issues?
Collier: Many of these same issues are going to affect mobile devices as well. There's a bunch of underlying security issues that have nothing to do with voice with these devices -- sharing enterprise data versus personal data and so on. But if I'm getting harassing calls on here, if I'm getting robocalls, if I'm getting denial of service to this thing -- then that's unacceptable.
When the enterprise is supporting use of these devices for business, there's an expectation that it's usable. If [my mobile phone] is my primary business device… the business is going to have an expectation this is secure and usable. SecureLogix doesn't secure the entire BYOD mobility space, but if this thing is constantly ringing or there's fraud on it, it's hard to use.