Pavel Ignatov - Fotolia
Organizations have implemented session border controllers to secure SIP trunking services, but many SBCs are considered one-off investments and one-off deployments. And yet, amid denial-of-service attacks and toll fraud, SIP trunking is inherently vulnerable -- and that vulnerability continues to escalate.
Companies routinely update their antivirus software. So, why assume session border controllers (SBCs) can protect against changing threats without similar routine updates? In their current guise, most SBCs actually leave organizations with a false sense of security.
While many companies have recognized the risks and implemented an SBC to improve security, far too many session border controllers are left unmanaged and become out of date, fundamentally undermining the value of that investment. To determine how secure Session Initiation Protocol (SIP) deployments may be, companies need to consider the following questions:
1. Was the SBC easy to deploy? Session border controllers that are complex to deploy create several problems. One option is to opt for expensive external expertise to handle the configuration, which negates the VoIP business case. Alternatively, attempts to manage the process in-house will be constrained by the complexity -- the only option would be to implement simple rules that could leave the organization open to a potential breach. The SBC will be in place, but it will not deliver the required, or perceived, level of security.
2. Who manages the SBC? If a third party manages the SBC for a business, who is managing that provider? Who is checking to see that the SBC is updated routinely and blocking threats? If the outsourced provider is not providing reports about SBC performance, the evolving risk landscape and the way the product is updated to counter threats, then the SBC might not be very secure. A third party can do a good job with management, but be proactive and check. Out of sight should never be out of mind.
3. How often is the SBC updated? The security threat level is never static; it is continually evolving, and security products need to evolve in tandem if the business is to remain safe. Any "deploy once, update infrequently or never" security service is inherently flawed. Organizations routinely update antimalware services, harden infrastructure and update policies -- attitudes toward secure SIP should be the same. Routine SBC updates are essential in response to new threats.
4. Does the SBC send alerts? Considering the number of breaches and attempted breaches that organizations face, the SBC should be busy. But who knows? Does the SBC notify the business when something happens, when it has blocked a call and why? Real-time alerts -- via email, text or management alerting -- are an essential part of an SBC product. These alerts let a company know it has been attacked and raise any remediation steps that need to be taken.
5. Does the SBC vendor routinely communicate? An SBC provider should be sharing valuable insight into the changing threat landscape. Routine updates about newly identified threats should be backed up with information about the new SBC features to counter these threats. Understanding how the software is amended to protect the business -- and when the updates will occur -- is key to ensuring the SBC deployment remains up to date.
6. How often is the effectiveness of the SBC reviewed? Every security product should be evaluated routinely to ensure it's operating effectively. Including session border controllers in that review process is essential if the business is to remain protected against toll fraud, voicemail hacking, telephone denial-of-service or other threats. Whether that review occurs weekly or monthly will depend on the business plan. But without a routine assessment, how can a company feel confident it is getting value for its money, or the business is secure? Routine reports from the vendor about SBC activity and updates also help to prove the value of the ongoing investment.
7. Does the SBC vendor share best-practice guidelines? The right deployment of a routinely updated SBC is key to a secure SIP environment. Yet, perimeter technology alone is not enough. Best-practice guidelines should also include educating staff to spot new threats, such as vishing attacks. Ensure employees are aware criminals may call to try and obtain credentials that can be used to compromise other systems.
VoIP hacking: The risks are real
The security risks of poorly configured SIP trunking extend beyond call jacking. Other risks include eavesdropping on sensitive communications with malicious intent, such as harassment or extortion; misrepresenting identity, authority, rights and content, such as modifying billing records; or gaining access to private company and customer contacts. Simply put, hackers are cashing in on the widespread adoption of VoIP.
In the first quarter of 2015, attacks on VoIP servers represented 67% of all attacks recorded against U.K.-based servers that are monitored by Nettitude Inc., a cybersecurity provider. In addition, 84% of U.K. businesses are considered vulnerable to toll fraud, according to NEC. These stats clearly raise awareness of the evolving threat landscape.
The security implications are significant and extend beyond the obvious financial costs of huge phone bills or the increasingly common telephone denial-of-service threats, where the object of the attack is to extort money. Ultimately, among the repercussions, telephony services can be disrupted or taken offline completely. For contact centers, banks and any organization reliant on telephone business with customers, the results could be disastrous.
Cloud-based, continuously updated session border controllers address all these issues, but security insights from different companies also help. With the combination of routine product updates and shared intelligence among organizations, an attack on a single company can quickly transform into a patch or update that protects every business from the new risk.
This speed of response and continual change is key to achieve secure SIP trunking. Understanding the need for an SBC is a great step, but organizations cannot afford to rely on a one-off deployment. It is time to determine the true level of security and effectiveness delivered by the SBC today.
Paul German is CEO of VoipSec, a VoIP security provider.
A guide to session border controllers, IP telephony's traffic cop
Lock down your SIP trunks with this SIP security checklist