The cost savings and flexibility benefits of voice-over-internet protocol (VoIP) have made the technology popular with enterprises and small businesses alike. However, as its prevalence has grown among business users, so has its popularity among hackers.
There are several high-profile examples of expensive VoIP security breaches, and a disturbing portion of them have been caused by rather elementary security flaws, like weak passwords, the failure to detect rogue calls or phone systems directly connected via public IP addresses outside of a firewall.
It is unrealistic to rely on employees to be responsible for VoIP security. They just want an easy and reliable way to make calls. Fortunately, IT managers and CSOs can do several things to shore up their phone system.
First, proper configuration of the firewall is especially important in an environment where the VoIP system is remotely accessible via the internet. I recommend that only IP phones and the VoIP telephony provider’s servers be allowed to access the company’s private branch exchange (PBX). Strict firewall configuration is preferable, but a company may have mobile clients whose IP addresses change often.
Second, administrators should require consistent enforcement of a strong password policy and set passwords themselves. There are VoIP products available that protect against password guessing by blocking an IP address after a specified number of login attempts. This critical security feature limits the likelihood that unauthorized persons will gain access to a phone system and take control of it.
Password-protection techniques aren’t foolproof, however. Another critical layer of defense is creating system usage “rules” and getting real-time alerts when they are violated. If an admin knows the business will never make an international call, that capability should be disabled. If that is not possible, limit the number of calls. Rules like these will tip an admin off to attacks and enable a quick reaction to minimize the damage.
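The usage rules described above, as an added example that is not from the original article: a Python check over constructed call records that alerts on every international call when that capability is disabled, or on calls beyond a per-extension cap when it is not. The record layout, the `+1` home prefix, and the limit and window values are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

HOME_PREFIX = "+1"  # assumption: E.164 numbers; one prefix stands in for a real dial plan

# Constructed sample call records: (timestamp, extension, dialed number)
SAMPLE_CDRS = [
    ("2024-03-02 09:15:00", "201", "+12125550100"),  # domestic
    ("2024-03-02 09:20:00", "202", "205"),           # internal extension
    ("2024-03-03 02:01:00", "203", "+3725550001"),
    ("2024-03-03 02:03:00", "203", "+3725550002"),
    ("2024-03-03 02:05:00", "203", "+3725550003"),
    ("2024-03-03 04:30:00", "203", "+3725550004"),
]

def is_international(number, home_prefix=HOME_PREFIX):
    # Numbers without "+" are treated as internal extensions (assumption).
    return number.startswith("+") and not number.startswith(home_prefix)

def evaluate(cdrs, allow_international=False, max_intl=2,
             window=timedelta(hours=1)):
    """Return (timestamp, extension, number, rule) for each rule violation."""
    alerts = []
    recent = defaultdict(deque)  # extension -> times of permitted intl calls
    for ts_text, ext, number in sorted(cdrs):  # ISO timestamps sort by time
        if not is_international(number):
            continue
        if not allow_international:
            # Rule 1: the business never calls abroad, so any attempt alerts.
            alerts.append((ts_text, ext, number, "international-disabled"))
            continue
        # Rule 2: international calls allowed, but capped per sliding window.
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        calls = recent[ext]
        while calls and ts - calls[0] >= window:
            calls.popleft()  # drop calls that have aged out of the window
        if len(calls) >= max_intl:
            alerts.append((ts_text, ext, number, "international-limit"))
        else:
            calls.append(ts)  # only permitted calls count toward the cap
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_CDRS):
        print("ALERT", *alert)
    for alert in evaluate(SAMPLE_CDRS, allow_international=True):
        print("ALERT", *alert)
```

In a deployment the same check would run on each call attempt as it arrives, so that the alert reaches the admin in real time rather than from a batch review.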