Securing the Enterprise from Voice Network Attacks

This Industry Viewpoint was authored by Roger Northrop, Chief Technology Officer, Mutare

More phone calls are being transmitted by digital protocols today, rather than over physical analog lines, due to the prevalence of online VOIP communications and session initiation protocols (SIPs). Unfortunately, this evolution in telephony has provided hackers with new pathways to infiltrate organizations through their voice networks.

When security teams work to protect an enterprise, they seek to secure their data networks for web apps and email. The dangers from voice traffic have largely been overlooked. Likewise, many business leaders and IT executives are simply unaware of the risks stemming from unwanted voice traffic, but every call into an organization is either wanted or unwanted. The goal should be to guard against unwanted robocalls and voice phishing scams that can trick employees into giving away private information or network access over the phone.

Cybercriminals regularly adopt clever new tactics to steal private information and credentials which can then be sold over the dark web. Their attack strategies evolve over time, but they generally fall into five main types of voice scams that create vulnerabilities for unprotected businesses.

Ransomware attacks can be extremely damaging when ransomware gets transferred from a mobile device to a networked system via corporate Wi-Fi. These blackmail attacks succeed when untrained employees innocently click on a malicious text message link, allowing the bad guys to lock down entire computer networks and demand ransom payments.

Data thefts occur when the attackers build up enough trust to convince employees to share information or logins over the phone. With that entry point, the crooks can gain access to other critical systems for customer, employee, and stakeholder data.

Telephony denial of service (TDoS) attacks seek to overwhelm a victim’s telephone system by hitting it with a barrage of inbound distraction calls that can delay or block legitimate calls for service.

Identity thefts can result from voice phishing (vishing) and SMS text phishing (smishing) attacks. These kinds of spear-phishing attacks provide a way to impersonate a company executive and gain access to secure files or data.

Similarly, cybercriminals execute intellectual property thefts by fooling employees into unlocking company ideas, projects, inventions, or other assets, which can provide further access to valuable trade secrets, patents, and proprietary software.

The Risks Are High, But Defenses Remain Stubbornly Low

To gauge market awareness of these voice traffic threats, Mutare recently conducted a survey of attendees, presenters, and vendors at two high-profile technology industry conferences, RSA and Cisco Live. The Mutare Voice Network Threat Survey found that nearly half of organizations (47%) experienced a voice phishing or social engineering attack in the past year.

More than four-in-five respondents (81%) agreed or strongly agreed that their organizations identified vishing, smishing, social engineering, and robocalls as major security threats. Yet surprisingly, more than one-third of respondents to the survey (38%) said their organizations still do not collect any data on the amount of inbound, unwanted, and potentially malicious voice traffic hitting their organizations.

In addition, more than one-fourth of survey respondents (26%) were unsure about which tools were being used to protect their voice networks, and 9% said their organizations had no solutions in place whatsoever to protect their voice networks.

The responsibility for overseeing voice security was almost evenly divided between responses for the Security Team with 38%, and the Network Team with 37%. In addition, 15% of respondents cited the Unified Communications/Collaboration/Voice Team as being responsible for their company’s voice network security. Regardless of which team owns this function, their security practices should incorporate multiple layers of defense to create a robust mesh that reduces the attack surface of the voice network.

Organizations can first scope out their vulnerabilities by running a voice traffic analysis to understand the calling volumes and patterns on their voice networks. Voice traffic filters can then be set up to block bad traffic coming from known scam numbers. Organizations can also create their own custom rules for specific call numbers and geographies to decide which calls to let through and which ones to send to a block list.

Innovative new voice captcha technologies can further help by quarantining suspicious calls before they even ring to determine if they are scams or not. In addition, security teams should implement security awareness training programs for all employees to recognize potential scammers. Fallible humans present an ongoing risk at the edge of the voice network, especially among call center agents whose sole focus involves pleasing the caller. As this voice network problem continues to grow and evolve, organizations will clearly need to allocate more staff time and budgets to protect the voice side of the house.

Roger Northrop, Chief Technology Officer, Mutare

In his role as CTO, Roger is responsible for driving innovation through R&D activities in Mutare Labs, monitoring industry trends, and leveraging leading-edge and emerging technologies to launch solutions that modernize enterprise communication processes and protect the security of the customer IT environment.

Roger serves as an expert resource for customers and partners, and he ensures that the voice of the customer is incorporated into every stage of Mutare’s product development, continuous improvement and quality control processes. Prior to joining Mutare, Roger served as a Systems Engineer and Global Account Manager for Nortel.

If you haven't already, please take our Reader Survey! Just 3 questions to help us better understand who is reading Telecom Ramblings so we can serve you better!

Categories: Industry Viewpoint · Security · VoIP