IT security should include Telephony security

By Wim Brouwer, Product Manager, RSconnect

Protecting sensitive and personal data is a key priority today at many organizations worldwide. This focus is stimulated by the many examples of cyber crime, often with serious impact for the companies involved. Also, many organizations work hard to implement new data privacy laws. An example is the European General Data Protection Regulation (GDPR). This set of data privacy rules has been approved by the European Parliament in 2016 and has to be implemented by companies in all EU member states in 2018. So, IT security experts make long days to help their customers to implement the appropriate data protection measures.

However, data is not just ..data
Since we are talking about IT and data security, the focus typically is on the IT infrastructure and services. Either implemented on-premise or used from a cloud service provider. All attention is on issues like computer access, data encryption, etc. Which sounds reasonable, since we are talking about data protection, aren’t we?

Data protection also involves telephony and voice!

Given the serious threats delivered to us via computer software and data infrastructures, we tend to develop a blind spot for our telephones. Perhaps not so much for our smartphones since we are aware that they have similar capabilities to our computers. But we do have this blind spot for fixed-line telephones. Although they have become technically advanced devices as well, we often consider them as basic equipment. You can use them to make a voice call and that is it.

Nevertheless, as I will illustrate in a few examples, there are serious security risks which make it worthwhile to review the security aspects of your enterprise telephony system.

Risks at the back-end of your Unified Communications and VoIP systems

The risks which are most comparable to the ‘well-known’ IT security risks are hackers attempts to access the ‘back-end’ of enterprise telephony systems. When someone gets unauthorized access to centralized PBX or call manager servers, there are numerous security breaches which we can think of. It is for example possible to access voice mail systems. It is possible to use the system for toll fraud scenario’s and it is possible to launch Telephony Denial of Service Attacks. Just to mention a few examples.

Don’t ignore the front-end risks of your Telephone system

It may be worrying if we realize that at the ‘front-end’ even more is possible. At the telephony front-end, we see something strange. While it is for computers and laptops considered to be a minimum level of security to use usernames and passwords, this is certainly not common practice in enterprise telephony. Many people have a phone on their desk which is configured with their settings, gives access to their contact data and allows to listen to their voicemails. And which is not protected at all.

This even is the case when advanced features liked extension mobility or hot-desking are used, allowing people to log into any phone in the office. For these services typically a username and pin code are required. However, typing in your user credentials on a numeric keypad of a telephone is very inconvenient. So, quite often people only log in once and don’t log out anymore as long as they use that same desk.

Day and night, their phone is logged in with their personal setting. And – tired of all questions, complaints and forgotten pin codes – there are even systems managers who simply recommend the users not to log out. Or make life easy by providing simple user names and short default pin codes.

As a consequence, there are many situations thinkable where telephones are logged in day and night, loaded with someone’s personal settings and accessible for anyone. From colleagues to the cleaning staff. If you replace the word ‘telephone’ in the sentence above by ‘laptop’ or ‘computer’, we would find this a serious security blunder. But for telephones, it is common practice, I’m afraid.

What’s the problem? It is just a telephone, not a computer, one could argue. That’s true, but still, the damage from unauthorized access to an unobserved telephone could be serious. I will give three examples.

Security threat 1: Unauthorized access to voicemail

In business environments voicemail isn’t used for chit-chat. Of course, people can ask someone to return their call. But very often they also take the opportunity to explain already what the subject of their call is. So, the voicemail is used to exchange information. The information which could be very confidential. It could be the financial details of a contract. It could be a scenario for a restructuring. Or it could be the opinion of a medical expert on a patient. They are all examples of information which is highly confidential, but accessible for anyone with access to that telephone. Did anyone forget the News of the World scandal some years ago?

Security threat 2: Unauthorized access to contact information

Contact information can be extremely valuable. It is not that difficult to find out who are the executives or other key players in an organization. But it can be a challenge to find their direct contact details. Or to find out with whom they are in contact. So, the corporate directory and other personal contact lists can indeed be high-value company information. And this valuable and sensitive piece of information can be retrieved by an unobserved visitor or staff member with unauthorized access to an open telephone in the office.

Security threat 3: Unauthorized calls

The Caller ID has sometimes the status of a formal ID. If someone calls from a certain business telephone number, he or she is considered to be calling from that company or organization. Of course, you can nowadays use online VoIP services where you can actually choose any telephone number in any country as your caller ID.

But most often the sound characteristics of these services are worse than you would expect and some companies even use software to detect such malicious calls. But a call from the real number? With the right call characteristics and excellent quality? Many people will absolutely believe that it is a call from their bank, a college or a supplier. They believe the caller since he has the right Caller ID.

And often it is not the call itself which will do harm. But a trusted caller is the best starting point for an effective social engineering call. How easy can it be to acquire confidential company information if you call someone from an internal number within the same organization? I once saw an example of a person calling the companies’ internal helpdesk. He asked the helpdesk agent to help him since he failed to open a certain web service from his computer.

On his request (‘çan you try it for me?’), they kindly typed in the URL to try it on their computer, clicked and at that moment they already downloaded malware to the company infrastructure. Stupid? Not according to the rules? Indeed, but the problem is that helpdesk people are evaluated – sometimes on a daily basis – on the satisfaction levels of their clients. They are conditioned to help people, not to be suspicious.

So, What shall I do?

You can improve your security plans substantially by checking if advanced IP telephones in your organization are easily accessible for unauthorized people. If that is the case it is highly recommended to implement the right security measures (i.e. username and pin code or a Single Sign-On solution) to protect these telephones. It is a simple measure to remove a potential security breach from your checklist.

About The Author
Wim Brouwer is a product manager at RSconnect. RSconnect develops Security and Single Sign-On solutions for Unified Communications, IP Telephony, and Call Centers. The main product is the Active Login Manager software for Cisco Unified Communications and IP Telephony. Wim can be reached online at wim@rsconnect.net and at our company website https://www.rsconnect.net