What SIP Security and Ice Cream Have in Common
As enterprises continue to put SIP technology into their telecom environments, they need to do whatever they can to support the integrity of their networks. That starts with SIP security, which organizations would do well to think of as the very top part of an ice cream sundae: Security first, with other protections underneath it.
In previous years, SIP has not been known as the most airtight technology. Attacks such as phishing, toll fraud and identity theft have plagued these networks, and the frequency of those attacks is expected to remain steady throughout 2017, said Jeffrey Pearl, CEO of OTG Consulting.
Dieter Rencken, senior product manager at ShoreTel, agreed. “We’re in an age where the rising tide of bad things is happening on all levels,” he said. Every day, enterprise data networks face the threat of invasion. And while traditional security challenges remain prevalent, enterprises must deal with new ones from open-source software and script kiddies, for example. Due to the larger number of ports in SIP technology, hackers have more avenues through which to attack.
In addition, enterprises could be exposing themselves by not fully understanding SIP before adoption. Wes Rogers, COO of NexVortex, has seen how this lack of understanding can come back to bite users. “We’ve had cases where a customer got hacked and fraudulent calls were made,” Rogers said. “We shut them down, had a conversation about how this happened, and made firewall changes.” Two months later, the exact same thing happened. Only this time, it was because a new employee took out the firewall changes that were made to prevent the initial attack. “It was a comedy of errors,” Rogers said.
Where Enterprises Go Wrong, and How to Get Back on Track
Besides misunderstanding the technology, enterprises are making other mistakes with SIP security. A classic problem comes from the passwords that lock the network. Enterprises still make these codes too basic, allowing for unauthorized users to gain access to enterprise devices, Pearl said. The fix? Combine letters, numbers and symbols, and avoid simple, obvious construction and subjects.
Next, recall that SIP can use a range of ports to move information. Providers will tell customers to open ports for SIP, but then enterprises fail to monitor these ports after they’re opened. This leaves holes in the firewall and invites security breaches. Session border control (SBC), designed for SIP traffic, presents an easy solution to this problem. But enterprises often do not want to invest in SBC and choose to secure their network with basic firewalling instead. As Rencken explained, providers may tell customers to deliver SIP over a private network, a strategy that tends to re-quire less security. Enterprises, often smaller ones that have no other way of dealing with bad traffic, will trust this rec-ommendation rather than question its merit. “Enterprises need to ask, “Do I trust my provider to protect me?” Rencken said.
While there are many ways in which enterprises can be vulnerable to an attack, there are signs enterprises can look for to detect a breach. Start by checking phone bills each month for any large or unexpected charges, as well as any unauthorized international calls, Rencken said. Spotting fraud this way can be hard, so some enterprises may not notice anything for months, even years, after an attack. And if unauthorized international calling is a problem, shut off capabil-ities for employees who do not work with overseas clients.
Enterprises can also work with service providers to help identify and eliminate any fraudulent activity within the network. “Identification and shutoff should be automated,” Rogers said. “Otherwise, you can burn a lot of money quickly.” Even with every method in place to prevent an attack, SIP breaches can still happen. In the event of attack, follow the steps on the infographic to the right. Moving into 2017, security is likely to be a top priority for most enterprises. Rogers predicts SIP is on the verge of becoming mainstream, and could see popularity on par with video conferencing. As this trend continues, enterprises should get used to asking about security prior to a deployment. “It’s like the sprinkles on ice cream,” Rogers said. “Security needs to be on top.”
— Kelly Teal, Editor-in-Chief, AOTMP Telecom Management Industry Update