VoIP Security Essentials for Small Businesses

FRANCE

In a sluggish economy, businesses, particularly small and mid-size companies, are doing all they can to trim costs. And one big cost savings many are making is to switch from costly landline phone service to the less expensive Voice Over Internet Protocol (VoIP).

Although VoIP is ridiculously cheap, (think Vonage, Ooma, etc.), it comes with its own set of problems - particularly when it comes to security.

The number of hacker attacks against VoIP systems has steadily increased over the past year. These threats include listening in or recording phone conversations, stealing sensitive information discussed during calls, and phone hijacking to make expensive overseas calls.

Most of these attacks don’t make money, which for the most part keeps professional Internet criminals away. But the relative ease with which the average person can “sniff” out an unencrypted VoIP line is alarming. These attacks are so easy, almost anyone can carry them off. All a would-be hacker has to do is make a quick Google search and he can find the tools he needs to launch a VoIP attack.

Admittedly, VoIP security is not the biggest hacking threat facing businesses. But business owners and managers shouldn’t overlook. After all, it’s an easy way for almost anyone to eavesdrop on your business affairs, steal banking information and learn other sensitive information about you and your business.

So, what should small businesses do if they want the cost savings of VoIP without the privacy risks? Here are a few basic steps to take to protect a VoIP account:

Change the Default Password

The first thing a business should do when set up with VoIP is to reset the account’s default passwords. Leaving the default password intact happens far more frequently than it should.

Encryption 

A business absolutely needs to use some sort of data-in-transit-encryption for its service. This makes sure the voice that’s traveling over the line in the form of data is encrypted, preventing a hacker from listening in on the conversation. Encryption will also keep thieves from using your VoIP connection to make costly overseas calls.

DoS Mitigation Planning

Because VoIP phone lines transmit via the Internet, they are vulnerable to denial of service attacks (DoS).

A DoS attack crowds the line with too much data so that nothing can get in or out, which means your phone line could be out of service until the provider fixes it. It’s important to pre-screen your VoIP provider to make sure it does have DoS mitigation planning in place. Ask them what happens to your service if the provider is hit by a DoS attack.

Don’t Piggyback

Businesses that use the same router for both VoIP and Internet service (i.e., “piggybacking”) are leaving themselves extremely vulnerable to hackers. An unencrypted VoIP router can be a hacker’s way into a network that is otherwise protected. VoIP should always have its own data line.

Beware of VoIP Phishing

Believe it or not, “phishing,” the practice of scamming someone in an e-mail by appearing to be a credible person or company, also takes place on VoIP. Attackers send a phishing e-mail with a specific phone number to call that gets the victim to enter his/her account information using the keypad. The thief will record the call and have the victim’s account information.

VoIP hacking is a real threat - so businesses need to plan accordingly. In September 2010, a VoIP hacker was sentenced to 10 years in federal prison and more than $1 million in restitution for re-selling unsecured VoIP lines. Prosecutors say the hacker stole more than 10 million minutes of unauthorized telephone time and caused more than $1.4 million in damages in less than a year.

Joshua Daymont is the principal of Securisea, Inc., an independent information security company that provides security reviews, vulnerability testing, audit assistance, training and advisory services to US and international companies in several verticals. He is a highly regarded national authority on cybersecurity issues for businesses and has presented his research at BlackHat and other prestigious conferences. www.securisea.com