Since the turn of the century, IP telephone systems have provided a huge advantage to businesses. From reduced costs, to the flexibility to add new users, to the opportunity to form an entirely unified communications system, to the ability to use almost any device and connect to workers anywhere, opening up flexible and remote working, the benefits are impossible to deny. This doesn't mean that implementation is without challenges; but if managed correctly they should be easily overcome.
For instance, take security. Session Initiation Protocol (SIP) trunking, the key connection between private networks and the wider internet, forms the backbone of any IP phone system. Yet at the same time, it represents one of the easiest ways to enter any IP system, and so a ripe target for attack. The last year has contained a lot of harsh lessons in how security is a real threat: including from TalkTalk, Tesco Bank and, repeatedly, Yahoo. The growing popularity of IP phone systems in the UK has made them a tempting target for attackers, yet businesses in the digital age can't simply disconnect from the internet. So how can organisations ensure that they aren't letting the enemy in through the front door?
Know the threat
The greatest vulnerability of SIP trunking comes from its ubiquity. The very connectivity that lets businesses communicate with fixed and mobile phones and other devices around the world also opens the business up to anyone watching. SIP trunk attack tools are also widely available online, the best-known of which is “SIP vicious”. Attackers can use these tools to cause anarchy in the UK, or anywhere: exploiting vulnerabilities in the SIP trunking structure to enter a network and do whatever they wish.
These actions may be as simple as a Denial of Service attack, taking a business's communications or other systems out of action either for an undefined period, or until a ransom is paid. The attackers may simply steal data, whether intellectual property that can be ransomed or sold on, or personal data that can be used for identity theft. They may modify data to allow unrestricted access to the system at a later date, to cause further mischief. Or they may hijack communications themselves, allowing them to, for instance, constantly dial expensive premium numbers, running up hefty costs for the business and hefty profits for whoever owns the number. Lastly, attackers could simply listen in to all communications made over the SIP trunk, giving them unrivalled insight into the business and its employees, and allowing them to gather information they can use for any purpose they wish.
To an extent, the threats facing SIP trunking are the same as those facing any other internet connection. And as in all these cases, protection means first understanding the level of exposure. Is the SIP trunk provided as a dedicated physical connection to your network, with no means of accessing it online? Or is it shared with internet access, meaning there may be multiple means of access? There is also the question of whether the SIP trunk has additional security supplied by the provider, or whether more needs to be layered on top. For instance, quality system providers should provide security that not only authenticates traffic that attempts to access the trunk, but also recognises, detects and blacklists SIP trunking attack tools.
At the same time, connection to the SIP trunk shouldn't be a free-for-all. Only devices that need to communicate with the outside world should be authorised; for instance, employees' desk and work smart phones may be quite acceptable. Yet a brand new personal smart phone, or strange laptop brought in by a contractor, should be kept well away. By taking this approach, organisations can reduce the SIP trunk's exposure, leaving the more manageable task of checking and vetting only approved devices to ensure they don't carry security threats.
However, as with any technology, regardless of what precautions you take there is always the risk that the SIP trunk will be compromised and security breached. As a result, part of a successful security programme is taking steps to mitigate the effects of any breach. For instance, to prevent the risks of communications being hijacked, it may be prudent to introduce a whitelist or blacklist of specific telephone numbers or connections that devices are either restricted to, or restricted from, contacting. Data and communications should be encrypted wherever possible, to ensure that even if attackers can eavesdrop or steal, they won't learn anything of value. And the business should always be watching for any unusual behaviour by a system that might signify an attack, to shut it down before any serious damage is done.
The risks SIP Trunking faces aren't out of the ordinary. Ultimately, it's just one angle of attack, among many that any business will have to face. However, intelligent security strategy means recognising that, like anything else, SIP trunking can be a target. And a key consideration of security is not only recognising targets, but then making them as hard to hit as possible.
Contributed by Paul Clarke, UK manager, 3CX