Best practices for keeping your systems secureFollow
Use good cyber-hygiene
Since most local VoIP systems, voicemail systems, and enterprise grade Session Border Controllers (SBCs) are built on off-the-shelf computing platforms, (ie; Linux servers) we recommend that you exercise Linux and IP network cybersecurity best practices.
Implement a company-wide security plan that includes instituting policies on call restrictions, leveraging call blocking, creating processes around closing unused customer accounts or services, utilizing password best practices, actively managing voice mails, and reporting anomalies. Educate all of your employees on the established security plans.
Back up your systems fully and often
In the event a system is compromised, you can restore from a known ‘clean’ backup. Although you may lose some amount of data, you will be able to restore your critical systems.
Leverage traffic data analytics
By collecting and graphing call logs and Call Detail Records (CDRs) from your VoIP platform, you can see incoming and outgoing calls and determine if any of the ‘graphed’ traffic behaviors match or conflict with your business model and service offerings.
Secure your voicemail (VM) systems
Implement strong PIN and VM password policies. Disconnect/disable outbound calling or call-through functionality within the voicemail system. Never allow call forwarding, or return call features within a voicemail system. Hackers often exploit voicemail platforms to program fraudulent outbound calling.
Institute security measures for International Calling
Consider adding an authorization code, or PIN that must be used by end-users before placing international calls. If you can determine the countries that calls from your platform will go to, then for added security you can restrict calling to all remaining countries.
If you wish to allow ‘global’ calling services, then we recommend that you create a list of approved countries and enable international calling only to those countries. The Communications Fraud Control Association (CFCA) most recent list of the top 5 countries most likely to have fraudulent traffic are: LV-Latvia-371, GM-220-Gambia, SO-Somalia-252, SL-Sierra Leone-232, PG-Papua New Guinea-675.
Additional geographic areas (country codes) to consider restricting include:
- 216 (Tunisia)
- 242 (Bahamas)
- 246 (Barbados)
- 256 (Uganda)
- 264 (Anguilla)
- 268 (Antigua/Barbuda)
- 284 (The British Virgin Islands)
- 340 (The U.S. Virgin Islands)
- 345 (Cayman Islands)
- 370 (Lithuania)
- 441 (Bermuda)
- 473 (Grenada)
- 509 (Haiti)
- 649 (The Turks and Caicos Islands)
- 664 (Montserrat)
- 670 (U.S. commonwealth of the Northern Mariana Islands)
- 671 (Guam)
- 680 (Palau)
- 684 (American Samoa)
- 721 (Sint Maarten)
- 758 (St. Lucia)
- 767 (Dominica)
- 784 (Saint Vincent and the Grenadines)
- 809, 829 and 849 (Dominican Republic)
- 868 (Trinidad & Tobago)
- 869 (St. Kitts & Nevis)
- 876 (Jamaica)
Keep IP-PBX & voice platform operating systems up-to-date
Be sure your systems are updated with the latest releases and security patches. Hackers often exploit outdated and unpatched operating systems. Please remain vigilant about maintaining and enhancing your security.
Set-up a SIP-based firewall within your IP-PBX systems
A SIP-based firewall can inspect voice and data packets as they pass through your network, and only allow what is authorized between your platform and your service provider. Firewalls can also alert you when various thresholds or unauthorized access attempts occur. SIP traffic should be monitored and automatically block suspicious IP addresses that are SIP scanning the equipment for access.
Disable DISA (Direct Inward System Access)
Prevent external callers from accessing internal PBX features by disabling DISA. Delete unassigned voice mailboxes and associated DISA codes.
Disable all IP ports not currently in use.
On Linux based IP-PBX systems and ancillary platforms like voicemail systems, disable all IP ports that are not being used or needed. Hackers look for unused IP ports that can be exploited to gain unauthorized access.
Utilize Enterprise-Grade Session Border Controllers (SBCs)
Enterprise-Grade SBCs will provide added layer of security, which is especially important if you use Unified Communications (UC) services like video conferencing. Hackers will quite often ping the IP address of an IP-PBX. However, with an SBC in place, they will get a response from the SBC, not the IP-PBX, and they will not gain access or visibility into your IP-PBX. Hackers most always seek the path of least resistance. If they encounter an IP address that’s protected, they’ll move on to IP addresses that are not.
Enterprise grade SBCs also provide additional layers of protection by allowing operator configured rules to be executed based on authorized calling patterns and services offered. Enterprises can configure SBC rules for geographic restrictions, number of calls per hour, time of day and days of the week. This can be very effective in preventing robocalls, toll fraud, international fraud and suspicious calling behaviors during nights or weekends when employees are not typically in the office.
Set strong passwords (long, random and hard to hack!)
Never use or allow default passwords set by the manufacturer. Always set system passwords as soon as possible before connecting any new system to an internet connection. Change passwords often. Changing passwords every 60 to 90 days is a good practice. Use a Zero (0) knowledge based password manager to help with managing large numbers of passwords and accounts. Use passwords with more than 10 characters and use a combination of numbers, and special characters like ‘%.!@…’. Spaces are now supported in many system passwords, so utilize spaces in passwords too. Be sure to change passwords when there are employee personnel changes and delete voicemail, email and security credentials of all former employees.
Improve security through rate limiting login attempts
Never allow unlimited login attempts. Enable system lock-out functionality on all voice processing and voicemail systems that only allow a finite number of attempts, typically three, to enter a password before being locked out. Consider using multi-factor authentication for enhanced security.
Monitor for and block account scanners
Look for unauthorized user agents (UAs) like ‘User-Agent: friendly-scanner’ or UAs that are free and/or do not match your authorized user’s systems.
Monitor for and disable or remove fake accounts and account sign-ups
Look for random email addresses (i.e., email@example.com) or addresses and Zip codes that don’t align. It is not recommended to solely rely on 3rd Party Platforms or application stores to validate your new account sign-ups.
If you already use 3rd Party Platforms or application stores for account validations and sign-ups, contact your account manager confirming their current practices leverage security features that will monitor and alert you to fraudulent activities.
Install security software applications on all of your voice processing systems
Most security products can flag and reduce the rate of incorrect authentication attempts. They can check for login and VoIP/SIP registration errors and stop brute force attacks against root passwords, injections of malicious traffic and registration attempts of unauthorized peers with suspicious credentials.
Implement the "least privilege" concept of role-based access to systems
Only allow people to access the systems they need to do their job and nothing more. Use activity logs to monitor and enforce security policies.