Good cyber hygiene

Stephen Thayer

Customer obligations/disclaimer

Bandwidth provides Recommended Fraud Mitigation Best Practices (“Fraud Best Practices”) to help its customers reduce fraud by taking measures to protect themselves and the networks connected to Bandwidth. Neither Bandwidth's provision of these Fraud Best Practices nor anything included in these Fraud Best Practices alters any customer's contractual obligation to manage its network and its end users.

Overview

This article is part of the Recommended Fraud Mitigation Best Practices intended to help Bandwidth customers reduce their fraud attack surface and take measures to protect themselves, including their connections to Bandwidth. This document is not all-inclusive and can’t guarantee that the recommended best practices will stop all fraud. The intent is to provide a framework our customers can use toward the prevention and mitigation of fraudulent events and to lessen the risk associated with all types of telecommunications fraud.

Good cyber hygiene

In today’s telecom environment, the same servers and computing hardware used for websites and databases are also used for IP-PBXs, voicemail systems, call-center platforms and Interactive Voice Response (IVR). These servers typically operate with Windows and/or Linux (CentOS, RHEL) operating systems, which continue to be exploited by hackers and fraudsters every day. For this reason, it’s extremely important to exercise good cyber hygiene (i.e., good cybersecurity best practices) in order to protect your systems from being hacked, breached, or exploited for fraudulent phone calling all over the world.

Customer premise equipment (CPE)

The following suggested best practices are drawn from industry-wide sanctioned practices, as well as Bandwidth-approved actions that can help secure your communications systems.

Often referred to as Customer Premise Equipment (CPE), servers and their connection to IP networks and the internet represent your single most vulnerable point of fraudulent entry. It’s critical for you to take all necessary and practical measures to secure these customer-owned systems, so you can reduce your attack surface and slow/prevent the perpetration of telecom fraud.

It’s important to keep in mind that there are no guarantees to preventing all telecom fraud. The criminals who perpetrate telecommunications fraud, in its numerous forms, are always working to circumvent countermeasures and security features that enterprises may deploy.

Implementing some and/or all of the listed suggested best practices to secure your CPE can dramatically reduce your exposure to several types of telecom fraud.

Best practices for securing your CPE

Since most local VoIP systems (PBX, IP PBX, Call Managers), voicemail systems, and enterprise grade Session Border Controllers (SBCs) are built on off-the-shelf computing platforms (i.e., Linux servers), we recommend that you exercise Linux and IP network cybersecurity best practices. Implement a company-wide security plan that includes instituting policies on call restrictions, leveraging call blocking, creating processes around closing customer accounts or unused services, utilizing password best practices, actively managing voicemails, and reporting anomalies. Educate all of your employees on the established security plans.

Here are the best practices you and your employees can follow to secure your CPE:

BWFBP132

Back up your systems fully and often.

In the event a system is compromised, you can restore it from a known “clean” backup. Although you may lose some amount of data, you’ll be able to restore your critical systems.

BWFBP133

Review and utilize traffic data.

By collecting and graphing call logs and Call Detail Records (CDRs) from your VoIP platform, you can see incoming and outgoing calls, and determine whether any of the “graphed” traffic behaviors match or conflict with your business model and service offerings. Monitor and review your long-distance (LD) usage on a regular schedule, or as often as practical.
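As an added illustration of this practice (example code written for this article, not Bandwidth’s own tooling), the Python script below summarizes a handful of constructed CDR lines per extension and flags the ones whose calling pattern conflicts with an assumed profile: a North American business (+1 home country code, no international business) that only calls during 08:00–17:59. The CSV-style CDR layout, the business hours, and the thresholds are assumptions for the example; adapt them to your own platform’s export format and business model.

```python
# Added example, not Bandwidth's code: summarise constructed CDR lines and flag
# extensions whose calling pattern conflicts with a domestic, business-hours profile.
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs: start time, source extension, dialed number (E.164), duration in seconds.
SAMPLE_CDRS = """\
2024-03-04T09:12:05,1001,+14155550101,183
2024-03-04T10:47:30,1002,+14155550102,42
2024-03-04T23:58:11,1003,+2349035550100,612
2024-03-05T00:02:40,1003,+2349035550101,598
2024-03-05T00:07:03,1003,+2349035550102,605
2024-03-05T00:11:55,1003,+2349035550103,610
2024-03-05T11:20:00,1001,+14155550103,77
"""

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 local time
HOME_COUNTRY_CODE = "+1"       # assumption: North American enterprise with no international business


def parse_cdrs(text):
    """Parse the constructed CSV-style CDR format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, src, dst, duration = line.split(",")
        rows.append({"start": datetime.fromisoformat(start), "src": src,
                     "dst": dst, "duration": int(duration)})
    return rows


def summarize(rows):
    """Per-extension totals: calls, international calls, after-hours calls, international seconds."""
    stats = defaultdict(lambda: {"calls": 0, "intl": 0, "after_hours": 0, "intl_seconds": 0})
    for r in rows:
        s = stats[r["src"]]
        s["calls"] += 1
        if not r["dst"].startswith(HOME_COUNTRY_CODE):
            s["intl"] += 1
            s["intl_seconds"] += r["duration"]
        if r["start"].hour not in BUSINESS_HOURS:
            s["after_hours"] += 1
    return dict(stats)


def flag_anomalies(stats, max_intl=0, max_after_hours=1):
    """Return {extension: [reasons]} for extensions that exceed the expected profile."""
    flagged = {}
    for ext, s in stats.items():
        reasons = []
        if s["intl"] > max_intl:
            reasons.append(f"{s['intl']} international calls, {s['intl_seconds'] // 60} min")
        if s["after_hours"] > max_after_hours:
            reasons.append(f"{s['after_hours']} after-hours calls")
        if reasons:
            flagged[ext] = reasons
    return flagged


if __name__ == "__main__":
    for ext, reasons in flag_anomalies(summarize(parse_cdrs(SAMPLE_CDRS))).items():
        print(f"extension {ext}: " + "; ".join(reasons))
```

Run against the sample, only extension 1003 is reported: four international calls, all placed in the middle of the night, which is the classic shape of a compromised extension being used for toll fraud. The same per-extension counts are what you would graph over time; a sudden step in international minutes or after-hours calls is easier to see on a chart than in raw CDRs.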

BWFBP134

Secure your Voicemail (VM) Systems.

  • Implement strong PIN and VM password policies.
  • Disconnect/disable outbound calling or call-through functionality within the voicemail system.
  • Never allow call forwarding or return call features within a voicemail system. Hackers often exploit voicemail platforms to program fraudulent outbound calling.

BWFBP135

PBX management

Keep IP-PBX and voice platform operating systems up-to-date

Be sure your systems are updated with the latest releases and security patches. Hackers often exploit outdated and unpatched operating systems. Please remain vigilant about maintaining and enhancing your security.

BWFBP136

Consider adding time of day/day of week call handling.

Turn off/disable outdial features (allow inbound calls and 911 only) during non-business hours. At a minimum, restrict international dialing to core business hours only.

BWFBP137

Set up a SIP-based firewall within your IP/PBX systems.

A SIP-based firewall can inspect voice and data packets as they pass through your network, and only allow what’s authorized between your platform and your service provider. Firewalls can also alert you when various thresholds or unauthorized access attempts occur.

  • Monitor SIP traffic and automatically block suspicious IP addresses that are SIP scanning the equipment for access.
  • Monitor and alert on all registration events into your PBX, IP PBX, and Call Manager, including failed attempts. Blacklist foreign IPs you don’t recognize/do business with.
  • Utilize strong Access Control Lists designed to allow for secure communications while preventing unauthorized access.

BWFBP138

Disable DISA (Direct Inward System Access).

  • Prevent external callers from accessing internal PBX features by disabling DISA.
  • Delete unassigned voice mailboxes and associated DISA codes.
  • Consider two-factor authentication for any remote access and/or administrative users.

BWFBP139

Disable ALL IP ports not currently in use.

On Linux-based IP-PBX systems and ancillary platforms, like voicemail systems, disable all IP ports that aren’t being used or needed. Hackers look for unused IP ports that can be exploited to gain unauthorized access. Pay special attention to IP ports 5060 and 5080 on IP-PBXs, like Asterisk, Mitel, Polycom, Cisco, and Avaya.

BWFBP140

Utilize enterprise-grade Session Border Controllers (SBCs)

Enterprise-grade SBCs will provide an added layer of security, which is especially important if you use Unified Communications (UC) services, like video conferencing. Hackers will quite often ping the IP address of an IP-PBX. However, with an SBC in place, they’ll get a response from the SBC, not the IP-PBX, and won’t gain access or visibility into your IP-PBX. Hackers almost always seek the path of least resistance. If they encounter an IP address that’s protected, they’ll move on to IP addresses that aren’t.

Enterprise-grade SBCs also provide additional layers of protection by allowing operator-configured rules to be executed based on authorized calling patterns and services offered. Enterprises can configure SBC rules for geographic restrictions, number of calls per hour, time of day and days of the week. This can be very effective in preventing robocalls, toll fraud, international fraud, and suspicious calling behaviors during nights or weekends when employees aren’t typically in the office.
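The time-of-day/day-of-week outdial restriction recommended earlier (BWFBP136) and the SBC rules described in this section are the same kind of policy: a decision per outbound call based on when it is placed, where it is going, and how many calls the extension has already made. The Python class below is an added example written for this article (not Bandwidth’s code and not any vendor’s SBC rule syntax) of such a policy evaluator. The business hours (Monday–Friday, 08:00–17:59), the +1 home country, the single authorized international prefix (+44) and the 20-calls-per-hour limit are assumptions chosen for the example; 911 is always allowed, as the text requires.

```python
# Added example, not Bandwidth's code: an outbound call policy of the kind the
# text describes (time of day / day of week, destination country, calls per hour).
from collections import deque
from datetime import datetime

ALLOWED_WEEKDAYS = {0, 1, 2, 3, 4}      # assumption: Monday-Friday (datetime.weekday numbering)
BUSINESS_HOURS = range(8, 18)           # assumption: 08:00-17:59 local time
EMERGENCY_NUMBERS = {"911"}             # always allowed, even outside business hours
HOME_COUNTRY_CODE = "+1"
ALLOWED_INTL_PREFIXES = ("+44",)        # assumption: the enterprise only does business with the UK
MAX_CALLS_PER_HOUR = 20                 # assumption: per-extension rate limit


class OutboundPolicy:
    def __init__(self):
        self._recent = {}  # extension -> deque of start times of allowed calls in the last hour

    def _calls_in_last_hour(self, ext, when):
        q = self._recent.setdefault(ext, deque())
        while q and (when - q[0]).total_seconds() >= 3600:
            q.popleft()  # drop calls older than one hour
        return len(q)

    def evaluate(self, ext, dst, when):
        """Return (decision, reason) for a call from extension ext to dst at datetime when."""
        if dst in EMERGENCY_NUMBERS:
            return "allow", "emergency number is never blocked"
        in_hours = when.weekday() in ALLOWED_WEEKDAYS and when.hour in BUSINESS_HOURS
        if not in_hours:
            return "deny", "outdial disabled outside business hours"
        international = dst.startswith("+") and not dst.startswith(HOME_COUNTRY_CODE)
        if international and not dst.startswith(ALLOWED_INTL_PREFIXES):
            return "deny", "destination country not authorized"
        if self._calls_in_last_hour(ext, when) >= MAX_CALLS_PER_HOUR:
            return "deny", "per-hour call limit reached"
        self._recent[ext].append(when)  # only allowed calls count toward the limit
        return "allow", "within policy"


if __name__ == "__main__":
    policy = OutboundPolicy()
    for ext, dst, when in [
        ("1001", "+14155550100", datetime(2024, 3, 4, 10, 0)),   # Monday, business hours
        ("1001", "+2349035550100", datetime(2024, 3, 4, 10, 0)),  # unauthorized country
        ("1001", "+14155550100", datetime(2024, 3, 9, 10, 0)),   # Saturday
        ("1001", "911", datetime(2024, 3, 9, 2, 0)),             # emergency, any time
    ]:
        print(ext, dst, when.isoformat(), "->", policy.evaluate(ext, dst, when))
```

The checks are ordered from cheapest to most stateful, and a denied call never consumes rate-limit budget. On a real SBC these rules would be configured rather than coded, but the evaluation order and the “emergency first, then schedule, then geography, then rate” structure carry over directly.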

User management tips for securing your users (UAS, handsets, remote users)

BWFBP141

Improve security through rate limiting login attempts.

  • Never allow unlimited login attempts.
  • Enable system lock-out functionality on all voice-processing and voicemail systems that only allow a finite number of attempts, typically three, to enter a password before being locked out.
  • Consider using multi-factor authentication for enhanced security.

BWFBP142

Monitor for and block account scanners.

Look for unauthorized user agents (UAs) like “User-Agent: friendly-scanner” or UAs that are free and/or don’t match your authorized users’ systems. In a VoIP network environment, numerous unauthorized registration attempts should be a significant red flag that your network and systems are being probed/scanned for vulnerabilities.
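The SIP-firewall monitoring in BWFBP137, the login rate limiting in BWFBP141 and the scanner detection in this section all work from the same input: a log of registration attempts with source IP, account, User-Agent and outcome. The Python script below is an added example written for this article (not Bandwidth’s code, and not the log format of any particular PBX) that reviews a few constructed log lines and derives the actions a SIP-aware firewall or a fail2ban-style tool would take: block sources that present the “friendly-scanner” UA or exceed a failure threshold, lock accounts after three failed attempts, and report registrations from outside the networks you recognize or from UAs that are not the handsets you deployed. The trusted network (192.0.2.0/24), the authorized UA prefix (Polycom/) and the thresholds are assumptions for the example.

```python
# Added example, not Bandwidth's code: review constructed SIP REGISTER log lines and
# derive the actions a SIP-aware firewall or fail2ban-style tool would take.
import ipaddress
from collections import Counter

# Constructed log format: timestamp source_ip account user_agent result (no spaces inside fields)
SAMPLE_LOG = """\
2024-03-04T02:00:01 203.0.113.7 1001 friendly-scanner FAIL
2024-03-04T02:00:02 203.0.113.7 1002 friendly-scanner FAIL
2024-03-04T02:00:03 203.0.113.7 1003 friendly-scanner FAIL
2024-03-04T02:00:04 203.0.113.7 admin friendly-scanner FAIL
2024-03-04T08:30:10 192.0.2.25 1001 Polycom/5.9.6 OK
2024-03-04T08:31:00 198.51.100.9 1001 GenericSIP/0.1 FAIL
2024-03-04T08:31:01 198.51.100.9 1001 GenericSIP/0.1 FAIL
2024-03-04T08:31:02 198.51.100.9 1001 GenericSIP/0.1 FAIL
2024-03-04T08:31:03 198.51.100.9 1001 GenericSIP/0.1 FAIL
2024-03-04T09:00:00 192.0.2.30 1002 Polycom/5.9.6 FAIL
2024-03-04T09:00:05 192.0.2.30 1002 Polycom/5.9.6 OK
"""

TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumption: office and remote-user ranges
AUTHORIZED_UA_PREFIXES = ("Polycom/",)                  # assumption: the handsets you deployed
SCANNER_UAS = {"friendly-scanner"}                      # the scanner UA named in the text
FAIL_THRESHOLD_PER_IP = 3                               # failures before a source is blocked
LOCKOUT_ATTEMPTS_PER_ACCOUNT = 3                        # failures before an account is locked


def parse_log(text):
    """Parse the constructed whitespace-separated log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, ua, result = line.split()
        events.append({"ts": ts, "ip": ip, "account": account, "ua": ua, "ok": result == "OK"})
    return events


def analyze(events):
    """Return the block list, lockout list and alerts derived from the registration events."""
    fails_by_ip, fails_by_account = Counter(), Counter()
    scanner_ips, untrusted_ips, unknown_uas = set(), set(), set()
    for e in events:
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in net for net in TRUSTED_NETS):
            untrusted_ips.add(e["ip"])           # registration from a network you don't recognize
        if e["ua"] in SCANNER_UAS:
            scanner_ips.add(e["ip"])             # known scanner UA: block immediately
        elif not e["ua"].startswith(AUTHORIZED_UA_PREFIXES):
            unknown_uas.add((e["ip"], e["ua"]))  # not one of your deployed handsets
        if not e["ok"]:
            fails_by_ip[e["ip"]] += 1
            fails_by_account[e["account"]] += 1
    return {
        "block_ips": scanner_ips | {ip for ip, n in fails_by_ip.items() if n >= FAIL_THRESHOLD_PER_IP},
        "lock_accounts": {a for a, n in fails_by_account.items() if n >= LOCKOUT_ATTEMPTS_PER_ACCOUNT},
        "untrusted_ips": untrusted_ips,
        "unknown_uas": unknown_uas,
    }


if __name__ == "__main__":
    for key, value in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {sorted(value)}")
```

Note what the sample shows about lockouts: account 1001 is locked because of an outsider’s guesses, not its owner’s mistakes. That is the expected behavior of a finite-attempt lockout and also why source blocking should fire first and every lockout should raise an alert, so a scan does not quietly turn into an outage for a legitimate user. The single failed attempt from 192.0.2.30 (a mistyped password followed by success) stays below both thresholds and generates nothing.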

BWFBP143

Block/filter traffic from suspicious IP addresses.

You should filter, block or blacklist suspicious IP addresses (especially in high-risk countries), as they’re identified, so no traffic is allowed to enter your network from them.

BWFBP144

Monitor for and disable or remove fake accounts and account sign-ups.

Look for random email addresses (e.g., slijcg@emaildomain.com) or addresses and ZIP codes that don’t align. It’s not recommended to solely rely on third-party platforms or application stores to validate your new account sign-ups.
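The two signals named above can be screened automatically before a sign-up is activated. The Python script below is an added example written for this article (not Bandwidth’s code and not a complete fraud-scoring system): a heuristic that treats an e-mail local part with almost no vowels or a long consonant run as machine-generated, and a check that the first three digits of the ZIP code fall inside the stated state. The ZIP-prefix table is a small, approximate, constructed sample covering five states, so an unknown prefix is treated as “no evidence” rather than a mismatch; a real deployment would use a full ZIP database. The example domain is the one used in the text.

```python
# Added example, not Bandwidth's code: heuristic checks for sign-ups with random-looking
# e-mail addresses or a ZIP code that does not match the stated state.
import re

# Approximate 3-digit ZIP prefix ranges for a few states; constructed illustration,
# not a complete or authoritative table.
ZIP_PREFIX_STATES = [
    ((100, 149), "NY"),
    ((320, 349), "FL"),
    ((600, 629), "IL"),
    ((750, 799), "TX"),
    ((900, 961), "CA"),
]
VOWELS = set("aeiouy")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-xz]+")  # letters other than a, e, i, o, u, y


def looks_random(local_part, min_len=5, max_consonant_run=5, min_vowel_ratio=0.2):
    """True if the local part of an e-mail address looks machine-generated (heuristic)."""
    lowered = local_part.lower()
    letters = [c for c in lowered if c.isalpha()]
    if len(letters) < min_len:
        return False  # too short to judge
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    # longest run of consonants; digits and separators such as '.' reset the run
    longest_run = max((len(run) for run in CONSONANT_RUN.findall(lowered)), default=0)
    return vowel_ratio < min_vowel_ratio or longest_run >= max_consonant_run


def zip_state(zip_code):
    """State implied by a 5-digit ZIP, or None if the prefix is not in the sample table."""
    if not re.fullmatch(r"\d{5}", zip_code):
        return None
    prefix = int(zip_code[:3])
    for (low, high), state in ZIP_PREFIX_STATES:
        if low <= prefix <= high:
            return state
    return None


def review_signup(email, zip_code, state):
    """Return a list of reasons to hold a sign-up for manual review (empty list = nothing found)."""
    reasons = []
    local_part, _, domain = email.partition("@")
    if not domain or looks_random(local_part):
        reasons.append(f"malformed or random-looking e-mail address: {email}")
    implied = zip_state(zip_code)
    if implied is not None and implied != state.upper():
        reasons.append(f"ZIP {zip_code} implies {implied}, sign-up says {state}")
    return reasons


if __name__ == "__main__":
    # Constructed sign-ups: one plausible, one matching the pattern the text describes.
    for email, zip_code, state in [("maria.garcia@emaildomain.com", "10001", "NY"),
                                   ("slijcg@emaildomain.com", "10001", "CA")]:
        print(email, zip_code, state, "->", review_signup(email, zip_code, state) or "ok")
```

Treat a non-empty result as a reason to hold the account for review, not as proof of fraud: short or unusual but legitimate names will occasionally trip the vowel-ratio test, which is why the check returns reasons for a person to look at rather than a verdict.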

If you already use third-party platforms or application stores for account validations and sign-ups, please reach out to your Bandwidth Support Team confirming their current practices leverage security features that will monitor and alert you to fraudulent activities.

BWFBP145

Install security software applications on all of your voice processing systems.

Most security products can flag and reduce the rate of incorrect authentication attempts. They can check for login and VoIP/SIP registration errors and stop brute force attacks against root passwords, injections of malicious traffic, and registration attempts of unauthorized peers with suspicious credentials.

General best practices for working with Bandwidth

BWFBP147

Develop a Fraud-Contact distribution email address list. This will allow Bandwidth to contact more than one person at your company about fraudulent events or behaviors. You’ll need to manage the distro list, as your staff changes.

BWFBP148

Update all “fraud” contacts every 6 months within your account and reach out to your Bandwidth Support Team to alert them that you made edits/changes.

BWFBP149

Any/All Fraud-Contact distribution email address lists provided to Bandwidth must reach people that are on-duty or on-call, in a way that allows Bandwidth to communicate with someone regarding fraud events 24 hours a day, 7 days a week, 365 days a year (24X7X365).

BWFBP150

Any/All Fraud-Contact distribution phone number lists provided to Bandwidth must reach people that are on-duty or on-call, in a way that allows Bandwidth to communicate with someone regarding fraud events 24 hours a day, 7 days a week, 365 days a year (24X7X365).

BWFBP151

Any/All Fraud-Contact distribution lists provided to Bandwidth must reach people that are technically capable of mitigating fraudulent events on your network.

BWFBP152

Any/All Fraud-Contact distribution lists provided to Bandwidth must reach people that are authorized to make network decisions, such as blocking fraudulent traffic, disabling fraudulent international calling, and/or accepting “Fraud” charges, as spelled out in your Bandwidth Master Service Agreement - Contract.

BWFBP153

If you need to reach the Bandwidth Fraud Mitigation Team, you can contact us in any of the following ways:

  • Email: voicesecurity@bandwidth.com (note: this will auto-open a ticket with the Fraud Mitigation Team)
  • Customer Support: 855-864-7776
  • Bandwidth Corporate: 888-969-5009, Press 3, Press 1, Press 1
