With the rise in VoIP usage comes a rise in security breaches and risks. While the only secure server is one disconnected and buried ten feet into the ground, there are several steps you can take to reduce the damage and frequency of these security breaches.
If you've been reading our blog lately (and of course, you have, right?), you have undoubtedly noticed a theme we've been discussing: VoIP fraud. We've defined it for you, and most recently we named six common ways to suffer a VoIP attack. Today we have another post to add to our series.
We present to you, the Top 10 Ways to Prevent VoIP Fraud Attacks:
1. USE STRONG PASSWORDS - Have a secure username/password for everything. These should include the standard uppercase, lowercase, numbers, and symbols. Since you may need to type these in multiple times, they will most likely have to be something that you can easily recall. Keeping a note on your phone, or a text message with the password (preferably with no label) is more secure than “password123”. Additionally, you should guard these passwords by only giving them to those who are required to have them. Think of it as being on a "need-to-know basis." If someone isn't required to have them, they don't need to know. You would not want to give access to these passwords to anyone in your organization who is not required to have them for operations. Always remember to change these passwords if an employee leaves or is terminated.
2. DETECT AND DROP SPECIFIC SIGNATURES – Detect break-in attempts early. For example, watch for any IP address that attempts to register with the same value for extension and password (e.g. Extension: 100 Password: 100) or that attempts to register to multiple invalid extensions.
3. BAN IPs WITH AUTHENTICATION OR MALFORMED FAILURES - Set up scripts to ban any IP addresses that generate a significant number of registration or malformed-packet failures.
4. DROP 401 AND 407 FROM SUBSCRIBERS - Set your server up to reject or ignore 401 and 407 responses from subscribers to protect against SIP digest leaks.
5. VALIDATE SEQUENTIAL REQUESTS, MAINLY BYEs - Make sure your softswitch adheres to the SIP RFC and validates Call Sequence and Routing sets in provision level SIP packets.
6. USE SECURE PROVISIONING FOR PHONES – Use HTTPS if available or some sort of encryption on configuration files for phones that are pulling their configuration from a provisioning server.
7. DO NOT ALLOW UNSECURE EXTERNAL ACCESS TO YOUR SYSTEM - Using a firewall or ACLs, make sure your system is only open to the IP addresses that need to access it.
8. UPDATE PHONES REGULARLY - Make regular updates to the passwords of your phones.
9. USE TLS WHEN POSSIBLE TO AVOID MitM ATTACKS – When at all possible, use secure connections between phones, PBXs, and vendors when passing possibly compromising information.
10. USE A SECURE NETWORK - Make sure you have proper security set up on your network, both physical and network.
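As an added example for items 2 and 3 (not code from this blog or from any PBX product), here is one way a ban script could flag source IPs from registration logs. The key=value log format, field names, realm, extension list, and thresholds are all assumptions, and the password-equals-extension check assumes plain RFC 2617 digest authentication without qop.

```python
import hashlib
from collections import defaultdict

REALM = "pbx.example.invalid"      # assumed digest realm
VALID_EXTENSIONS = {"100", "101"}  # assumed provisioned extensions
MAX_FAILURES = 5                   # assumed ban threshold (item 3)
MAX_INVALID_EXTENSIONS = 3         # assumed scan threshold (item 2)

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, nonce, uri, method="REGISTER"):
    """Digest response without qop (RFC 2617): MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def find_offenders(lines):
    """Return {source_ip: sorted reasons} for sources worth banning."""
    failures, bad_exts, reasons = defaultdict(int), defaultdict(set), defaultdict(set)
    for line in lines:
        ev = dict(field.split("=", 1) for field in line.split()[1:])  # skip timestamp
        if ev["result"] == "ok":
            continue
        ip, ext = ev["src"], ev.get("ext")
        failures[ip] += 1  # authentication or malformed-packet failure
        if ext and ext not in VALID_EXTENSIONS:
            bad_exts[ip].add(ext)
        # Item 2 signature: the digest sent equals the one for password == extension.
        if ext and {"nonce", "uri", "response"} <= ev.keys() and \
                ev["response"] == digest_response(ext, ext, ev["nonce"], ev["uri"]):
            reasons[ip].add("password-equals-extension")
    for ip, count in failures.items():
        if count >= MAX_FAILURES:
            reasons[ip].add("repeated-failures")
        if len(bad_exts[ip]) >= MAX_INVALID_EXTENSIONS:
            reasons[ip].add("invalid-extension-scan")
    return {ip: sorted(why) for ip, why in reasons.items()}

def sample_log():
    """Constructed log lines in a made-up key=value format."""
    uri, nonce = f"sip:{REALM}", "c0ffee"
    def fail(ip, ext, pw):
        resp = digest_response(ext, pw, nonce, uri)
        return f"t src={ip} ext={ext} result=auth_fail nonce={nonce} uri={uri} response={resp}"
    return ([fail("198.51.100.7", "100", "100"), fail("192.0.2.10", "101", "typo")]
            + [f"t src=203.0.113.9 ext={900 + i} result=unknown_ext" for i in range(3)]
            + ["t src=192.0.2.44 result=malformed"] * 5)
```

Calling `find_offenders(sample_log())` flags three of the four constructed sources; the single mistyped password from 192.0.2.10 stays below every threshold and is not reported.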
There you have it. Getting to the bottom of an attack and fixing it can create a world of issues. Hopefully if you're proactive, these 10 ways will save you time and a lot of headaches. Be sure to check out our next post where we continue with the theme as we discuss eight ways to reduce VoIP fraud damages!