Voice over IP (VoIP) is slowly but surely infiltrating enterprise customer contact centres. About 50 per cent of contact centres are expected to be IP-based by 2010, according to Nortel. A security mind-shift will need to accompany the transition as voice and data systems merge. Physical security, agent training, securing off-site teleworkers: VoIP will have far-ranging impacts beyond network security.
While VoIP attacks are still rare today, these are expected to increase by 50 per cent in 2008, according to McAfee research. The prediction is based on extrapolation of recent trends: more than twice the number of VoIP-related vulnerabilities were reported in 2007 versus the previous year.
“The knowledge to hack into VoIP systems follows the level of VoIP penetration,” says Bogdan Materna, CTO at Ottawa-based security provider VoIPshield Systems Inc. “Hackers lack the experience now, so it’s not that popular. We know cases are happening but affected parties are not going public, and this is one of the issues in the industry. There are no entities like CERT (Computer Emergency Response Team) or surveys to track VoIP incidents like there are for data security breaches.”
From a staffing perspective, security management for integrated platforms introduces new headaches, he says. “Telecom staff understand voice but not IP networks, with IT people it’s the reverse, and security guys know something about IP but voice is foreign to them. These groups have to merge and work together, so just from a process point of view, this can cause security issues.”
Physical security
VoIP networks are vulnerable to all manner of familiar data-network exploits such as denial-of-service attacks, worms and viruses. While there are best practices for securing converged networks with technology, there are areas of concern outside the network.
Physical security around VoIP is an area that requires rethinking, as many functions become logical ones, says Materna. “The old PBX boxes used to be physically separate systems with a separate telecom group looking after them. But VoIP is just servers and computers running software, so all kinds of new issues — weak passwords, who can access servers to do what — are introduced.”
But traditional physical security measures are still needed. A U.S. National Institute of Standards and Technology (NIST) report warns that even if companies deploying VoIP systems follow all security best practices by installing VoIP-enabled firewalls, intrusion detection systems and voice traffic encryption, they will still need locks and security guards to make sure attackers don’t get access to the servers.
There are also access and role-based issues to consider in a call centre environment, which has sensitive functions that can be more easily abused. The call recording function to monitor quality, for example, can now amass large quantities of calls containing customer information in digital, easily downloaded formats, says Materna.
Other managerial functions are also vulnerable. “Supervisor functions that allow managers to listen in on calls to review how agents interact with customers are software functions in a VoIP system,” says Gary Audin, president of Delphi Inc., an Arlington, VA-based telecom consultancy. “With PBX boxes, this was wired separately with a physical connection, and no one else could use it unless they had access to the physical station. Now that it’s a logical function, anyone who can take on a supervisor role can eavesdrop.” Audin adds that Cisco’s own VoIP system was abused by an employee who used this tactic to eavesdrop on his boss’ discussions about performance evaluations and salaries.
To tackle these shifts in logical and physical security, Nortel’s best practices recommend controlled and monitored access to data centres, secure rooms with privileged access, and role-based access to VoIP and call centre infrastructure, together with audit trails, threat assessment and intrusion detection systems, and securing external access to the infrastructure through a VPN or similar means.
Human VoIP factors
“VoIP networks are capable of being secured with a layered security architecture – but hackers can bypass all that with social engineering, which defeats all the technology,” says Tracy Fleming, IP telephony practice leader at Avaya Canada. As with data networks, security training will need to be extended to call centre agents to help them resist being tricked into revealing passwords or other access information to hackers masquerading as IT staff once voice and data networks merge.
At the customer end, one profitable new form of social engineering that combines new technology with human trickery is “vishing,” or phishing using VoIP networks, says Materna. In this new scam, hackers set up a 1-800 number and a fake call centre for a legitimate financial institution, then send e-mails to induce unwitting customers to call and divulge their account numbers, personal identification numbers (PINs) and other information. “All the voice prompts sound the same as their bank, but they’re actually talking to hackers,” he says. “These incidents haven’t been revealed in the public domain, but we’ve heard this has already happened at some banks.”