In the past year, the VoIP industry faced a loss of US$50 billion due to VoIP fraud and attacks. With threats growing less predictable and remote-work-related risks on the rise, security is key. VoIP hacking and attacks can originate from the Internet or from telephone lines, exploit any vulnerability, and ultimately expose your organization to toll fraud and theft of confidential information.
So how can you protect your business-crucial PBX system from potential net threats and internal malfeasance?
This blog introduces the must-have security policies and Yeastar PBX System’s innovative services and features that effectively shield you from attacks.
6 Types of Common VoIP Vulnerabilities and Attacks
To avoid security breaches in your VoIP PBX phone system, it is important to understand the potential vulnerabilities and the common types of cyberattacks.
Potential PBX Security Vulnerabilities
- Weak or stolen usernames and passwords
- Back doors and application vulnerabilities
- Poor access control
- Unencrypted connections
- Data breach caused by human error
Common Types of Cyberattacks and VoIP Security Threats
1. Toll Fraud
- Attack Action: Make international calls from your VoIP network, at your expense.
- Attack Purpose: Generate a high volume of international calls to premium rate numbers and then collect the revenue.
2. Reconnaissance
- Attack Action: Gather all possible information about the target before launching an actual attack.
- Attack Purpose: Identify vulnerabilities and weaknesses, and then create a successful exploit.
3. Denial-of-Service (DoS)
- Attack Action: Flood a server with an overwhelming amount of requests and use up all of its bandwidth.
- Attack Purpose: Prevent users from accessing connected online services or sites.
4. Spoofing
- Attack Action: Impersonate an individual or a company that the victims trust.
- Attack Purpose: Gain access to personal information or steal data.
5. Man-in-the-Middle
- Attack Action: Eavesdrop on the communication between two targets.
- Attack Purpose: Steal sensitive data, such as login credentials, account details, and credit card numbers.
6. Spam Over Internet Telephony (SPIT)
- Attack Action: Send bulk, unsolicited robocalls and voicemails over VoIP to phones connected to the Internet.
- Attack Purpose: Trick the victim into answering or listening to a robocall that incurs high international calling fees.
VoIP Security Checklist: How to Secure Your VoIP Phone System
The complexity and variety of cyberattacks are ever-increasing, with different types of attacks for different malicious purposes. While countermeasures differ for each type of attack, good security policies help mitigate the risks. In many cases, the best way to safeguard a PBX phone system is to implement a multi-layered security solution. This means that you need to deploy multiple defense measures to protect the vulnerable points of your phone system. Each layer increases overall protection and continues to offer system defense even when one of the layers is breached.
The following are some best practices that can be used to build multi-layered protection for your VoIP phone system.
1. Keep Your PBX and SIP Endpoints Updated
An up-to-date firmware or software version works like a protective cover that shields your PBX or SIP endpoints from security threats. The most recent version is typically the most secure, because known bugs and other vulnerabilities have been found and fixed. In addition, as technology evolves, some critical security features or layers of protection are only supported on the latest version.
2. Defend Against Network Security Threats
Your organization’s network is the first line of defense against cybercrime. If a hacker gains access to your organization’s network that supports VoIP communications, it can result in Denial of Service (DoS) attacks or significant decreases in Quality of Service (QoS). To prevent this from happening, you need to avoid exposing the PBX’s intranet to the public and block unauthorized access.
- Best Practice 1
Avoid Port Forwarding
To offer remote access for remote and mobile users, most on-premises PBX providers recommend port forwarding. This is not a good idea at all.
Essentially, Port Forwarding maps an external port on your public IP address to the PBX that is within your private Local Area Network (LAN). This exposes your PBX on the Internet and brings potential risks because hackers could penetrate your network through the forwarded port. As a matter of fact, hacking through port forwarding has been the most common way for hackers to launch attacks.
You will need a more secure way to maintain remote access for needed features and in the meanwhile, avoid using port forwarding that exposes your LAN.
To solve the dilemma, you might leverage tunneling services like Yeastar Linkus Cloud Service Pro (LCS Pro) or Remote Access Service (RAS). Built on industrial-grade cloud and encryption technology, the Yeastar tunneling service creates a secure path for the PBX’s remote SIP access and business communications. It not only avoids PBX port forwarding but also double-secures the system with granular permission control. You can decide which IP addresses and extension accounts are allowed to access your PBX remotely via the service, and which PBX services are allowed for remote access.
- Best Practice 2
Block Unauthorized Access to Your PBX
Blocking unwanted and unauthorized access to your PBX can significantly decrease the likelihood of your system being hacked. It is a vital step in preventing telephone hacking and mitigating the potential damage and financial losses to your business.
a. Global Anti-hacking IP Blocklist
Yeastar P-Series Phone System comes equipped with a Global Anti-hacking IP Blocklist Program, which centrally records a wide range of IP addresses that have been blocked by Yeastar PBXs worldwide and that are suspected of malicious activity or attack.
The IP blocklist is shared among all Yeastar PBXs and is updated weekly to incorporate newly discovered malicious IP addresses. With the Global Anti-hacking IP Blocklist, all connections to your PBX from IP addresses in the blocklist are dropped.
b. Restrict system access from specific countries or regions
If you find an increase in attacks on your PBX from a particular country or region, you can use geographic restrictions (also known as geo-blocking) to prevent visitors in specific geographic locations from accessing the PBX. By checking a visitor’s IP address against the PBX’s database, unauthorized access can be denied.
c. Restrict system access with firewall rules
Yeastar P-Series Phone System has inbuilt firewall rules that only accept trusted traffic. You can also create firewall rules on your PBX to allow or block traffic from specific source IP addresses/domains, ports, and MAC addresses. In doing so, suspicious access that might lead to fraud or call loss is blocked automatically.
To prevent massive connection attempts or brute-force attacks, you can also use the PBX’s inbuilt IP Auto Defense feature to define the allowed number of IP packets within a specific time interval. If any IP address sends more packets than the limit, the system automatically blocks that IP address.
3. Restrict the Use of Outbound Calls
In the event that hackers gain access to extension credentials, they could exploit extensions to make fraudulent calls at your expense. Restricting the use of outbound calls can minimize the potential financial loss to your business when toll fraud occurs.
- Best Practice 1
Set Rules for Outbound Calls
a. Different rules for different time periods
Hacking attempts are usually made during non-business hours, over weekends, and during holiday periods when the system is less attended. You can leverage the Time Condition feature to implement different inbound or outbound call restriction rules for different time periods to reinforce the automatic control. For example, you might create a Time Condition called “Holidays”, and disable outbound calls during holidays by applying the Time Condition to an outbound route.
b. Permission to only those who need it
Your employees perform different tasks in your company, and not all of them need to make long-distance or international calls. Consider configuring different outbound routes for different trunks (e.g. local, long-distance, and international), and assign outbound route permissions only to the users who require the use of it.
c. Password-based Authentication
Set a password on an outbound route to require callers to enter a PIN code before dialing out. Only when a valid PIN code is entered is the call routed out through that outbound route, which prevents fraud, abuse, or misuse of calls. Beyond that, you can easily track the originator of outbound calls for auditing or other purposes.
d. International Calls to Only Trusted Countries/Regions and Only If Necessary
If your company is engaged in international business and your employees need to make international calls, you can set up international dialing on the PBX. However, this puts your system in danger of international toll fraud and may result in significant financial loss.
To mitigate the risk, restrict country codes to allow international outbound calls only to the countries/regions that your employees need to call. In the meantime, give international dialing permission only to the extension users that are required.
e. Frequency Caps within a Given Time Period
Once hackers infiltrate your phone system, they can easily rack up tens of thousands of dollars by making large volumes of calls. It is recommended that you limit the number of outbound calls that extension users can make within a certain time period. When the limit is reached, any further outbound calls from the extension are denied.
f. Simultaneous Call Limit
Limiting the number of simultaneous outbound calls on SIP trunks helps meet specific licensing or billing requirements and, more importantly, prevents hackers from generating a high volume of calls over the trunks without limitation. Once the specified number of simultaneous calls is reached and a user attempts to place another call, that call will be rejected.
g. Auto Hang-up with Call Timer
Implement call duration restrictions on the whole system or on specific extension users to automatically terminate outbound calls when the specified time limit is reached. This helps prevent potential misuse and abuse of the phone system and allows for better control over call costs.
h. Ceiling on Telephone Bills
Telecom providers protect customers from exorbitant call costs by placing an upper threshold on the amount of billable calls that a company is able to incur. Contact your provider to limit the amount of credit and cancel auto-refill; this will help minimize the losses caused by toll fraud, if any.
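The outbound-call controls in the steps above can be combined into a single authorization decision per call attempt. The following is an added example, not Yeastar's code: it models a time condition, route permission with a country-code allowlist, a route PIN, a per-extension frequency cap and a per-trunk simultaneous-call limit. The extensions, numbers, PIN, limits and two-digit country codes are constructed assumptions.

```python
# Added example, not Yeastar's code: an outbound-route authorization check that
# models the controls above (time condition, route permission with a country-code
# allowlist, route PIN, per-extension frequency cap, trunk simultaneous-call
# limit). Extensions, numbers, PIN and limits are constructed; country codes
# are treated as two digits for simplicity.
from collections import defaultdict, deque
from datetime import datetime
# Dial prefix -> (route name, extensions permitted, route PIN, allowed country codes)
ROUTES = {
    "00": ("international", {"1001"}, "4471", {"44", "49"}),
    "0": ("long-distance", {"1001", "1002"}, None, None),
    "": ("local", {"1001", "1002", "1003"}, None, None),
}
HOLIDAYS = {(12, 25), (1, 1)}        # time condition "Holidays": no outbound calls
BUSINESS_HOURS = range(8, 18)        # outbound allowed 08:00-17:59, Monday-Friday
MAX_CALLS_PER_HOUR = 20              # frequency cap per extension
MAX_CONCURRENT_ON_TRUNK = 4          # simultaneous-call limit on the SIP trunk
WORKDAY = datetime(2024, 6, 12, 10, 0)   # constructed: a Wednesday, 10:00
HOLIDAY = datetime(2024, 12, 25, 10, 0)  # constructed: a date in HOLIDAYS

class OutboundPolicy:
    def __init__(self):
        self.history = defaultdict(deque)  # ext -> times of recent outbound calls
        self.active_on_trunk = 0

    def authorize(self, ext, number, when, pin=None):
        """Return (allowed, reason); `when` is a naive datetime in PBX local time."""
        if (when.month, when.day) in HOLIDAYS:
            return False, "time condition: holidays"
        if when.weekday() > 4 or when.hour not in BUSINESS_HOURS:
            return False, "time condition: outside business hours"
        # Longest matching prefix wins, as in an outbound-route table.
        prefix = next(p for p in ("00", "0", "") if number.startswith(p))
        name, permitted, route_pin, countries = ROUTES[prefix]
        if ext not in permitted:
            return False, f"no permission for {name} route"
        if countries is not None:
            cc = number[len(prefix):len(prefix) + 2]
            if cc not in countries:
                return False, f"country code {cc} not allowlisted"
        if route_pin is not None and pin != route_pin:
            return False, "invalid or missing PIN"
        recent = self.history[ext]
        while recent and (when - recent[0]).total_seconds() > 3600:
            recent.popleft()             # drop calls older than the one-hour window
        if len(recent) >= MAX_CALLS_PER_HOUR:
            return False, "frequency cap reached"
        if self.active_on_trunk >= MAX_CONCURRENT_ON_TRUNK:
            return False, "trunk simultaneous-call limit reached"
        recent.append(when)
        self.active_on_trunk += 1
        return True, f"routed via {name}"

    def hangup(self):                    # release one trunk channel when a call ends
        self.active_on_trunk = max(0, self.active_on_trunk - 1)
```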
4. Harden SIP Extensions
When unauthorized access is gained to SIP extensions, the potential for disruption is particularly significant. Criminals can exploit your phone system to make calls and launch other malicious attacks. Enforcing a strong password policy and placing restrictions on extension registration will help secure SIP extensions.
- Best Practice 1
Prevent Unauthorized Extension Registration
Yeastar Phone System has a built-in account lockout policy to prevent unauthorized access to extension accounts by automatically locking out the risky accounts after a certain number of failed registration attempts from the same IP address.
Moreover, there are several options available to enhance extension registration security:
- Use complex names and passwords for registration.
- Configure a complex authentication name that is completely different from the default one.
- Restrict extension registration based on user-agent strings.
- Restrict the IP addresses from which extensions can register.
- Restrict multiple registrations on the same extension.
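Both the IP Auto Defense packet limit described under firewall rules and the account lockout policy above are sliding-window counters keyed on the source IP. The following is an added example, not Yeastar's code, that replays a constructed log through both counters; the log format, the 20-packets-in-2-seconds rate and the 5-failures-in-60-seconds lockout are assumptions, not Yeastar defaults.

```python
# Added example, not Yeastar's code: sliding-window counters that model two of
# the controls above, IP Auto Defense (block a source IP that sends more than a
# set number of packets within an interval) and the account lockout policy
# (lock an extension after repeated failed registrations from one IP). The log
# format and the thresholds are constructed assumptions, not Yeastar defaults.
from collections import defaultdict, deque

# Constructed sample log: (epoch seconds, source IP, extension, event)
SAMPLE_LOG = [
    (0, "203.0.113.7", "1001", "REGISTER_FAIL"),
    (1, "203.0.113.7", "1001", "REGISTER_FAIL"),
    (2, "203.0.113.7", "1001", "REGISTER_FAIL"),
    (3, "203.0.113.7", "1001", "REGISTER_FAIL"),
    (4, "203.0.113.7", "1001", "REGISTER_FAIL"),  # fifth failure within 60 s
    (5, "198.51.100.9", "2002", "REGISTER_OK"),
    (6, "203.0.113.7", "1002", "OPTIONS"),
    (9, "198.51.100.9", "2002", "INVITE"),
] + [(10 + i * 0.1, "192.0.2.50", "", "OPTIONS") for i in range(30)]  # 30 packets in 3 s

class SlidingWindow:
    """Count events per key within the last `seconds`; True once `limit` is reached."""
    def __init__(self, limit, seconds):
        self.limit, self.seconds = limit, seconds
        self.events = defaultdict(deque)

    def hit(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.seconds:  # evict timestamps outside the window
            q.popleft()
        return len(q) >= self.limit

def analyze(log, pkt_limit=20, pkt_window=2, fail_limit=5, fail_window=60):
    """Replay the log in time order; return (blocked IPs, locked extensions)."""
    packets = SlidingWindow(pkt_limit, pkt_window)
    failures = SlidingWindow(fail_limit, fail_window)
    blocked, locked = set(), set()
    for ts, ip, ext, event in sorted(log, key=lambda e: e[0]):
        if ip in blocked:
            continue                        # auto-defense: traffic from a blocked IP is dropped
        if packets.hit(ip, ts):
            blocked.add(ip)                 # packet rate exceeded: block the source IP
        if event == "REGISTER_FAIL" and failures.hit((ip, ext), ts):
            locked.add(ext)                 # same IP, same extension: lock the account
    return blocked, locked

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```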
- Best Practice 2
Enforce Strong Authentication & Granular Access Control for Extension Login
Yeastar P-Series Phone System has a built-in account lockout policy to prevent unauthorized access to PBX by automatically locking out the risky accounts after reaching the maximum number of failed login attempts. Moreover, there are several options available to enhance extension login security:
- Two-factor Authentication (2FA)
- Single Sign-on (SSO)
- User Roles and Permission Management
- Best Practice 3
Encrypt SIP Signaling and Media Streams
Yeastar PBX System also provides you with the choice to add a layer of encryption to phone calls and streaming media of SIP extensions. This encryption can be implemented using the two standard internet protocols:
- Transport Layer Security (TLS): A widely accepted cryptographic protocol that provides data security and privacy between two communicating applications. When SIP signaling is encrypted with TLS, the users’ names and phone numbers are hidden and cannot be retrieved by prying eyes and ears.
- Secure Real-time Transport Protocol (SRTP): An RTP (Real-time Transport Protocol) profile intended to add further security measures such as message authentication, confidentiality, and replay protection to the RTP data. With SRTP enabled, the actual audio of the call and video media stream are encrypted to prevent interception and eavesdropping on phone calls.
5. Make Contingency Plans
Though a wide range of measures can be taken to protect your PBX, there is no absolute safety. If an attacker successfully infiltrates your PBX or forces your PBX to fail, you should have a contingency plan.
- Best Practice 1
Establish Real-time Monitoring, Logging, and Alert on System Events
Leverage event logging to monitor and record anomalous operations on your PBX, and subscribe to the critical events. When something goes wrong, you receive notifications promptly and can quickly find out where the problem lies and work out a solution.
If you are using a Yeastar PBX system, you can perform real-time monitoring from either of the following two platforms:
- PBX Administrator Portal: manage a single PBX.
- Yeastar Remote Management: centrally monitor and manage numerous customer-premises PBXs.
- Best Practice 2
Schedule Auto Backup
- Schedule regular backups. If your PBX stops working, you can reset it and restore the configuration from the backup file to ensure a fast recovery.
- Store backups in external locations to prevent the risk of data loss from physical destruction or theft.
- Apply a backup retention policy. This helps limit the amount of historical and outdated data.
- Best Practice 3
Implement a Redundancy Solution
a. Hot Standby for on-premises PBX System (Hardware & Software-based)
Yeastar’s on-premises PBX system is equipped with the Hot Standby feature for free, which allows you to create a mirroring server pair and recover immediately when a failure occurs. To deploy the solution, you need two identical PBX servers, which should be the same in the following aspects: Product model, Firmware and hardware version, Software configuration, Local Area Network (LAN) Settings, and Hardware installation.
With Hot Standby set up, the following can be achieved:
- Automatic recovery within 1 to 10 seconds in the event of any failure.
- Shared virtual IP between the paired active and hot-standby PBX servers, which ensures a complete system switch to the standby server when the active server fails, including all IP phones and third-party integrations connected to the PBX.
- Instant notification via email or call when a failover event occurs.
b. High Availability for Cloud PBX
Reliability is not a feature of the cloud; it is a requirement. Delivered in a cluster-based environment and managed by Yeastar, Yeastar Cloud PBX services feature a high-availability redundant deployment for enhanced disaster recovery, which is not the case for many single-instance cloud deployments.
PBX instances are deployed as primary and secondary pairs, i.e. in hot standby mode, to support seamless failover. We also leverage active/active load balancing to ensure optimal resource utilization among SBC servers. These servers are all powered by Amazon Web Services and located in various regions across the globe, adding more resilience to the entire service. There are more built-in security mechanisms in place to safeguard against malicious attacks.
c. Disaster Recovery
Disaster Recovery is a crucial aspect of any modern communication system. It refers to the ability to smoothly continue telephony services in the event of a disaster or unforeseen event. Yeastar Software PBX users can create a PBX replica in a redundancy site and ensure uninterrupted telephony services in case of a primary site failure.
The geo-redundant setup boasts the following key advantages:
- Real-time data mirroring to the redundancy site. No data loss or manual backup is required.
- Automatic failure detection & fallback, ensuring minimal downtime during critical situations such as natural calamities, power outages, or network failures.
- Inbuilt SD-WAN service for secure remote server networking, or bring your own VPN service.
- Instant notification by call and email for any PBX server failure or automatic failover.
- Super simple setup
- Can be combined with PBX Hot Standby (local redundancy setup) to build a higher level of system redundancy