“Bosses are oblivious to the damage hackers could wreak on their businesses and are already out of touch with a threat landscape that is constantly changing.” Discuss.
Statistics show cybercrime costs the UK economy £27bn a year – £21bn to businesses, £2.2bn to government and £3.1bn to citizens. People don’t realise how significant a threat it is, it seriously needs addressing. Unfortunately businesses need to be bitten once before they consider any kind of information security policy.
Discussing the difficulties presented by an ‘always on’ workforce that uses mobile devices to access all manner of company information, Philippe Jan, a cyber-security specialist and lecturer at Lancaster University, recently said: “Businesses are facing a big problem. A firm’s internal systems are accessible from so many different devices including personal phones and other mobile devices and we have more or less lost the battle of keeping those devices secure.”
Referring to reports that show less than 20 per cent of organisations have any form of security awareness policy in place, Dave Whitelegg, of ITSecurityExpert.co.uk, said, “Businesses are dropping their guard on this. They need to realise that hackers, the bad guys, are always out there testing the locks on your windows and your doors. The question is, ‘what are you doing to secure those windows and doors?’”
Making Margin
When it comes to selling voice security for PBX systems it would appear the issue of security is still a long way down the agenda for many resellers and end-users yet this is where the loss is often directly a financial one rather than the indirect loss associated with stolen company data – although with more and more UC-focussed systems being provided the leap from voice to data (or vice versa) is but a short one.
Brian O’Sullivan, CTO of Voicenet Solutions, “It is still paramount for all telecoms providers to offer the highest levels of security at every link of the network chain. Hackers are always getting smarter and it has been known for data centres to be targeted by organised crime. However there are security measures available that should keep every call safe and give businesses absolute peace of mind, but are all suppliers offering these safeguards?
“An aspect of those security issues is one of fraud – where people are hacking in to systems, stealing data, making illicit calls or transferring calls to premium rate numbers - that is the pre-eminent threat, which can impact clients and their business.
“Our approach at Voicenet Solutions has always been different to the large carriers, which see it as a profit stream: So say a customer leaves a voice mail account with a default password, a hacker finds it and forwards it to a premium rate onward calling platform. The customer who has a PBX only finds out that the company has been defrauded at the end of the month when they receive a bill for tens of thousands of pounds.
“It is our opinion that carriers have the technology to identify the fraud; it’s simply that they chose not to implement it due to cost issues.
“A large amount of the time, the hacker is able to attack such systems due to the weakness of a customer password. That hacker could even be an ex-employee or someone with a modicum of technical ability. It is quite straightforward to presume that passwords that are easy to remember, in some cases for whole departments, are also the ones that are easiest to hack into. This is one area that is easy to confront but can often be ignored.
“With hosted platforms, the premise is that customers pay their provider to worry about all aspects of their company’s telecommunications, so they don’t have to. However, for the embryonic hosted carriers, buying an off-the-shelf fraud management system isn’t an option – they are expensive, and require development to integrate.”
UC Threats
With the adoption of unified communication and SIP there is an increased security risk which organisations are not taking seriously. Datapoint believes that VoIP targeted attacks are now running at 25% of scanning attacks and according to Nemertes Research half (50%) of SMBs are using or evaluating SIP trunking, yet only one third are using any kind of UC/VoIP security.
John Fenech, principal consultant at Datapoint’s UC Practice says the ability to grab communication channels for use in fraud or to resell long distance call minutes is proving attractive to organised crime.
“There were spikes in threat levels throughout 2010. For example, a major service provider offering VoIP services found that fraudsters had run up thousands of pounds in charges placing international calls using spoofing attacks. Following the incident, the service provider deployed Sipera’s UC-Sec security appliance to test the security architecture and mitigate the security gaps. In December 2010, a major Romanian VoIP fraud ring was broken up after fraudulently reselling minutes but others still exist in Europe, Asia and the US.
“Datapoint is seeing a strong demand from its enterprise customers for UC security such as Sipera which it is integrating as part of broader communication systems to address the vulnerabilities. Sipera’s UC-Sec security appliances help customers to maintain the confidentiality, integrity and availability of mission-critical communication in the new converged network.
“With Sipera’s UC-Sec, customers can migrate to VoIP and UC while remaining compliant with privacy, monitoring and archiving requirements. Also, they can deploy encryption, prevent threats, and implement access control and user authentication for VoIP, video, collaboration and messaging tools without affecting performance. Most importantly, they can still get the benefits of low-cost SIP trunks while protecting against toll fraud, intrusion and identity theft attacks. Last, they can extend UC safely and securely to any supporting device in any location over any network – including IP phones, smartphones, soft-clients and other devices.”
Always Overlooked?
Phone systems have always been the overlooked and poor relation when it comes to security and they have been left to rely solely on their resident, rudimentary options to provide some protection. And this was fine in the days when phreaking was the realm of geeks just having fun and not causing too much damage. But things have changed. Now phreaking is controlled by organised crime with links to terrorists and it’s big business. This means phone systems everywhere are significantly vulnerable and when they are attacked businesses are often faced with phone bills up to 100 times higher than usual. In the UK alone this crime is five times bigger than credit card fraud.
To keep phone systems safe now requires heavy-duty, automatic, around-the-clock security but voice security remains a dangerously overlooked sector in business security. Most businesses don’t even know how great the threat is. Nor do many resellers and PABXs continue to be sold with only default, resident security active - usually passwords - and these are easily bypassed using readily-available password-cracking tools.
Roger Ansin of the Callista Group, “One of the most dangerous perceptions too is that only SIP trunks are vulnerable to attack when in fact all trunks, including analogue and ISDN, are also at risk.
“But the stigma businesses feel at having their voice security breached means that this vast international crime is largely swept under the carpet and ignored by the telecommunications industry. The embarrassment and silence surrounding phreaking is common. On our website we maintain a growing list of reports of phreaking attacks everywhere. This information is gradually becoming easier to source as phreaking increases. The embarrassment of businesses that have been hacked is no longer enough to stop the media from reporting on it.
“As such it’s crucial that resellers understand and acknowledge the full magnitude of this form of hacking, which leaves PABX maintainers and minute providers exposed to potential litigation from customers who have been attacked and who are increasingly demanding compensation. We have, in conjunction with our distributors, and through considerable reseller education programmes throughout the UK, raised the profile of phreaking and the methods to combat it so that resellers can see the easy part they can play in completely securing phone systems against this crime and the positive impact this will have on their customer relationships. The response to this has been overwhelmingly positive.”
Halt the Hacker
The true cost of telephone PBX hacking is likely to be far greater than current estimations - increasing the urgency for resellers to offer their customers complete security protection. The full extent of the multi-billion-pound fraud empire is probably much more acute than first feared and is getting worse almost by the day. The UK is now one of the top five global hot spots for communication fraud.
Tom Maxwell, Dealer Sales Director at Nimans “It’s likely that the current estimations are just the tip of the iceberg and that the true problem is much bigger than anyone imagined. Through dialogue with resellers and industry experts we are finding that some customers are reluctant to report they have become a victim. Solicitors and security firms for example are embarrassed to admit they have been hit. They like to keep things as quiet as possible as it doesn’t look good on their businesses. Schools and colleges are also sites where reputations are important - and these are particularly vulnerable as they get targeted when they are closed, perhaps during holiday periods.
“One thing that is clear is that it’s a growing problem which is only going to get worse.”
Nimans offer a range of solutions to protect resellers and their customers, as Maxwell added: “Very often both of these two parties face a heavy financial responsibility to foot the bill. In a double whammy resellers often lose the customer as well.”
He concluded: “There was a very interesting panel debate at Convergence Summit North when it became clear how the voice industry needs to catch-up with IT suppliers who always sell firewalls and antivirus software with all relevant products. Ten years ago that wasn’t necessarily the case, but it’s a very different scenario today. The voice industry needs to follow their lead.” Smartphone Impossibility? Amir Peles, Chief Technology Officer, Radware, works on the security strategies with IT teams from private and public sector organisations.
According to Peles, there is no sure way to secure a smartphone; therefore the threat to business networks is ever-increasing now wireless devices are accepted business tools. This quarter, 50 percent more smartphones than mobile handsets have shipped to the UK and more wireless devices than PCs have been sold.
“There is no way to secure a smartphone. The key reason is that the mobile industry is focused on developing new access devices and revenue-generating applications, and not on the embedded security needed to make these devices impenetrable.
“If mobile host security is not made widely available, the threat from cyberterrorists will start costing private and public sector organisations dear; financially and in brand reputation.”
Daniel Fuller-Smith, Sales Manager - Toshiba Business Communications Division tends to agree that smartphones are an evergrowing problem for businesses, “Many employees are asking for smartphones to be integrated into office communications systems, and not just for data. Allowing users to integrate a smartphone into the company system creates a vulnerable gateway so resellers need to discuss the benefits of smartphone integration carefully to ensure the customer is aware of potential security threats and ways to protect against it.”
The mobile protection tools including anti-virus, anti-spyware and anti-phishing applications, and most data encryption methods for smartphones, are extremely easy to hack and open the core networks up to malware, Trojans, Bots, phishing and the new wave of ‘cyberjackers’ and zero-day attacks that have plague major organisations including Facebook, the French F1 team and a number of UK Government agencies recently.
Daniel Fuller-Smith adds, “Security is something resellers should expand their knowledge of this year, as this will only help to improve customer relationships, satisfaction and improve sales. It should be part of their solutions and recommendations, as solutions often include data solutions as well as voice, it’s an area where resellers face a challenge both in educating customers and making sure they are well equipped to advise on security considerations.
“Businesses are looking to adopt solutions they consider to be cost-effective, such as VoIP or out-of-the-box solutions. It is therefore important that resellers remind their customers of the security challenges which can often accompany these services and recommend solutions such as VPNs or voice and data firewalls.
“For example, those using IP need to examine an organisation’s existing firewall, as although it may protect them from online threats, they may not be protected from voice hacking once a service such as VoIP is installed. Upgrading to a voice capable firewall should be an all-important purchase which resellers can recommend and capitalise upon.”
Ed Says...
Selling security solutions is clearly a margin maker for resellers but the security market often overlooked is the prevention of voice hacking and the leap from voice to data within converged IP solutions. Distributors have not been slow to pick up on this channel opportunity and resellers could make their current distributor of choice their first port of call for sourcing the right product for them and their customers.