Organisations have latched on to the need to secure SIP trunking solutions by implementing a Session Border Controller (SBC). The problem is that the vast majority of SBCs are considered not just one- off investments but also one-off deployments. Yet from denial of service attacks to toll fraud, SIP trunking is not only inherently vulnerable but that vulnerability continues to change and escalate. Few companies would fail to update anti-virus software – so why assume the SBC can protect against changing threats without similar routine updates?
The fact is that in their current guise, most SBCs actually leave organisations with a false sense of security. Paul German, CEO, VoipSec, considers the questions to ask to determine the truth about the SBC.
Understanding Risks
The risks associated with poorly secure SIP trunking extend far beyond call jacking. From eavesdropping sensitive communications with malicious intent such as harassment or extortion, to misrepresenting identity, authority, rights and content – such as modifying billing records – or gaining access to private company and customer contacts, hackers are cashing in on the widespread adoption of VoIP.
The fact that attacks on VoIP servers represented 67% of all attacks recorded against UK-based services according to Nettitude has raised awareness of the evolving threat landscape. With 84% of UK businesses considered to be unsafe from hacking according to NEC, the implications are significant and extend far beyond the obvious financial costs of huge phone bills or the increasingly common Telephone Denial of Service threats, where the object of the attack is to extort money, otherwise telephony services will be disrupted or taken offline completely. For contact centres, banks and any organisation reliant on telephone business with customers, the results would be disastrous.
Yet while many companies have recognised the risk and implemented an SBC in a bid to improve security, far too many SBCs are left unmanaged and become out of date, fundamentally undermining the value of that initial investment.
To determine how secure the current SIP trunking deployment may be, companies need to consider the following questions:
- Was the SBC easy to deploy?
An SBC that is complex to deploy creates a number of problems. One option is to opt for expensive external expertise to handle the configuration – and break the VoIP business case in the process. Alternatively, attempts to manage the process in house will be constrained by the complexity – the only option will be to implement very simple rules which could leave the organisation open to potential breach. The SBC will be in place but it will not be delivering the required – or perceived – level of security. A bit like having a firewall with a “permit any” rule.
- Who manages the SBC?
If a third party is undertaking that role for the business, who is managing that provider? Who is checking that the SBC is being routinely updated; that it is blocking threats and risks? If the outsourced provider is not routinely providing reports about the performance of the SBC, the evolving risk landscape and the way the product is being updated to counter those threats, the likelihood that the SBC is genuinely secure is low. A third party can do a great management job but be proactive and check – out of sight should never be out of mind.
- How often is the SBC updated?
The security threat level is never static, it is continually evolving; and security products need to evolve in tandem if the business is to remain safe. Any ‘deploy once, update infrequently or never’ security solution is inherently flawed. Organisations routinely update anti-virus and anti-malware solutions, harden infrastructure and update policies – attitudes to SIP security should be the same. Routine SBC updates in response to new threats and technology change are essential.
- Does the SBC send alerts?
Given the number of breaches and attempted breaches being faced by organisations of every size, the SBC should be busy. But who knows? Does the SBC notify the business when something happens, when it has blocked a call and why? Real time alerts – via email, text or management alerting – should be essential components of the SBC product to ensure the company knows it has been attacked and also to raise any other remediation steps that may need to be taken to remain secure across the entire business.
- Does the SBC vendor routinely communicate?
An SBC provider should be sharing valuable insight into the changing threat landscape. Routine updates about newly identified threats should be backed up with information about the new features and functions that are being introduced to the SBC to counter these threats. Understanding how the software is being amended to protect the business – and when the updates will occur – is key to ensuring the SBC deployment remains up to date and the business secure.
- How often is the effectiveness of the SBC reviewed?
Every security product should be routinely evaluated to ensure it is still operating effectively and providing a strong, secure barrier. – Including the SBC in that review process is essential if the business is to remain protected against toll fraud, voicemail hacking, TDoS or other as yet unknown threats. Whether that review occurs weekly or monthly will depend on the business plan but without a routine assessment how can a company feel confident it is getting value for money? Or that the business is secure? Routine reports from the vendor about SBC activity and updates also help to prove the value of the on-going investment.
7. Does the SBC vendor share best practice guidelines?
The right deployment of a routinely updated SBC is key to securing the SIP environment. Yet perimeter technology alone is not enough. Best practice guidelines should also include advice about educating staff about how to spot new threats. Vishing attacks are a great example – ensuring staff are aware that criminals may call up to try and obtain credentials that can then be used to compromise other systems is just as important as any technology solution.
Collaborative Approach in the Cloud
So what are the options if the answer to any or all of the above questions reveals the inadequacy of the current SBC? If the truth is that the static SBC is not only failing to protect the business, but also failing to deliver the previously perceived value? The good news is that cloud based, continuously updated SBCs address all of these issues, not least by exploiting community led intelligence where all organisations are sharing information about threats and risk experiences. With this model, the combination of routine product updates with shared intelligence ensures an attack on a single organisation can be quickly transformed into a patch or update that protects every business from the new risk.
This speed of response and continual change is key to securing SIP trunking. Understanding the need for an SBC is a great step, but organisations simply cannot afford to rely on a one-off deployment. It is time to determine the true level of security and effectiveness being delivered by the SBC today.
Paul German, CEO at Certes Networks
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.