Community based threat detection and prevention has been a fundamental principle in Anti-Virus and Intrusion Detection Systems for years. Pooling the information and experience of multiple organisations to rapidly identify emerging threats, this collaborative approach enables security companies to quickly create a patch and disseminate it globally to minimise a hacker’s opportunity with that specific attack vector.
This model is now being extended to voice security in a bid to combat the escalating threats, including toll fraud, telephony denial of service and voice mail hacking attacks, leveraging the cloud based Session Border Controller (SBC) and community collaboration to deliver rapid protection against emerging global events.
Paul German, CEO, VoipSec, explains why community led threat detection and prevention is fast becoming a critical component of the VoIP security model.
Security is not static; and the concept of ‘working together we are stronger’ is well proven. The ability to pool information and experience has proved key in the fight against a continuously evolving threat landscape. The difference today is that the threat landscape increasingly includes voice. With the huge growth in companies adopting Voice over IP (VoIP) and Unified Communications (UC) to drive down costs and improve productivity, the inherent insecurity of standard deployments has driven an explosion in telephony denial of service attacks, voice mail hacking and toll fraud.
According to the Communications Fraud Control Association (CFCA) $4.4 billion has been lost due to PBX hacking, while the US Department of Homeland Security’s Cyber Security Division has recently announced it is funding two research projects designed to harden defenses following recent Telephony Denial of Service (TDoS) attacks on 911 emergency call centres, financial services companies and a host of other critical service providers and essential organisations.
It is becoming increasingly apparent that the frequency of this voice related activity will only increase all the while voice security models remain outdated and static. Given the growing complexity hackers face to break through multi-layered security systems to gain access to personal data, the contrasting ease with which a telephony denial of service attack can be launched on an unsecured or inadequately secured voice network is stark. It is no wonder these incidents are on the rise – and organisations are enduring the devastating consequences.
Cloud based SBCs
Traditional models for protecting the voice network were based on hardware devices – an ‘install once’ Session Border Controller (SBC) that simply could not protect an organisation against continually evolving threats. More recently, that model has shifted towards software based SBCs that can be upgraded in response to new security risks. It is, however, the evolution towards cloud based SBC deployments that now enables the adoption of this community led voice security model.
This cloud based SBC deployment facilitates the adoption of community led intelligence on two fronts. Firstly, working together a community of organisations sharing breach information radically extends the number of touch points into hacking events, transforming understanding and insight into the ways in which hackers are looking to compromise companies. Secondly, each hacking attempt to compromise a specific customer environment creates a fingerprint which can then be used by the security vendor to create a security patch or update that will actively immunise every other user of the cloud based SBC from being compromised with the same attack fingerprint.
This combination of routine product updates with shared intelligence ensures an attack on a single organisation can be quickly transformed into a patch or update that protects every business from the new risk.
This model is particularly effective against the typical security threats now affecting voice networks – telephony denial of service and voicemail hacking. When a hacker compromises a call centre and consumes all lines to prevent any in-bound or out-bound calls the implication on an organisation’s business is devastating. From the negative customer experience to the multi-million pound demands from hackers to unlock the lines, the business cost of one of these attacks can be very significant.
Each telephony denial of service attack will include specific attributes that will form the fingerprint. Taking a sample of that event – including what services the hacker is trying to access, the number called to or from, the digits being pressed when on the line – will enable the creation of a patch or update that can be shared with all users of the SBC, to ensure no other organisations are exposed to this specific breach attack.
A similar model applies to preventing wide exposure to voicemail hacking, a process that enables hackers to accept and make international collect calls – at huge cost to the compromised business. In addition to specific voicemail protection modules provided as part of a cloud based SBC to identify breach attempts, lock down the voice network and alert the organisation, the SBC will log rogue numbers identified across the cloud based network, rapidly creating a database of blacklisted numbers that can be deployed by all organisations to further protect against voicemail hacking attempts.
Prioritise and Evolve
This community model is particularly effective in highlighting and combatting global attacks. An organisation operating single site security policies could be unaware that attacks are being launched simultaneously against multiple locations. With a global, cloud based SBC approach, the company will be made immediately aware of the scale of the global attack and therefore able to enforce policies that protect the entire environment against breach.
The ability to prioritise activity is also key. Every threat will be profiled and organisations have the option as to how frequently updates are made. For example, most will opt to be immediately protected from critical risks, while high or medium risk updates could be made weekly, and low risks just once a month. In addition, the community model supports continual assessment of past threats by using validation techniques to track activity. If a specific fingerprint is not seen again, and the patch is no longer required, it can be removed from the SBC or replaced by a different approach, such as diverting any calls from a previously blocked number to a security desk.
It is this depth of security intelligence that is transformative. With growing consensus that the burden facing organisations attempting to fight security issues individually is simply too high, it is clear that joining a specific community of companies willing to work together is a far more effective approach to locking down a business against new threats affecting voice and UC.
Combining this community led collaboration with the ability to rapidly disseminate patches and update via a cloud based SBC will enable organisations to lock down the business against escalating VoIP security threats.
from Community Led Threat Prevention