Why the voice network is a blind spot for security professionals [Q&A]
We're familiar with threats to data and data networks, but there's another part of corporate communication that's often overlooked yet represents an equally valid attack vector and equally high risks.
We spoke to Mutare CTO Roger Northrop to find out more about the risks voice networks present and why organizations need to take them seriously.
BN: With voice network/VOIP systems as a potential social engineering target, why are organizations not sufficiently protecting these systems from infiltration?
RN: Most security tools focus on the data network for web and email protections, but voice networks are easily infiltrated through vishing, smishing or spear-phishing attacks. Hackers can use social engineering tactics against employees, the weakest link, including spoofed numbers and slick stories to trick distracted employees. Most organizations employ intrusion detection and prevention systems to protect their data networks, but this causes many organizations to wrongly assume that their firewalls are enough, while relying on their carriers and cloud providers to safeguard their voice networks.
This problem comes down to a lack of general awareness. Threat capabilities, probabilities of action, and contact frequencies are constantly evolving, so protecting voice networks is like a game of whack-a-mole. As soon as one vulnerability is discovered and patched, a new threat arrives. Even as companies invest millions in firewalls, antivirus protections, penetration tests, training, and spam filters, their telephone networks remain largely open.
BN: What are the major vulnerabilities/weak spots for an organization's voice network?
RN: A recent report shows that voice phishing, or vishing attacks, were up over 500 percent in 2021. These attacks come in many forms, relying on the greatest weakness of human error to steal user credentials, data, and personal information, even identities.
Without proper filtering, firewalls, or phishing training, voice networks are open to threats like TDoS attacks, which make a telephone system unavailable by preventing incoming and/or outgoing calls to overwhelm the system, blocking legitimate calls for service. Also, when employees use their personal mobile devices in the workplace and click a malicious text link, ransomware can be transferred from their device to a networked system via corporate Wi-Fi.
Once criminals convince employees to share info over the phone, data/IP theft or a breach gives access to critical customer, employee, and stakeholder data, stolen company ideas, projects, inventions, and other intellectual property -- including trade secrets, patents, and proprietary software.
BN: As companies remain fully remote or have hybrid work forces, how can businesses protect their employees from making serious security mistakes from Vishing and other phone scams?
RN: Remote worker security involves locking down networks, devices, applications, and protecting workers. Employees working from home expect that business devices and applications are as frictionless to use as their personal tech, but this is not always the case. It is common for employees to give up on enterprise supplied items and just use their own. It happens all the time, but the moment you engage in communication on a personal device off a locked down VPN using an unsanctioned app, you enter a highly vulnerable landscape that improves the threat capabilities of bad actors targeting your enterprise.
Also, the various 'collaboration' applications used for both internal and external communications create an issue. Your company may use one sanctioned platform internally for video conferencing (like Zoom), but then making an external call or receiving an external call via another platform expands the threat surface.
Likewise, distracted or busy employees can open a window of opportunity for mistakes that often result in security lapses, such as a critical database login being left unattended, or someone clicking on a malicious text message link.
BN: How are perceptions changing in terms of viewing voice network threats as more nefarious rather than just a productivity drain?
RN: Market awareness is growing to block nuisance calls for the sake of staff productivity, but perceptions are now changing to also recognize nefarious calls and stop them from reaching the voice network. Robocalls can be an annoying distraction, but beyond reducing workforce productivity, the profits from vishing, smishing, and other social engineering attacks have spawned dangerous global criminal enterprises.
A range of threats can be hidden within the voice traffic that moves through your organization 24/7/365. Initial access brokers, hackers, bad actors, cyber-thieves, and terrorists may be actively infiltrating your voice network with no fear of being stopped. This is because the bulk of cybersecurity measures are meant to protect hardware and software infrastructure from compromise. Yet the calls going in and out of voice networks are often completely unchecked.
The majority of enterprise voice traffic involves valid transactional calls that enable a business to function. Typically this traffic totals 82 percent to 90 percent of overall calls, depending on the industry. The problem comes with the remaining 10 percent to 18 percent of calls, where the real risk lies. Perceptions are starting to change, but many organizations remain unaware about real threats to their voice networks.
BN: How can organizations reduce the attack surface for voice networks?
RN: The most effective approach involves automated technical security controls that identify nefarious and nuisance callers and disconnect the calls without ever ringing the employee phone. The reduction in contact frequency by nefarious callers will greatly reduce the odds of a serious security breach. Companies must strike a balance between providing a great user experience and a secure user environment.
Training employees is also essential. The pressure on contact center agents and other customer service reps to deliver 'single call resolution' and meet call quotas creates a perfect opportunity for vishing scams. This setting gives bad actors the upper hand to manipulate employees into revealing information they might not otherwise provide in the absence of distractions and time constraints. Training and coaching by the company -- along with reasonable distraction controls and call quotas -- can go a long way toward helping employees identify a scam in process and foil it before it turns into a breach or loss event for the company.
Lastly, companies should include vishing in their security penetration testing practices, both for automated technical security controls and for their people, to find and plug vulnerabilities before loss events happen.
BN: What's the importance of policies in identifying and quarantining bad calls while still letting the right calls reach employees?
RN: Effective policies involve more than just using call block lists. Security practices should incorporate multiple layers of defense to create a robust security mesh that reduces the attack surface of the voice network. The most basic layer involves an analysis of call traffic patterns into the organization. Every organization has different traffic patterns, so that first layer is used to find unusual traffic. Another layer is used to match caller numbers against multiple databases that track suspicious calls from around the planet.
Another layer involves implementing a voice traffic filter to eliminate unwanted calls. Organizations can also set up their own custom rules for specific call numbers and geographies. In this way, they can decide which calls to let through and which ones to send to a block list.
Companies should train their employees so that, when a bad call gets through, red flags immediately go up, they do not give out any information, and they just stop the call. Organizations need to allocate enough time and money to protect the voice side of the house and invest in training to help employees secure their company's voice networks.
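The layered screening described in the last two answers (traffic-pattern analysis, reputation database matching, custom number and geography rules, a block list, and disconnecting bad calls before they ring a phone) can be sketched as a small policy engine. The following is an added example written for this article, not Mutare's product or any code from the interview; the call records, the numbers, the "XX" country code and the reputation databases are all constructed, and the carrier is assumed to supply an E.164 caller ID and a country code per call.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Call:
    caller: str    # E.164 caller ID as presented by the carrier (assumed available)
    country: str   # ISO 3166 country code for the number (assumed supplied by the carrier)
    ts: int        # arrival time, epoch seconds


@dataclass
class Policy:
    allow_list: set = field(default_factory=set)        # known partners, always ring through
    block_list: set = field(default_factory=set)        # numbers the organization never accepts
    blocked_countries: set = field(default_factory=set) # geographies with no legitimate business
    reputation_dbs: list = field(default_factory=list)  # sets of suspicious numbers (constructed)
    window_seconds: int = 60
    max_per_caller: int = 3   # one caller ID more often than this per window is abnormal
    max_total: int = 10       # inbound volume above this per window looks like a TDoS flood
    hits_to_block: int = 2    # block outright when this many reputation databases agree


class CallScreener:
    """Decides ALLOW / BLOCK / QUARANTINE for each inbound call, in arrival order."""

    def __init__(self, policy):
        self.policy = policy
        self.per_caller = defaultdict(deque)  # caller -> timestamps inside the window
        self.all_calls = deque()              # every call inside the window

    def _record(self, call):
        # Layer 1: sliding-window traffic statistics. Every call is counted, even
        # allow-listed ones, so the volume figures reflect what actually arrived.
        cutoff = call.ts - self.policy.window_seconds
        q = self.per_caller[call.caller]
        q.append(call.ts)
        while q and q[0] <= cutoff:
            q.popleft()
        self.all_calls.append(call.ts)
        while self.all_calls and self.all_calls[0] <= cutoff:
            self.all_calls.popleft()
        return len(q), len(self.all_calls)

    def screen(self, call):
        p = self.policy
        caller_count, total_count = self._record(call)
        if call.caller in p.allow_list:
            return "ALLOW", "allow list"
        if call.caller in p.block_list:
            return "BLOCK", "block list"
        if call.country in p.blocked_countries:
            return "BLOCK", "geography rule"
        # Layer 2: agreement between independent reputation databases.
        hits = sum(1 for db in p.reputation_dbs if call.caller in db)
        if hits >= p.hits_to_block:
            return "BLOCK", f"reputation ({hits} databases)"
        # Layer 3: traffic-pattern anomalies. A single caller ID hammering the
        # system is disconnected; during an overall flood, unknown callers are
        # diverted (e.g. to an IVR or voicemail) while partners still ring through.
        if caller_count > p.max_per_caller:
            return "BLOCK", "traffic pattern (caller rate)"
        if total_count > p.max_total:
            return "QUARANTINE", "traffic pattern (inbound flood)"
        if hits == 1:
            return "QUARANTINE", "reputation (single database)"
        return "ALLOW", "no rule matched"


def screen_log(calls, policy):
    """Run a batch of calls through a fresh screener; returns (caller, decision, reason)."""
    screener = CallScreener(policy)
    return [(c.caller, *screener.screen(c)) for c in sorted(calls, key=lambda c: c.ts)]


def summarize(results):
    counts = {}
    for _, decision, _ in results:
        counts[decision] = counts.get(decision, 0) + 1
    return counts


# Constructed sample policy and call log (no real numbers or databases).
SAMPLE_POLICY = Policy(
    allow_list={"+15550100001"},
    block_list={"+15550199999"},
    blocked_countries={"XX"},
    reputation_dbs=[{"+15550177777", "+15550166666"}, {"+15550177777"}],
)
SAMPLE_CALLS = (
    [Call("+15550100001", "US", 1000),   # known partner
     Call("+15550199999", "US", 1001),   # on the block list
     Call("+15550177777", "US", 1002),   # flagged by two databases
     Call("+15550166666", "US", 1003),   # flagged by one database only
     Call("+99900000001", "XX", 1004)]   # blocked geography
    + [Call("+15550155555", "US", 1010 + i) for i in range(4)]   # one caller, 4 calls in 4 s
    + [Call(f"+1555012000{i}", "US", 1020 + i) for i in range(3)]  # pushes volume past max_total
    + [Call("+15550100001", "US", 1023),  # partner still rings through during the flood
       Call("+15550133333", "US", 1100)]  # window has expired, normal traffic again
)

if __name__ == "__main__":
    for caller, decision, reason in screen_log(SAMPLE_CALLS, SAMPLE_POLICY):
        print(f"{caller:15} {decision:10} {reason}")
    print(summarize(screen_log(SAMPLE_CALLS, SAMPLE_POLICY)))
```

The order of the checks is the point: explicit allow and block decisions come first, then corroborated reputation, then the traffic-pattern layer that only makes sense once the cheap lookups have failed. Quarantine rather than block is used where the evidence is weaker (one database, or an organization-wide flood), so that a legitimate caller caught in a burst is diverted rather than dropped, which is the balance between user experience and security that the interview describes.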