Communications Security Report to The Industry Mark D. Collier Chief Technology Officer/VP Engineering Rod Wallace Global VP Services SecureLogix Corporation

Page 1: About SecureLogix

Communications Security Report to The Industry

Mark D. Collier, Chief Technology Officer/VP Engineering

Rod Wallace, Global VP Services

SecureLogix Corporation

Page 2: About SecureLogix

© Copyright 2009 SecureLogix Corporation. All Rights Reserved.

ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners.

About SecureLogix

• SecureLogix

• UC security and management solution company

• Security solutions for UC and traditional voice networks

• Our applications are integrated into Cisco routers

• About us:

• Author of Hacking Exposed: VoIP – Working on a revision

• Author of SANS VoIP security course

• Author of many SIP/RTP attack tools

• www.voipsecurityblog.com

• Experience pioneering enterprise SIP trunking

Page 3: About SecureLogix

UC Security Introduction

• The biggest threats to UC systems are application level:

• Harassing callers, TDoS, Social engineering, and toll fraud

• These attacks are present with UC and TDM

• Incentive is financial and disruption

• The PSTN is getting more hostile – resembling the Internet

• Current UC systems are vulnerable:

• Platforms, network, and applications are vulnerable

• Many available VoIP attack tools

• But UC-specific attacks are still uncommon

• SIP trunking/UC/Internet may change the threat

Page 4: About SecureLogix

Public Network Security

[Network diagram. Labels: Internet; Internet Connection; Public Voice Network; TDM/SIP Trunks; Voice Firewall; SBC (CUBE); UC Servers; CM; Gateway; DNS; CC Admin; TFTP; DHCP; VM; DB; Voice VLAN; Data VLAN; IP Phones; UC Clients; TDM Phones; Servers/PCs; Modem; Fax]

High Threat: Harassing Calls/TDoS, Social Engineering, Toll Fraud, Modems

Medium Threat: Voice SPAM, Voice Phishing

Page 5: About SecureLogix

Campus/Internal UC Security

[Network diagram. Labels: Internet; Internet Connection; Public Voice Network; TDM/SIP Trunks; Voice Firewall; SBC (CUBE); UC Servers; CM; Gateway; DNS; CC Admin; TFTP; DHCP; VM; DB; Voice VLAN; Data VLAN; IP Phones; UC Clients; TDM Phones; Servers/PCs; Modem; Fax]

High Threat: Harassing Calls/TDoS, Social Engineering, Toll Fraud, Modems

Medium Threat: Voice SPAM, Voice Phishing

Low Threat: LAN Originated Attacks

Page 6: About SecureLogix

SIP Trunk Security

[Network diagram. Labels: Internet; Internet Connection; Public Voice Network; SIP Trunks; Voice Firewall; SBC (CUBE); UC Servers; CM; Gateway; DNS; CC Admin; TFTP; DHCP; VM; DB; Voice VLAN; Data VLAN; IP Phones; UC Clients; TDM Phones; Servers/PCs; Modem; Fax]

High Threat: Harassing Calls/TDoS, Social Engineering, Toll Fraud, Modems

Low Threat: Scanning, Fuzzing, Flood DoS

Page 7: About SecureLogix

Hosted IP

[Network diagram. Labels: Internet; Internet Connection; Public Voice Network; IP Phone Traffic; IP PBX; CM; Gateway; DNS; CC Admin; TFTP; DHCP; VM; DB; Voice VLAN; Data VLAN; IP Phones; TDM Handsets; UC Clients; TDM Phones; Servers/PCs; Modem; Fax]

High Threat: TDoS/Harassing Calls, Social Engineering, Toll Fraud, Modems

Medium Threat: Voice Phishing, Voice SPAM

Medium Threat: Client Devices and Software Exposed

Page 8: About SecureLogix

Harassing Callers

Automated transmission of:

• Annoying/offensive calls
• Bomb threats
• Voice SPAM
• Voice Phishing

[Diagram labels: Users; Public Voice Network; Voice Systems]

Social networking used to coordinate an attack

Page 9: About SecureLogix

Social Engineering

Attacker Targets IVR:

• Spoofs Caller ID
• Guesses Accounts/Passwords
• May be Brute-Force or Stealth
• Often Automated

Attacker Targets Agents:

• Spoofs Caller ID
• Uses Personal Info From Internet
• Tries to Gather Info from Agents
• Always Manual

[Diagram labels: Contact Center Agents; Public Voice Network; Voice Transaction Resources (IVRs)]

Page 10: About SecureLogix

TDoS Attack Through a Botnet

[Diagram labels: Botnet Master; BOT (repeated); TDoS Call Volume: 10,000+ Calls; Customers; All Transactions Lost; Total Network failure; Voice Transaction Resources (IVRs); Contact Center/911/311 Agents]

Page 11: About SecureLogix

UC-Specific Vulnerabilities

• UC and collaboration are introducing new vulnerabilities

• Movement to the Internet is increasing the threat

• SIP is becoming a unifying protocol (for presence too)

• Video:

• Shares many issues with voice – lucrative due to bandwidth

• Video systems are being attacked for toll fraud/eavesdropping

• Instant Messaging:

• Vulnerabilities for file transfer, eavesdropping, malware

• Social networking:

• Where should we start?

Page 12: About SecureLogix

Voice Security Threat Trending – 2011 vs 2010

[Chart. Axes: Relative Severity (1-10 scale), ticks 0 to 10; Activity Increase. Threats plotted: Harassing Callers; Social Engineering; Modems; Specific Policy; ISP Calling; Loss of Productivity; Toll Fraud; Automated TDoS; Social Networking TDoS; SIP Attacks]

Page 13: About SecureLogix

Modems – Hardly Declining

[Chart: "Modem Daily Calls Trending". Categories: 10-year Average, 3-year Average; series: 2010, 2011; axis: Calls/span/day, 0 to 35]

Modem use stubbornly high – 27 calls/trunk/day

Page 14: About SecureLogix

ISP Calling – Persistent Threat

[Chart: "ISP Call Duration in Working Days per Year". Categories: 10-year Average, 3-year Average; series: 2010, 2011; axis: Working Days/span/year, 0 to 70]

Unprotected enterprises have firewall bypassed >50 days/trunk

Guess how your company confidential information leaks are happening?

Page 15: About SecureLogix

Being a Harassing Caller – A Growth Industry

[Chart: "2011 Single Enterprise Harassing Callers". Months: Jan-11 to Dec-11; axis: Harassing Call Count, 0 to 70,000]

[Chart: "Importance of Vigilant Harassing Caller Blocking: Effect of not managing a blocking list". Categories: Unmaintained List, Maintained List; axis: Detected Harassing Calls, 0 to 14,000]

3.6x increase January to December!

4.8x increase 2011 vs 2010

Like anti-virus, it is important to keep a current harassing caller list.

Page 16: About SecureLogix

Being a Harassing Caller – A Growth Industry

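[Pie chart: "Harassing Caller Types - End 2011". Legend, in the order shown: Telemarketer, Debt Collector, Scammer, Non-profit, Survey, Political, Fax Machine, Prank. Slice values, in the order shown: 55.3%, 27.4%, 10.5%, 2.9%, 2.3%, 1.0%, 0.3%, 0.3%]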

Page 17: About SecureLogix

Harassing Callers – High Volume Campaigns

[Chart: "August Week 1 Harassing Caller Campaign". Horizontal axis: Start Time - By Minute, 12:04 PM to 12:30 PM; vertical axis ticks: 1, 10, 100, 1,000]

Approx. 4800 calls in 25 minutes

Page 18: About SecureLogix

Social Engineering – Quantifying the Risk

Proportion of Calls with No Caller ID:

• No Source: 3.45%
• Number Presented: 96.55%

Caller Authentication:

• Authenticated: 79.3%
• Internet VoIP: 3.4%
• Spoofed: 4.9%
• Non-Credentialized: 12.4%

Source: TrustID

Source: SecureLogix

1.5% – 7% inbound calls have no source number

5% of remaining calls verifiably spoofed

Page 19: About SecureLogix

Social Engineering Targeting Contact Centers

Observing increased Social Engineering attacks on contact centers

Persistent Perpetrators – keep attempting to call after blocking policy enforced

Page 20: About SecureLogix

High-Risk Calls and Social Engineering

Case Study - US Financial Institution: In 2 weeks, 88 calls to OFAC countries for 5 hours

Case Study - US Financial Institution: NSF check fraud perpetrated from Ghana in combination with US players

Case Study – US Financial Institution: Detected multiple calls to Contact Center using Social Engineering to perform organizational mapping: requesting locations and phone numbers etc.

• US sanctions stemming from engaging in financial transactions with OFAC countries/entities.

• Other high risk origin & destination countries: Common fraud launching points.

Page 21: About SecureLogix

“Occupy the Phones”

Page 22: About SecureLogix

Contact Center TDoS Flash-Mob Attack

[Chart: "Monday – Tuesday Flash Mob Attack". Days shown: Thursday, Friday, Monday, Tuesday, Wednesday; vertical axis 0 to 1400. Annotations: "Attack Starts Monday at 11 AM"; "Contact Center was main target"; "Attack calls blocked"; "Typical daily call volume"; "Typical day at Contact Center"]

Page 23: About SecureLogix

Increase Call Center Effectiveness

No Value Calls (Constant Presence)

• Busy/unanswered calls
• Repeat Callers
• Harassing callers
• Warranty
• Sales
• Nuisance callers
• Outbound Unauthorized calling by employees
• Hung voice calls
• Inbound Fax Spam

Negative Value Calls (Variable Presence)

• Social Engineering
• Hacktivism
• Inbound Call Types
  • Modems (Scans)
  • Fax (Spam)
  • Modem Energy
  • Robo Dialers
• Dial Through Fraud
• Call Pumping
• Outbound Modem
• Telephony Denial of Service

[Diagram label: Contact Center]

Page 24: About SecureLogix

Call Metrics, Stats & Exception Notification

Page 25: About SecureLogix

Effect of Negative Value Calls - Lost Revenue/CSAT

• Case Study: Commodity Retail Contact Center

• 3815 busy calls/month & 236,978 unanswered calls/month

• 25% of callers purchase, $35 average sale

$2.1 Million per month in lost sales

Page 26: About SecureLogix

Best Practices for UC Security

• Collect real-time data about your UC services:

• measure what is expected and what is unexpected.

• Develop a UC security policy

• Implement UC application security on perimeter

• Implement good internal data network security

• Prioritize security during UC deployments

• Use encryption where possible for authentication, confidentiality, and integrity

• Implement SIP packet-level security on perimeter
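
One way to apply the first practice above (measure what is expected and what is unexpected) to inbound call records, as an added example that is not from the original slides or from SecureLogix: it baselines calls per minute and flags bursts like the harassing-caller campaign and flash-mob slides describe, then separates single-number redialing from many-number events. The record layout, thresholds, function names and phone numbers are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

def per_minute(calls):
    """Bucket (iso_timestamp, caller_number) records into {minute: Counter of callers}."""
    buckets = {}
    for ts, caller in calls:
        minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        buckets.setdefault(minute, Counter())[caller] += 1
    return buckets

def flag_unexpected(buckets, window=10, factor=4.0, floor=5):
    """Flag minutes whose call count exceeds factor x the expected per-minute rate."""
    flagged, history = [], []
    minute, end = min(buckets), max(buckets)
    while minute <= end:
        callers = buckets.get(minute, Counter())
        total = sum(callers.values())
        # Expected = median of the last `window` unflagged minutes, never below `floor`,
        # so a quiet line does not alert on a handful of calls.
        expected = max(median(history[-window:]), floor) if len(history) >= window else None
        if expected is not None and total > factor * expected:
            top_share = callers.most_common(1)[0][1] / total
            flagged.append({
                "minute": minute.strftime("%H:%M"),
                "calls": total,
                "expected": expected,
                "distinct_callers": len(callers),
                # One number dominating suggests an auto-dialer a block list can stop;
                # many distinct numbers points to a distributed or flash-mob style event.
                "pattern": "few-source" if top_share >= 0.5 else "many-source",
            })
        else:
            history.append(total)  # flagged minutes never raise the baseline
        minute += timedelta(minutes=1)
    return flagged

def sample_calls():
    """Constructed sample data: 12 quiet minutes, then three burst minutes."""
    calls, base = [], datetime(2011, 8, 1, 12, 0)
    for m in range(12):                  # 3 calls/min from distinct numbers
        for i in range(3):
            calls.append(((base + timedelta(minutes=m, seconds=i * 15)).isoformat(), f"555-01{m:02d}{i}"))
    for i in range(40):                  # 12:12, one number redialing
        calls.append(((base + timedelta(minutes=12, seconds=i)).isoformat(), "555-9999"))
    for m in (13, 14):                   # 12:13 and 12:14, 40 different numbers each
        for i in range(40):
            calls.append(((base + timedelta(minutes=m, seconds=i)).isoformat(), f"555-2{m}{i:02d}"))
    return calls

if __name__ == "__main__":
    for alert in flag_unexpected(per_minute(sample_calls())):
        print(alert)
```

The `few-source` minute is the case a maintained blocking list addresses; the `many-source` minutes need rate-based policy at the perimeter instead.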