Best practices for securing voice networks

Cybersecurity attacks have become so commonplace today that we are rarely surprised by widespread breaches. We have grown accustomed to reading daily headlines about bold hacks that hobble popular online platforms, hold large organizations hostage, or steal vast troves of valuable customer data and intellectual property.

This problem is so prevalent that board-level attention for security is now the norm, with a growing emphasis on safeguards for auditing and compliance. As a result, enterprise security has become a top priority for organizational resources. The average company dedicates 11% of its information security and risk management budget to protect data networks, according to the Gartner 2021 CIO Agenda Survey.

While many IT teams have focused their security efforts on protecting data networks for email and other applications, most have overlooked criminal intrusions through the unprotected pathways of their enterprise voice networks, or phone systems.

The enterprise network is the primary conduit for hackers and ransomware gangs, but for many organizations, half of the network remains unguarded. This is because when IT and security teams talk about networks, they usually mean the data network — but every network combines a data network and a voice network.

The Voice Network Creates a Gaping Hole for Enterprise Security

People who pick up the phone can become a biological router that bridges the information gap from voice networks over to data networks without even knowing it. For example, call center personnel typically have access to up to 15 separate information systems. Most customer service reps can log into systems for email, sales, human resources, digital imaging, and more.

Voice phishing phone calls and voice messages, also known as vishing attacks, can be a highly effective technique to trick unwitting employees in the call center and elsewhere. In this way, attackers can convince their targets to provide access to data networks, or even send the calls up the org chart to target influential financial leaders or C-level executives.

How Bad Actors Can Attack Your Voice Network

Consider a real-world case in which our security engineers assisted a clinical organization when a hacker’s phone call got through to a nurse. The nurse innocently gave the hacker immediate online access to take over her screen and all the systems she had logged into. Even worse, forensic analysis and data breach notifications were made extremely difficult because the nurse’s access was fully authorized.

From all this, we see how the voice network can serve as a nexus point for nuisance calls that reduce productivity, or even worse, for nefarious calls, leading to disastrous consequences. In fact, the hacking ecosystem has produced a new position for this strategy known as an initial access broker, or IAB. These IABs are attackers who specialize in breaching companies and then selling the access points to ransomware gangs.

The overarching goal is to gain the trust of people inside an organization to gain illicit access to private information, contacts, credentials, and more. If an IAB interacts with the same employee by phone over time to gain that person’s trust, the attacker may eventually gain access to the adjacent data network.

Best Practices for Securing the Voice Network

We know that cybersecurity incidents and data breaches are continuously evolving and increasing. For this reason, most data networks today are protected by broad intrusion detection systems (IDS) and intrusion prevention systems (IPS). These software layers constantly monitor data networks to identify potential incidents, stop them, and report any threats to security administrators.

However, voice networks have no such IDS or IPS systems in place. Nor do they have security protections to control the fallible humans who represent the ultimate endpoints of the voice network. Protecting the voice network requires security teams to implement a multilayered architecture or mesh security strategy while better preparing the staff to recognize potential threats on their phones.

Addressing this problem starts by gaining visibility into all the underlying vulnerabilities. A comprehensive voice traffic assessment provides a good starting point to handle the types and volumes of calls running over a voice network.

Security teams can then take steps to build in necessary security protections and hold staff trainings to promote greater awareness about the threats to voice networks from simple phone calls or text messages. Unfortunately, voice network security presents a serious threat that usually does not get adequate attention until too late. Taking preventative steps now can help offset this growing concern.

Roger Northrop is Chief Technology Officer at Mutare.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.