Security Manager's Journal: Slammed with a $100,000 phone bill
The way VoIP works, the company will have to pay for calls made by hackers, but it doesn't want that to happen again.
Computerworld - Last week, my company got a $100,000 phone bill. Turns out, some enterprising types have been bouncing their calls off our voice network. This allowed them to make numerous calls to a foreign country using our equipment. And it looks like we're stuck with the bill.
The problem is that our voice over IP (VoIP) network is set up to receive incoming call requests from the general public. This is the normal way these phone calls work. We use the SIP protocol, which is designed to accept voice connections from anywhere. This protocol is not particularly secure; it's designed to promote global communication rather than validate that those connections are legitimate or authorized. The default behavior is to accept connections from anywhere. The way it works is that a call request comes in to a gateway like ours with some information about who's calling and where they are calling to, and the gateway (not being a particularly smart device) happily routes the call. Unfortunately, the "from" and "to" information can be any numbers, and attackers can simply put in any numbers they want. There's no authentication or validation built into the protocol. Our attackers took advantage of this to bounce calls off our gateway, in a way that made it appear the calls were originating from within our company.
Because our device is actually making the phone calls, the liability for the cost is ours. There's no built-in liability protection or limitation in our phone infrastructure to protect customers like us. It's kind of like having your bank account number stolen -- if somebody uses it to steal money from your account, you're out of luck, unlike with credit cards, where there is a limit to how much you owe for fraudulent purchases. And there's no way to find out who made the calls, because the source information was fake, so we can't put the blame on someone else.
So there's nothing I can do to repair the damage that was already done. All I can do is figure out a way to prevent a recurrence of this situation in the future. I don't know much about VoIP security, so I'm doing some research and trying to learn fast. I know that SIP traffic comes through the Internet to get to our gateway, which then routes calls to the phone company's voice network. This is regular TCP/IP network traffic that can be protected by a firewall that only allows connections from known good addresses and blocks connections from known bad addresses. I'm not sure how I'm going to determine which IP addresses are good and bad, so I'll have to figure that out. In addition, the SIP gateway itself is a network device that I might be able to harden with configuration entries that are more discriminating than the default settings. This requires specialized knowledge, so I may have to bring in an expert to help.
It seems like every day brings a new security challenge to light at my company. This situation is something new for me, so I'm viewing it as a learning experience. I just wish it didn't have to be such an expensive lesson.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
To join in the discussions about security, go to blogs.computerworld.com/security.
More by J.F. Rice
- Security Manager's Journal: Security flaw shakes faith in Apple mobile devices
- Security Manager's Journal: Cyberattacks just got personal
- Security Manager's Journal: Target breach unleashes fresh scams
- Security Manager's Journal: Giving thanks for SIEM
- Security Manager's Journal: Hashing out secure applications
- Security Manager's Journal: Why the shutdown is like the cloud
- Security Manager's Journal: Thinking about passwords
- Security Manager's Journal: Android panic
- Security Manager's Journal: Auto-forwarded emails could be a huge problem
- Security Manager's Journal: Our network infrastructure has fallen far out of date
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts