Security Manager's Journal: Slammed with a $100,000 phone bill
The way VoIP works, the company will have to pay for calls made by hackers, but it doesn't want that to happen again.
Computerworld - Last week, my company got a $100,000 phone bill. Turns out, some enterprising types have been bouncing their calls off our voice network. This allowed them to make numerous calls to a foreign country using our equipment. And it looks like we're stuck with the bill.
The problem is that our voice over IP (VoIP) network is set up to receive incoming call requests from the general public. This is the normal way these phone calls work. We use the SIP protocol, which is designed to accept voice connections from anywhere. This protocol is not particularly secure; it's designed to promote global communication rather than validate that those connections are legitimate or authorized. The default behavior is to accept connections from anywhere. The way it works is that a call request comes in to a gateway like ours with some information about who's calling and where they are calling to, and the gateway (not being a particularly smart device) happily routes the call. Unfortunately, the "from" and "to" information can be any numbers, and attackers can simply put in any numbers they want. There's no authentication or validation built into the protocol. Our attackers took advantage of this to bounce calls off our gateway, in a way that made it appear the calls were originating from within our company.
Because our device is actually making the phone calls, the liability for the cost is ours. There's no built-in liability protection or limitation in our phone infrastructure to protect customers like us. It's kind of like having your bank account number stolen -- if somebody uses it to steal money from your account, you're out of luck, unlike with credit cards, where there is a limit to how much you owe for fraudulent purchases. And there's no way to find out who made the calls, because the source information was fake, so we can't put the blame on someone else.
So there's nothing I can do to repair the damage that was already done. All I can do is figure out a way to prevent a recurrence of this situation in the future. I don't know much about VoIP security, so I'm doing some research and trying to learn fast. I know that SIP traffic comes through the Internet to get to our gateway, which then routes calls to the phone company's voice network. This is regular TCP/IP network traffic that can be protected by a firewall that only allows connections from known good addresses and blocks connections from known bad addresses. I'm not sure how I'm going to determine which IP addresses are good and bad, so I'll have to figure that out. In addition, the SIP gateway itself is a network device that I might be able to harden with configuration entries that are more discriminating than the default settings. This requires specialized knowledge, so I may have to bring in an expert to help.
It seems like every day brings a new security challenge to light at my company. This situation is something new for me, so I'm viewing it as a learning experience. I just wish it didn't have to be such an expensive lesson.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
To join in the discussions about security, go to blogs.computerworld.com/security.
More by J.F. Rice
- Security Manager's Journal: Trapped: Building access controls go kablooey
- Security Manager's Journal: We manage our threats, but what about our vendors?
- Security Manager's Journal: With Heartbleed, suddenly the world is paying attention to security
- Security Manager's Journal: A rush to XP's end of life
- Security Manager's Journal: Security flaw shakes faith in Apple mobile devices
- Security Manager's Journal: Cyberattacks just got personal
- Security Manager's Journal: Target breach unleashes fresh scams
- Security Manager's Journal: Giving thanks for SIEM
- Security Manager's Journal: Hashing out secure applications
- Security Manager's Journal: Why the shutdown is like the cloud
Read more about Security in Computerworld's Security Topic Center.
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!