How to Assess Vulnerability for Voice Services


With the widespread popularity of IP-based solutions comes the new challenge of securing them. IT solution providers can offer ways of protecting customers from those numerous points of exposure. Following, the director of product management for test solutions at Empirix analyzes how VARs can best lock down their customers' voice networks.— Jennifer Bosavage, editor

IT solution providers are well versed in the benefits of IP-based contact center and unified communication (UC) solutions. They can deliver more services to more customers and provide a thoroughly rich, satisfying media experience like never before. However, those modern capabilities come with a new set of vulnerabilities, even to services previously deemed untouchable. IP networks now have many points of exposure from which malicious activity can originate. (Ed. note: IT solution providers might also be interested in how social nets can threaten the enterprise: SMBs Weigh Security Risks of Facebook, Social Networking.)

One area that may be overlooked is voice services. Groups attempting to steal identities can hack into contact centers and steal DTMF digits entered into telephone banking or other automated services. Hackers interested in reading email messages are growing increasingly more interested in listening in on an organization’s phone calls. Taking this one step further, they could gain access to listen to agent conversations for secondary validation information.

If the goal is to tarnish reputations or cause revenue loss, hackers can flood a company with fake traffic so customer calls go unanswered. Of course, there are always groups looking to hijack services and make free international calls at someone else’s expense. The truth is, in the IP world, voice systems are susceptible to the same vulnerabilities as data systems.

The best way to assess risk is to simulate an attack and see how the system responds. That means emulating harmful traffic – fake calls, malformed messages, spoofs – and hammering the system. It also provides an ideal opportunity to determine whether or not security policies are adhered to while undergoing an attack, such as did it trigger the alarms, were the correct people notified, and did they follow the proper procedures?

A comprehensive vulnerability test includes ensuring valid traffic is not impacted. That looks at, for example, whether or not customer calls can get through and if voice quality degrades. Without that type of testing, companies may not know the difference between an attack and interoperability issues or intermittent voice quality problems. A complete program to assess the vulnerability of voice systems should include the following tests:

• Invite flood
• Registration flood
• Invite spoof flood
• Response spoof flood
• Malformed messages
SIP Torture test
• Denial of Service flood

SIP calls are considered unaffected by attacks if they can be established with minimal latency and successfully exchange RTP media with little or no degradation. It is important to perform baseline testing prior to executing the plan to gain the benchmarks for comparison since these metrics help determine the impact on customers (call completion and success rates, voice quality, jitter, latency). The vulnerability tests should be performed under both load and oversubscribed conditions for maximum assurance.

Tremendous Value Add: Confidence
These days, an astounding number of security breaches are being reported across a wide range of organizations. To ensure it’s not your organization, consider SBC and edge device testing services as a vital piece of any network readiness assessment. For IP-based UC and contact center projects, organizations should take a methodical approach to pre-deployment testing and assess each technology layer successively (foundational elements, IVR, routing, CRM, presence, etc.). Once the solution’s performance and functionality have been validated, the solution provider can test for security threats. That approach not only follows best practice methodologies, but also lets companies leverage any script development work done to customize those test plans for specific IVR, routing or application interactions.

When designing a vulnerability assessment program, it is important to choose a flexible testing solution that can be customized to closely match the client’s call flow, network environment, UC solutions and/or contact center systems. Best practice methodologies recommend automated, repeatable test solutions to ensure any issues detected are fully corrected.

Vulnerability assessment is an important service VARs and other solution providers can offer their customers. The ROI on getting it right is incalculable, but the cost of a security breach can be extremely expensive to both the bottom line and customer goodwill. With IP networks constantly evolving, organization should consider a vulnerability assessment as a part of any new technology project or as an ongoing service. New patches, upgrades, servers and solutions are deployed almost daily. These changes can easily lead to unknown vulnerabilities. Constant testing of SBCs and edge devices is the best method for protecting a company against malicious intent.