Lorem Ipsm Dolor

The Final Information to VoIP Safety & Encryption (Up to date)

Is VoIP Safe? — That’s a query a number of IT leaders have been asking these days. And the latest compromise on 3CX’s VoIP by way of a provide chain assault isn’t serving to issues both [*]. 

For essentially the most half, the character of VoIP entails transmitting voice communications over the web fairly than by conventional phone traces. 

A sophisticated manner of taking a look at that is VoIP converts analog voice indicators into digital information packets, that are then transmitted over the web or different packet-switched networks. And the most effective half about VoIP is its price effectiveness, flexibility and integration capabilities. 

Nonetheless, the very nature of transmitting voice communications over the web opens up a number of vulnerabilities that may be exploited by cybercriminals. 

With this in thoughts, extra questions roll in — how do you safe your VoIP calls? Greatest practices? Mitigation techniques? All of this and extra can be answered on this information. 

However first — 

How Does VoIP Work?

Right here’s a fast run down of how the VoIP system works:

  • Voice sign conversion: While you communicate right into a VoIP-enabled gadget (like a smartphone, pc, or VoIP cellphone), it converts your voice into digital information. This conversion is finished by your gadget’s microphone and an analog-to-digital converter (ADC), remodeling the sound waves of your voice into digital packets of knowledge. 
  • Information compression: Subsequent, it compresses your digital voice information utilizing a codec (coder-decoder). 

💡Observe → This step is necessary for decreasing the dimensions of the information packets to allow them to be transmitted extra effectively over the Web. Totally different codecs provide a steadiness between voice high quality and the quantity of knowledge bandwidth used. 

  • Packetization: The compressed digital information is split into small packets. Every packet is wrapped with a header that incorporates info crucial for routing and reassembling the packets within the appropriate order as soon as they attain their vacation spot.
  • Transmission: The packets are despatched over the Web or some other IP community. To succeed in the vacation spot, they journey by varied routers and networks, which is decided by the routing info in every packet’s header. The Web’s construction permits these packets to take essentially the most environment friendly path accessible on the time of transmission.
  • Reassembly: As soon as the information packets arrive at their vacation spot, they’re reassembled into the unique sequence to precisely reproduce the spoken phrases. This reassembly takes into consideration any packets which will have arrived out of order or have been misplaced throughout transmission.
  • Decompression and Conversion: The digital information is then decompressed (if crucial) and transformed again into analog sound waves utilizing a digital-to-analog converter (DAC). 

💡Observe → This step is the reverse of what occurred on the sender’s finish.

  • Playback: Lastly, the analog sign is distributed to the speaker of the receiving gadget, permitting the recipient to listen to the sender’s voice as if it have been a standard cellphone name.

💡Beneficial → How Does VoIP Work? The Newbie’s Information To VoIP Cellphone Techniques 

Why VoIP safety issues

Safety is crucial to each enterprise. It doesn’t matter in case you have a big group or a small enterprise. A disruption to your cellphone system could be nothing in need of catastrophic.

Voice over Web Protocol (VoIP) isn’t any completely different. The decrease prices of VoIP entice a enterprise proprietor. An attacker would love to take advantage of your VoIP community once you’re not trying.

The excellent news is that VoIP is kind of safe at the moment. It has endured even after 20 years of penetration testing. Total, VoIP service suppliers are dependable and safe, whilst the character of safety threats continues to evolve.

Business Leader's Top Concerns - JP Morgan 2020 SurveyBusiness Leader's Top Concerns - JP Morgan 2020 Survey

JP Morgan surveyed enterprise leaders and found that 94% of firms had taken steps to harden their infrastructure. Malware, cost fraud, and information breaches topped their worries.

Not like different IT safety threats, Voice over IP presents new alternatives for attackers. High dangers embrace name interception, caller ID spoofing, vishing, and Denial of Service (DoS) assaults. We’ll get extra into these specifics later.

VoIP safety isn’t solely about name encryption. It’s in regards to the stage of belief that’s conveyed over a voice and textual content community. What you are promoting communication platform can perform extra assaults if it’s compromised.
The price of a breach continues to rise yearly. On common, a safety breach in america prices $9.4 million, based on reviews from Statista.

Attackers can perform assaults with the assistance of VoIP, comparable to:

  • Social engineering by way of cellphone calls.
  • Disclosing inner Wi-Fi community passwords.
  • Dialing costly cellphone numbers (toll fraud).
  • Intercepting multi-factor authentication textual content messages.
  • Gaining unauthorized entry below the false pretext to information networks.

For instance, Twitter confronted a number of coordinated assaults. The corporate isn’t any stranger to VoIP safety dangers, and former CEO Jack Dorsey was focused in a fraudulent quantity porting request final 12 months.

This safety concern doubtless had little to do with sturdy passwords. It was worse.

Social engineering may also help carry coordinated assaults towards identified VoIP customers. The Community Operations Heart (NOC) workers and customer support groups are at all times high targets. All it takes is granting unauthorized entry to your organization as soon as, and your intrusion detection system turns into nugatory.

Famed hacker safety advisor Kevin Mitnick compromised techniques not solely with technical abilities. He exploited his goal’s willingness to assist. One of the best protection right here is to teach your workers about the best way to spot social engineering.

The excellent news is there are efficient countermeasures to mitigate VoIP safety points. Skilled VoIP networks have turn out to be immune to abuse from identified and unknown actors.

Let’s look deeper on the safety threats plaguing enterprise cellphone techniques.

Associated: How Does VoIP Work? The Newbie’s Information To VoIP Cellphone Techniques

Conventional Cellphone Techniques vs. VoIP

Plain Old Telephone System - DiagramPlain Old Telephone System - Diagram

Folks positioned calls over the Public Switched Phone Community (PSTN) for over a century. This voice community is analog. It stays weak wherever bodily entry to wiring is feasible.
This legacy cellphone system is also called the Plain Previous Phone System (POTS). Calls are related utilizing audio indicators, which attackers can intercept with ease.
Within the diagram under, you possibly can see that calls move by analog terminals right into a Central Workplace. Cellphone firms at the moment have established safety measures and protocols to make sure safety between Central Places of work. However that safety doesn’t prolong to your inner cellphone system.

A complete subculture shaped across the vulnerabilities of enterprise phone techniques. Phreaking, a portmanteau of cellphone + hacking, is a follow of exploring weak cellphone techniques. Within the Seventies, it was attainable to get free calling over the PSTN. Within the late 90s, phreakers pivoted towards Non-public Department Alternate (PBX) gear. That’s, they’ll springboard assaults from insecure company cellphone techniques. Head to your native Barnes & Noble to choose up 2600 and browse in regards to the vulnerabilities of an previous Lucent or Avaya cellphone system.

Phone networks at the moment separate voice visitors from the signaling to ascertain calls utilizing SS7 protocol. Regardless of this, many PBX techniques stay weak, and attackers will discover them.

Voice over Web Protocol is completely different.

Diagram of a Hosted VoIP Infrastructure (2019)Diagram of a Hosted VoIP Infrastructure (2019)

Calls are established utilizing the SIP protocol. Session Initiation Protocol (SIP) acts as a signaling protocol for dependable web telephony. A SIP server compresses voice visitors into media streams and sends them over an web connection.
It’s clear why massive firms and small companies flocked to make calls over the web. It saves on IT and communication bills and gives customers with a ton of flexibility to do business from home.
VoIP cellphone techniques use the identical information community to ascertain cellphone calls. The VoIP supplier solely handles all VoIP visitors. IT workers solely want to keep up a safe community for his or her workers.
Within the diagram under, a secure community connection is required for VoIP cellphone service. You don’t have to construct or preserve the VoIP infrastructure.

The most important distinction right here is that telephones and identities exist nearly. This implies customers can take their VoIP telephones with them and work from wherever. Moreover, it means folks can use SIP calling apps, also called a softphone, for calling.
VoIP cellphone companies provide many safety benefits over conventional cellphone techniques. High advantages embrace:

  • Actual-time monitoring of calling plan utilization.
  • Strict enforcement of toll-free calls.
  • Name encryption to stop eavesdropping.
  • Sturdy voicemail options with e-mail supply.

So, what about when VoIP calls attain the PSTN?
Respected VoIP suppliers preserve military-grade safety. They use Session Border Controllers (SBCs) for optimum safety and efficiency. An SBC acts as a firewall that maintains efficiency and logical name routing. Operators preserve excessive requirements to patch for safety vulnerabilities and producer’s firmware updates.
Name logs for an old-school cellphone system are sometimes very restricted. This makes monitoring down stolen enterprise information almost not possible. Extra PSTN dangers fall below gaps in enterprise continuity.
For example, many PBX cellphone techniques aren’t effectively supported, alternative elements are costly, and discovering certified technicians is difficult. An outage may knock out your enterprise communication for weeks.
The underside line is that VoIP cellphone techniques provide higher privateness, safety, and reliability for companies.

High VoIP safety threats

You’re most likely curious in regards to the sorts of VoIP safety points which are on the market. Right here’s a rundown of what you’ll have to fend towards.

  • Denial of Service (DoS) – This assault starves the community of assets to interrupt cellphone service and drop cellphone calls. This will degrade name high quality, latency, and uptime for a name heart.
  • Battle dialing – The sort of assault entails controlling your PBX to “scan” different phone networks. It really works by dialing numbers to connect with modems or different attention-grabbing extensions.
  • Toll fraud – Like struggle dialing, this requires entry to name an out of doors line out of your cellphone system. Attackers can dial costly worldwide numbers that rack up costly toll expenses.
  • Phishing – This VoIP hack preys on unsuspecting customers who belief their caller ID. Victims disclose particulars in regards to the inner IP community, passwords, or different delicate information.
  • Name interception – Attackers use unsecured networks to intercept unencrypted SIP visitors. To make issues worse, this will embrace video as effectively.
  • Spam – It ought to come as no shock the voicemail field is a typical goal for robocalls and different cellphone scams. Many use restricted or “Non-public” caller ID.
  • Malware – Attackers use completely different malicious software program to cellphone or e-mail credentials. This will open up extra alternatives to infiltrate your community and exfiltrate delicate enterprise information.

These threats are most alarming in the event you’ve arrange a DIY cellphone system. As the corporate has expanded, it’s now not the correct match. For example, a self-hosted Asterisk PBX may suffice for some, but it surely’s a sexy goal for hackers. VoIP assaults may be silent and undetected for months.

So, what do you have to search for in a VoIP service supplier? It’s tempting to look solely at cellphone system prices, however there’s extra to think about in the case of safety.

Associated: Healthcare Name Heart Greatest Practices for Higher Affected person Care

Selecting a safe VoIP supplier

The safety of your cellphone system comes all the way down to implementation and compliance with safety protocols.
As with all cloud PBX, make certain the supplier meets safety necessities. These fluctuate relying in your trade and particular wants. One of the simplest ways to start this investigation is by asking your supplier:

  • What accreditations do you may have?
  • Do you utilize third-party instruments or software program?
  • How do you practice and retrain workers?
  • How do you reply to safety incidents?
  • Do you provide TLS and SRTP name encryption?


When you’ve answered these questions, dive deeper into your personal VoIP necessities. Listed under are the highest certifications to remember:

  • HIPAA Compliance – Well being Insurance coverage Portability and Accountability Act (HIPAA) mandates that healthcare service suppliers safe affected person information. These guidelines additionally apply to their cellphone techniques, comparable to voicemail and name recordings. VoIP servers have to be configured to guard affected person privateness.
  • ISO/IEC 20071 – This international customary establishes that organizations assess and reply to safety threats. It signifies that the group has applied rigorous info safety controls.
  • PCI Compliance – Cost Card Business (PCI) compliance mandates that you will need to safe your infrastructure in the event you settle for bank cards. It mandates working system updates and secured VLANs. It additionally requires penetration testing towards your group’s IP addresses. Securing cost information is desk stakes for e-commerce. You danger increased transaction charges and penalties in case your VoIP answer isn’t PCI-compliant.
  • SOC 2 Compliance – Service Group Management (SOC) compliance consists of practices to make sure shopper belief. Not like different requirements, there’s flexibility throughout 5 areas: privateness, safety, availability, and information integrity. Many respected SaaS firms and cloud-based companies meet SOC 2 compliance.

It’s straightforward to see how these certifications may give you larger peace of thoughts. It may be difficult to certify your on-premises PBX or home-grown cellphone system operating on Amazon or Google Cloud. You don’t need to take probabilities in the case of VoIP safety.
Ask your VoIP supplier for certifications and evaluate them to your wants. Should you’d like a summarized model of all of the above info, take a look at our fast three-minute video on VoIP safety under:

Associated: A 5-Step VoIP Implementation Information (+Easy methods to Do it Your self)

Buyer communications

One other issue to think about is how effectively the corporate communicates with clients. How are you going to inform? Search for its standing web page, which is also called a belief web page. The instance proven under is the Nextiva Standing web page.

Example of a Trust Page - Screenshot of Nextiva StatusExample of a Trust Page - Screenshot of Nextiva Status

Standing pages element updates in regards to the VoIP system and incidents affecting voice service. Are they particular? Are they useful? Are updates timestamped?
Affirm if there was any widespread downtime or outages. Search for 99.999% uptime, that means there are solely six minutes of downtime yearly. Moreover, search for deliberate upkeep to use updates to the VoIP community. These usually embrace important working system updates.
The truth of IP telephony is that some interruptions may happen, but it surely issues how your VoIP vendor communicates with you about it.

Name encryption

Moreover certifications and easy buyer communication, you need name encryption in 2020. Name encryption makes use of Transport Layer Safety (TLS) and Safe Actual-time Transport Protocol (SRTP). These VoIP protocols work collectively to ascertain high-grade safety in each name.
Unencrypted networks are liable to snooping. In contrast, information that’s encrypted is of no use to anybody who manages to report the information transmission. Encryption that runs from the cellphone to the service supplier is necessary. Information ought to be encrypted on each attainable layer.
For the best interoperability, SIP isn’t encrypted. Since IP telephony makes use of the IP stack, encryption is managed by the transport layer. When enabled, the VoIP name session and the accompanying name information isn’t accessible to information thieves.
Ask your VoIP supplier about name encryption to make sure your SIP units can use TLS and SRTP.

VoIP safety for healthcare suppliers

If your organization manages affected person information or in any other case must observe HIPAA, hold studying.
Medical workplaces should shield affected person privateness by configuring their communications techniques. This contains your VoIP cellphone service. Healthcare suppliers are high targets as a result of affected person info is steadily used to hold out identification theft.
Voice over IP networks meets HIPAA necessities after they put in place correct safety measures. Guarantee your VoIP supplier has agreements with enterprise associates to keep up compliance.

VoIP concerns to fulfill HIPAA

VoIP HIPAA compliance featuresVoIP HIPAA compliance features

Some VoIP customers are unaware that they’re required to disable sure companies to remain compliant. Voicemail transcription, voicemail-to-email attachments, and visible voicemail aren’t allowed.

With Nextiva, you possibly can make certain that your VoIP answer is HIPAA-compliant. Tell us, and we are able to provision your account on our safe VoIP servers.

VoIP safety greatest practices

Safety isn’t as obscure as some may suppose. We’ve simplified the most effective practices to make sure optimum safety on your group.
Right here is how one can shield your VoIP community from threats.

  • Implement a powerful password coverage. Robust passwords are important to securing your cellphone system. Use a mixture of letters, numbers, and non-alphanumerics. Be certain that staff don’t retailer passwords in textual content recordsdata or Submit-It notes on their computer systems.
  • Apply working system updates usually. Making use of working system updates is a given for many techniques directors. Encourage your customers to just accept OS updates for his or her iPhone or Android. These updates can guard towards malicious software program and exploits.
  • Arrange a Digital Non-public Community (VPN) for distant workers. VPNs can encrypt all visitors no matter the place the worker works. It’s supreme for do business from home workers. Think about a business-grade VPN from Cisco, Sophos, or Cloudflare. Current educational analysis has proven VPNs don’t degrade name high quality.
  • Require Wi-Fi encryption. Activate WPA2 in your firm’s wi-fi networks. Instruct staff additionally use this encryption for his or her Wi-Fi community. As a greatest follow, replace your Wi-Fi password yearly.
  • Evaluation your name logs. Look at your organization’s name logs to establish any uncommon calling traits or conduct. Arrange a useful dashboard utilizing a name analytics characteristic to observe name quantity on a weekly and month-to-month foundation.
  • Limit your calling and block non-public calls. Except your organization does enterprise abroad, you don’t have to dial worldwide numbers. Higher but, solely grant entry to worldwide calling to those that name overseas. Affirm your VoIP service blocks 1-900 numbers to stop toll fraud. Allow name blocking to display restricted/non-public calls with a message instructing them to allow their caller ID.
  • Deactivate inactive accounts. When staff depart the corporate, don’t overlook to inform your IT workers. By disabling worker accounts promptly, you possibly can reduce office disruptions. From a technical standpoint, you don’t need VoIP accounts to stay practical with out a actual person assigned to it.
  • Encourage your workers to report unusual conduct. Ask your workforce to report lacking voicemails and ghost calls. A ghost name is when your cellphone rings with out a caller. Moreover, advocate they don’t retailer voicemail messages longer than wanted.
  • Implement distant gadget administration. On an enterprise stage, being able to wipe a tool remotely is crucial. Concern laptops with distant administration so you possibly can observe and wipe a tool within the occasion of theft or compromise.
  • Educate customers on safety practices. Remind customers that you just gained’t ever want their password. Practice them to identify phishing and social engineering scams. Conduct common safety assessments to find rising vulnerabilities. Final however not least, make certain they know who to contact within the occasion of a safety breach.

Whereas quite a lot of these greatest practices overlap with community safety, take a look at them by the lens of an attacker.
Executives rely upon you to maintain them protected from the ever-changing safety panorama. By following these, you’ll reduce the affect of a safety incident.

The way forward for securing cellphone techniques

VoIP has matured from a private service to an important enterprise communications platform.
The grass is at all times greener the place you water it. VoIP has been put by its paces to show beneficial for organizations. Safe SIP-based calling is now the usual.
Sustaining an on-premises PBX and different telephony gear is a giant duty. The cellphone system isn’t any completely different as organizations offload their e-mail techniques and hosting to the cloud.
A cloud cellphone system like Nextiva permits IT workers to sort out greater tasks. As an alternative of tinkering with previous gear, they’ll equip the corporate with a distant workforce.

Remaining ideas on VoIP safety

Cybersecurity Threats Top CEO Concerns - 2020 U.S. CEO Survey - PwCCybersecurity Threats Top CEO Concerns - 2020 U.S. CEO Survey - PwC

Organizations that safe voice visitors are extra resilient than those who sit idle. If there’s something 2020 taught us, it’s that you just have to be ready for each contingency.
In accordance with findings from the 2020 U.S. CEO survey from PwC, 53% of CEOs have been “extraordinarily involved” about cybersecurity. That is astounding, on condition that cyber threats outweighed coverage, commerce, authorities regulation, and geopolitical uncertainty.

A lot of the safety duty rests with sustaining operational safety. You’ll be able to higher mitigate threats by accepting VoIP telephones as highly effective community home equipment.
Regardless of all this, safe VoIP suppliers can solely achieve this a lot. You need to fortify your inner community defenses and educate customers first.
A good enterprise cellphone service might be the reassurance it’s good to preserve a safe calling setting. Test their certifications and analysis their reliability, safety measures, and name encryption capabilities.

The Cellphone System IT Loves

Enterprise safety. Uncompromising options. See Why IT Groups Belief Nextiva for Their Firm’s Cellphone Service.

Leave a Comment

Refund Reason