Enterprise telephony management system (ETM)


Communications Security
Report to The Industry
Mark D. Collier
Chief Technology Officer/VP Engineering
Rod Wallace
Global VP Services
SecureLogix Corporation
About SecureLogix
• SecureLogix
• UC security and management solution company
• Security solutions for UC and traditional voice networks
• Our applications are integrated into Cisco routers
• About us:
• Author of Hacking Exposed: VoIP – working on a revision
• Author of SANS VoIP security course
• Author of many SIP/RTP attack tools
• www.voipsecurityblog.com
• Experience pioneering enterprise SIP trunking
© Copyright 2009 SecureLogix Corporation. All Rights Reserved.
ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix
Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners.
UC Security Introduction
• The biggest threats to UC systems are application level:
• Harassing callers, TDoS, Social engineering, and toll fraud
• These attacks are present with UC and TDM
• Incentives are financial gain and disruption
• The PSTN is getting more hostile – resembling the Internet
• Current UC systems are vulnerable:
• Platforms, network, and applications are vulnerable
• Many available VoIP attack tools
• But UC-specific attacks are still uncommon
• SIP trunking/UC/Internet may change the threat
Public Network Security
[Diagram: enterprise voice network. Labels: Public Voice Network, TDM/SIP Trunks, Voice Firewall, SBC (CUBE), UC Servers (CM, VM, CC, Admin, Gateway, DB, TFTP, DHCP, DNS), TDM Phones, Fax, Modem, Voice VLAN, IP Phones, Data VLAN, Servers/PCs, UC Clients, Internet, Internet Connection.]
High Threat: Harassing Calls/TDoS, Social Engineering, Toll Fraud, Modems
Medium Threat: Voice SPAM, Voice Phishing
Campus/Internal UC Security
[Diagram: enterprise voice network. Labels: Public Voice Network, TDM/SIP Trunks, Voice Firewall, SBC (CUBE), UC Servers (CM, VM, CC, Admin, Gateway, DB, TFTP, DHCP, DNS), TDM Phones, Fax, Modem, Voice VLAN, IP Phones, Data VLAN, Servers/PCs, UC Clients, Internet, Internet Connection.]
High Threat: Harassing Calls/TDoS, Social Engineering, Toll Fraud, Modems
Medium Threat: Voice SPAM, Voice Phishing
Low Threat: LAN Originated Attacks
SIP Trunk Security
[Diagram: enterprise voice network. Labels: Public Voice Network, SIP Trunks, Voice Firewall, SBC (CUBE), UC Servers (CM, VM, CC, Admin, Gateway, DB, TFTP, DHCP, DNS), TDM Phones, Fax, Modem, Voice VLAN, IP Phones, Data VLAN, Servers/PCs, UC Clients, Internet, Internet Connection.]
High Threat: Harassing Calls/TDoS, Social Engineering, Toll Fraud, Modems
Low Threat: Scanning, Fuzzing, Flood DoS
Hosted IP
[Diagram: hosted IP deployment. Labels: Public Voice Network, IP PBX (CM, VM, CC, Admin, Gateway, DB, TFTP, DNS, DHCP), TDM Handsets, IP Phone Traffic, TDM Phones, Modem, Fax, Voice VLAN, IP Phones, Data VLAN, Servers/PCs, UC Clients, Internet, Internet Connection.]
High Threat: TDoS/Harassing Calls, Social Engineering, Toll Fraud, Modems
Medium Threat: Voice Phishing, Voice SPAM
Medium Threat: Client Devices and Software Exposed
Harassing Callers
Automated transmission of:
• Annoying/offensive calls
• Bomb threats
• Voice SPAM
• Voice Phishing
Social networking used to coordinate an attack
[Diagram labels: Users, Public Voice Network, Voice Systems]
Social Engineering
Attacker Targets Agents:
• Spoofs Caller ID
• Uses Personal Info From Internet
• Tries to Gather Info from Agents
• Always Manual
Attacker Targets IVR:
• Spoofs Caller ID
• Guesses Accounts/Passwords
• May be Brute-Force or Stealth
• Often Automated
[Diagram labels: Contact Center Agents, Public Voice Network, Voice Transaction Resources (IVRs)]
TDoS Attack Through a Botnet
[Diagram labels: Botnet Master; TDoS Call Volume: 10,000+ Calls; Customers; Contact Center/911/311 Agents; Voice Transaction Resources (IVRs); Total Network Failure; All Transactions Lost]
UC-Specific Vulnerabilities
• UC and collaboration are introducing new vulnerabilities
• Movement to the Internet is increasing the threat
• SIP is becoming a unifying protocol (for presence too)
• Video:
• Shares many issues with voice – lucrative due to bandwidth
• Video systems are being attacked for toll fraud/eavesdropping
• Instant Messaging:
• Vulnerabilities for file transfer, eavesdropping, malware
• Social networking:
• Where should we start?
Voice Security Threat Trending – 2011 vs 2010
[Bar chart: Relative Severity (1-10 scale) by threat category. Labels as extracted: Social Networking, TDoS, Activity Increase, Harassing Callers, Social Engineering, Automated TDoS, Toll Fraud, ISP Calling, Loss of Productivity, Specific Policy Modems, SIP Attacks.]
Modems – Hardly Declining
[Chart: Modem Daily Calls Trending. Axis: Calls/span/day. Series: 2010, 2011. Groups: 10-year Average, 3-year Average.]
Modem use stubbornly high – 27 calls/trunk/day
ISP Calling – Persistent Threat
[Chart: ISP Call Duration in Working Days per Year. Axis: Working Days/span/year. Series: 2010, 2011. Groups: 10-year Average, 3-year Average.]
Unprotected enterprises have firewall bypassed >50 days/trunk
Guess how your company confidential information leaks are happening?
Being a Harassing Caller – A Growth Industry
[Chart: 2011 Single Enterprise Harassing Callers. Axis: Harassing Call Count.]
[Chart: Importance of Vigilant Harassing Caller Blocking (effect of not managing a blocking list). Axis: Detected Harassing Calls. Series: Unmaintained List, Maintained List.]
3.6x increase January to December!
4.8x increase 2011 vs 2010
Like anti-virus, it is important to keep a current harassing caller list.
Being a Harassing Caller – A Growth Industry
[Pie chart: Harassing Caller Types - End 2011. Categories: Telemarketer, Debt Collector, Scammer, Non-profit, Survey, Political, Fax Machine, Prank. Slice values as extracted, not matched to categories: 2.9%, 2.3%, 1.0%, 0.3%, 0.3%, 10.5%, 55.3%, 27.4%.]
Harassing Callers – High Volume Campaigns
[Chart: August Week 1 Harassing Caller Campaign, harassing call counts.]
Approx. 4800 calls in 25 minutes
Social Engineering – Quantifying the Risk
Proportion of Calls with No Caller ID (Source: SecureLogix)
• No Source: 3.45%
• Number Presented: 96.55%
Caller Authentication (Source: TrustID)
• Internet VoIP: 3.4%
• Spoofed: 4.9%
• NonCredentialized: 12.4%
• Authenticated: 79.3%
1.5% – 7% inbound calls have no source number
5% of remaining calls verifiably spoofed
Social Engineering Targeting Contact Centers
Observing increased Social Engineering attacks on contact centers
Persistent Perpetrators – keep attempting to call after blocking policy enforced
High-Risk Calls and Social Engineering
• US sanctions stemming from engaging in financial transactions with OFAC countries/entities.
• Other high risk origin & destination countries: Common fraud launching points.
• Case Study – US Financial Institution:
• In 2 weeks, 88 calls to OFAC countries for 5 hours
• Case Study – US Financial Institution:
• NSF check fraud perpetrated from Ghana in combination with US players
• Case Study – US Financial Institution:
• Detected multiple calls to Contact Center using Social Engineering to perform organizational mapping: requesting locations and phone numbers etc.
“Occupy the Phones”
Contact Center TDoS Flash-Mob Attack
[Chart: Monday – Tuesday Flash Mob Attack. Call volume by day: Thursday, Friday, Monday, Tuesday, Wednesday. Annotations: Typical daily call volume; Typical day at Contact Center; Attack Starts Monday at 11 AM; Contact Center was main target; Attack calls blocked.]
Increase Call Center Effectiveness
No Value Calls (Constant Presence)
Negative Value Calls (Variable Presence)
• Busy/unanswered calls
• Repeat Callers
• Harassing callers
• Warranty
• Sales
• Nuisance callers
• Outbound Unauthorized calling by employees
• Hung voice calls
• Inbound Fax Spam
• Social Engineering
• Hacktivism
• Inbound Call Types
• Modems (Scans)
• Fax (Spam)
• Modem Energy
• Robo Dialers
• Dial Through Fraud
• Call Pumping
• Outbound Modem
• Telephony Denial of Service
[Diagram label: Contact Center]
Call Metrics, Stats & Exception Notification
Effect of Negative Value Calls - Lost Revenue/CSAT
• Case Study: Commodity Retail Contact Center
• 3815 busy calls/month & 236,978 unanswered calls/month
• 25% of callers purchase, $35 average sale
$2.1 Million per month in lost sales
Best Practices for UC Security
• Collect real-time data about your UC services:
• measure what is expected and what is unexpected.
• Develop a UC security policy
• Implement UC application security on perimeter
• Implement good internal data network security
• Prioritize security during UC deployments
• Use encryption where possible for authentication, confidentiality, and integrity
• Implement SIP packet-level security on perimeter
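One way to apply "measure what is expected and what is unexpected" to the TDoS and harassing-caller campaigns described in this deck, as an added example (not SecureLogix or ETM code): compare inbound call volume per time bucket against a baseline day, then list the sources concentrated in the burst. The record layout, bucket width, thresholds and phone numbers are assumptions, and the sample call records are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

WIDTH_MIN = 5  # bucket width in minutes (assumption)

def bucket(ts):
    """Floor a timestamp to the start of its WIDTH_MIN-minute bucket."""
    ts = ts.replace(second=0, microsecond=0)
    return ts - timedelta(minutes=ts.minute % WIDTH_MIN)

def find_bursts(observed, baseline, factor=3.0):
    """Buckets whose call count exceeds factor x the median baseline bucket."""
    expected = median(Counter(bucket(ts) for ts, _ in baseline).values())
    counts = Counter(bucket(ts) for ts, _ in observed)
    return sorted(b for b, n in counts.items() if n > factor * expected)

def blocklist_candidates(observed, bursts, min_calls=10):
    """Sources with >= min_calls calls inside burst buckets.
    Calls with no source number still count toward volume but cannot be
    listed; presented numbers may be spoofed, so treat results as leads."""
    burst_set = set(bursts)
    hits = Counter(src for ts, src in observed
                   if src and bucket(ts) in burst_set)
    return sorted(src for src, n in hits.items() if n >= min_calls)

# Constructed sample records (timestamp, source number); not data from the deck.
def normal_day(day):
    """One call every 30 s from 09:00 to 12:00, each from a distinct number."""
    start = datetime(2011, 8, day, 9, 0)
    return [(start + timedelta(seconds=30 * i), f"+1202555{i:04d}")
            for i in range(360)]

def sample_attack_day():
    """Normal traffic plus a 25-minute campaign starting at 11:00."""
    start = datetime(2011, 8, 2, 11, 0)
    calls = normal_day(2)
    for k in range(100):  # one call every 15 s per campaign source
        t = start + timedelta(seconds=15 * k)
        calls += [(t, "+12125550101"), (t, "+12125550102")]
        if k % 2 == 0:
            calls.append((t, ""))  # call presented with no source number
    return calls

if __name__ == "__main__":
    day = sample_attack_day()
    bursts = find_bursts(day, normal_day(1))
    print([b.strftime("%H:%M") for b in bursts])
    print(blocklist_candidates(day, bursts))
```

Because some inbound calls carry no source number and some presented numbers are spoofed, the volume alert is the reliable signal; the candidate list needs review before it feeds a blocking policy.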