Good Cyber Hygiene & Best Practices
Scope
Intended Audience: All End Users
This document is intended to help customers practice good cyber hygiene and prevent fraud attacks.
Good Cyber Hygiene
In today’s telecom environment, the same servers and computing hardware used for websites and databases also run IP-PBXs, voicemail systems, call-center platforms and Interactive Voice Response (IVR) systems. These servers typically run Windows and/or Linux (CentOS, RHEL) operating systems, which hackers and fraudsters continue to exploit every day. For this reason, it’s extremely important to exercise good cyber hygiene (i.e., good cybersecurity practices) to protect your systems from being hacked, breached, or exploited to place fraudulent phone calls all over the world.
Customer Premises Equipment (CPE)
The following suggested best practices are drawn from industry-wide sanctioned practices, as well as approved actions that can help secure your communications systems.
Your servers and their connections to IP networks and the internet, often referred to collectively as Customer Premises Equipment (CPE), are your single most vulnerable point of fraudulent entry. It’s critical that you take all necessary and practical measures to secure these customer-owned systems, so you can reduce your attack surface and slow or prevent telecom fraud.
It’s important to keep in mind that there are no guarantees to preventing all telecom fraud. The criminals who perpetrate telecommunications fraud, in its numerous forms, are always working to circumvent countermeasures and security features that enterprises may deploy.
Implementing some or all of the suggested best practices listed below to secure your CPE can dramatically reduce your exposure to several types of telecom fraud.
Best Practices for Securing Your CPE
Since most local VoIP systems (PBX, IP PBX, Call Managers), voicemail systems, and enterprise-grade Session Border Controllers (SBCs) are built on off-the-shelf computing platforms (typically Linux servers), we recommend that you follow Linux and IP network cybersecurity best practices. Implement a company-wide security plan that includes policies on call restrictions, call blocking, processes for closing customer accounts or unused services, password best practices, active management of voicemail, and reporting of anomalies. Educate all of your employees on the established security plan.
Here are the best practices you and your employees can follow to secure your CPE:
- Back up your systems fully and often. If a system is compromised, you can restore it from a known clean backup taken before the compromise. Keep at least one copy offline or otherwise unreachable from the PBX itself, so an attacker who controls the system cannot alter or delete it. You may lose some data, but you’ll be able to restore your critical systems.
- Review and use your traffic data. By collecting and graphing call logs and Call Detail Records (CDRs) from your VoIP platform, you can see incoming and outgoing calls and determine whether the observed traffic patterns match or conflict with your business model and service offerings (for example, international or after-hours calls from a site that places neither). Monitor and review your long-distance (LD) usage on a regular schedule, or as often as practical.
- If using SIP trunks or on-premises PBXs:
- Secure your voicemail (VM) systems. Enforce strong PIN and VM password policies (no default or trivial PINs such as 1234 or the extension number). Disconnect/disable outbound calling or call-through functionality within the voicemail system.
- Never allow call forwarding or return call features within a voicemail system. Hackers often exploit voicemail platforms to program fraudulent outbound calling.
- Keep IP-PBX and voice platform operating systems up to date. Make sure your systems run the latest releases and security patches; hackers often exploit outdated and unpatched operating systems and PBX software. Remain vigilant about maintaining and enhancing your security.
- Consider adding time-of-day/day-of-week call handling. Turn off/disable outdial features (allow inbound calls and 911 only) during non-business hours. At a minimum, restrict international dialing to core business hours.
- Set up a SIP-based firewall. A SIP-aware firewall can inspect signaling and media packets as they pass through your network, and allow only what’s authorized between your platform and your service provider. Firewalls can also alert you when thresholds are exceeded or unauthorized access attempts occur.
- Monitor SIP traffic and automatically block IP addresses that are SIP-scanning your equipment for access (for example with a log-driven blocker such as fail2ban).
- Monitor and alert on all registration events into your PBX, IP PBX, and Call Manager, including failed attempts. Blacklist foreign IP addresses you don’t recognize or do business with.
- Use strong Access Control Lists (ACLs) that allow only the addresses that legitimately need to reach the platform (your provider’s SIP signaling and media addresses, your phones, and your administrators) and deny everything else.
- Consider two-factor authentication for any remote access and/or administrative users.
- Close all ports and services not currently in use. Hackers look for exposed but unneeded services that can be exploited to gain unauthorized access. Pay special attention to the SIP ports (5060 and 5080) on IP-PBXs and VoIP equipment such as Asterisk, Mitel, Polycom, Cisco, and Avaya; never expose them to the whole internet when only your provider and your own phones need to reach them.
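The traffic review and time-of-day restrictions above can be checked mechanically against your CDRs. The following Python script is an added example, not code from this document’s author or from any PBX vendor: it parses constructed sample CDRs in a simplified `start,source extension,destination,seconds` form, checks each outbound call against an assumed policy (NANP home country +1, business hours Mon–Fri 07:00–19:00, international calls only 08:00–18:00, 911 always allowed) and flags any extension that places more than an assumed 20 calls in one hour. The CDR format, hours, country code and thresholds are all assumptions; adapt them to your platform’s CDR export and your business hours.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Assumptions for this example (adjust to your site): NANP home country, Mon-Fri business
# hours, a narrower window for international calls, and a per-extension hourly burst threshold.
HOME_COUNTRY_CODE = "+1"
BUSINESS_HOURS = (time(7, 0), time(19, 0))
INTL_HOURS = (time(8, 0), time(18, 0))
EMERGENCY = {"911"}
MAX_CALLS_PER_HOUR = 20

# Constructed sample CDRs: start,source extension,destination (E.164 or 911),duration in seconds
SAMPLE_CDRS = [
    "2024-03-12T10:05:00,1001,+14155550123,120",   # Tue, domestic, business hours: allowed
    "2024-03-12T11:30:00,1002,+442071234567,300",  # Tue, international in core hours: allowed
    "2024-03-12T18:30:00,1002,+442071234567,45",   # Tue, international after core hours: flagged
    "2024-03-13T02:14:00,1003,+2525550100,540",    # Wed 02:14, international: flagged
    "2024-03-13T03:00:00,1003,911,60",             # emergency call: always allowed
    "2024-03-16T09:00:00,1001,+14155550123,30",    # Saturday: flagged
] + [
    # constructed burst: 25 international calls from one extension within a single hour
    f"2024-03-12T14:{m:02d}:00,1004,+2525550100,20" for m in range(25)
]


@dataclass
class Cdr:
    start: datetime
    src: str
    dst: str
    seconds: int


def parse_cdr(line):
    start, src, dst, secs = line.strip().split(",")
    return Cdr(datetime.fromisoformat(start), src, dst, int(secs))


def is_international(dst):
    return dst not in EMERGENCY and not dst.startswith(HOME_COUNTRY_CODE)


def outbound_allowed(dst, when):
    """Return (allowed, reason) for an outbound call to dst placed at datetime `when`."""
    if dst in EMERGENCY:
        return True, "emergency"
    t = when.time()
    if when.weekday() >= 5 or not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]):
        return False, "outbound outside business hours"
    if is_international(dst) and not (INTL_HOURS[0] <= t < INTL_HOURS[1]):
        return False, "international outside core hours"
    return True, "ok"


def audit(lines):
    """Return findings as (extension, destination, when, reason) tuples."""
    findings = []
    calls_per_hour = defaultdict(int)
    for line in lines:
        cdr = parse_cdr(line)
        allowed, reason = outbound_allowed(cdr.dst, cdr.start)
        if not allowed:
            # A completed call that the policy forbids means the PBX is misconfigured or compromised.
            findings.append((cdr.src, cdr.dst, cdr.start.isoformat(), reason))
        hour = (cdr.src, cdr.start.strftime("%Y-%m-%dT%H"))
        calls_per_hour[hour] += 1
        if calls_per_hour[hour] == MAX_CALLS_PER_HOUR + 1:   # report each burst once
            findings.append((cdr.src, "*", hour[1], f"more than {MAX_CALLS_PER_HOUR} calls in one hour"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CDRS):
        print(*finding)
```

Run this over a daily CDR export as part of the regular usage review; the same `outbound_allowed` policy can also drive the dialplan restriction itself, so the audit confirms that the restriction actually held rather than only reporting after the fact.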
User Management Tips for Securing Your Users (UAs, Handsets, Remote Users)
- Improve security by rate-limiting login attempts. Never allow unlimited login attempts. Enable lock-out functionality so that a user gets only a finite number of attempts, typically three, to enter a password before being locked out.
- Consider using multi-factor authentication for enhanced security.
- Monitor for and block account scanners
- Look for unauthorized user agents (UAs) such as “User-Agent: friendly-scanner” (the default UA of the SIPVicious scanning toolkit) or UAs that belong to free softphones or otherwise don’t match the devices you have provisioned for your authorized users. In a VoIP environment, numerous unauthorized registration attempts are a significant red flag that your network and systems are being probed or scanned for vulnerabilities.
- Block/filter traffic from suspicious IP addresses. Filter, block or blacklist suspicious IP addresses (especially in high-risk countries) as they’re identified, so no traffic from them enters your network.
- Monitor for and disable or remove fake accounts and account sign-ups. Look for random email addresses (e.g., slijcg@emaildomain.com) or addresses and ZIP codes that don’t align. Don’t rely solely on third-party platforms or application stores to validate your new account sign-ups.
- Most security products can flag and throttle incorrect authentication attempts. They can check for login and VoIP/SIP registration errors and stop brute-force attacks against root passwords, injection of malicious traffic, and registration attempts by unauthorized peers with suspicious credentials.
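The registration monitoring, lockout and scanner-blocking advice above (blocking IPs that scan for access, alerting on failed registrations, locking an account after three attempts, and spotting the “friendly-scanner” user agent) can be implemented as one small log monitor. The following Python is an added example and not code from this document’s author or from any PBX vendor: it consumes constructed registration log lines in a simplified `timestamp,event,account,remote IP,user agent` form (real PBX logs, such as Asterisk’s security log, need their own parser), blocks known scanner user agents at first sight, locks an account after three consecutive failures, and blocks an IP after five failures within 60 seconds even when those failures are spread across many different accounts. The trusted networks (office LAN and the provider’s range, taken from documentation address space), event names and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions for this example: trusted networks are the office LAN and the SIP provider's range.
# Trusted sources are never IP-blocked (a broken phone or trunk must not lock you out of your
# provider), but their accounts can still be locked.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]
SCANNER_UAS = ("friendly-scanner", "sipvicious", "sipcli")   # well-known scanner user agents
FAIL_WINDOW = timedelta(seconds=60)
MAX_FAILS_PER_IP = 5        # failed registrations from one IP within FAIL_WINDOW
MAX_FAILS_PER_ACCOUNT = 3   # consecutive failures before an account is locked

# Constructed sample log: timestamp,event,account,remote IP,user agent
SAMPLE_LOG = """\
2024-03-12T09:00:01,REG_OK,1001,10.0.1.23,PolycomVVX-VVX_450
2024-03-12T09:00:05,REG_FAIL,1001,10.0.1.23,PolycomVVX-VVX_450
2024-03-12T09:00:09,REG_OK,1001,10.0.1.23,PolycomVVX-VVX_450
2024-03-12T09:01:00,REG_FAIL,100,203.0.113.9,friendly-scanner
2024-03-12T09:02:00,REG_FAIL,2000,192.0.2.77,Zoiper
2024-03-12T09:02:05,REG_FAIL,2001,192.0.2.77,Zoiper
2024-03-12T09:02:10,REG_FAIL,2002,192.0.2.77,Zoiper
2024-03-12T09:02:15,REG_FAIL,2003,192.0.2.77,Zoiper
2024-03-12T09:02:20,REG_FAIL,2004,192.0.2.77,Zoiper
2024-03-12T09:03:00,REG_FAIL,1002,198.51.100.5,BranchSBC/1.0
2024-03-12T09:03:30,REG_FAIL,1002,198.51.100.5,BranchSBC/1.0
2024-03-12T09:04:00,REG_FAIL,1002,198.51.100.5,BranchSBC/1.0
"""


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


class RegistrationMonitor:
    def __init__(self):
        self.fails_by_ip = defaultdict(deque)     # ip -> timestamps of recent failures
        self.fails_by_account = defaultdict(int)  # account -> consecutive failures
        self.block_ips = set()
        self.lock_accounts = set()
        self.alerts = []

    def process_line(self, line):
        ts, event, account, ip, ua = line.strip().split(",", 4)
        when = datetime.fromisoformat(ts)

        # 1. Known scanner user agent: block at first sight, whatever the outcome.
        if ua.lower().startswith(SCANNER_UAS) and not is_trusted(ip):
            self.block_ips.add(ip)
            self.alerts.append(f"{ts} scanner UA {ua!r} from {ip}")
            return

        if event == "REG_OK":
            self.fails_by_account[account] = 0   # a successful login resets the account counter
            return
        if event != "REG_FAIL":
            return

        # 2. Per-account lockout after N consecutive failures (applies even from trusted IPs).
        self.fails_by_account[account] += 1
        if self.fails_by_account[account] == MAX_FAILS_PER_ACCOUNT:
            self.lock_accounts.add(account)
            self.alerts.append(f"{ts} account {account} locked after {MAX_FAILS_PER_ACCOUNT} failures from {ip}")

        # 3. Per-IP sliding window; catches scans that spread one failure over many accounts.
        window = self.fails_by_ip[ip]
        window.append(when)
        while window and when - window[0] > FAIL_WINDOW:
            window.popleft()
        if len(window) >= MAX_FAILS_PER_IP and not is_trusted(ip) and ip not in self.block_ips:
            self.block_ips.add(ip)
            self.alerts.append(f"{ts} blocking {ip}: {len(window)} failed registrations in {FAIL_WINDOW.seconds}s")


def run(lines):
    """Feed log lines through a fresh monitor and return it for inspection."""
    mon = RegistrationMonitor()
    for line in lines:
        if line.strip():
            mon.process_line(line)
    return mon


if __name__ == "__main__":
    mon = run(SAMPLE_LOG.splitlines())
    print("block:", sorted(mon.block_ips), "lock:", sorted(mon.lock_accounts))
    for alert in mon.alerts:
        print(alert)
```

Push `block_ips` into the firewall (an address set or ACL) rather than only raising alerts, and review `lock_accounts` as a possible sign that a specific extension’s password has leaked. Note that the per-IP window is what catches the 192.0.2.77 scan: each account there failed only once, so an account-only lockout would never have fired.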
General Best Practices for Working with Us
- Develop a Fraud-Contact distribution email address list. This allows us to contact more than one person at your company about fraudulent events or behaviors. You’ll need to maintain the distribution list as your staff changes.
- Update all “fraud” contacts every 6 months within your account and reach out to your Support Team to alert them that you made edits/changes.
- Any/all Fraud-Contact distribution lists provided to us should reach people who are authorized to make network decisions, such as blocking fraudulent traffic, disabling fraudulent international calling, and/or accepting “fraud” charges, as spelled out in your Master Service Agreement (contract).