Securing Voice over IP

Sure, voice over IP can save your schools money; but don't neglect the security aspects in your rush to get it running.

Although a 2011 Educause survey reported that only seven percent of faculty and staff use a voice over IP service, the allure of VoIP is hard for IT organizations in colleges and universities to ignore. The benefits are many. By consolidating voice and data communications, schools can also consolidate their maintenance efforts under IT, reduce phone charges dramatically, and add functionality such as "follow me" or emailed voice messages to enable more efficient communications among faculty, staff, and others.

What some schools don't realize, however, is that VoIP adds new security risks to the network that don't always get the same attention as other areas, such as anti-virus, firewalls, or network access.

According to security expert Paul Henry, just having a VoIP server within the data center makes the institution a much more valuable target for hackers. Henry is a long-time instructor for SANS, a research and education organization that conducts security training and certifies IT professionals in security topics.

What are hackers looking for? One thing they're looking to steal is VoIP minutes. As Henry explained, hackers will break into the SIP server that hosts the VoIP system, sell discounted minutes to their clients worldwide, and then place those calls through the compromised server. SIP, or Session Initiation Protocol, is the text-based protocol that controls the communication sessions over the Internet. The SIP server is the primary vehicle for running VoIP.

Henry pointed to the case of Edwin Pena, who pleaded guilty in 2010 to federal charges of computer hacking and wire fraud. According to the FBI, Pena sold discounted service plans to multiple customers, but would route those calls through the computer networks of unsuspecting VoIP service providers. In less than a year, he stole $1.4 million in calling minutes.

We rarely hear about those cases, Henry added. The organizations involved "don't report it because they don't want to look stupid."

The Bigger Potential Problem Area for Universities
When Henry is called in to consult during security events, one of the first things he does is perform a penetration test to see if he can record the organization's internal phone calls and play them back for the client. It's not hard, he said. All it takes is a basic network sniffer, such as the open source packet analyzer Wireshark, which can record the call and save it as a playable WAV file. "They're sharing the same wire with their network communications as they are with their VoIP calls. It's trivial to access that wire. Once I [do that], I can very easily record their phone calls."

If somebody can access phone calls that haven't been encrypted and a student's personal details are being discussed in those calls, the school could be in violation of the Family Educational Rights and Privacy Act (FERPA). For a university dealing with health records, it could result in a Health Insurance Portability and Accountability Act (HIPAA) compliance violation. Institutions that process credit cards over the phone could be committing a Payment Card Industry (PCI) violation. In other words, in a VoIP scenario, data breaches can encompass voice data too.

The break-in can occur at multiple points: through the SIP server; via a "soft client," the software program on a computer that lets the user make and receive phone calls; and even through the VoIP phone devices themselves. "Anything that's got software in it is potentially vulnerable," Henry said.

Just as alarming, he added, when someone compromises a single PC within the network, he or she can potentially use that to navigate to other parts of the environment.

Common Security Blunders
Henry said he consistently sees network administrators make some common mistakes when they set up VoIP systems: "They're not using strong passwords. They're not using signed digital certificates. They're not using encryption."

The first activity he advises clients to perform is a complete penetration test "to understand where your weaknesses lie." From there, he recommends some typical steps for remediation.

  • Change out weak passwords, perhaps the most frequent source of vulnerabilities.
  • Properly segment the network using VLAN technology. By using a virtual LAN, the organization can share the data connection but run two communication streams, one for data and the other for voice. "If a hacker's able to compromise the data connection, he would not be able to see your VoIP traffic," Henry explained. "Even though you're running on the same wire, [the hacker] would be connected literally to a lane outside of your VoIP communications."
  • Enable encryption wherever possible. Most VoIP phones today fully support encryption, Henry said, so the voice packets are encrypted as they go over the wire and then decrypted on the other end.
  • Harden the actual server that's running the VoIP application.
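As an added illustration of the encryption item above (example code written for this page, not from the article, SANS, or any VoIP vendor): a small Python check that parses the SDP offer carried in a SIP INVITE and flags media streams negotiated as plain RTP/AVP, which would cross the wire in the clear, rather than SRTP (RTP/SAVP). The SIP message is a constructed sample; its addresses, extensions and key material are placeholders.

```python
import re

# Constructed sample SIP INVITE with an SDP body; not a capture from any real system.
# The audio stream is offered as plain RTP/AVP (unencrypted); the video stream is
# offered as RTP/SAVP (SRTP) with a crypto attribute, which is what "enable encryption"
# looks like on the wire. Addresses, extensions and the key are placeholders.
SAMPLE_INVITE = (
    "INVITE sip:1002@pbx.example.edu SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.20.30.40:5060;branch=z9hG4bK776\r\n"
    "From: <sip:1001@pbx.example.edu>;tag=1928\r\n"
    "To: <sip:1002@pbx.example.edu>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=1001 53655765 2353687637 IN IP4 10.20.30.40\r\n"
    "s=call\r\n"
    "c=IN IP4 10.20.30.40\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "m=video 51372 RTP/SAVP 97\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEY\r\n"
)

def split_sip(message):
    """Split a SIP message into (headers dict, body). SIP is text-based: headers
    and body are separated by a blank line, as in HTTP."""
    head, _, body = message.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def audit_media(message):
    """Return one finding per SDP m= line: (media type, transport profile, encrypted).
    RTP/AVP means anyone who can capture the wire can replay the call; the secure
    profiles RTP/SAVP and RTP/SAVPF mean the media is carried as SRTP."""
    headers, body = split_sip(message)
    if headers.get("content-type", "").lower() != "application/sdp":
        return []                                 # no SDP offer to inspect
    media_pat = re.compile(r"^m=(\w+)\s+\d+\s+(\S+)")
    findings = []
    for line in body.split("\r\n"):
        m = media_pat.match(line)
        if m:
            media, profile = m.group(1), m.group(2)
            findings.append((media, profile, profile in ("RTP/SAVP", "RTP/SAVPF")))
    return findings

def unencrypted_media(message):
    """Names of media streams that would be sent in the clear."""
    return [media for media, _, encrypted in audit_media(message) if not encrypted]
```

Run over INVITEs mirrored from the voice VLAN, an empty result from `unencrypted_media` is the condition a site that has "enabled encryption" should expect to see.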

If the school is working with a third party to implement the VoIP system, Henry recommends listening closely to the vendors under evaluation. "If the vendor's primary push is how they're going to save you money, usually security comes up last. It's an afterthought. In any environment today security has to be your first consideration. You want a vendor that's going to talk about the security issues first."

Because Henry performs incident response and forensics work, he prefers to keep the projects he's been involved with under non-disclosure. But he will admit to knowing about security break-ins at universities involving the VoIP network. Unless the break-in exposed personal data about students, staff, donors, or others, "It's not a regulatory requirement to report when you've been breached via VoIP," he noted. In other cases, it was a weakness in the VoIP system that allowed the break-in to occur in the first place, leading to the compromise of other machines in the network.

The bottom line is that while institutions of higher ed can enjoy significant savings operating VoIP, Henry observed, "You have to consider the additional risk it exposes you to. Just by having VoIP within your environment, you're a much more attractive target to the bad guys."

Henry will be teaching the six-day SANS course, VoIP Security, at SANSFIRE 2012 in Washington, D.C. starting on July 6 and at Network Security 2012 in Las Vegas starting on September 16.
