Vishing – Another Form of Social Engineering

Recently, a customer reached out to me and asked me to comment on the current state of Vishing, or Voice Phishing, as it applies to today’s communications environments. Since it is one of my pet peeves, I gladly provided them with a brief write-up on the topic of Caller ID spoofing and the net effect on overall network security. Writing about such things is like walking a very thin line. While you don’t want to educate potential “bad actors” with information on how to perpetrate an event, you need to increase awareness so that others can easily recognize potential threats that fit, or do not fit, a specific pattern or profile.

As communications technology migrates away from traditional carrier network architectures, confidence in Caller ID is dwindling. In a legacy network, Caller ID is typically associated with a specific pair of wires connected to the telephone company end office. The subscriber information for each call is associated with the call event by the central office, and the originating endpoint, in most cases, has no ability to generate or modify this information. Based on this, the information received at the terminating side (Caller ID) was trusted and assumed to be verified.

While this is true for analog endpoints, or POTS lines, the same is not true for VoIP. This new technology brings a twist to the trust factor of Caller ID, as now the origination endpoint (being IP-based) has the ability to define and transmit the Caller ID and name of each individual call session.

VoIP carriers rarely provide any validation of this information, letting it proceed into the PSTN unfettered. This enables the creation of several new scenarios that, before now, were not even possible without complex equipment or access at a deep level in the telephone network. If sent by the originating endpoint, Caller Name (CNAM) information can be transported to the receiving endpoint. Typically, though, it is applied at the terminating central office, which does a CNAM lookup based on the ANI or Caller ID received. Unfortunately, because that lookup is keyed on whatever number was received, a spoofed Caller ID reaches the terminating endpoint with a matching name attached.

Telephone hackers, or “phone phreakers,” can use this loophole to add a level of credibility to their efforts. Using a number of methods, they can easily control whatever Caller ID and CNAM appear, ultimately masking their true identity and adding an incredible amount of credibility to their phishing schemes.

It is a well-known fact that hackers look for and exploit tiny, seemingly irrelevant bits of information and then use that information to build credibility.

Imagine receiving a simple call from a representative of your company’s IT support team that displays a valid, recognizable caller ID.

This new technology makes that hack possible. It creates a veil of confidence that allows the phreaker to extract sensitive information such as usernames or passwords.

Scared? Good, you should be.

What’s even scarier is the fact that there is currently no way to authenticate or expose this tactic, so we must remain alert and diligent. We need to train our employees to immediately recognize and then report social engineering attacks.

There is a lesson in this story. While the hack is simple caller ID spoofing, it in itself is not the sole threat. This is an enabler of an even graver threat: social engineering… and that is difficult or impossible to prevent.
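The IT-support scenario above leaves one inconsistency that can be checked in call records: a call that arrives from outside yet presents one of the company's own numbers or directory names. The following is an added example, not part of the original write-up; the CSV columns, trunk label, number block and directory entries are assumptions, and the records are constructed. It does not authenticate Caller ID; it only surfaces calls worth verifying.

```python
import csv
import io
import re

# Constructed call detail records (not from the original post). The column
# names and trunk labels are assumptions; map them to your PBX/SBC export.
SAMPLE_CDR = """\
time,trunk,direction,caller_id,caller_name,called
2024-03-04T09:12:44,pstn-sip-1,inbound,+1 (212) 555-0142,IT Support,+12125550117
2024-03-04T09:15:02,internal,internal,2125550142,IT Support,2125550117
2024-03-04T09:20:31,pstn-sip-1,inbound,+13125550188,ACME SUPPLY,+12125550101
2024-03-04T09:41:10,pstn-sip-1,inbound,+13125550199,IT Support,+12125550123
2024-03-04T10:02:57,pstn-sip-1,inbound,,,+12125550110
"""

# Assumed company numbering: one block of direct-dial numbers, plus the
# directory names that employees are likely to trust on a display.
INTERNAL_BLOCK = ("12125550100", "12125550199")
DIRECTORY = {"it support": "12125550142", "payroll": "12125550150"}
EXTERNAL_TRUNKS = {"pstn-sip-1"}


def normalize(number: str) -> str:
    """Reduce a presented number to digits with a leading country code 1."""
    digits = re.sub(r"\D", "", number or "")
    if len(digits) == 10:
        digits = "1" + digits
    return digits


def is_internal(number: str) -> bool:
    """True when the normalized number falls inside the company block."""
    low, high = INTERNAL_BLOCK
    return len(number) == len(low) and low <= number <= high


def review_call(row: dict) -> list[str]:
    """Return the reasons a call record deserves a second look."""
    reasons = []
    if row["trunk"] not in EXTERNAL_TRUNKS or row["direction"] != "inbound":
        return reasons  # only calls arriving from outside are in scope
    caller = normalize(row["caller_id"])
    name = (row["caller_name"] or "").strip().lower()
    # Rule 1: an internal extension should never originate on the PSTN trunk.
    if caller and is_internal(caller):
        reasons.append("internal number presented on external trunk")
    # Rule 2: a trusted directory name arriving with some other number.
    expected = DIRECTORY.get(name)
    if expected and caller != expected:
        reasons.append("directory name presented with a different number")
    return reasons


def flag_calls(cdr_text: str) -> list[tuple[str, list[str]]]:
    """Parse the CDR export and return (time, reasons) for flagged calls."""
    flagged = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        reasons = review_call(row)
        if reasons:
            flagged.append((row["time"], reasons))
    return flagged


if __name__ == "__main__":
    for when, reasons in flag_calls(SAMPLE_CDR):
        print(when, "; ".join(reasons))
```

A legitimately forwarded call can trip the first rule, so treat a hit as a prompt to verify the caller through a known-good number rather than as proof of spoofing.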

Related Articles:

How to Explain Cloud Projects to a CFO

As tensions continue to increase in cloud-related discussions at the executive level, so has the importance of effective communication. Much of the debate on cloud investments revolves around one topic: OpEx. It’s understandable why many financial experts seek to avoid OpEx, but the value of investing in cloud services lies beyond this range.

An effective method to bridge this gap is to build a strategic plan, so that you are prepared to let the facts speak for themselves. This method allows for pure business value to be presented, while also giving equal consideration to the weaknesses and challenges faced. Common ground may also be easier to establish when both parties enter the discussion with a clear understanding of the advantages and disadvantages. It’s too easy to let tensions and emotions direct the conversation, so instead present a case grounded in research and thoughtful consideration. The following five tips will assist you in establishing a tested, well-developed plan for cloud implementation.

  1. Gather Research and Data (Know Your Numbers)

    Start by researching case studies that contain TCO (total cost of ownership) and the cost of production for comparable applications. Also consider watching demonstrations to learn how functionality works and how workflows can be implemented—this is pure empirical evidence that companies can try to replicate or expand upon.

    To further pique the interest of your CFO, share data that enumerates how your company will gain a high ROI—this will have the greatest impact on the direction of your conversation.

  2. Consider Feasibility

    Gauge the necessity of the cloud products/services under consideration by analyzing the scale of the project. Develop your own internal criteria based on the particular delivery timeframes, budget, global accessibility, etc. Then compare how your research matches specific project requirements and identify any challenges upfront. Standard guidelines also help to objectively compare applications and ultimately identify the greatest potential benefits. An additional area of consideration is security. There are a number of controls in the area of access, encryption and legal compliance issues, both global and domestic, that must be addressed. Although this may seem like a no-brainer, it is often forgotten in the complicated world of cloud considerations.

    In everyday life it’s easier to see the folly in taking on a big endeavor without a coordinated plan. Imagine preparing for a dinner party without knowing how many guests will attend, when they are coming, if they have any dietary restrictions or allergies, and then attempting to cook this meal without a recipe—failure and chaos are expected, if not unavoidable. Luckily, through careful preparation all these mistakes can be easily avoided and the same is true for cloud implementation.

  3. Adopt Standards

    Creating standards is an absolute prerequisite for implementing cloud services, especially when using an agile process. You won’t get the full benefit of cloud if you don’t have standards. Self-service capabilities can be dramatically expanded through the use of standards at all tiers of the infrastructure and application development landscape.

    Examples of these standards include operating systems, middleware, communication protocols, storage access, development tools, development processes, development coding standards, monitoring, alert plans, scaling practices, and even server hardening practices. Additionally, security controls and individual corporate business models are also standards that should be considered. If you are planning a private cloud, ideally you would already have standards in place for the server infrastructure, storage, and networking—in addition to the items listed above. The goal of standardization across an environment is to create simplicity and consistency, which drives automation—the foundation of cloud in an SP-based or private cloud environment.

  4. Create a Prototype Environment

    This experimental approach provides the opportunity to try before you buy and is certain to impress your CFO. A prototype environment serves as proof of concept, which tests if the service is technically and operationally feasible. There are two main considerations within this.

    First is your ability to create and leverage the basic infrastructure as a service, IaaS, offered in your own cloud or that of a service provider. It’s the best way to obtain computing infrastructure without the capital investment. You will be paying for usage on a monthly basis, but ensure it is properly managed so budgets are not exceeded. Again, preparation is key! Get ready to tackle this concern head on and create a plan for how you will manage any issues. IaaS can be a great way to start a development process or even set up a production application deployment.

    Next, determine how it will impact your development process. Two important metrics to track include increased development speed and improvement in the overall cycle of development and testing. This can be achieved by leveraging the standards you have adopted and deployed in your cloud environment, which can be further enhanced by adoption of a DevOps model within your development teams and process.

  5. Think Scalable

    Managing cloud operations is different from rolling out a large capital-intensive project. Cloud services and features can be added and removed dynamically. With proper configuration and standards this can be truly elastic. However, you need to manage within an allocation to ensure you do not overconsume resources and create a negative budget impact. The benefit of it is to spend at the level you need to consume. But you would need to monitor the usage on an on-going basis to ensure that growing the allocation is a premeditated decision with proper budget consideration. Cloud itself cannot be a set-and-forget environment.

    Over time, the benefits of cloud investments compound as infrastructure and labor cost savings are realized through automation, workflow, self-service, etc. So, it’s important to fully seize the opportunity to communicate this tremendous value by directing the conversation to the facts. If you have given thoughtful consideration to the strengths and weaknesses of these topics, then you are in a better position to objectively analyze the full potential of cloud implementation. This knowledge will let you minimize the emotion of the conversation and develop a strong, well-informed position. With these tips in mind, you are fully prepared to put nebulous cloud conversations in the past.

Mobility: It's More Than Just Apps!

Avaya’s mobility solutions are intended to increase the availability and responsiveness of employees, by allowing them to communicate and collaborate from anywhere independent of location, network, device, or device ownership–while reducing communication expense.

When planning for mobility, consider a strategy that addresses a broad range of use cases:

  • Teleworker: A knowledge worker, task worker or contact center agent who works from home either on a regular or casual basis.
  • Road Warrior: An employee who needs to communicate while in transit, work from a public place or hotel, or operate from a customer or partner location.
  • Enterprise Roamer: An individual working in and around an enterprise facility while not at an assigned desk. This may include individuals moving from a desk to a conference room, a nurse, doctor, hotel or retail associate who does not use a desk, or a knowledge worker who uses “hoteling” to occupy a temporary office, workspace, or cubicle.
  • Desk Worker: Workers who are not mobile per se, but who benefit from mobility capabilities that allow them to remain in contact with associates who are remote and mobile, and to complement their work with mobile devices while at their desk.
  • Customers: Customers who wish to interact with the contact center through their mobile devices.

Avaya’s strength comes from the ability to support a multitude of use cases.

While some people may fit only one of the personas above, Avaya anticipates that many mobile workers operate across multiple personas. It is critical that the user can shift easily between devices and networks, and that services are available in a consistent manner and contextually-relevant to the device, network and location.

Further, the user experience should be simple, so the technology or communications task flow does not detract from the real workflow at hand.

Stay tuned to this blog for solution ideas to address each of these use cases.

Being READY for Disaster with Communications Solutions


Being ready for disaster includes keeping a business operating even when employees may be forced to work remotely. The Avaya SCOPIA solution offers real time ‘meet-me communications’ from anywhere on any device to enable the smooth flow of interaction and collaboration by employees and customers. Fletch sits down with Rob Romano to discuss Scopia and its unique ability to solve this communications challenge faced by businesses today.

Fletch: September has been the National Preparedness Month. We at Avaya have been talking about how to be prepared. In addition, the citizens’ businesses can also be seriously impacted, and while resources can be made available online, communications can significantly be impacted.

Now, Avaya offers several solutions that can provide core communications. One of these is Scopia. Joining me today is Bob Romano, who’s in charge of marketing activities over at Scopia. Welcome, Bob. What exactly is the Scopia Solution?

Bob: The Scopia Solution is a conferencing solution with great capability to have video included in it. It was born really in the video conferencing marketplace. In the sense, it’s growing up to include not only video, obviously audio, but good rich data collaboration, moderation capabilities. Really probably one of its biggest strengths is the fact that it has the capability to be able to join a Scopia call from virtually any device that you have and whatever network that device is on.

Fletch: I’ve been using Scopia quite a bit internally in Avaya. I’m having more Scopia calls now than I’m having regular phone calls. How exactly does a customer deploy Scopia? Are we talking about hardware, software? What’s this look like?

Bob: There are several options. Many of our customers will purchase a Scopia system, and then includes servers that are delivered from Avaya. They get installed in their network. That could be a distributed network where they can put those servers around geographically dispersed. Then from that, the rest is all software that allows them to be able to connect in with desktop or mobile devices.

We also have conference room video conferencing systems that will go into a conference room to provide extremely high-quality video conferencing in the conference room environment.

Fletch: One of the biggest things that I find that’s annoying with the various different conferencing utilities that are out there, I’ve always got to go somewhere. I’ve got to make sure I’ve got the software updated. Sometimes that works. Sometimes it’s a pain. How does Scopia handle the client side of the software?

Bob: That’s one of the beauties of Scopia. In fact, if you look at video conferencing’s history, it really focused on conference rooms, room video conferencing where people went to the video. It wasn’t because they necessarily needed to meet in the conference room. It’s because that’s where the device was.

One of the things that Avaya really pioneered was the extension of that video conferencing paradigm out to desktop and mobile users. We have developed technology. This all came from Avaya’s acquisition of Radvision. Radvision was an early pioneer in desktop and mobile capability. What we do is we allow you on a desktop device or a mobile device to be able to simply click on a link that you’ve been invited into a conference.

It will automatically push whatever components are needed on that device, and automatically join you into the conference. It’s the simplicity of it and the reach of it that really has made this such a valuable tool.

Fletch: In general Bob, what would you say are the requirements for the remote users that are going to dial in from a device perspective? Are there any limitations there?

Bob: Well, that’s the beauty of it. There really aren’t. We have clients for PCs both whether they’re Windows based or whether they’re IOS Apple based. We cover Mac and PCs. We have clients that are supported on the Apple devices. That’s iPads, iPhones. Then we have clients for Android devices. That’s a wide variety of different manufacturers that provide tablets and phones and mobile devices on the Android platform.

That covers a very wide percentage of the users out there that are using either their desktop, their laptop, or their mobile device. The client as I mentioned is 100% free and freely distributable. There is no licensing with it, so the simplicity of that model works very well.

We really tailored it after the web conferencing model, where you get invited into a conference and you click and join. The host is the one that is hosting forward and supports the conference, but guests can come in from anywhere for free. That’s what we adopted to the video conferencing model. It’s worked very well.

Fletch: A couple of weeks ago, I was out in some customer meetings on Long Island, and I had to be over in Connecticut. I took the ferry, the Bridgeport ferry over in the morning. I just happen to have an internal conference call scheduled that came up while I was on the ferry. Without even thinking about it, I just picked up my phone, and I clicked the link to join the bridge because we used Scopia for that. Immediately, everybody was like, “Where are you?”

All they see is me out in the water somewhere taking a ferry across the Long Island sound, but because of the LTE connection that I had, it was just like I’m in my office, which really was interesting.

Bob: Exactly, and really that’s the beauty of it. The idea is that you can use whatever devices available to you. Sometimes I use my PC when I’m home. I work out at my home office. That’s the majority of the time, but quite often if I’m travelling or doing whatever else, I can join with my phone or my tablet.

The beauty by the way of joining on those devices is not just participating in the audio-video component, but fully participating in the data that’s being presented and also being able to moderate it. If I have my staff meeting and I’m on the road, from my mobile device, I can see all the participants in the participants list. I can mute everybody. I can invite new participants. I can lock the conference. I can record it. I have full moderation capability.

The richness of that experience from any device that you’re on is a very important component of our solution.

Fletch: Yeah, and I think one of the benefits that I’ve experienced, because I was one of the initial users on Scopia after the Radvision acquisition, so I’ve been using it internally since day one. The thing that I’ve noticed is that when new features, when new functionalities are being deployed out, you always got that because it’s a click link, right, on your desktop. You’re always being refreshed. You don’t have to manage the clients.

Bob: That’s very important for the IT organizations that are supporting an application like this. For them, the nightmare of having to ensure that all of the users are updated … Remember, we mentioned that it’s not just internal users, but it’s external users that you invite into the call. Anytime somebody clicks the link to join the call, it will automatically test whether the latest software is deployed. If not, it will push the updates and join you in the call.

When you mentioned the Avaya deployment, that’s actually something I’m very proud of. I came with the acquisition of Radvision. In June of 2012 when we were acquired, we decided to deploy Scopia to a select group of sales people so that they could experience, and quite frankly reach out to their customers and use it as a tool.

That started with the deployment of about 4,000 sales people. It has since grown now to almost 10,000 people within Avaya that have virtual rooms, Scopia virtual rooms. Last month in the month of August, and I’m looking at the report now that we pull every month, there were 53,453 meetings with an average of about 3.75 people per meeting across all of it. The maximum number of attendees in a single meeting was 296 by the way with an average of about four participants.

That was over 200,000 participants in the month of August. Those are participants internal to Avaya, that are internal Avaya people using it, but also external. We use it with partners. We use it with analysts. We use it with customers. It’s really been amazing, the adoption of this. That really only happens when a technology is invisible, when the value and the utility of the solution and the simplicity of using it is such that people just adopt it naturally.

Fletch: Well, in addition to eating our own dog food so to speak, I think we really learned about that deployment. When they first started expanding this out, we very quickly saw where we needed to tweak our network, where we needed to tweak our policies. We learned quite a bit from our own deployment, which is ultimately going to make the customer deployments go nice and smooth.

Bob: Exactly right, and we have many customers that have very large deployments like this. We can look at that. We look at our own deployment. We can tell them all kinds of statistics about how we think their usage will be in, how they need to deploy their network. As an example, we know that of these meetings, typically about 84% of them are desktop and mobile users attending the meetings. About 7% are room video conferencing systems join in the call. Multiple people in the room of course, but the device is about 7% of them are room systems.

About 7% are just pure telephone calls that come in and join just the audio only. We have that understanding of the usage of the solution. We do all that by the way through our simple management tool that pulls all that data. We can help customers when they are deploying and looking at this by using our own usage patterns and help them with theirs.

Fletch: That was one of the first things that I appreciated as a user early on in the beta program is when we first started, there were two separate audio conferencing instances so to speak, one that you would use on day to day basis that we had deployed, and then the Scopia one. Then very early in the beta, that all emerged together to where you’ve now got one common audio bridge.

Quite often, I’ll open up Scopia, and it will be all audio participants in there because it’s mostly external people. We weren’t really setting up an audio bridge, but I’m just dialing in through my Scopia, so it’s kind of all there. It really brought there all together in one interface for me. I’m using Scopia as my normal means of communications.

I mean, you don’t normally make phone calls on it, but I’m finding myself when we want to discuss something, instead of calling somebody or setting up a bridge, I’m setting up a Scopia event, which is really interesting to see how it’s changing my way of communicating.

Bob: It’s a meet me here. We call it a virtual conference room. It’s a virtual conference room in the cloud. Everyone in Avaya, there’s 10,000 people that have their own virtual conference room, has this unique ID. We have a plug-in that goes into Outlook, which we use for scheduling. When I schedule a meeting in Outlook, I just click that little button that says “Scopia meeting”. It automatically populates the invite with all the information for somebody to join the call regardless of what they’re on.

It says, “If you’re on a desktop or mobile, click here.” Again, that pushes that client. If you just want to make a telephone call in, click “dial this number”. If you’re on a room video conferencing system of any vendor by the way, we’re fully standards and fully interoperable, dial this way. With that, then it allows people to be able to join from a wide variety of devices and again from whatever network those devices are on.

That’s really the utility of it. In our work, we were talking about the National Preparedness Month. It is interesting when Hurricane Sandy came through the East Coast. There was a lot of disruption in terms of Avaya and many other companies obviously, but Avaya employee is able to do business. Our New Jersey office was closed for several days. People were impacted at their homes with their ability to get around.

We utilized Scopia extensively during that period. Those employees to be able to continue to have meetings, and many of them were in coffee shops trying to get a wireless connection. They would come in with their iPads. We had one employee that was stuck and couldn’t get back into the New Jersey area, and stayed in Chicago on a business trip, but just had all of her meetings on Scopia, and really never missed a beat. It was quite amazing.

Fletch: I set up in my local coffee shop as well. I would just go in every morning, and just set up office, and would literally work out of there because they had power. They had food. They had something to drink and bathrooms and WIFI. That’s all I needed.

Bob: The interesting thing about it is that we use technologies on all of our endpoint devices. Specifically, we use a high profile codec. What that does is it compresses the video much more efficiently than normal codecs. It uses about 30 to 50% less bandwidth at any given resolutions. That dramatically improves the ability to be able to have high quality video over all of the networks.

As the network gets faster, that just becomes better, but still bandwidth management and bandwidth utilization is very important. We use other technologies that correct for air packet loss in the network, which is very typical. When you’re on the open internet or you’re on a cellular data network, there will be packet loss. We use technologies like scalable video coding that allows it to be able to not be as impacted by packet loss.

Particularly the video, we used to get blotchiness. Now, we have a very smooth video even if there is packet loss in the network. There is a lot of things technologies in the background that significantly improve the quality of the experience. At the end of the day, users don’t care about that. They just know that when they get on, they have a great experience no matter where they are.

Fletch: What did we do at Avaya over the last couple of months? There was a significant change in the quality of the video. It was like we turned on HD one day or something.

Bob: That’s exactly what we did as a matter of fact, Fletch. When we first deployed it, we set it up so that mobile users, desktop, and mobile device users when they came into a call would come in at about half HD resolution, DVD quality. It is what it was. We did that because when we’re deploying it to 10,000 users and we have over 200,000 participants in a call at any time, we wanted to make sure that we were efficient with our bandwidth usage.

What we found was with the new high profile codecs that we now have across all of our devices, our mobile clients have it. Our desktop clients have it. Our room system clients have it. It’s fully supported in the servers. Then we decided, “We can go to HD now with very little impact to the overall bandwidth utilization,” and so we upgraded all of these services to support HD across all of the devices that join. That’s why we’re seeing what was very good quality before, now looks like it’s stunning HD quality.

Fletch: I know. That’s what it is. It is stunning. The day it happened, I looked in my screen. I’m like, “Oh my God! What happened? There’s a big difference here.” Then it was amazing. The cool thing is we didn’t have to go out and touch 10,000 endpoints to do that upgrade either.

Bob: Not at all. There was actually no change to the endpoints at all. It was just a service change internally that we turned on, and because we upgraded our servers with the new high profile capability, then that allowed us to do that.

Fletch: There is going to be a lot of interesting use cases around that. I’m certainly going to want to sit down and talk to you about that in upcoming podcasts. For today, I really appreciate you taking the time to sit down with us. This has really been interesting to see some of the backend to the Scopia product that’s out there.

Bob: Well, I’m happy to do it. I’m always happy to talk about Scopia. It’s a phenomenal product. I’m just really happy that so many people around the world are using it. Certainly within Avaya ourselves, but the deployments now are amazing. Some of the use cases of what people are doing with it are really interesting and a lot of fun. We can talk about those in future podcasts. I’d be happy to do that.

Fletch: I’ll absolutely be looking forward to it. Where can someone go to find out more on Scopia and how they can add that functionality into the enterprise environment?

Bob: Go to of course. Then underneath there, you’ll find the Scopia product pages, and full descriptions of those. We certainly invite you to go there and take a look.

Fletch: We’ve been talking with Bob Romano, who brought the good technology with him from Radvision. Thanks for sitting down and talking to us.

Bob: You are welcome, Fletch. Thank you.