Q&A: How to Prevent Hackers, Malware from Disrupting your Unified Communications System

Business telecommunication systems are the new focus of hacker attacks, according to last week’s New York Times and its piece, “Swindlers Use Telephones, with Internet’s Tactics.” At Avaya, we’ve been tracking – and helping prevent – these threats for many years. I talked to Richard English, Director of Strategic Consulting for Avaya Professional Services, and Gil Stevens, Director of Avaya’s Session Border Controller product R&D team and the VIPER (VoIP Exploit Research) Lab, to find out more.

Richard English, Director of Strategic Consulting for Avaya Professional Services

Gilman Stevens, Avaya’s Director of Session Border Controller R&D and VIPER Lab 

What exactly are these malware and financial swindles that the New York Times says are being increasingly sent over Internet telephone lines, aka Voice-over-IP?

English: There are several basic threats. The first is a Telephone Denial of Service (TDoS) attack where the attacker “loads” all the incoming circuits serving a business or organization with incoming calls and basically creates an “all circuits busy” condition. This prevents any legitimate caller from contacting that organization and the caller would only receive a busy signal when calling. This is bad for regular businesses, but catastrophic for organizations that rely heavily on their contact centers, especially 911 dispatch centers, hospitals, and other public safety organizations.

There are also attackers using inexpensive IP-based phone services and automatic dialing software. These range from spammers who use this method to send recorded advertisements in bulk to hundreds of thousands of recipients, aka voicemail spam, to more dangerous fraudsters who try to trick victims into releasing their personal data. This is called Vishing, as it is a variant of the e-mail-based Phishing.

Stevens: Possibly the biggest threat is toll fraud. What they’ll do is scan your corporate network for the voice ports, figure out what handsets and telephone numbers are mapped to the network, and then crack the passwords. The hackers typically then sell that information to someone who will repeatedly call toll 1-900 numbers or make long distance calls on your corporate IP PBX, usually outside of the U.S., to rack up thousands of dollars per month to these numbers. These turn into charges on your company’s phone bill. For instance, the real estate company, Remax, faced a $600,000 bill from toll fraud. According to experts, toll fraud is a $2 billion problem.

The New York Times called these threats “new.” However, I remember reporting on things like SPIT (Spam over IP Telephony) almost a decade ago when I was a journalist. So how new are these threats, really?

English: The threats are not necessarily new, but the technology utilized to create this condition is more readily available and therefore, utilized by more attackers than ever before.

Stevens: The first wave of attacks started in the late 1990s, and surged in the early 2000s as more tools became available. Then really powerful open-source tools emerged starting in 2004. By 2007, we were seeing million-dollar attacks, and now, experts are estimating that overall across many corporations there are billions of dollars of exploits.

English: Also, the cost of making long distance calls over the Internet has become very inexpensive – therefore more appealing to the schemers.  It’s another form of cyber-terrorism.

So how come toll fraud, SPIT, Vishing and TDoS attacks haven’t gotten as much press as Spam or regular Internet hacks until now? Is it on the rise, as the New York Times says?

English: Yes, it is on the rise. The National Cybersecurity & Communications Integration Center of the Department of Homeland Security has identified numerous and increasing threats to public safety agencies for TDoS. The implications of these cyber-terrorism attacks haven’t received as much press in the past since there was not as great an individual financial impact as stealing one’s credit card and making unauthorized charges. However, the operational stability of telecommunications for public safety is paramount and the financial impact to businesses is significant. Basically, an organization can be crippled when all incoming voice circuits are busy, which can lead to significant loss of business and revenue. Although public safety agencies utilize different types of trunk circuits, the threat is still relevant and must be mitigated.

As an end user, am I at more risk to these threats if I am a Vonage user at home or an employee at a company that uses VoIP?

English: Depends on what you define as risk. Providing personal information to any unauthorized caller is a risk to our personal welfare and financial stability. TDoS at home is more of an inconvenience rather than a risk. Many of us have multiple communications alternatives, such as mobile phones. Denial of Service at a company can cause catastrophic financial results and at a public safety agency – can result in loss of life.

Stevens: For the consumer, you need to watch out for Caller ID spoofing. If you get a call from someone saying they are from your credit card company, the bank, or a government entity, please take down the number shown on Caller ID and politely tell the person that you need to call them back. If the caller demands that you stay on the call, there’s a good chance they are spoofing (faking) the Caller ID in order to steal your financial information or other personal details. Instead, hang up, check the official phone number of your bank, credit card company etc. and call it yourself. And when you get an operator, let them know that someone was trying to impersonate the company.

There is a growing increase in Caller ID spoofing targeting those working to get their Immigration Green Cards. The malicious individuals use Caller ID to aid in pretending to be immigration authorities or police. They then demand that victims wire transfer them money, usually overseas, both of which are indicators of fraud. Here is information from the US Government on the subject: http://www.us-immigration.com/blog/beware-of-caller-id-spoofing-new-immigration-services-scam

What are the best ways for companies to prevent and protect against incoming SPIT, Vishing, and/or VoIP-based DoS?

Stevens: For enterprises using the SIP (Session Internet Protocol) trunks popular with VoIP, the best thing is for them to have a Session Border Controller. This is basically a firewall built specifically to handle voice traffic. Unlike regular firewalls, which typically just turn VoIP ports off, SBCs can filter and do deep packet inspection of voice traffic to make sure it’s safe.

If your company is successfully attacked, how can you recover from this?

Stevens: If you are in the United States, I would call my regional FBI office or visit the Internet Crime Complaint Center (IC3). I would also work with my security professionals to make sure I’m following best security procedures, and contact my carriers to set thresholds on long-distance services or block calls to/from certain countries.

What are services that Avaya offers that can prevent and minimize the effects of these VoIP-based attacks?

English: Avaya Professional Services provides Security Assurance consulting to assist our clients in their efforts to achieve effective, practical communications security objectives in a realistic time frame. We help our clients find ways to uphold those objectives over time even as their organization’s needs evolve. Available worldwide as an annual subscription with quarterly engagements, this Security Assurance Service is focused on keeping your security policies up-to-date and effective against the constantly changing landscape of business vulnerability and threats. The end result is peace of mind knowing that your company’s security policies and mechanisms are where they need to be to help keep your business safe and secure. Avaya Security Assurance Services are available for Avaya collaborative communications and contact center solutions, and they encompass several initiatives including fraud, platform hardening and vulnerability management.


Related Articles:

Q&A: The Value of Avaya Consulting in an ROI Age

Ajay Kapoor is the Vice President of Professional Services Consulting, Strategy, and Offer Development for Avaya (as well as an Avaya Connected blogger). Avaya today announced a set of new consulting services for enterprises: Cloud Transformation Services and Continuous Performance Services (see coverage by ZDNet’s Rachel King and Talkin’ Cloud’s Chris Talbot). A 15-year veteran of Avaya and its predecessor firm, Lucent Technologies, Kapoor talked about Avaya’s consulting organization and what its new consulting offers mean for businesses.

Avaya VP for Professional Services Consulting, Ajay Kapoor

Give me an overview of Avaya’s consulting team. 
Avaya Consulting is a subset of Avaya Professional Services. We provide the business-side expertise for clients that are thinking about their current issues and future plans with that business hat on. Our consultants typically either come from the customer side where they have run enterprise infrastructure, or they are recognized domain and industry experts. They link up with our technical architects to help build and optimize customer environments with both business and technology goals in mind.
How big is the team?
Avaya Professional Services includes 1,500 specialists and experts in many industries, fields and countries. Out of that, our core group of business and technical consultants numbers about 80. This team has actually been around for more than half a decade. When we started out, we were used more tactically, in specific projects. But the CIO’s role is changing. Today, he or she cares more about business results versus traditional IT results than ever before. As a result, we are seeing a lot of demand for our expertise. Customers are asking us to take a front and center role.
In what way?
For instance, there is a Fortune 500 insurance firm for whom we provided a multi-year strategic roadmap. This was a contact center maturity model that helped guide them to where they want to be, which is a customer service model based heavily on self-service. We also recently finished a project for a large Middle Eastern transportation authority which also wanted to move to a self-service customer engagement model. For a leading business hotel chain, we helped them identify what the cost of transforming their network to SIP would be, so that they could understand the financial benefits of the upgrade, as well as the technical ones. 
When we can come in every quarter or year, this lets us give up-to-date advice on how organizations can improve their contact centers or unified communications systems. The vast majority of projects have multi-year roadmaps. But six months after deploying Phase I, the network may have already changed. Or the customer has changed. They need to tweak and optimize their plan, which we can help with. This is why we are launching our Continuous Performance Services offering. It’s something we are very experienced with – besides the insurance firm I mentioned earlier, we’re doing similar work for the admissions office of a very large west coast university. Our experience with these customers allowed us to create this template of services that we are now offering broadly.
But do enterprises really need this sort of handholding from us? 
I think so, and I’ll explain why. When I bought my Roku media player for my house, I set up two channels on the first day. I still watch only those two channels. I’ve only taken advantage of 10% or less of the Roku’s channels and features. 
Similarly, after a company does a Phase I deployment of a new Interactive Voice Response (IVR) system, it is usually only taking advantage of about 10% of the system’s capabilities. We help companies close the gap between technology potential and actual consumption. Because whenever you deploy technology on an enterprise scale and timeframe, your business needs and goals change over time. You have to constantly optimize because when your technology stays static, the value to the business usually declines. So we come in either monthly, quarterly or annually, and audit how companies are using technology and compare that with their business needs. These audits enable us to optimize their environment, enable the right capabilities, so that their technology investment increases in business value over time.
Why should IT care about business results?
The era of IT basically only being measured and held accountable for executing projects is over. The expectation these days is that IT and the CIO are also accountable for business results. This is a major change that has been taking place the last two years.
How is Avaya Consulting similar or different from large consulting firms, or our competitors that also have consulting divisions?
While there are similarities at the superficial level, I’d say there are two big differences. First, all of the financial modeling and business advice we will offer you is very much grounded in actual data. So if we are going to give you advice on the ROI of transforming your network, we will roll up our sleeves to extract and measure your data. We will get down to the actual penny what you are paying for your telecom circuits per month, or what your agent performance is and how that affects you financially. Only then will we supplement with data from leading industry benchmarks.  
The second difference is that our professional services organization, including Avaya Consulting, is all about maximizing client value. We’re not about selling you Avaya products. We are very focused and aligned around our client needs. We take pride in making sure that our new consulting offers are not just abstract Statements of Work or standard consulting contracts where we try and boil the ocean for you and then get to your actual problems. Our consultants are not measured on change requests – they are measured by how many actual problems of yours we actually solve. 
About four-fifths of Avaya’s revenue today comes in from our 30,000+ partner channel ecosystem. Does Avaya Consulting compete with them?
In fact, Avaya partners call upon our consultants quite a bit. Our average consultant has been working for more than 20 years. Nearly all of them have worked on the client side. It’s difficult to build the years of experience and industry and domain knowledge that we have. Partners, meanwhile, tend to have a lot of breadth but not as much depth. As a result, we have partners that love to leverage us, with some partners in Europe and the U.S. that call upon our consultants by name, all because it helps them solve their clients’ business problems better.