Everywhere in the world, small and big enterprises spend a considerable part of their budget on antivirus software, firewalls, and other appliances to protect their network and data. The typical network hacker usually targets the larger enterprises, which are potentially a better mark with deeper pockets and lucrative secrets to keep. The PBX hacker, though, does not care about your enterprise size, because you can be as lucrative as any other company one hundred times bigger than you. When telephony shifted to IP, it brought many advantages, but it also exposed voice to the same threats as the network. Being able to access your extension and use it outside the office via the Internet is great for both you and the hacker. It opens a potential door that the older PSTN PBXs did not have. Interestingly enough, most of the time, IT administrators are concerned about the authentication processes of the Wi-Fi, router, email, and other services but end up neglecting the PBX. Maybe the new mindset hasn’t settled in yet and the PBX is not being given the same importance as the company’s firewall or router as a defense point of the enterprise network.
Not long ago, I witnessed a situation at a small enterprise that got a two hundred thousand US dollar phone bill. The cause was simple: a default password had not been changed on the PBX, which was connected to the Internet. This resulted in thousands of calls fraudulently made to exotic locations such as Sierra Leone and Moldavia. With typical network hacking methods, such as ransomware, the victim has the choice to pay the hacker or not. The only consequence of deciding not to pay the hacker is that the data is not recovered. On the other hand, you cannot exactly tell your service provider you are not paying the phone bill because you were hacked… The severity of this issue is not to be ignored, and it can bring even a decent-sized company to its knees. Yes, VoIP brought tremendous advantages, but it also introduced several deadly traps. Luckily, protecting the enterprise voice service has evolved and it does not depend exclusively on the IT administrator using complex passwords or firewall rules.
The evolution of Unified Communications (UC) and subsequently Unified Communications as a Service (UCaaS) has hardened the defensive mechanisms of enterprise communications. Because these systems can run on a typical COTS server with increased compute power, they can run defense mechanisms far more complex than the old hybrid PBXs could. One of these mechanisms involves Machine Learning (ML). The typical voice protection systems are based on rules, which in my view can either be too permissive and still allow some dubious behaviors to occur, or too strict and have the IT administrator waste more time acknowledging false positives and adding certain numbers or routes to the whitelist. When it comes to enterprise voice, one cannot assume that the premise “one size fits all” applies. Each enterprise has different call behaviors. Just because a country is likely to be connected to call fraud does not mean every single call to that country is fraudulent. This is where ML is extremely effective. It can analyze your typical trends and behaviors and flag only what is unusual. Rules are static, and a hacker can get around them simply by testing the waters until he finds the weak spot. ML is dynamic: the alarm threshold changes as the current call flows are compared with the historical behavior.
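To make the contrast between a static rule and a per-enterprise threshold concrete, here is an added example that is not from the original article or from any UC product. It uses a simple median/MAD baseline as a stand-in for a learned behavioural model; the tenant names, the call counts, the limit of 100 and the multiplier `k` are all assumptions.

```python
from collections import deque
from statistics import median

STATIC_LIMIT = 100  # assumed one-size-fits-all rule: alarm above 100 intl calls/hour

def static_rule(calls_per_hour):
    return calls_per_hour > STATIC_LIMIT

class TenantBaseline:
    """Alarm level derived from one tenant's own recent hourly call counts."""

    def __init__(self, history, window=168, k=6.0):
        self.hours = deque(history, maxlen=window)  # rolling window (one week of hours)
        self.k = k

    def threshold(self):
        med = median(self.hours)
        mad = median(abs(x - med) for x in self.hours)  # median absolute deviation
        return med + self.k * max(mad, 1.0)  # floor of 1 avoids a zero-width band

    def observe(self, calls_per_hour):
        """Return True if this hour is anomalous; learn from it only if it is not."""
        alarm = calls_per_hour > self.threshold()
        if not alarm:
            self.hours.append(calls_per_hour)  # flagged hours never enter the baseline
        return alarm

# Constructed sample data (not real call records): international calls per hour.
HISTORY = {
    "small_office": [0, 1, 0, 2, 1, 0, 1, 0, 1, 2, 0, 1],
    "call_centre": [180, 210, 195, 220, 205, 190, 215, 200, 185, 225, 210, 198],
}

def compare(tenant, calls_per_hour):
    """Return (static_alarm, baseline_alarm) for one observed hour."""
    baseline = TenantBaseline(HISTORY[tenant])
    return static_rule(calls_per_hour), baseline.observe(calls_per_hour)

if __name__ == "__main__":
    cases = [("small_office", 40), ("call_centre", 230), ("call_centre", 400)]
    for tenant, count in cases:
        static_alarm, baseline_alarm = compare(tenant, count)
        print(f"{tenant:13} {count:4} calls/h  static={static_alarm}  "
              f"baseline={baseline_alarm}")
```

The small office's burst of 40 calls stays under the static limit but is far above its own baseline, while the call centre's ordinary 230-call hour trips the static rule and not the baseline.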
When choosing a UC or UCaaS system, do not overlook the type of protection it offers. Choose a system that offers real-time detection and dynamically changes the permissions based on your company’s profile. The previously mentioned small enterprise that got hacked could have benefited from this since an ML-enabled system could have flagged and blocked those calls. If not for the unusual destination, it would definitely have spotted the sheer unusual number of calls. The typical excuse for not getting proper protection for the voice system is that the enterprise is too small and doesn’t need to spend that amount on “just” protecting the voice system. Well, that voice system can be “just” the cause of the enterprise’s demise. So, when it comes to PBX hacking, no victim is too small.