
Securing The Cloud: Cybersecurity Best Practices For Phone Systems

Moving from telephony to the cloud brings with it a whole heap of benefits, both financial and operational.

There’s the scalability of setting up new employee phones, along with an ability to communicate around the world in a cheap way.

The modern cloud phone system has the option for both voice and video, but also messaging, as it unifies all comms into a single platform.

It would drive efficiency 10 years ago, but today, it’s actually necessary to accommodate remote workers.

Moving towards new ways of communicating and internet protocols does bring with it some new threats.

Securing these systems is no longer just about protecting a physical private branch exchange, but actually defending an internet-facing environment that’s constantly changing and has pretty sophisticated cyber threats.

The very accessibility that makes these systems powerful is also what makes them a prime target, because a lot of data is centralized in one place.

So, a new security posture is needed, and this article looks at the new threats and how to deal with them.

What Are The Threats?

The threats that target cloud phone systems are very specialized. They look to exploit the space in between telecommunications and IP-based vulnerabilities.

So, understanding these threats will help build up our defenses.

Vishing And Social Engineering

Voice phishing (often nicknamed “vishing”) has become a lot worse. It went from being a nuisance to now being a highly effective attack tactic.

According to a very recent CrowdStrike report, vishing incidents increased by 442% in the second half of 2024.

Attackers use AI-powered voice cloning and deepfake technologies to impersonate trusted individuals, and this is very difficult to deal with.

It tricks employees into executing financial transfers or divulging certain credentials over the phone. This is also combined with general information gathering from other data breaches to create convincing pretexts.

Toll Fraud

This attack is all about hijacking a company’s phone system and placing a ton of calls to premium-rate or international numbers owned by the attacker.

A single incident alone can result in staggering financial losses, because the rates are very high and it’s done in a large volume.
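As an added illustration (not part of the original article), the sketch below shows how toll fraud can be spotted in call detail records: it counts calls per extension and hour to watch-listed or off-hours international destinations. The CDR layout, the prefixes, the business hours and the thresholds are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed call detail records: start time, extension, dialed number, seconds.
SAMPLE_CDRS = """\
2025-03-01T02:14:05,1042,+882349000111,610
2025-03-01T02:15:40,1042,+882349000112,598
2025-03-01T02:17:02,1042,+882349000113,640
2025-03-01T02:18:30,1042,+882349000114,575
2025-03-01T10:05:00,1017,+442079460000,120
2025-03-01T10:30:00,1017,+12125550123,300
2025-03-01T23:50:00,1003,+19005550100,45
"""

HOME_PREFIX = "+1"                          # assumption: a North American tenant
WATCH_PREFIXES = ("+1900", "+881", "+882")  # assumption: premium-rate / high-cost ranges
BUSINESS_HOURS = range(8, 19)               # assumption: 08:00 to 18:59 local time
MAX_RISKY_CALLS = 3                         # assumption: per extension per hour
MAX_RISKY_MINUTES = 30                      # assumption: per extension per hour


def is_risky(start, dialed):
    """Watch-listed numbers are always risky; other international calls only off-hours."""
    if dialed.startswith(WATCH_PREFIXES):
        return True
    international = not dialed.startswith(HOME_PREFIX)
    return international and start.hour not in BUSINESS_HOURS


def find_toll_fraud(cdr_text):
    """Return (extension, hour, risky calls, risky minutes) for each bucket over a limit."""
    buckets = defaultdict(lambda: [0, 0])   # (extension, hour) -> [calls, seconds]
    for line in cdr_text.strip().splitlines():
        ts, ext, dialed, secs = line.split(",")
        start = datetime.fromisoformat(ts)
        if is_risky(start, dialed):
            bucket = buckets[(ext, start.replace(minute=0, second=0))]
            bucket[0] += 1
            bucket[1] += int(secs)
    alerts = []
    for (ext, hour), (calls, secs) in sorted(buckets.items()):
        if calls > MAX_RISKY_CALLS or secs > MAX_RISKY_MINUTES * 60:
            alerts.append((ext, hour.isoformat(), calls, secs // 60))
    return alerts


if __name__ == "__main__":
    for alert in find_toll_fraud(SAMPLE_CDRS):
        print("possible toll fraud:", alert)
```

An alert like this is most useful when it feeds an automatic cap or block on outbound international calling for the affected extension.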

Denial-of-Service (DoS) Attacks

Unlike the data-centric DoS attacks, VoIP-specific attacks gun for signaling protocols like SIP.

An attacker can flood a SIP server with malformed requests or an overwhelming number of INVITE or REGISTER requests, which consumes its resources and renders the phone system inoperable for legitimate users.

The goal is to disrupt business operations and serve as a smokescreen for other attacks.
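The following added example (not from the original article) shows the detection side of this: a per-source sliding window over inbound SIP request lines that counts INVITE, REGISTER and malformed requests. The record format, window length and request budget are assumptions for the sketch.

```python
import re
from collections import defaultdict, deque

REQUEST_LINE = re.compile(r"^([A-Z]+) sips?:\S+ SIP/2\.0$")
WATCHED = {"INVITE", "REGISTER"}
WINDOW_MS = 10_000   # assumption: 10-second look-back window
LIMIT = 20           # assumption: per-source budget inside the window


def detect_sip_floods(records, window_ms=WINDOW_MS, limit=LIMIT):
    """records: (timestamp_ms, source_ip, first line of an inbound SIP request),
    in time order. Returns {source_ip: timestamp_ms when it first exceeded the limit}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, first_line in records:
        match = REQUEST_LINE.match(first_line)
        # Well-formed requests other than INVITE/REGISTER are ignored;
        # malformed request lines count against the budget as well.
        if match and match.group(1) not in WATCHED:
            continue
        window = recent[src]
        window.append(ts)
        while window[0] <= ts - window_ms:
            window.popleft()
        if len(window) > limit:
            flagged.setdefault(src, ts)
    return flagged


def sample_records():
    """Constructed traffic: one REGISTER flood, one normal phone, one malformed burst."""
    reg = "REGISTER sip:pbx.example.com SIP/2.0"
    flood = [(1_000_000 + i * 200, "198.51.100.7", reg) for i in range(40)]
    phone = [(1_000_000, "192.0.2.10", reg),
             (1_003_000, "192.0.2.10", "INVITE sip:1017@pbx.example.com SIP/2.0"),
             (1_004_000, "192.0.2.10", "BYE sip:1017@pbx.example.com SIP/2.0")]
    junk = [(1_002_000 + i * 100, "203.0.113.9", "INVITE \x00\x00 garbage")
            for i in range(25)]
    return sorted(flood + phone + junk)


if __name__ == "__main__":
    print(detect_sip_floods(sample_records()))
```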

Boosting Your Defense With Access Control

While it’s not the only defense against all the above attacks, you can’t go wrong with preventing unauthorized access; it’s an important way to prevent sensitive data from reaching bad actors.

Attackers’ methods may well be sophisticated, but most breaches still hinge on compromising credentials and mistakes that were avoidable.

• Passwords: Using simple, easily memorable passwords is now a thing of the past. Firms ought to enforce very strict password policies that align with modern security standards (e.g., NIST recommendations).

This means having a certain minimum length, a mix of character types, and, of course, ruling out common or previously breached passwords.

Regular and forced rotation is actually less critical than ensuring complexity, but it’s still often good practice.

• Multi-Factor Authentication: MFA is arguably the most effective control to prevent unauthorized access. It’s a way of having another (or a third) layer of verification.

For example, a time-based code from an authenticator app or a physical security key.

MFA does a great job of neutralizing the threat of stolen passwords. So, for good security, phishing-resistant methods like FIDO2/WebAuthn could be used.

Encryption And Network Security

Protecting voice data has also become important with the rise of deepfakes and voice clones. This means more focus is needed on encryption and network-level security so that communication remains confidential.

Voice communications have two key components that require protection: the signaling (call setup, teardown) and the media stream (the actual voice data).

SIP over TLS should be forced to encrypt the signaling traffic as this does a superb job of preventing eavesdroppers from harvesting metadata about said calls.

For the media itself though, the Secure Real-time Transport Protocol, known as SRTP, is the standard.

SRTP encrypts the voice packets themselves, and this makes the conversation unintelligible to anyone who might otherwise intercept it. Both are necessary.
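To make the "both are necessary" point concrete, here is an added example (not from the original article) that audits a SIP INVITE as seen at a capture point and reports whether the signaling hops use TLS and whether the SDP offers an SRTP media profile. Both INVITE messages are constructed and trimmed to the relevant headers, and the host names and key placeholder are assumptions.

```python
# Constructed INVITEs, trimmed to the headers this check reads.
PLAIN_INVITE = (
    "INVITE sip:1017@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SECURE_INVITE = (
    "INVITE sips:1017@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhds\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<constructed-key-placeholder>\r\n"
)

# SDP transport profiles that carry SRTP (SDES-keyed and DTLS-keyed variants).
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


def audit_invite(message):
    """Return findings; an empty list means signaling and media are both protected."""
    head, _, sdp = message.partition("\r\n\r\n")
    findings = []
    # Signaling: every Via hop recorded in the message must name TLS as transport.
    vias = [h.split(":", 1)[1].strip() for h in head.split("\r\n")[1:]
            if h.lower().startswith(("via:", "v:"))]
    if not vias or any(not v.upper().startswith("SIP/2.0/TLS") for v in vias):
        findings.append("signaling: a Via hop is not TLS")
    # Media: each m= line must offer an SRTP profile rather than plain RTP/AVP.
    for line in sdp.split("\r\n"):
        if line.startswith("m="):
            fields = line.split()
            proto = fields[2] if len(fields) > 2 else "(missing)"
            if proto not in SRTP_PROFILES:
                findings.append(f"media: {fields[0]} uses {proto}, not SRTP")
    return findings


if __name__ == "__main__":
    print(audit_invite(PLAIN_INVITE))
    print(audit_invite(SECURE_INVITE))
```

The check only sees the hops recorded in the message at the point of capture, so it complements rather than replaces enforcing TLS and SRTP in the provider or PBX settings.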

Firewalls should also be carefully configured to support VoIP without unnecessarily exposing the system.

Instead of just opening SIP port 5060, you can instead implement session border controllers or next-generation firewalls. Both of these can help perform deep packet inspection on SIP traffic.

For remote workers, which are increasingly common (and a common cause of threats), all access to the cloud phone system should be routed through a corporate VPN.

This creates a secure and encrypted tunnel that shields the traffic from potential interception on the commonly used networks like public Wi-Fi.

Why Your Team Is Its Own Best Security Asset

The most sophisticated technological defenses can still often be rendered ineffective by a single, yet very well-targeted social engineering attack.

In the end, people remain the most important aspect of cybersecurity, both as a threat and a solution. Standard security awareness training is no longer going to cut the mustard.

To combat the likes of AI-powered vishing, training needs to be incredibly frequent and ongoing because the technology and competence behind these attacks are iterative.

In fact, regular, unannounced vishing simulations that mimic real-world attack techniques should be used to keep employees razor-sharp.

Research shows that these simulations are effective and help employees recognize the subtle cues of a fraudulent call (e.g., a manufactured urgency or unusual request).

Building up this muscle memory is hugely important.

Setting Yourself Up For Success

Moving to cloud phone systems does bring its own security benefits too, as a lot of threat protection is provided by the service provider.

But, like with any migration, the employees and security frameworks need to adapt.

Simulation, training, and encryption are the key ways to go about this, as well as having a responsible password culture throughout the company.

Cyber Advisory

CISO Advisory is a Team of Security Experts Covering Various Cybersecurity Research and Technical Write-ups.
