VoIP Security – Guidelines to Secure an IP PBX System

Just like any other internet-connected device, VoIP phones are continuously targeted by hackers. According to Europol’s European Cybercrime Centre and Trend Micro, telecom fraud costs US$32.7 billion annually. This, together with other cybercrime attacks that could cause service disruption, makes business phone system security a necessity.


Top Cloud PBX providers such as Soluno.se take care of much of the security requirements using various techniques such as call encryption. However, there’s still a lot you need to do to ensure that attackers do not exploit any vulnerabilities in your enterprise. Further, if you use an on-premises solution, the responsibility for ensuring that the system is not vulnerable to outside attacks and that audio signals are not intercepted lies with you. You can use the following guidelines to keep your business phone systems secure.

Secure user credentials with a strong password and two-factor authentication

Most modern IP PBX servers can be configured through a web interface. This may be convenient, but the entire system’s security will depend on how you secure the interface. Some PBX systems will come with a default password, but ensure you change it to a secure password immediately. If your provider offers two-factor authentication, enable it to prevent brute-force attacks.

IP phones also come with default passwords, and some PBX servers will allow you to operate with the default one or with no password at all. However, you should change all IP phone passwords and use strong ones. Further, avoid making the classic mistake of using the same password as the extension name.

Implement security right from the design stage

The best type of security is one that has been considered a priority right from the start. This means that you need to plan your network security early on, so that securing VoIP becomes just one additional measure.

There are many ways to secure your office network, but as a basic guideline, ensure that you use a firewall. A firewall will sit at the border between your network and the internet, limiting what attackers and outside parties can “see” inside your network. It will also control traffic and provide reports and statistics that you can review. On top of that, you can set up a business Virtual Private Network (VPN) for remote staff.

Monitor network usage & review call logs

This isn’t as technical as one would expect of most security tips, but it is an essential guideline for VoIP security. By checking your network usage, you can detect network-based attacks. There are open-source tools that display network usage using graphs, and they can help you identify unusual network activity.

As for the phone system, use the dashboard to review average call durations, hold time, total incoming/outgoing calls, total duration per user, and total calls/missed calls. Keep these reports and compare them over a certain period to identify any abnormal call durations, times, destinations, and sources. The security team should investigate any suspicious activities further.

Disable international calling or enable geo-fencing

VoIP systems are often targeted by bad actors to artificially generate a high volume of international calls on expensive routes, an attack known as international revenue sharing fraud (IRSF), or simply toll fraud.

One way of keeping such an attack from racking up your charges is to disable international calling or enable geo-fencing. If your company doesn’t make any international calls, disable the capability altogether. If you must make international calls, you should enable geo-fencing. This way, you can block unwanted calls to/from countries, area codes, or phone numbers associated with toll fraud.
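
The call-log review and geo-fencing guidelines above can be combined into a periodic audit of exported call detail records. The following is an added example, not part of the original article or any vendor's tooling: the CSV layout, the home country code, the allowed destinations, the working hours and the daily budget are all assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumptions (not from the article): E.164 numbers, home country code 46,
# an 08:00-18:00 working day and a 60-minute daily international budget.
HOME_CC = "46"
ALLOWED_CC = {"46", "47", "45"}   # geo-fence: destinations the business really calls
BUSINESS_HOURS = range(8, 18)
MAX_INTL_MINUTES_PER_DAY = 60

# Constructed sample records; +999 is an unassigned prefix used as a placeholder.
SAMPLE_CDR = """extension,start,dialed,seconds
101,2024-03-04T09:15:00,+46812345678,240
102,2024-03-04T10:02:00,+4722334455,600
103,2024-03-05T02:11:00,+99912345678,3500
103,2024-03-05T02:40:00,+99912345679,3400
104,2024-03-05T14:30:00,+4533445566,4200
"""

def country_code(number, known=ALLOWED_CC):
    """Return the allowed country code the number starts with, else None."""
    digits = number.lstrip("+")
    return next((cc for cc in known if digits.startswith(cc)), None)

def audit(cdr_text):
    """Return a sorted list of (extension, reason) findings for review."""
    findings = set()
    intl_seconds = defaultdict(int)   # (extension, date) -> international seconds
    for row in csv.DictReader(io.StringIO(cdr_text)):
        start = datetime.fromisoformat(row["start"])
        cc = country_code(row["dialed"])
        if cc is None:
            findings.add((row["extension"], "destination outside geo-fence"))
        if cc != HOME_CC:
            intl_seconds[(row["extension"], start.date())] += int(row["seconds"])
            if start.hour not in BUSINESS_HOURS:
                findings.add((row["extension"], "international call outside business hours"))
    for (ext, _day), secs in intl_seconds.items():
        if secs > MAX_INTL_MINUTES_PER_DAY * 60:
            findings.add((ext, "international minutes over daily budget"))
    return sorted(findings)

if __name__ == "__main__":
    for ext, reason in audit(SAMPLE_CDR):
        print(f"extension {ext}: {reason}")
```

Findings from such a script are leads for the security team to investigate, and the geo-fence itself still has to be enforced on the PBX or by the provider.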

Update all systems regularly

Updates help guard against malicious software and exploits by providing security patches. Enabling automatic updates should be made mandatory for all devices and operating systems. This includes all computers, mobile devices, and software. If you use Cloud PBX, the service provider will deliver all updates automatically. However, for on-premises solutions, you will need to ensure that all firmware updates are installed from time to time.
