I will be exploring the methods of securing a VoIP (Voice over Internet Protocol) system. VoIP phone systems offer many improvements to the outdated, traditional landline services that most of us have known enough to hate. By connecting directly to the Internet, as opposed to a local phone company, organizations can save a lot of money, increase functionality, and provide unparalleled analytics and scalability. Portability, something that many businesses seek (especially those who have traveling employees), is a fundamental part of VoIP systems. With a VoIP system, you can get access anywhere you are in the world; this allows customer service employees to work from home, quickly change infrastructure, and have the phone system scale as fast as a company grows. VoIP also supports a wide range of features such as incoming call holds, call transfers, hunts, conference calls, and auto-attendant phone menus, as well as be able to take work calls on your desk phone, web browser, or even your mobile device.
For this post, I will share the procedures I followed while increasing the security of 8×8’s VCC (Virtual Contact Center) and VO (Virtual Office), the two products we use in conjunction with our Polycom hardware, consisting of VVX 250’s, IP 6000’s, and IP 5000’s.
Training Your Employees
Possibly the most significant factor in the security of your VoIP system is merely training your employees on how to effectively (and safely) use it. Just like any sector of technology-based business practices, the misuse of data can trigger disastrous consequences. Ensure you devote enough time to teach your employees how to properly use the system, as well as provide how-to documents for future self-help.
In my case, I created multiple documents on our shared Google Drive at work, including an 8×8 Cheat Sheet (which lists several (*) commands, login procedures, etc.) as well as a document that offers employees an environment to register their concerns/suggestions (separate from our ticketing system). High-level security goes hand-in-hand with seamless and effective communication.
Creating a VoIP Directory/Inventory List
While employees can access the company’s phone directory from the 8×8 app itself, it is an excellent idea to create an external document containing the phone numbers, MAC IDs, serial numbers, and extensions assigned to each person/piece of hardware. In my case, I thought a Google Doc would be the optimal choice, as I have been adding all of the IT documentation I have created since I started working here in a shared Google Drive folder.
By creating a phone directory/phone hardware list, such as the one seen below, adding VoIP equipment into your complete IT inventory list is as simple as a quick copy and paste. However, as nobody wants to spend a full day searching through your enormous IT inventory list for the VoIP equipment (would probably take a month with mine), having a separate file for your VoIP equipment is highly recommended. The creation of a VoIP Directory/Inventory list also allows you to increase the security and accountability of the system by offering a list of what devices are assigned to who, which devices need updating/fixing, the number of backup devices you have, as well as ensure that if the VoIP system went down, you still have a list of all employee’s phone numbers and extensions.
Create a Changelog
Unfortunately, neither VCC or VO has a changelog or audit abilities within its software. So, keeping track of who made changes to the system and at what time they performed the actions can be difficult. I ended up creating my own changelog for each VCC and VO; while not everyone remembers to use it (surprising, I know), as I am the main admin for both, I have a rather large collection of every step I took in both creating and maintaining 8×8’s products. In the future, if an error or cybersecurity incident occurred, I can then quickly pinpoint what caused the problem and, more importantly, how to fix it.
Virtual Office (VO) Security
I will now share the methods to increase 8×8’s VO security via the Configuration Manager.
In the Users tab, you will find the ability to add, edit, or remove VO users: there are some vital steps involved in ensuring that your users have the access they need and limiting them from what they don’t require. First, when setting their username, I find that ‘first name.last name’ is sufficient, as long as you have them arrange a complex password; to make this simple, you can enable SSO (Single Sign-On) via Google. While not required, filling out the job title and department of the user in question allows for simple troubleshooting and allocating access to those who require it. In Services and Permissions, you can select which VO or VCC license the user will have, thus granting them access to either program, as well as the more advanced features of the (X4, X6, etc.) licensees. Be sure only to give those who need access to VO (in our case, customer service) a VO license. For all other employees, I have them set to VO only. Under Voice Basic Settings, you will find the ability to assign phone numbers, extensions, and devices to users. To assign a phone to a user, I find that merely copy-pasting the MAC ID from your abovementioned VoIP Inventory list is the easiest method to activate a device; alternatively, you can do this using the actual desk phone (if you are using one). Next, you will see the setting, Enable Secure Real-Time Protocol (SRTP); this uses the Advanced Encryption Standard (AES) to protect the privacy of VoIP calls. You will want to turn on SRTP whenever possible, but I found that for some users, this created problems with their desk phones becoming unverified over and over; to fix this, adding the user’s IP address to your system’s whitelist and building them a static IP seemed to do the trick. In Voicemail Settings, you will be able to set the user’s PIN or have them create one (this is also where you will come to reset it for them when they forget it). While it may seem like a good idea to keep a document of all of your user’s PINs, this isn’t recommended due to the potential of having that document fall into the wrong hands. Instead, just reset the password and create a new one if you or the user run into any issues.
On this page, you will see all desk phones that are assigned/actively used. By selecting Device Report, on one of the models, you will see a list of each phone’s MAC address, device admin password, extension, status, activation code, site, and the assigned user. Using the Device page can help identify and diagnose any potential problems you run into with VoIP security.
In this section, you can see information regarding your sites and PBXs. Also, you will find the ability to add or remove company administrators; admins have the highest privileges, so ensure that only those who absolutely need permission to have admin access. Conducting a periodic review of who is set as a company admin is an excellent protective measure.
In this tab, you will find VO’s login settings. Depending on your system and users, you may want to enable only 8×8 (username/password) or SSO (Google, Okta, other SAML SSO); in my case, I allowed users to use either one of the login settings due to ease-of-access. Restricting users to only using SSO will enable you to use Google’s rather abundant security measures.
VCC (Virtual Contact Center) Security
VCC (Virtual Contact Center) offers more sophisticated features than with VO; due to this, we have our customer service agents using the software. Most of the settings for both VO and VCC are located in VO’s configuration manager. VCC’s configuration manager merely adds more in-depth ‘customer service’ oriented options.
In VCC Configuration Manager, you will find tons more settings that enable greater control of the security of the VoIP system.
Under Home > Profile, you should start by creating a password for Secure File Transfer Protocol (FTPES), as well as enter a secure email address for both service and maintenance notifications; this will allow you to ensure the protection of VoIP data, as well as remain informed of any changes to the system. Further down the Profile page, you can edit spam settings and create blacklists/whitelists and toggle user’s ability to change their names, enable SSL, and turn on phone call recording (a must to ensure both the level of service your agents provide, as well as ensure no unnecessary sensitive data is being shared).
In the Security tab, the framework of the entire cybersecurity of the VoIP system is shown. For the Roles section, you will want to create and edit the permissions of the Super User role, as well as any other roles you think you will require. Personally, I have our administrators as Super Users, however, I edit exactly what each of them can do in VCC. Basically, you can control what each user can do in every area of the VCC configuration manager. I find only granting certain individuals full-access to be the best protection, as it can be difficult to keep track of changes on a daily basis (there is no VCC changelog). In the Security section, you can also create an allowed IP range list, thus only enabling select IP addresses (such as those in your company) to access VCC.
In the Users tab, you can view and edit users from VO that you have permitted to use VCC. From here, you can turn on/off the ability to delete emails, change settings in queues, as well as reject interactions. Under Phone, you can prevent users from changing their phone or SIP URL and alter recording controls. In the Supervisor tab of each user, ensure that only those who manage or are responsible for each queue is granted Supervisor access, as you do not want someone without VCC knowledge to mess with the inner workings of the queue system.
While there are some things you can do to prevent security incidents when creating scripts, like enabling overload settings, altering voicemail options, and allowing only complete phone numbers to receive queued callbacks, I won’t get too in-depth with how to accomplish everything (honestly, some of my scripts are over seventy pages long, I don’t even want to think about them again after the war that went into creating them!)
A well-built VoIP system can offer a magnitude of useful features for any size of business, as well as provide customers with new channels of communication in regards to purchasing or troubleshooting goods and services. However, if the system is not designed with security in mind, the sensitive information that is shared via phone calls can be intercepted and disrupted. It is up to every cybersecurity professional to ensure that every system in their possession meets the same criteria of secure asset protection.