How to interrogate the security of your Session Border Controller (SBC)

All security products will become vulnerable over time as the threat landscape evolves. Any ‘deploy once, update infrequently or never’ security solution is inherently flawed. So, whilst it is positive that organisations are increasingly recognising the need to secure their SIP Trunking solutions by implementing a Session Border Controller (SBC), the fact that many SBCs are considered not only one-off investments, but also one-off deployments, is leaving businesses vulnerable. In a security landscape where no company would fail to update its anti-virus software, why would it assume its SBC can protect against changing threats without routine updates?

The simple truth is that in their current guise, most SBCs have lulled organisations into a false sense of security. Here I outline how to interrogate the effectiveness of the SBC.

Understanding risks

Attacks on VoIP servers represented 67 per cent of all attacks recorded against UK-based services, according to Nettitude. Furthermore, according to NEC, 84 per cent of UK businesses are considered to be unsafe from hacking. The implications of this are significant and extend far beyond the obvious financial costs of phone bills, or the increasingly common Telephone Denial of Service threats. From eavesdropping on sensitive communications with malicious intent such as harassment or extortion, to misrepresenting identity, authority, rights and content – such as modifying billing records – or gaining access to private company and customer contacts, hackers are cashing in on the widespread adoption of VoIP, with potentially disastrous consequences.

Whilst many companies have recognised the risk and implemented an SBC in a bid to improve security, many SBCs are left unmanaged and become out of date. This fundamentally undermines the value of that initial investment.

To determine how secure the current SIP trunking deployment may be, companies need to consider the following questions:

1. Was the SBC easy to deploy?

An SBC that is complex to deploy creates a number of problems. Expensive external expertise handling the configuration may break the VoIP business case in the process. On the other hand, any attempt to manage the process in house will be constrained by the complexity. This leaves implementing simple rules as the only option, leaving the organisation open to breach. The SBC will be in place but it will not be delivering the required – or perceived – level of security. A bit like having a firewall with a 'permit any' rule.

2. Who manages the SBC?

Out of sight should never be out of mind if a third party is involved. Regular reports should be provided about the performance of the SBC, the evolving risk landscape and the way the product is being updated to counter the threats. If this is not the case, then the SBC may not be secure.

3. How often is the SBC updated?

If the answer to this question is ‘infrequently or never’, the SBC will be open to breach. Attitudes to SIP security should be exactly the same as attitudes to anti-virus and anti-malware solutions: harden infrastructure and update policies. The threat landscape is evolving all the time, so routine SBC updates in response to new threats and technology change are essential.

4. Does the SBC send alerts?

Given the number of breaches and attempted breaches being faced by organisations of every size, the SBC should be busy. But who knows? Does the SBC notify the business when something happens, when it has blocked a call and why? Real-time alerts – via email, text or management alerting – should be essential components of the SBC product to ensure the company knows it has been attacked and also to raise any other remediation steps that may need to be taken to remain secure across the entire business.

5. Does the SBC vendor routinely communicate?

An SBC provider should be sharing valuable insight into the changing threat landscape. Routine updates about newly identified threats should be backed up with information about the new features and functions that are being introduced to the SBC to counter these threats. Understanding how the software is being amended to protect the business – and when the updates will occur – is key to ensuring the SBC deployment remains up to date and the business secure.

6. How often is the effectiveness of the SBC reviewed?

Every security product should be routinely evaluated to ensure it is still operating effectively and providing a strong, secure barrier. Including the SBC in that review process is essential if the business is to remain protected against both current known and as yet unknown threats. Whether that review occurs weekly or monthly will depend on the business plan, but routine assessments and regular reports from the vendor about SBC activity are key to proving the value of the on-going investment.

7. Does the SBC vendor share best practice guidelines?

The right deployment of a routinely updated SBC is key to securing the SIP environment. Yet perimeter technology alone is not enough. Best practice guidelines should also include advice about educating staff about how to spot new threats. Vishing attacks are a great example – ensuring staff are aware that criminals may call up to try and obtain credentials that can then be used to compromise other systems is just as important as any technology solution.

Collaborative approach in the cloud

So what are the options if the answer to any or all of the above questions reveals the inadequacy of the current SBC?

The good news is that cloud-based, continuously updated SBCs address all of these issues, not least by exploiting community-led intelligence where all organisations are sharing information about threats and risk experiences. Routine product updates combined with shared intelligence ensure an attack on a single organisation can be quickly transformed into a patch or update that protects every business from the new risk.

This speed of response and continual change is key to securing SIP trunking. Understanding the need for an SBC is a great step, but organisations simply cannot afford to rely on a one-off deployment. It is time to determine the true level of security and effectiveness being delivered by the SBC today.

Paul German, CEO, VoipSec
