Security Policy for VoIP
Have you heard of the latest VoIP phishing trick, the one that has gained notoriety under the name "vishing"?
It runs as follows: gullible users receive an e-mail (or a phone call) telling them that their credit card information is being stolen and urging them to quickly dial a phone number. That number is answered by computer-generated voice prompts that ask them to enter their credit card number, other authentication details, and so on.
The phone number is the VoIP-related part of the phishing scam. Unlike a traditional phone line, VoIP lets fraudsters operate approximately 800 local phone numbers at the same time and start collecting credit card information automatically as soon as the system is set up. With traditional telephony, the telephone company generally verifies that a business is legitimate and assigns a local number only to a company with a real workplace in that area.
Vishing is the latest VoIP security threat. "Network World" recently reported that all types of VoIP systems, including the well-known open source system Asterisk, are vulnerable to distributed DoS attacks, which can completely take down an enterprise's telephone system.
There is also a now fairly well-known case of fraud over IP (FOIP), in which two suspects broke into the networks of businesses and service providers and "rolled away" about 10 million minutes of calls, while each of the injured companies paid around 300,000 dollars in connection fees. Such cases are gaining momentum.
So how should companies guard against this kind of new security threat or vulnerability introduced by VoIP systems? First, the enterprise needs one person who is responsible for VoIP security. That sounds clear and simple, but you would be surprised how many people in an organization assume VoIP security belongs to the security team, while the security teams themselves argue over whose job it is. If it is not even clear who is responsible for such a basic matter, how can there be any talk of security?
Next, assess the vulnerability risk of the system. Enterprise VoIP threats typically fall into four primary categories: availability, privacy, service theft, and access to sensitive information. Availability concerns vulnerability to distributed DoS or other attacks that cause the VoIP system to drop. Privacy concerns the disclosure of VoIP calls. Service theft concerns whether the system can be abused by others, as in the FOIP case mentioned above. The last category requires considering how vishing can be used to intrude into the enterprise: for example, a hacker may intercept a VoIP call, change its caller ID to "IT department", and then dial the president's secretariat, staging a scenario in which the president's secretary is asked to provide the president's system password or other confidential information. The secretary would believe she was talking to the IT department and could easily divulge confidential information to the hacker.
Finally, a specific countermeasure is needed for each threat. For example, to ensure availability, general distributed DoS prevention must be in place and accurate. To ensure privacy, appropriate encryption techniques can be used. To prevent the risk of service theft or leakage of sensitive information, personnel need to be trained and accurate call monitoring functions need to be deployed.
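As an added example that is not part of the original article, the following Python monitor shows how three of the threat patterns discussed above (a caller ID claiming an internal department but arriving over an external trunk, an INVITE flood against availability, and abnormal outbound international minutes indicating service theft) could be checked over call records. The record format, field names, trunk names, thresholds and the sample records are all assumptions constructed for illustration, not the log format of any real PBX.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRecord:
    """One signalling event or completed call, in an assumed PBX log format."""
    ts: int            # seconds since the start of the observed day
    src_ip: str        # IP address the INVITE came from
    trunk: str         # trunk that carried the call, e.g. "internal" or "ext-sip-trunk"
    display_name: str  # caller-ID name presented to the callee
    caller: str        # originating extension or number
    callee: str        # dialled number
    duration: int      # seconds the call lasted (0 for rejected or abandoned INVITEs)


# Constructed sample data, not a capture from any real system.
SAMPLE_RECORDS = [
    # legitimate internal call from the helpdesk extension
    CallRecord(100, "10.0.0.21", "internal", "IT Department", "2101", "2001", 120),
    # caller ID claims "IT Department" but arrives over the external trunk: vishing pattern
    CallRecord(130, "203.0.113.7", "ext-sip-trunk", "IT Department", "+15551234567", "2001", 300),
    # one source sending a burst of 60 INVITEs within a minute: availability / DoS pattern
    *[CallRecord(200 + i, "198.51.100.9", "ext-sip-trunk", "", "anonymous", "2000", 0) for i in range(60)],
    # one extension placing 15 half-hour international calls in a day: service-theft pattern
    *[CallRecord(3600 * h, "10.0.0.44", "internal", "Sales", "2140", "+4477000000" + str(h), 1800) for h in range(15)],
]

INTERNAL_DISPLAY_NAMES = {"it department", "helpdesk", "finance"}   # assumed
EXTERNAL_TRUNKS = {"ext-sip-trunk"}                                # assumed


def flag_spoofed_internal_identity(records):
    """Calls that present an internal department name but enter over an external trunk."""
    return [r for r in records
            if r.trunk in EXTERNAL_TRUNKS
            and r.display_name.strip().lower() in INTERNAL_DISPLAY_NAMES]


def flag_invite_floods(records, window=60, threshold=50):
    """Source IPs sending more than `threshold` INVITEs in any `window`-second sliding window.

    Returns {src_ip: peak count observed in a single window}.
    """
    by_src = defaultdict(list)
    for r in records:
        by_src[r.src_ip].append(r.ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans less than `window` seconds
            while times[end] - times[start] >= window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def flag_service_theft(records, max_minutes=360):
    """Extensions whose outbound international minutes exceed a daily budget.

    An international number is assumed to be E.164 ("+...") outside country code +1.
    """
    minutes = defaultdict(float)
    for r in records:
        if r.trunk == "internal" and r.callee.startswith("+") and not r.callee.startswith("+1"):
            minutes[r.caller] += r.duration / 60
    return {ext: round(m) for ext, m in minutes.items() if m > max_minutes}


def run_monitor(records=SAMPLE_RECORDS):
    """Apply all three checks and return the findings per threat category."""
    return {
        "spoofed_identity": [(r.src_ip, r.display_name, r.callee)
                             for r in flag_spoofed_internal_identity(records)],
        "invite_floods": flag_invite_floods(records),
        "service_theft": flag_service_theft(records),
    }


if __name__ == "__main__":
    for category, hits in run_monitor().items():
        print(category, hits)
```

The thresholds are deliberately simple; in practice they would be tuned per trunk and per time of day, and a display-name mismatch on an external trunk is best handled by having the PBX rewrite or strip the presented name before the call reaches a human, since training alone cannot reliably stop a convincing "IT department" caller.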