Keeping your IPBX services secure is as much a responsibility of hosting platform managers as it is of the individual administrators and users. Hackers commonly target weak SIP, web, DISA and voicemail passwords amongst other things to commit fraud and compromise confidential data.
Please take time to ensure you have secured these items, IT IS YOUR RESPONSIBILITY!!!
SIP Device Credentials
SIP Device Credentials are the #1 way fraud occurs. Weak SIP passwords like “test” or “password” are, unfortunately, very common and are easy to guess or crack. This problem is exacerbated when the SIP username is the extension of the device (100, 101, etc.), which makes guessing SIP credentials significantly easier. Ensure your SIP device credentials are all unique, long, and as random as possible. If your device will be auto-provisioned you will never have to type the SIP credentials, so the longer and more random, the better.
Regularly changing your SIP credentials is another excellent way to keep yourself secure. When devices are auto-provisioned it only takes one click to update a device with new, random usernames and passwords. Many VoIP deployments still have devices using the same password they were originally set up with several years ago.
During the life of your service, you will undoubtedly create SIP devices that are never used or only used temporarily. Having extra unused devices exposes your account to greater risk. If you no longer need test credentials or a device is pulled out of service, don’t forget to delete the corresponding device.
Keep your User Interface credentials under lock and key and change them often. When you change your passwords make sure that you don’t use an insecure password or one that you have recently used before. Never give your credentials to anybody for any reason, and if you suspect that someone has obtained your credentials change them immediately. Remove any unnecessary users as soon as they are no longer required.
When you log into the web interface, be sure that you do so in a secure environment. On your browser make sure you are using HTTPS and not HTTP.
Avoid signing in over insecure networks such as coffee shop Wi-Fi, and never sign in from a public computer such as those in a library. Also, don’t forget to log out when you are finished: the session remains logged in even if you close your web browser, so anybody else using your computer could make changes without knowing your password.
Voicemail is an easy target for hackers because people commonly choose poor passwords for their mailbox. Please do not allow users to use:
- Repeated digits (1111, 2222, etc.)
- Simple combinations of numbers (1234 or 5678)
- Their extension number or the last three or four digits of their phone number
- Passwords of fewer than two digits
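A voicemail PIN policy check that implements the rules in the list above, as an added example and not code from the original page or the hosting platform. The function name, the minimum-length parameter (defaulting to the two digits stated above) and the extension and phone-number inputs are assumptions; it also rejects descending and wrap-around digit runs (such as 4321 or 9012), which goes beyond the two sequences named above.

```python
# Voicemail PIN policy check for the rules listed above (added example).
# Assumptions: the caller supplies the mailbox's extension and, if known,
# the user's phone number; min_digits is configurable and defaults to 2.


def is_simple_sequence(pin: str) -> bool:
    """True for runs such as 1234, 5678, 4321 or 9012 (step +1 or -1 mod 10)."""
    if len(pin) < 2:
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {9}


def weak_voicemail_pin(pin: str, extension: str, phone_number: str = "",
                       min_digits: int = 2) -> list:
    """Return the list of policy violations for `pin`; an empty list means it passes."""
    problems = []
    if not pin.isdigit():
        return ["must contain digits only"]
    if len(pin) < min_digits:
        problems.append(f"fewer than {min_digits} digits")
    # Repeated digits (1111, 2222, ...): one distinct digit in a multi-digit PIN.
    if len(pin) > 1 and len(set(pin)) == 1:
        problems.append("repeated digit")
    # Simple combinations of numbers (1234, 5678 and their descending forms).
    if is_simple_sequence(pin):
        problems.append("simple ascending/descending sequence")
    # The user's own extension number.
    if pin == extension:
        problems.append("equals extension number")
    # The last three or four digits of the user's phone number
    # (any formatting such as spaces, brackets or dashes is stripped first).
    digits = "".join(ch for ch in phone_number if ch.isdigit())
    if digits and pin in (digits[-3:], digits[-4:]):
        problems.append("last digits of phone number")
    return problems


if __name__ == "__main__":
    # Constructed sample data, not real mailboxes.
    for candidate in ("1111", "1234", "101", "5309", "7", "836142"):
        print(candidate, weak_voicemail_pin(candidate, "101", "(555) 867-5309"))
```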
Don’t forget about voicemail to email either. If you are not using this feature, ensure nobody else has entered their email address as the recipient; you can check this just by clicking Settings in your user portal. When setting your email address, keep your company’s privacy in mind: it might be more convenient to send voicemail to your personal email, but that service probably does not provide the same security as your corporate email. When you receive a voicemail-to-email message, remember that it carries the recording as an attachment as well as sensitive data, so be sure you want to share that information before forwarding the email (for instance in response to a support ticket). Also keep in mind that deleting a voicemail-to-email message does not delete the message from the voicemail box. These messages accumulate until you delete them or enable the feature that deletes them automatically after emailing, greatly increasing the information exposed if your voicemail is compromised.
DISA (Direct Inward System Access) allows you to access the system remotely from an outside phone (cell phone, home phone) as if you were using the system at the office. DISA is a convenient feature but becomes risky if the access number and PIN code are not renewed on a regular basis.