Are You Vulnerable to IP Telephony Fraud and Cyber Threats?

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
2

Are You Vulnerable to IP Telephony
Fraud and Cyber Threats?
Enterprise Communications Academy Webcast Series
Carl Blume
Product Marketing
Oracle Communications
November 17, 2016

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | 4
Crime
Hactivism
Espionage
War
Richard Clarke

•
Hackers Target Pro-Clinton Phone Banks – But Hit Trump’s Too
Mass. Businessman Fights AT&T Over $1M Phone Bill
$7.6B Global Fraud Loss in 2015 Due to PBX/IP-PBX Hacking
Pakistani Citizen Admits Laundering Millions From Massive
Computer Hacking And Telecommunications Fraud Scheme
United States
Dept. of Justice
TDOS: Telecommunication Denial of ServiceFBI

Attack Vectors
6
Telephony Fraud Telephony Denial of Service
Objective • Service theft
• Financial payments through
deception
• Block service (hactivism)
• Ransom
Methods Hacking into a user account in
a PBX, UC or voicemail system
Flooding a network element with
bogus traffic that prevents it
from responding to valid service
requests

Revenue Sharing Fraud
Foreign
country carrier
FraudsterAttacker
Subscribers
PBX systems
Revenue
based on call
volume
Make calls
Injects calls
Scans
networks
Sells account information
Entice to make calls
Subscribers pay bill to phone operator Operator pays fraudster
Money flow:
Revenue-
share number
Fraudster operates revenue-share number(s)
 Minimal technical overhead
 International number for higher revenue
 Foreign country improves security
Revenue based on call volume
 Make calls on third party’s behalf
- Hack PBX and route calls through it
 Motivate third parties to make calls
- Missed calls, lottery/banking scams, etc.
Revenue paid daily/weekly
 Subscriber billing cycle: monthly
 Fraudster is long gone before investigations start
7

Three Phases of Malicious TDoS and Fraud
• Reconnaissance – determination of potential targets
• Enumeration – target evaluation (TDoS may start here)
• Attack – targeted system compromise for theft, fraud or DoS
EnumerationReconnaissance
Information Gathering
Port Scanning, OS
Fingerprinting, Service Detection
Active Attack (Cleanup)
Phase 1 Phase 2 Phase 3
Attack
Maintain
Access
Attack
Cover
Tracks
Gain
Access
Deployment Attack

PBX/UC Hacking
• Attacker scans networks for VoIP
equipment
• Brute force password guessing
– Lack of password policies
– Easily guessable passwords
• Misconfiguration
– Inbound calls allowed without
authentication
Voicemail Hacking
• Attacker hacks into user mailbox
and abuses call-through feature to
originate revenue sharing or service
theft calls
• Attacker hacks into user mailbox
and uses Call-back feature to place
revenue sharing calls
– Leaves voicemail with spoofed revenue
sharing number
9
Hacking for Fraud

Private Network
TDoS Can Take Many Forms
• ScriptsAutomated
• Bots
Coordinated
and distributed
• American Idol
phenomenon
Non-malicious
• A restart after power
failure can appear as DoS
Internal or
external origin
10
Signaling Flood
Compliant Signaling
Campus Branch
Enterprise Data Center
Internet
A A
A A

Oracle Solution Stops Fraud and TDoS
11

Oracle Fraud and Compliance Solution
IP Voice,
Toll Free
Hosted
Services
SIP Trunks
ENTERPRISE
Enterprise Session Border Controller (E-SBC)
• Perimeter security and DoS/DDoS protection
• Black/whitelisting and session redirect
Enterprise Operations Monitor (EOM)
• Real time monitoring and anomaly alerting
Enterprise Communications Broker (ECB)
• Core session management
• Enforces user policies and applies CAC limits
Interactive Session Recorder (ISR)
• Records sessions for security, compliance or other
requirements
Converged Application Server (OCCAS)
• Enterprise policy and application integration

Oracle Fraud and Compliance Solution
IP Voice,
Toll Free
Hosted
Services
SIP Trunks
ENTERPRISE
Enterprise Session Border Controller (E-SBC)
• Perimeter security and DoS protection
• Black/whitelisting and session redirect
Enterprise Operations Monitor (EOM)
• Real time monitoring and anomaly alerting
Enterprise Communications Broker (ECB)
• Core session management
• Enforces user policies and applies CAC limits
TDoS and Fraud
Prevention
Edge
Protection
Core
Protection
Monitoring &
investigation

Layered Protection Against Active TDoS Attacks
E-SBC (Edge)
• Dynamic call admission
control ensures service
even during overloads
• Detects, rejects non-
compliant SIP messages
• Statefully controls
legitimate registrations
• Priority for emergency
service calls
ECB (Core)
• Dynamic call admission
control protects against
internal overloads and
attacks
• CAC thresholds per
element tailors
protection for each
session agent
EOM (Monitor)
• Detects anomalous
behavior in real time
and issues alerts
• Configurable thresholds
per element and traffic
type
14

Layered Protection Against Active Fraud Attacks
E-SBC (Edge)
• Blacklisting blocks
known fraudulent
destination ranges
• Whitelisting enables
exceptions
• Rate limiting minimizes
fraud losses
• Session redirect
provides routing for
blocked calls
ECB (Core)
• Fine grain user policies
complement E-SBC
black/white listing
• Control calls by From/To
address and time of day
• User authentication via
Active Directory
interface
• Enforce call recording
requirements
EOM (Monitor)
• Detects anomalous
behavior in real time
and issues alerts
• Configurable thresholds
per element and traffic
type
• Drill-down analysis,
troubleshooting and
investigation
15

Protect Against Reconnaissance and Enumeration
• Deploy an E-SBC to hide network
topology
– Segment traffic at border router so Web
DoS won’t impact SIP services
• Deploy Acme Packet SIPshield
– Drops messages containing the
identifying characteristics of known
malicious tools (e.g. SIPVicious)
• Disable FTP, Telnet and ICMP on
external E-SBC links
16
Data
Applications
Real Time
Communications
Service Provider
Network
ENTERPRISE

Other Steps to Prevent Fraud and Mitigate TDoS
 Know your network baselines
 Use EOM to detect traffic pattern changes
 Traffic spikes to or from specific destinations
 Identify service provider security contact (who to call when under attack)
 Use strong passwords in SIP endpoints and UC clients
 Deploy software patches for all communications systems
 Regularly review call detail records for patterns of service theft
17

Use EOM to Monitor Traffic in Real Time
Secure the Network Perimeter with an E-SBC
Be vigilant and prepared!
18
Protect Your Communications Network from Threats
Control the Network Core with ECB

Communications Security: A Blueprint for
Enterprise Session Border Controller
Deployments (whitepaper)
Oracle Communications Fraud and
Compliance Solution (solution brief)
UC Security: What You Don’t Know Can
Hurt You, by Nemertes Research
Resources
Enterprise Communications
Academy Webcast Series
How Open Architectures and APIs are
Modernizing Call Recording
Wednesday, November 30, 2016
11:00 am PST / 2:00 pm EST

Are You Vulnerable to IP Telephony Fraud and Cyber Threats?

Are You Vulnerable to IP Telephony Fraud and Cyber Threats?

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (16)

Similar to Are You Vulnerable to IP Telephony Fraud and Cyber Threats?

Similar to Are You Vulnerable to IP Telephony Fraud and Cyber Threats? (20)

Recently uploaded

Recently uploaded (20)

Are You Vulnerable to IP Telephony Fraud and Cyber Threats?