What is VoIP Penetration Testing?
Voice and data have been combined into a single network, but this has also created a new way for hackers to penetrate computer systems. The integration of voice and data has led to new security risks that must be addressed with equally new approaches to protecting data. VoIP, the voice over internet protocol, can be a new management tool for business success, or it can be a big open window into your system that is easy to enter.
VoIP penetration testing is designed to find that open window into the system and close it. Rigorous testing is done on the transmission technologies to determine where the system can be breached. One of the mistakes companies make is believing that the IP phones and related software already have enough security controls built into them and need no additional enhancements.
How can the VoIP system be compromised, or how does it allow unethical and criminal intent to be carried out? There are lots of ways, and one of them is as old as the telephone itself: eavesdropping. Inadequate security controls can also lead to attackers accessing the server data through the transmission technology, hackers stealing phone calls, service interruptions, and the use of sniffing tools.
When Manipulation is the Goal
VoIP penetration testing is a process whereby an attempt is made to purposely manipulate the VoIP system. All entry points into the WAN and/or LAN are tested and an attempt is made to gain access to the VoIP infrastructure. In other words, security experts try to penetrate the VoIP system and then use it to see how deep a hacker can get into the computer system itself.
VoIP testing can be standalone testing or it can be one step in a larger security testing program. For example, password weaknesses can be tested for the component VoIP system or for the larger company-wide system. Naturally, the broader the testing, the more secure the system will be after implementing the recommended controls.
With penetration testing, ethical hackers will attempt an authorised penetration of the computer system. Typical activities include:
* Test the ability to remotely access the data network using VoIP technologies
* Look for vulnerabilities in the system configuration that enable unauthorised access into the system
* Test protection controls at each network layer
* Test remote IP phone locations
* Test the ability to add an IP address on the VoIP system through remote access
* Attempt to enter the main servers
* Look for ways for hackers to manipulate the system at any point, including Ethernet and cabling connections
* Look for vulnerabilities that allow sniffer software to collect protocols
* Test traffic switching
* Determine if the ability exists to collect VoIP data
* Firewall testing between voice and data, including the potential for tunnelling attacks
* Wireless network security
* Testing of intrusion detection evasion capabilities
Vulnerabilities On All Levels
VoIP technology is relatively new, and the design of security controls has in many ways not kept up with the state-of-the-art technology. Yet any vulnerability in the voice and data network represents a point of vulnerability on the primary server. The only reason security for VoIP technology has not been a priority is that hackers are just now beginning to turn their attention to this new way to access company data.
Testing modern infrastructures and applications is a complex process. Finding the open window can be difficult because of the complexity of today’s systems and the ingenuity of hackers. It is amazing how often hackers are ahead of IT departments that have large budgets and highly qualified staff, and how often they are able to breach million-dollar networks from their garages.
VoIP penetration testing includes testing technical aspects of the system, analysing employee security protocols, completing IT operational assessments, interpreting testing results and making recommendations for security improvements. In other words, it is about mitigating security risks to prevent data loss at any stage.