The following is an expert of a Q&A with our CTO Roger Northrop that was first published on cybernews.com.
The full article can be viewed HERE
It’s pretty obvious, that while the two parties are communicating the third one is not welcome. For that to be achieved, communication must be done in a secure way.
When speaking about privacy, downloading a VPN provider’s app of your preference is a task you should never overlook, but most of the time it’s not enough. Practice shows, that the best way to reduce the attack surface of the voice network and enhance the communication experience is by building multi-layer protection against undesirable traffic.
But what better way to truly understand it all, than by learning it from the experts. For this reason, we reached out to Roger Northrop, COT of Mutare, to discover more about how secure communication can be achieved and what makes us vulnerable to vishing attacks.
How did Mutare originate? What has your journey been like throughout the years?
Mutare started in 1989 as a small boutique software shop that wrote custom IVR software. Over the years we grew into the Unified Communications space, then specifically into the broader Messaging space, and now are focusing on the Voice Security space.
Can you introduce us to your Mutare Voice Traffic Filter? What technology do you use to secure communications?
Security practices should incorporate multiple layers of defense to create a robust security mesh that reduces the risk surface of the voice network. The most basic layer involves an analysis of call traffic patterns in an organization to provide visibility and insight into the voice network infrastructure. Every organization has different traffic patterns, so the first layer is used to find unusual traffic. Another layer is used to match caller numbers against multiple databases that track suspicious calls from around the planet.
A voice traffic filter builds upon these layers to eliminate unwanted calls. Organizations can also set up their own custom rules for specific call numbers and geographies. In this way, they can decide which calls to let through and which ones to send to a block list. The Mutare Voice Traffic Filter addresses the growing threat of both nefarious and nuisance phone traffic, protecting the open door of vulnerable collaboration platforms and enterprise voice networks.
The three key benefits of using the Mutare Voice Traffic Filter include reducing contact frequency, reducing threat event frequency, and reducing primary losses. In addition, the filer stops bad actors from making first contact with employees, removes calls that distract employees, and lifts workforce productivity.
What practices can make a company especially vulnerable to vishing attacks?
More phone calls are being transmitted by digital protocols today, rather than over physical analog lines, due to the prevalence of online VOIP communications and session initiation protocols (SIPs). However, this evolution has provided hackers with new pathways to infiltrate organizations through their voice networks and pull off vishing attacks.
Nefarious voice traffic vishing attacks are up by over 500% since last year, but most security and IT pros still don’t protect voice infrastructure as a critical attack surface. Security tools are primarily focused on the data network for web and email, but the voice network is easily infiltrated through vishing, smishing, or spear-phishing attacks that exploit social engineering tactics against employees as the weakest link.
Many business leaders, IT executives, and security professionals are unaware of the risks stemming from unwanted voice traffic, but every call into an organization is either wanted or unwanted. The goal should be to protect against unwanted robocalls and voice phishing scams that trick employees into giving away private information or network access over the phone. Market awareness is growing to block nuisance calls for the sake of staff productivity, but attention is now also turning to stopping nefarious fraud calls from ever reaching the voice network.
How did the recent global events affect your field of work? Were there any new challenges you had to adapt to?
The pandemic has upended office routines based on the trend of working from home and the resulting remote workforce. To help bring employees together, most organizations have adopted collaboration platforms such as Microsoft Teams, Google Meet, Cisco WebEx, and Zoom.
These new collaboration tools have changed how hybrid workforces come together and interact on digital channels including chat, video, document sharing, video conferencing, and voice calls. This shift has greatly increased employee productivity, but it has also introduced unintended threats to the security of voice networks that support the various collaboration platforms.
This problem is magnified by the many different types of collaboration apps now in use for both internal and external communications. The explosion of telephony-based collaboration platforms is creating a new pain point when people reroute phone calls through Teams and the like.
For example, a company that relies on Microsoft Teams for its internal video conferencing may have the system completely protected, but that sense of security disappears whenever an employee makes or receives an external call. The threat surface to the company’s voice network expands each time someone holds a meeting on a customer’s external Zoom line, or when they receive direct business calls on their personal cell phones.
What types of threats do you find the most concerning nowadays?
We have identified five main types of threats that are most concerning for voice network security, including:
TDoS Attacks – These attacks attempt to make a telephone system unavailable to the intended users by preventing incoming and/or outgoing calls. The objective is to keep the distraction calls active for as long as possible to overwhelm the victim’s telephone system, which may delay or block legitimate calls for service, including emergency response and call centers.
Ransomware Attacks – The increase of ransomware on mobile devices is particularly disturbing for organizations that allow employees to use their personal mobile devices in the workplace (BYOD). Security experts have found examples of ransomware being transferred from a mobile device to a networked system via corporate Wi-Fi, which can happen by employees clicking on a malicious text message link.
Data Theft/Breach – As the industry saw with the Robinhood data breach originating from a vishing attack, once criminals convince employees to share critical information over the phone, they can gain unwanted access to critical customers, employees, and stakeholder data.
IP Theft – IP theft can quickly occur via human error to steal company ideas, projects, inventions, and other intellectual property—which can include trade secrets, patents, and proprietary software.
Identity Theft – Spear-phishing attacks that use social engineering vishing/smishing and automated robocalls can be an easy way to impersonate a company executive to gain access to key files or data.
In your opinion, what are some of the most important practices every modern company should adopt to protect their networks?
One thing we have always emphasized is that all calls are either wanted or unwanted. The goal is to block the unwanted calls and receive the wanted calls. To do so, new CAPTCHA technologies are being applied across voice networks to effectively identify bad callers and block those calls until more data can be gathered.
Much like website CAPTCHAs that require us to click on an image or answer a question to prove we are not robots, security teams can send questionable phone calls to a CAPTCHA that will literally quarantine the call and analyze whether it is human or a bot. When the CAPTCHA confirms a call is coming from a bad number, the organization can just drop it. That one step of sending calls to a CAPTCHA eliminates 75% of nefarious calls while allowing users to mitigate the risk of false positives. To supplement the CAPTCHA defense strategy, organizations can build in software dials and knobs to further customize their voice security rules.
Companies also need to implement comprehensive security awareness training to protect against bad calls that actually get through to employees. In such cases, red flags should immediately go up to warn users not to give out any info, and to just stop the call.
What are cybercriminals usually trying to gain by sending malicious voice messages? What were the most interesting cases you’ve encountered?
In one recent instance, a global pharmaceutical company with 48,000 employees and annual revenue of $56.2 billion was pilot testing the integration of voice functionality into their existing Microsoft Teams collaboration hub when they uncovered a significant problem. Prior to installing Teams, incoming phone calls rang on standard desk phones, and unwanted calls were sent to voicemail, making them a non-issue. But with Teams, every incoming call simultaneously rang on each user’s connected devices – all of them at once, not just on the phone.
The test users were unable to control the chaos as each incoming call rang their laptop and desktop computers, tablets, desk phones, and cell phones. It quickly became clear that the collaboration platform had expanded the threat surface of the company’s voice network and introduced unintended new security vulnerabilities.
By deploying a smart voice traffic filter, the drugmaker was able to optimize its investment in the Microsoft Teams collaboration platform while removing unwanted inbound traffic from nuisance callers and dangerous nefarious callers. The pharma company’s call traffic over the course of one month showed that 13.7% of inbound calls were coming from spammers and robocallers.
By blocking so many unwanted calls from ever hitting the voice network, the pharma company calculated a 239% return on its Teams investment and annual cost savings of $407,000 due to increased productivity. The pharmaceutical industry is not alone in facing this unexpected new concern during the pandemic. Our analysis of the data extrapolated from all vertical industries reveals that 8.7% of all calls to large organizations are unwanted, meaning that such voice traffic comes from either nuisance calls or nefarious calls.
Let’s say a malicious message did slip through the cracks. Could you give us a few tips on how to identify a vishing attempt?
A common VOIP security technology is known as a session border controller or SBC which serves as a voice network firewall for most organizations. Many security leaders who use SBCs overlook the need for voice traffic filters, but an SBC firewall does not examine the behavior of incoming calls or compare each call with other calls to determine the level of risk exposure.
In addition, most organizations employ intrusion detection systems (IDS) and intrusion prevention systems (IPS) to protect their data networks. But many organizations wrongly assume that these firewall protections are enough, while also relying on their carriers or cloud providers to further safeguard their voice networks. Yet no type of IDS or IPS exists to protect phone calls and employees from vishing attacks.
In many vishing attacks, the threat actor is looking to steal everything by targeting some low-level person in customer service. The call may be spoofed to appear as their own company’s IT department calling on the caller ID. They don’t know who it is from the IT dept.
The attacker may falsely claim the company is under attack and it is coming from the employee’s line in the contact center. Under such pressure, the attacker may demand and receive the user’s name and password and need it right now. That is a nefarious vishing attack looking to get your credentials to penetrate a low-level system to get to more valuable assets. That is what a vishing attack can look like. There are many ways to fish, but all are socially engineered attacks based on false info to make users think they are conversing with a trusted employee.
Would you like to share what’s next for Mutare?
We will continue to be the premier solution for securing voice traffic across both Enterprise and Voice Providers. We are taking our full Voice Traffic Filter system to a full API, which will open the way for savvy developers in large enterprise companies and voice providers to accelerate the way they need to secure their voice networks for their voice users with greater flexibility than their customers and users demand.
Read the Full Article HERE
About Roger Northrop
Roger Northrop has a passion for emerging technology and developing new ways to help business communicate better. He infuses his role with the same kind creativity that fueled his “early days” work as a musician, actor, photographer, 3D animator and designer. That was before he met the president of Mutare, struck up a conversation that revealed his inner nerd, and was recruited to join the other brains on Mutare’s development team.
Roger examines how emerging technology affects today’s business world and how Mutare can best equip their enterprise customers with solutions that solve their most complex challenges. In his role as CTO, Roger is responsible for driving those innovation through R&D activities in Mutare Labs, monitoring industry trends and leveraging leading-edge and emerging technologies to bring the newest innovations to customers.
Aligning his entrepreneurial attitude with Mutare’s “start-up” culture, Roger assumes the role of Mutare’s technology ambassador and expert resource for customers and partners, but always with the goal of ensuring that the voice of the customer is incorporated into every stage of Mutare’s product development, continuous improvement and quality control processes.