Thesis
Protecting the Voice Channel
Overview
In a world where cybersecurity has become a critical business priority, and organizations in every industry across the globe have directed significant investment into the people, policies and technology infrastructure charged to protect and defend against a broad spectrum of threat vectors, it is beyond belief that one of the main doorways between business and the public has been left open and unguarded…
in essence, there is a gaping hole in most organizations’ Cyber Defense Strategy.
TABLE OF CONTENTS
a quick note about our use of the FAIR model
We refer to and incorporate the principles and concepts of the FAIR Institute’s FAIR model as we discuss the potential risks and impacts of unwanted and nefarious voice traffic (phone calls).
Throughout this article, when we use the FAIR model, we will use this symbol: 
Originally created by Jack Jones, the FAIR model provides a standard taxonomy and ontology for information and operational risk.
FAIR, short for “Factor Analysis of Information Risk,” is the only international standard quantitative model for information security and operational risk.
Each and every organization or enterprise is inherently at risk on a number of levels. FAIR is a methodology used to quantify and manage these varying levels of risk.
For more information on the FAIR Model, Click Here
The entire scenario is daunting; let’s review some numbers
Worldwide cybercrime costs will hit $6 trillion annually by 2021.
– Cybersecurity Ventures
40 percent of IT leaders say cybersecurity jobs are the most difficult to fill.
– CSO Online
The United States experiences the highest data breach costs in the world, at $8.64 million on average.
– IBM
68% of business leaders feel their cybersecurity risks are increasing.
– Accenture
The most expensive component of a cyber attack is information loss at $5.9 million.
– Accenture
50% of large enterprises (> 10,000 employees) are spending $1 million or more annually on security, with 43% spending $250,000 to $999,999, and just 7% spending under $250,000.
– Cisco
More than 70 percent of security executives believe that their budgets for fiscal year 2021 will shrink.
– McKinsey
The average cost per lost or stolen record per individual is $146.
– IBM
Do you remember when you didn’t have to go through Security at the airport?
Years ago, when we traveled by plane, there was no such thing as TSA. We would arrive at the airport, check our bags and sit and wait to board our plane for our destination with excitement and anticipation. And then the World shifted. The bad guys figured out that they could inflict damage and pain by exploiting an unguarded, unmonitored doorway.
RESISTANCE STRENGTH
this is an example of very low Resistance Strength
CONTACT FREQUENCY
as our Resistance Strength has increased, our Contact Frequency has been reduced
Today, we all have our gripes about TSA, but the security checkpoint at the airport is now expected and normal…and since its inception, we have seen very few incidents in the friendly skies.
CONTACT FREQUENCY
as our Resistance Strength has increased, our Contact Frequency has been reduced
The Gaping Hole
Similar to our airport security example, there is an obvious, open doorway in every organization, of every size and in every location, and no one is guarding it, or monitoring it…and the bad guys know it. In fact, the bad guys have grown exponentially, and they are creating more and more problems. The cost impact is scary.
PRIMARY LOSS
another example of very low Resistance Strength
RISK
the probable frequency and probable magnitude of future loss is significant
But let’s level-set. The Gaping Hole is your Phone Network, otherwise known as your Voice Network. But here’s the rub; it’s not about the technical infrastructure itself. There are effective solutions to protect the hardware and software. The issue at hand is the calls, or traffic that is going across the Voice Network (both in and out).
RISK
the probable frequency and probable magnitude of future loss is significant
Within the traffic that the goes in and out of your organization 24 x 7 x 365 are a host of threats. Hackers, bad actors, cyber thieves and vishers are actively infiltrating your voice network with no fear of being stopped, because the huge majority of cybersecurity measures, in relation to your telephony infrastructure, are protecting that infrastructure (hardware and software) from being compromised technically. The calls going in and out are almost completely unchecked!
But let’s be clear, the bad actors who are calling into your organization have three key directives:
- Get a human to answer the phone
- Get a human to engage
- Acquire information from that human
Here are a couple more facts to be aware of:
CONTACT FREQUENCY
tactics and bad actors are rapidly increasing
%
of cybersecurity breaches are caused by human error.
– Cybint
11 million
average number of files employees have access to.
– Varonis
%
of all sensitive files are accessible to all employees.
– Varonis
$137,000
average increase in the cost of a data breach due to remote work.
– IBM
%
of organizations have experienced a breach due to remote workers.
– Malwarebytes
This Issue is More than Robocalls
One of the widely used tactics the bad guys employ is the robocall. But there are many other tactics at their disposal, including Call Spoofing, Spam Storms, Vishing and Scam Calls.
CONTACT FREQUENCY
Unwanted Callers have the possibility of posing a threat to your people and organization
THREAT EVENT FREQUENCY
the bad actors are more efficient, more targeted and striking at an increased volume
Do not be fooled by thinking that these nefarious calls are done by some form of automation. In fact, the most sophisticated and effective tactics are executed by real people calling into your organization. These bad actors are professional and well spoken, and their job is to make contact, gain their target’s confidence and get the information they need to enable their nefarious goals.
THREAT EVENT FREQUENCY
the bad actors are more efficient, more targeted and striking at an increased volume
Information gained by making contact with one of your employees is how a breach begins. Whether a direct attack, vishing scam, phishing scam, smishing scam, TDoS attack, ransomware attack or other attack, all of these are initiated with human contact.
VULNERABILITY
armed with your information, Vulnerability skyrockets along with your potential for loss
So, stop answering the phone
All of us have seen the warning signs of this problem. In our personal lives, many of us have simply stopped answering our phones when we receive a call from a number that we don’t know. By letting these calls go to voicemail, we can screen or filter our calls quite effectively.
In fact, according to Neustar, consumers have stopped answering their phones at a staggering rate and this is negatively impacting businesses who are trying to connect with consumers:
Close to 90% of calls from businesses to consumers go unanswered
CONTACT FREQUENCY
unwanted and nefarious calls are increasing, creating more opportunity for breach
“That’s largely due to robocalls, call spoofing, and fraud. In 2020, there were 45.9 billion robocalls in the U.S., and 45 percent of those were scams. In fact, the Federal Trade Commission (FTC) received more than 2.2 million reports about fraud in 2020, with losses nearing $3.3 billion.”
CONTACT FREQUENCY
unwanted and nefarious calls are increasing, creating more opportunity for breach
But corporations, government offices, healthcare providers, legal firms, financial services firms, school districts, higher education, retailers, non-profits and other professional organizations have no choice, they must answer the phone. And the bad guys know it…and are counting on it.
RISK
bad actors are counting on you answering the phone and being focused on responding to callers
CONTACT FREQUENCY
Robocalls, Spoof Calls, Vishing, Smishing and Spam Calls are growing nefarious tactics
More About the Gaping Hole
The bad guys are using your voice network for a variety of damaging activities. Robocalls, Spoof Calls, Vishing (Voice Phishing), Smishing (SMS Phishing) and Spam Calls put a name to many of the base tactics, but the real issue is what the bad actors are gaining from these efforts.
CONTACT FREQUENCY
Robocalls, Spoof Calls, Vishing, Smishing and Spam Calls are growing nefarious tactics
They are gaining information about your people and your intellectual property (IP). As part of a methodical, professionally managed and coordinated attack plan, the bad guys discover the information they need to breach your organization, bit by bit, human-by-human. This information is then used in an attack or sold on the dark web to other bad guys who will then work to attack your organization.
VULNERABILITY
through the phone, the bad actors gain access to the data and information that fuel security incidents
THREAT EVENT FREQUENCY
security incidents are getting worse, coming in multiple forms, including TDoS, Ransomware and Fraud
Again, the bad guys are using multiple tactics to use a phone call to do harm to your organization. Whether it is a Direct Attack, Vishing, Smishing, Social Engineering, TDoS, Ransomware or any number of nefarious acts, the impact is the loss of significant time, money, brand credibility, IP and more.
THREAT EVENT FREQUENCY
security incidents are getting worse, coming in multiple forms, including TDoS, Ransomware and Fraud
The Risks are Real, and CISO’s have their hands full
In Proofpoint’s 2021 Voice of the CISO these findings were presented:
%
of CISOs feel their organization is at risk of suffering a material cyber attack in the next 12 months. At a 20% rate, this risk is high.
%
of CISOs do not believe that their organization is prepared to cope with an attack.
%
of successful cyber attacks require some level of human interaction. Meaning the degree of risk posed by users is significantly underestimated.
%
of CISOs have seen more targeted attacks since enabling widespread remote working.
“It’s not unusual for cybersecurity to feel like a high stakes game of whack-a-mole. But it’s much harder to play when you’re also tasked with security across hastily deployed remote environments and employees ill-prepared to work there.”
Is Your Organization Covered?
Do you check the traffic going across your voice networks?
Are you monitoring or filtering your voice traffic in order to stop the bad guys?
If you are thinking about your “no call” list, you are not even scratching the surface. And no, STIR/SHAKEN is not the solution, as carriers simply flag a call record. Each individual organization has the responsibility to determine what to do about these flagged calls.
Let’s Review Some of the Real Risks
Remember, Robocalls, Spoof Calls, Vishing (voice phishing) and Spam Calls are the tactics. Let’s look at some of the impacts that are enabled by these unwanted and often nefarious calls:
88% of organizations worldwide experienced spear phishing attempts in 2019.
– Proofpoint
22% of breaches involved phishing.
– Verizon
The average cost of a ransomware attack on businesses is $133,000.
– SafeAtLast
The GDPR fines totaled $63 million in its first year.
– GDPR.eu
Data breaches exposed 36 billion records in the first half of 2020.
– RiskBased
Personal data was involved in 58% of breaches in 2020.
– Verizon
Ransomware detections have been more dominant in countries with higher numbers of internet-connected populations, and the U.S. ranks highest with 18.2% of all ransomware attacks.
– Symantec
Damage related to cybercrime is projected to hit $10.5 trillion annually by 2025.
– Cybersecurity Ventures
86% of breaches were financially motivated and 10% were motivated by espionage.
– Verizon
The average ransomware payment rose 33% in 2020 over 2019, to $111,605.
– Fintech News
Phishing attacks account for more than 80% of reported security incidents.
– CSO Online
Ransomware damage costs will rise to $20 billion by 2021 and a business will fall victim to a ransomware attack every 11 seconds at that time.
– Cybersecurity Ventures
There is
a Solution
We know how many of the bad guys there are. We have a database of these folks, and our database is growing every day.
We have a Voice Traffic Filter that monitors both calls coming in and calls going out, bounces those calls against our database of bad guys, and then passes the good calls through while eliminating the bad calls.
To continue the Airport Security analogy, the Filter can be likened to a TSA checkpoint, where multiple tools and processes are used to inspect both travelers and their luggage.
By eliminating calls from the bad guys, we are immediately and significantly reducing the risk of attack, the risk of breach and the risk of compromise.
One more important point: Each organization that uses the Voice Traffic Filter has complete control over the phone numbers that are excluded or allowed through a state-of-the-art, simple to use client interface.
The bottom line is that the Voice Traffic Filter slams the Gaping Hole shut. The Filter serves to guard, monitor and protect your Voice Network.
Do you know the size of the problem in your organization?
From the Mutare Index of Unwanted Voice Traffic, our proprietary database of unwanted calls, we have summarized the Average Percentage of Bad Traffic:
ALL Industries:
%
Higher Education:
%
Legal:
%
Healthcare:
%
Government:
%
Manufacturing:
%
Financial Services:
%
Technology & Innovation:
%
Retail:
%
Utilities & Energy:
%
Other:
%
Last Updated December 12th, 2022
Through this free assessment you will be able to identify and quantify your current risk within the FAIR framework.
This assessment brings together qualitative insights and information, and quantitative data and metrics which have been sourced from reputable industry institutions, Mutare’s proprietary research, Mutare’s proprietary dynamic database of unwanted voice traffic, and from you, our client.
We have done our best to assemble and consolidate meaningful, relevant information to help you and your organization understand unwanted voice traffic:
First, to provide visibility & insight into your voice infrastructure.
Specifically, through this assessment you will get the facts about the traffic traversing your voice network. We begin with the highest level of segmentation of Wanted Calls (good traffic) and Unwanted Calls (bad traffic).
First, to provide visibility & insight into your voice infrastructure.
Specifically, through this assessment you will get the facts about the traffic traversing your voice network. We begin with the highest level of segmentation of Wanted Calls (good traffic) and Unwanted Calls (bad traffic).
Second, to provide clarity & perspective on the impact of Unwanted Calls.
As we delve into understanding voice traffic, we believe in a pragmatic, business-centric approach. Our intent is to present you with the facts and then help you view those facts from multiple perspectives, or lenses.
Second, to provide clarity & perspective on the impact of Unwanted Calls.
As we delve into understanding voice traffic, we believe in a pragmatic, business-centric approach. Our intent is to present you with the facts and then help you view those facts from multiple perspectives, or lenses.
APPENDIX
FAIR Model & Definitions
What Is the FAIR Institute?
The FAIR™ (Factor Analysis of Information Risk) cyber risk framework has emerged as the premier Value at Risk (VaR) framework for cybersecurity and operational risk. The FAIR™ Institute is a non-profit professional organization dedicated to advancing the discipline of measuring and managing information risk.
It provides information risk, cybersecurity and business executives with the standards and best practices to help organizations measure, manage and report on information risk from the business perspective. The FAIR™ Institute and its community focus on innovation, education and sharing of best practices to advance the FAIR™ cyber risk framework and the information risk management profession.
The FAIR Model
Originally created by Jack Jones, the FAIR model provides a standard taxonomy and ontology for information and operational risk.
What is FAIR?
If you’re new to the Institute, you may be wondering what this term means. FAIR, short for “Factor Analysis of Information Risk,” is the only international standard quantitative model for information security and operational risk.
Why would my organization want to use FAIR?
Each and every organization or enterprise is inherently at risk on a number of levels. FAIR is a methodology used to quantify and manage these varying levels of risk.
RISK
The probable frequency and probable magnitude of future loss
LOSS EVENT FREQUENCY
The frequency, within a given timeframe, that loss is expected to occur
THREAT EVENT FREQUENCY
The frequency, within a given timeframe, that threat agents are expected to act in a manner that could result in loss
VULNERABILITY
The probability that a threat event will become a loss event
THREAT CAPABILITY
A measure of how capable threat agents are to compromise your systems and the level of force they are able to apply
RESISTANCE STRENGTH
A measure of how difficult it is for a threat actor to inflict harm (a.k.a. difficulty)
SECONDARY LOSS EVENT FREQUENCY
The percentage of time that secondary stakeholders are likely to react negatively to an event
CONTACT FREQUENCY
A measure of how often threat actors come in contact with your organization
Probability of Action
A measure of the probability of a threat actor exploiting a vulnerability
PRODUCTIVITY LOSS
Loss that results from an operational inability to deliver products or services
RESPONSE COSTS
Loss associated with the costs of managing an event
REPLACEMENT COSTS
Loss that results from an organization having to replace capital assets
COMPETITIVE ADVANTAGE LOSS
Losses resulting from intellectual property or other key competitive differentiators that are compromised or damaged
FINES AND JUDGMENTS
Fines or judgments levied against the organization through civil, criminal, or contractual actions
REPUTATION DAMAGE
Loss resulting from an external stakeholder perspective that an organization’s value has decreased and/or that its liability has increased