In the 1970s, phone phreaking was all the rage—just find the right frequency and you could manipulate a pay phone to call anywhere in the world for free. It wasn’t until the 1990s, when digital switching and multiband signaling were implemented, that phreaking fell out of popularity. But being able to manipulate communications channels never went out of style, and today, with a multitude of interconnected networks, breaking into your customer-service operation may be easier than you think.

We all know how important security is, not only for our networks but also for the interconnected devices, data, Web servers, communication ports, etc. that run on the network. Aside from damage to data, a security breach can have an enormous impact on a company, damaging credibility, reputation, sales and profitability.

Customer-service providers have unique security risks, simply due to the number of daily processes that are completed electronically. Any threat to the network or system has an immediate impact on the company’s ability to offer consistent and high-quality customer care. And when you can’t provide the only service you offer, it can have devastating results.

One of the most common ways to access a company’s traditional phone environment and internal data network is through an unsecured enterprise voice network. While companies spend a lot of time and effort securing data networks, voice networks often have vulnerabilities that provide access to the data network through a “back door” approach. As traditional voice environments migrate to voice over Internet Protocol (VoIP) or IP telephony, existing voice security threats are extended to include VoIP vulnerabilities as well.

The front end of most customer-service operations, such as telephone banking or travel ticket booking, has security vulnerabilities of its own.
Systems like private branch exchanges (PBXs), interactive voice response (IVR) systems, and automatic call distributors (ACDs) can act as access points to the network if not secured. For example, a “spoofer” can use dual-tone multifrequency (DTMF) signaling to detect passwords to commit theft of services or access private information. Organizations can employ technologies for caller identification and authentication to deter spoofing, but even these can be manipulated; spoofers are now able to place calls quickly and easily via new Web-based interfaces.

To truly secure a networked enterprise infrastructure, a company’s entire voice platform should be evaluated. But for those implementing a new voice platform, it’s easiest just to compare your options against the ideal.

Evaluating the Right Security Solution

Following the same security practices across your entire enterprise will go a long way in keeping a network safe. So the first step in evaluating a voice platform is to determine if it can leverage the same security systems already in place on the network level. Determine if the security systems in place provide for:

1. Protection of stored data: The protection of personal and financial customer information should be the most important goal of any customer-service security plan. Leverage known storage systems, such as enterprise databases from Oracle or Microsoft, that can be configured to provide a high degree of secure data storage, which decreases the need to secure your storage and reporting databases separately. It’s also important to understand how configuration data and administrative access to the voice network are managed. For example, a database that uses Lightweight Directory Access Protocol (LDAP) for secure access will be more secure than one without. Also consider access to Web-based back-end systems that allow you to leverage the security functionalities already in place.

2. Restricting unwanted access to servers and systems: Clearly, unauthorized people cannot be allowed to gain access to server functions. But securing this is easier than you think. With the right voice platform, you can limit server access through the capabilities provided to the servers from the operating system and existing network security tools. Then, simply utilize the login functionality provided by the operating system. Again, access from unauthorized users is the biggest threat to your communications systems. Isolate servers and use firewalls to limit access to minimize the risk of unwanted access. Also, encrypt information that is being communicated. Look for a voice platform that fully supports HTTPS for all communications between the system and the server.

3. Controlling administrative access to servers: Security issues can be minimized by using a voice platform that provides access control appropriate to each task that is to be performed. An LDAP-based hierarchical login function provides multilevel access to administrative and reporting functions.

4. Preventing denial-of-service attacks: Although denial-of-service attacks rarely result in theft of information, they can bring a voice system down, or severely restrict its usability. Look for a voice platform that can decrease the risk of denial-of-service attacks by exiting the application if:

- a certain number of prompts play without asking for caller input;
- a sub call-flow is deeper than a certain level;
- an application runs JavaScript for a certain number of seconds without asking for caller input; or
- an application fetches a certain number of pages without any prompt playing.
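
The four exit conditions listed above, sketched as a per-call guard that a voice application runtime could consult after every event. This is an added example, not code from the article or from any voice platform; the class, event and field names are hypothetical and the threshold values are assumptions, since the article gives no numbers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Limits:
    # Threshold values are assumptions; the article only says "a certain amount".
    max_prompts_without_input: int = 5
    max_subflow_depth: int = 8
    max_script_seconds: float = 10.0
    max_fetches_without_prompt: int = 20

class CallFlowGuard:
    def __init__(self, limits=Limits()):
        self.limits = limits
        self.prompts = self.fetches = self.depth = 0
        self.script_seconds = 0.0

    def observe(self, event, value=0.0):
        """Record one event; return the name of the exceeded limit, or None."""
        if event == "input":            # caller responded: input-based counters reset
            self.prompts, self.script_seconds = 0, 0.0
        elif event == "prompt":         # a prompt played: fetch counter resets
            self.prompts, self.fetches = self.prompts + 1, 0
        elif event == "fetch":
            self.fetches += 1
        elif event == "script":         # value = seconds of script execution
            self.script_seconds += value
        elif event == "enter_subflow":
            self.depth += 1
        elif event == "exit_subflow":
            self.depth = max(0, self.depth - 1)
        lim = self.limits
        checks = [
            ("prompts_without_input", self.prompts, lim.max_prompts_without_input),
            ("subflow_too_deep", self.depth, lim.max_subflow_depth),
            ("script_time_without_input", self.script_seconds, lim.max_script_seconds),
            ("fetches_without_prompt", self.fetches, lim.max_fetches_without_prompt),
        ]
        return next((name for name, seen, cap in checks if seen > cap), None)

def run_session(events, limits=Limits()):
    """Replay (event, value) pairs; return (index, reason) where the call is ended."""
    guard = CallFlowGuard(limits)
    for i, (event, value) in enumerate(events):
        if reason := guard.observe(event, value):
            return i, reason
    return None

# Constructed trace: after one prompt/input exchange the application only fetches pages.
LOOPING_APP = [("prompt", 0), ("input", 0)] + [("fetch", 0)] * 25
```

A normal dialog that alternates prompts and caller input never trips the guard, because each counter resets on the event that shows the call is still making progress.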

For network managers, it can be difficult, if not impossible, to keep up with security requirements across a multitude of platforms and applications. A voice platform that leverages existing security systems plays a big part in decreasing the time and effort needed to maintain effective security. For customer-service providers, having the peace of mind that comes with decreased vulnerability is beneficial on many levels. It also builds trust among customers who are more comfortable doing business with a company that truly protects its customer data.

A well-designed voice infrastructure should address platform-level security, configuration-level security, and voice application security. Although these systems must be protected, it should not come at the cost of customer convenience. It is imperative that organizations implement a comprehensively secure voice infrastructure that leverages the customer-centric benefits of the latest voice technologies while still ensuring the maximum protection.

Mayur Anadkat is senior product marketing manager at Genesys Telecommunications Laboratories. Prior to joining Genesys, he held a variety of roles in field and product marketing at Avaya, Hyperion, and Visa.

Please note that the "Sounding Board" articles appearing on speechtechmag.com represent the viewpoints of their respective authors and not necessarily those of Speech Technology magazine or its editors. If you would like to submit a "Sounding Board" for consideration, please email lklie@infotoday.com.