VoIP hacks are often not considered

Nick Galea says appliance-based black-box PBXes are outdated and should be replaced

VoIP security can be costly if not addressed properly. PBX and VoIP hacking, taken together, can lose companies a large amount of money.

Security is not a one-time fix but a continuing battle, so companies and resellers must remain vigilant. This means ensuring they have secured their PBXes and applied updates to the OS as well as the PBX software itself.

The best way is to use a mainstream OS – be it Windows or Linux – that administrators know how to manage, and a PBX vendor that is committed to security and releases the security updates as needed.

Keeping up with security bulletins and applying security updates can be time-consuming with one OS, let alone two. If Windows is the organisation's platform, choose a Windows PBX to keep things streamlined; if Linux, a Linux-based PBX.

If running on Linux, choose a properly supported distribution such as Red Hat or Ubuntu.

Custom distros bundled with appliance-based PBXes can be extremely dangerous, as they are often not updated as new security vulnerabilities are discovered.

Since the idea is that the customer does not need to know what goes on inside, these appliances can lull users into a false sense of security. These can make things doubly complicated; while they might start off OK, the moment users touch the system, things deteriorate.

Attacks might not only affect the PBX itself, but also be used to launch network attacks.

Config changes, particularly if using non-standard Linux, make these systems less secure.

So beware of choosing a "black box" PBX – too many organisations deploy them and simply forget about them, creating a serious security hole.

These are the ones that are then hacked and the customer is left with the problem. Resellers can help identify these out-of-date appliances and offer an update or an alternative.

The PBX should be just another server application, not a separate black box.

Resellers need to select a PBX that they are comfortable with administering on the customer's behalf. Failing that, they need to ensure that the customer is able to administer the PBX.

So once again it is all about education, with the responsibility at the sharp end remaining with the reseller. Too many choose the easy install without considering the longer term.

Nick Galea is chief executive of 3CX