In the process of doing some research on another project, I noticed an article about SNMP. The article mentioned how one percent of system administrators are inadvertently leaving SNMP available to be read over the Internet. While I have not seen an abundance of VoIP configurations that are accessible from the Internet, let alone using SNMP, I have noticed several default public and private strings during internal assessments and used this seemingly small oversight to enumerate the VoIP targets further. The SNMP article and memories of past assessments brought to mind the concept of low-hanging fruit and how it has been helpful in enumerating VoIP systems during an assessment.
The first thing a VoIP administrator should do to protect their network is to remove the low-hanging fruit (LHF): default passwords, default configurations, open ports, unused services, unpatched systems, and of course default public and private community strings for SNMP, just to name a few. LHF is like an unlocked door: it gives any would-be attacker an easy point of entry that is easily mitigated yet often overlooked.
While eliminating the LHF won’t make your VoIP network safe, it is the first of many steps towards a secure VoIP environment. For the next several steps to secure VoIP networks, there are many sources of information available to administrators. These include vendor information, security publications, and blogs like this one, which can help you determine a methodology to implement at your organization to protect your VoIP infrastructure. We all know the security landscape is constantly evolving, and it requires effort to stay abreast of new developments. If you don’t make security your concern, there are many dedicated people out there who are interested in security, albeit for a different reason, and who want to get into your network. As a VoIP administrator, you want to make it as hard as possible for those individuals to gain access, so they will hopefully lose interest in your network and find someone less diligent than you.
A VoIP network can be very complicated, and there are lots of things that can go wrong, even without the additional work of implementing and maintaining security measures. Security can be difficult to install and can also “break” things that were already working. This often makes security less than desirable for people who just want their VoIP systems to work. That is, of course, until there is a security incident and VoIP security suddenly becomes very important, whether because of a VoIP outage or a long-distance bill resulting from toll fraud that profoundly affects your organization’s bottom line. As you know, “a journey of a thousand miles begins with a single step.” Implementing and maintaining security is a journey that never ends, and the first step of many towards being secure is to eliminate the low-hanging fruit on your network.