Some of the greatest things about the telecommunications industry are the extreme creativity, rapid evolution, and constant innovation. Unfortunately, the darker side of the industry changes quickly as well. Cybercriminals are constantly finding new ways to attack and breach solutions and data.
Security is a hot topic in the communications industry today. Communications resellers carry a hefty responsibility to protect their solution, their customers, and their data. That is why security is one of our top priorities and we are committed to keeping our partners as protected as possible.
Below we discuss the many ways we focus on security in our products and solutions.
System containers are software packages that virtualize a system or solution so that it runs in an isolated environment, similar to a virtual machine. Containers come with advanced management tools and a safe, contained runtime. Container distributions such as Linux Containers (LXC) receive regular releases that include security updates.
SERVERware runs safely isolated Linux containers, giving us first access to Linux security updates. Our web UI enables users to monitor their containers and be proactive about security with tools like Control Lists, BSSUP, 2FA, and sipPROT (we will discuss each of these more below).
For software running outside of SERVERware, file-system isolation is implemented in PBXware by default.
One of the most obvious ways to keep our solutions secure is by limiting access as much as possible. We build access controls and limitations into our solutions and give users full control over how and when they grant access.
Minimal Public Access
Our developers keep our internal services as private as possible. Only the necessary services are exposed to the public Internet and the rest are bound to loopback interfaces only so they remain internal.
Sometimes it is necessary to open up access to your solution for support or maintenance, but sharing your root password is a huge security risk. Bicom Systems developed a special service called BSSUP that utilizes cryptographically-signed and time-limited SSH certificates for safer access.
SSH certificates grant access for a limited, specific amount of time – days, hours, or even minutes. Once that time has passed, the certificate expires and access is cut off, keeping your system safe and secure.
This time limit is useful not only for granting temporary access to support teams, but also for keeping credentials safe in the event of lost or stolen hardware or staff changes.
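To make the time limit concrete, here is an added example (not BSSUP code, and not code from Bicom Systems) that reads the validity window out of an OpenSSH user certificate and applies the same expiry check an SSH server makes before honouring one. The certificate it builds is a constructed, unsigned skeleton of the ssh-ed25519-cert-v01@openssh.com format, used only to show where the valid_after and valid_before fields sit; a real certificate is minted by the CA (for example with ssh-keygen -s) and ends with a signature over every preceding field, which this example neither produces nor verifies.

```python
import struct
import time

# Added example: a minimal reader for the OpenSSH certificate wire format
# (ssh-ed25519-cert-v01@openssh.com). The certificate built below is a
# constructed, UNSIGNED skeleton for illustration only; a real certificate
# carries a CA signature over all preceding fields, which is not modelled here.

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # certificate type 1 = user certificate, 2 = host certificate


def _string(b: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (bytes, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_unsigned_cert(key_id: str, principals: list, valid_after: int,
                        valid_before: int) -> bytes:
    """Assemble the certificate body up to (not including) the CA signature."""
    body = _string(CERT_TYPE)
    body += _string(b"\x00" * 32)                 # nonce (random in real certs)
    body += _string(b"\x00" * 32)                 # placeholder ed25519 public key
    body += struct.pack(">Q", 0)                  # serial number
    body += struct.pack(">I", USER_CERT)
    body += _string(key_id.encode())
    body += _string(b"".join(_string(p.encode()) for p in principals))
    body += struct.pack(">Q", valid_after)        # seconds since the epoch
    body += struct.pack(">Q", valid_before)
    body += _string(b"")                          # critical options (none)
    body += _string(b"")                          # extensions (none)
    body += _string(b"")                          # reserved
    body += _string(_string(b"ssh-ed25519") + _string(b"\x00" * 32))  # CA key
    return body


def parse_validity(cert: bytes) -> dict:
    """Extract key id, principals and the validity window from a certificate."""
    cert_type, off = _read_string(cert, 0)
    if cert_type != CERT_TYPE:
        raise ValueError("unsupported certificate type: %r" % cert_type)
    _nonce, off = _read_string(cert, off)
    _pubkey, off = _read_string(cert, off)
    off += 8 + 4                                  # skip serial and type
    key_id, off = _read_string(cert, off)
    raw_principals, off = _read_string(cert, off)
    principals, p = [], 0
    while p < len(raw_principals):                # nested list of strings
        name, p = _read_string(raw_principals, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", cert, off)
    return {"key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def is_within_validity(cert: bytes, now: int) -> bool:
    """The time check a server applies (after signature verification) before
    honouring a certificate: valid_after <= now < valid_before."""
    v = parse_validity(cert)
    return v["valid_after"] <= now < v["valid_before"]


if __name__ == "__main__":
    issued = int(time.time())
    cert = build_unsigned_cert("support-session", ["support"], issued, issued + 7200)
    print(parse_validity(cert), is_within_validity(cert, issued + 3600))
```

The validity window is part of the signed body, so a holder cannot extend it without invalidating the signature; the server simply refuses any certificate whose window does not contain the current time, which is what makes the access self-expiring.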
Our solutions give users the ability to manage API access in a number of ways, with the system defaults designed to offer protection wherever possible.
We allow users to create multiple API keys so that the same one is not used in multiple areas. Once those keys become inactive they can be automatically suspended so no access is left open unnecessarily.
Furthermore, system administrators have full control over access by IP address and hostname.
The Web UI in all of our solutions includes an Activity Log that tracks all actions performed across the system. This allows for accountability and the ability to quickly identify anyone that should not have access.
Our solutions will automatically lock if a password is entered incorrectly a given number of times. This applies not only to our main web interfaces, but also to specific applications that may contain private data like Voicemail or gloCOM.
Passwords and 2FA
A new default password is auto-generated for every single installation of our internal software components. There is no default password anywhere in our software (or ISOs) that would give access to other instances or systems.
Our web interface gives full control over admin, user, and endpoint passwords, with protections in place to offer optimal security. For example, the system requires passwords to meet complexity requirements that make them harder to guess, and requires passwords to be changed after a given amount of time. The system can also automatically check online databases of breached passwords and inform users when their password appears in one.
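As an added illustration of the three controls just mentioned (complexity, expiry, breach lookup), here is an example that is not PBXware code and does not reflect the exact rules the product enforces. The breached-password list and the range index built from it are constructed sample data standing in for the online database; the lookup follows the k-anonymity range scheme used by services such as the Pwned Passwords API, in which only the first five hex characters of the SHA-1 leave the system.

```python
import hashlib
import re
from datetime import date, timedelta

# Constructed sample of breached passwords standing in for the online breach
# database. A k-anonymity range query sends only the first five hex characters
# of the SHA-1 and receives every known suffix in that bucket, so the full
# hash (and the password) never leaves the system.
BREACHED_SAMPLE = ["password", "123456", "qwerty", "letmein", "Welcome1!"]


def complexity_issues(pw: str, min_len: int = 12) -> list:
    """Return the policy rules the password fails (empty list = acceptable)."""
    checks = [
        (len(pw) >= min_len, "shorter than %d characters" % min_len),
        (re.search(r"[a-z]", pw) is not None, "no lowercase letter"),
        (re.search(r"[A-Z]", pw) is not None, "no uppercase letter"),
        (re.search(r"[0-9]", pw) is not None, "no digit"),
        (re.search(r"[^A-Za-z0-9]", pw) is not None, "no symbol"),
    ]
    return [msg for ok, msg in checks if not ok]


def _sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_range_index(breached) -> dict:
    """Index breached hashes by 5-char prefix, like the server side of a range API."""
    index = {}
    for pw in breached:
        h = _sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


RANGE_INDEX = build_range_index(BREACHED_SAMPLE)


def local_range_lookup(prefix: str) -> set:
    """Stand-in for the HTTPS range call; returns all suffixes for one prefix."""
    return RANGE_INDEX.get(prefix, set())


def is_breached(pw: str, range_lookup=local_range_lookup) -> bool:
    h = _sha1_hex(pw)
    return h[5:] in range_lookup(h[:5])   # only h[:5] would go over the network


def password_expired(set_on: date, today: date, max_age_days: int = 90) -> bool:
    """Force a change once the password is max_age_days old or older."""
    return today - set_on >= timedelta(days=max_age_days)


def evaluate(pw: str, set_on: date, today: date) -> dict:
    """Combined verdict the UI could show next to a password field."""
    return {"issues": complexity_issues(pw), "breached": is_breached(pw),
            "expired": password_expired(set_on, today)}


if __name__ == "__main__":
    print(evaluate("Welcome1!", date(2024, 1, 1), date(2024, 4, 1)))
```

Swapping `local_range_lookup` for a function that performs the real HTTPS range request is the only change needed for production use; the comparison of suffixes stays local.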
Two-Factor Authentication (2FA), also known as 2-Step Verification, requires the user to enter not only their normal password, but also a time-based one-time password (TOTP) received via a mobile app or email address. We recommend enabling 2FA for the extra layer of security.
LDAP (Lightweight Directory Access Protocol) is used to look up and store information about organizations and individuals. Integration with LDAP can be used to control and provision all accounts.
All of our software and services have encryption enabled by default. We support ‘Let’s Encrypt’ TLS certificates and provide an easy-to-use wizard to help users enable them. Web interfaces are exposed on, and redirected to, encrypted ports by default.
For voice, users choose whether calls (SIP signaling and RTP media) are encrypted; we recommend encrypting both signaling and media. Our video and screen-sharing services use encrypted WebRTC signaling and media.
All of our software components that communicate with external services do so with encryption enabled by default. This includes CRM, SMS, archiving, speech-to-text, LDAP, IMAP, SMTP, provisioning services and more. We also enable strong ciphers by default for all of our services.
Our gloCOM desktop and mobile applications are protected by code signing and valid certificates for all platforms. Code signing is a process to determine the origin of the code and ensure it has not been changed. Certificates lend proof that code signing has occurred and that the application is valid.
gloCOM GO mobile app has additional security features. Login credentials and configuration are stored using encryption on the mobile device. Users can add Touch or Face ID to the app for additional protection. And push notifications are encrypted in transit and decrypted only on the user device, so if they are intercepted they will be unreadable.
Our SIP firewall protection solution (sipPROT) blocks attacks as soon as they are detected and notifies the system administrator.
sipPROT uses advanced detection techniques to identify attacks in real time: it monitors SIP packets and traffic using pattern recognition, SIP scanner protection, and SIP protocol anomaly detection.
The moment an attack is detected, sipPROT updates the firewall rules and blocks the IP addresses from which the attack is coming. Learn more in our sipPROT brochure.
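The three detection techniques named above (pattern recognition, scanner protection, anomaly detection) can be illustrated with a few lines of detection logic. What follows is an added example and not sipPROT code or any Bicom Systems format: the log lines are constructed in a simple key=value layout, the source addresses come from the RFC 5737 documentation ranges, the scanner User-Agent patterns are a small constructed sample, and the thresholds are assumptions. The example generalizes slightly beyond the paragraph by scoring each source on all three signals and rendering one drop rule per offender.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SIP event lines (not a real sipPROT or PBX log format).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=203.0.113.7 method=REGISTER ua="friendly-scanner" to=100 status=401
2024-05-01T10:00:01Z src=203.0.113.7 method=REGISTER ua="friendly-scanner" to=101 status=401
2024-05-01T10:00:02Z src=203.0.113.7 method=REGISTER ua="friendly-scanner" to=102 status=401
2024-05-01T10:00:03Z src=203.0.113.7 method=REGISTER ua="friendly-scanner" to=103 status=401
2024-05-01T10:00:04Z src=203.0.113.7 method=REGISTER ua="friendly-scanner" to=104 status=401
2024-05-01T10:00:05Z src=203.0.113.7 method=REGISTER ua="friendly-scanner" to=105 status=401
2024-05-01T10:01:00Z src=198.51.100.23 method=REGISTER ua="Zoiper" to=200 status=403
2024-05-01T10:01:10Z src=198.51.100.23 method=REGISTER ua="Zoiper" to=200 status=403
2024-05-01T10:01:20Z src=198.51.100.23 method=REGISTER ua="Zoiper" to=200 status=403
2024-05-01T10:01:30Z src=198.51.100.23 method=REGISTER ua="Zoiper" to=200 status=403
2024-05-01T10:01:40Z src=198.51.100.23 method=REGISTER ua="Zoiper" to=200 status=403
2024-05-01T10:01:50Z src=198.51.100.23 method=REGISTER ua="Zoiper" to=200 status=403
2024-05-01T10:02:00Z src=192.0.2.50 method=REGISTER ua="Yealink SIP-T46S" to=300 status=401
2024-05-01T10:02:00Z src=192.0.2.50 method=REGISTER ua="Yealink SIP-T46S" to=300 status=200
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) '
    r'ua="(?P<ua>[^"]*)" to=(?P<to>\S+) status=(?P<status>\d{3})$')
SCANNER_UA = re.compile(r"friendly-scanner|sipvicious|sipcli", re.IGNORECASE)  # sample patterns
FAILURE_STATUS = {"401", "403", "404"}   # a single 401 challenge is normal; bursts are not


def parse_events(text: str) -> list:
    """Parse the key=value lines; malformed lines are skipped here."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def _burst(times: list, window: timedelta, limit: int) -> bool:
    """True if more than `limit` timestamps fall inside any window-sized span."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 > limit:
            return True
    return False


def analyse(events, window=timedelta(seconds=60), max_failures=5, max_targets=5) -> dict:
    """Map source IP -> sorted list of reasons it should be blocked."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        reasons = set()
        if any(SCANNER_UA.search(e["ua"]) for e in evs):
            reasons.add("scanner-ua")                 # pattern recognition
        failures = [e["ts"] for e in evs if e["status"] in FAILURE_STATUS]
        if _burst(failures, window, max_failures):
            reasons.add("auth-failure-burst")         # password guessing
        targets = {e["to"] for e in evs if e["method"] == "REGISTER"}
        if len(targets) > max_targets:
            reasons.add("extension-enumeration")      # protocol-usage anomaly
        if reasons:
            verdicts[src] = sorted(reasons)
    return verdicts


def block_rules(verdicts: dict) -> list:
    """Render one drop rule per offending source (iptables syntax, illustrative)."""
    return ["iptables -I INPUT -s %s -p udp --dport 5060 -j DROP" % ip
            for ip in sorted(verdicts)]


if __name__ == "__main__":
    v = analyse(parse_events(SAMPLE_LOG))
    for ip, why in v.items():
        print(ip, why)
    print("\n".join(block_rules(v)))
```

The legitimate phone at 192.0.2.50 receives one 401 challenge and then registers successfully, so it never crosses a threshold; the two offenders do, each for a different combination of reasons, and only they appear in the rendered rules.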
We also implement safety measures for auto-provisioning of endpoints, including configuration delivery over TLS, rate limiting of requests, blocking of repeated requests, and mutual TLS client-certificate verification for supported devices.
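Both the automatic lockout after repeated wrong passwords described earlier and the rate limiting and repeated-request blocking for provisioning described here rest on the same primitive: a per-key sliding window of attempts that trips a temporary block. The following is an added example, not PBXware code, showing one such limiter applied to both cases; the thresholds, the window and lock durations, and the 30-second duplicate-request window are assumptions chosen for illustration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Count attempts per key; lock the key for lock_s once max_hits occur
    within window_s. Keys can be account names (lockout) or client IPs
    (rate limiting); the policy is the same, only the parameters differ."""

    def __init__(self, max_hits: int, window_s: float, lock_s: float):
        self.max_hits, self.window_s, self.lock_s = max_hits, window_s, lock_s
        self._hits = defaultdict(deque)     # key -> timestamps inside the window
        self._locked_until = {}             # key -> time the lock expires

    def is_locked(self, key, now: float) -> bool:
        return now < self._locked_until.get(key, float("-inf"))

    def hit(self, key, now: float) -> bool:
        """Record one attempt; return False if the key is, or just became, locked."""
        if self.is_locked(key, now):
            return False
        q = self._hits[key]
        q.append(now)
        while q and q[0] < now - self.window_s:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_hits:
            self._locked_until[key] = now + self.lock_s
            q.clear()
            return False
        return True

    def reset(self, key) -> None:
        """Forget the history for a key, e.g. after a successful login."""
        self._hits.pop(key, None)
        self._locked_until.pop(key, None)


def login(limiter: SlidingWindowLimiter, account: str, password_ok: bool,
          now: float) -> str:
    """Web UI / voicemail style lockout: returns 'ok', 'denied' or 'locked'.
    A correct password during the lock is still refused, which is what
    stops a guessing campaign from succeeding on its last attempt."""
    if limiter.is_locked(account, now):
        return "locked"
    if password_ok:
        limiter.reset(account)
        return "ok"
    return "denied" if limiter.hit(account, now) else "locked"


def provisioning_allowed(limiter: SlidingWindowLimiter, seen: dict, client_ip: str,
                         mac: str, now: float, dedupe_s: float = 30) -> bool:
    """Per-IP rate limit on configuration requests, plus rejection of a
    repeated request for the same device within dedupe_s seconds."""
    if not limiter.hit(client_ip, now):         # every request consumes budget
        return False
    last = seen.get((client_ip, mac))
    seen[(client_ip, mac)] = now
    if last is not None and now - last < dedupe_s:
        return False
    return True


if __name__ == "__main__":
    lim = SlidingWindowLimiter(max_hits=5, window_s=600, lock_s=900)
    print([login(lim, "alice", False, t) for t in range(6)])
```

Because the lock is keyed, an attacker cycling through many accounts from one address is caught by the per-IP policy while a user who mistypes once or twice is never inconvenienced by the per-account one.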
While we work relentlessly to prevent security incidents using all of the safeguards and encryption just discussed, we are also aware that security breaches are inevitable when software is used daily, particularly third-party software. We would be remiss not to discuss security fixes in addition to prevention.
One way we prepare to deal with security incidents as quickly as possible is by building the open-source components of our solutions from source code wherever possible. This gives us the ability to apply patches ourselves to software versions that upstream no longer maintains.
Last, but far from least, in our approach to security is communication. Though we have never experienced a security breach at Bicom Systems, we do have a Security Incident Procedure to ensure a transparent, efficient, and swift response if any incident ever does occur.
The foundation of that procedure is forthright communication and includes informing partners immediately if a breach is ever identified, sending timely progress updates, and opening a dialogue to help our partners through the process.