[VoiceOps] Unsecured conference lines

J. Oquendo joquendo at e-fensive.net
Thu Jun 2 15:04:48 EDT 2016


On Thu, 02 Jun 2016, Carlos Alvarez wrote:

> We have a customer who has been nagging us to remove the PIN from their
> conference lines.  They are getting more insistent.  We've said no, for the
> obvious security reasons, and explained them all clearly.  On top of it,
> this is a medical-related company having sensitive conversations on
> conferences.  They keep pushing us.  What would you do?  On the one hand I
> think we have no liability in the matter, but on the other, we're more of a
> consulting ITSP than just a generic service provider.  We specialize in
> helping people not do stupid things with their phone system.  There's also
> the matter of just eating up a bunch of channels by people using it as
> their own conference.

The honest answer would be for you to look over your
terms of service agreement. What was it you told them that
your organization would be responsible for? Now to the
technical slash security answer:

Who manages/maintains the network? This is important for
various reasons. If the network is segregated (voice and
data), it makes things easier to deal with from the
technical perspective. You could implement an ACL that
states something to the tune of: "This IP (conf phone)
should ONLY talk to the registrar, and no one else" but
this would remove any HTTP-like functionality.

When you say: "Medical related company" it means little
without context. E.g.: "A company that delivers uniforms"
has less to worry about than "A company that delivers
EMR data on their conferences." You are just an ITSP,
not a standards organization.

The ultimate reality is, while you are an ITSP, they
paid for whatever it is they are paying for. This is
where you need to bring senior management into the
discussion to discuss AUP, TOS and other annoying
acronyms that we (techie folks) love to hate.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463

