Call Centers

Call Centers deal with very sensitive customer data such as personally identifiable information including social security numbers, bank financial records such as credit card details, and the like. The top priority is keeping that data protected. The attack vector which Call Centers are most vulnerable to are their employees and the devices that they bring into the Call Center.

THE PROBLEM

Bob Baxley, Chief Engineer at Bastille Networks discusses "Call Center" security.

Call centers handle large volumes of requests by telephone daily. Many of those requests involve the transfer of highly sensitive data and records. Call center protection has become very complex with the influx of wireless devices that can easily capture records for data exfiltration. Centers want their employees to be device free in order to guard against unauthorized activities, but accomplishing this goal is a challenge. Some of the unauthorized activities include bringing devices into an area that is not approved for cell phones or laptops. For example, an employee with a cell phone or other wireless device can take pictures of sensitive data displayed on a monitor and backhaul it out of the center.

Call Center Security Vulnerabilities include:

  • Rogue wireless devices and networks being used for data exfiltration
    • Security teams have little visibility into the Radio Frequency Spectrum; therefore monitoring the influx of devices into call centers is difficult.
  • Improperly configured devices
    • Unencrypted DECT headsets and devices using other protocols leave an open gateway for attackers to eavesdrop on activities
  • DECT Network Scanning
    • The nature of DECT’s base-station selection criteria means the FP constantly transmits RFPI information, easily exposing it to network discovery and scanning attacks. In these attacks, attackers are able to identify and eavesdrop on the activity of DECT networks.
    • Many DECT devices do not implement the optional encryption capabilities available in the DECT Standard Cipher (DSC) algorithm. Further, it is very difficult for consumers to know if their selected DECT hardware supports encryption, leaving many consumers and businesses vulnerable to audio recording and eavesdropping attacks.

Typical security solutions have very little visibility into the radio frequency space allowing for no knowledge of the devices in call centers and how they are behaving, making BYOD policy enforcement very difficult.

THE REQUIREMENTS FOR A CALL CENTER RADIO SECURITY SOLUTION

A call center radio security solution needs to:

  1. Provide visibility into the wireless networks and traffic operating in your environment,
  2. Inform you of the devices in your environment and their behaviors, 

  3. Alert on active wireless attacks on those devices through your existing SIEM systems, and

  4. Suggest best practices for minimizing the attack surface and mitigating an attack action.

Specifically, a solution must:

  • Detect all devices operating in the wireless spectrum, to include but not limited to, Wi-Fi, cellular, Bluetooth, and the hundreds of other protocols in the Internet of Things (IoT)
  • Provide awareness of any wireless threats including active attacks, rogue networks, and misconfigured devices
  • Ingress and egress detection: Have the ability to track the movement of devices, both authorized and unauthorized, which include radios, to augment existing security measures
  • Show the movements of devices to help enforce access policies
  • Detect unauthorized access
  • Detect data exfiltration through wireless devices
  • Include geofencing capabilities to understand and protect specific areas
  • Detect vulnerable devices being installed
  • Detect misconfigured devices
  • Enforce company BYOD/IoT policy

What kind of organizations need this solution?

  • Call Centers
  • Organizations with wireless headsets that handle sensitive and confidential data
"