Don't Forget About VoIP

Don't Forget about VoIP as you onboard new clients or even with existing clients. There are significant risks in not including some level of management of the VoIP system or providing some support when there are issues on the network. I sit down with Alec Stanners of bVoIP to talk a bit about the history of VoIP solutions and the challenges we faced in the early days versus the cybersecurity challenges MSPs face today.

[00:00:06] Welcome to MSP 1337, I'm your host Chris Johnson, a show dedicated to cybersecurity challenges

[00:00:14] solutions, a journey together, not alone.

[00:00:21] Welcome everybody to another episode of MSP 1337, I'm joined this week by Alec Stanners

[00:00:27] of bVoIP.

[00:00:28] Alec welcome to the show.

[00:00:30] Happy to be here Chris, appreciate you asking me to come up.

[00:00:33] So this is a little bit of a topic today for anybody wondering since we did say VoIP

[00:00:39] in the name of where Alec works, that would mean that it's probably going to be about phones.

[00:00:45] It has come up a few times over the last few months where I've had some conversations with

[00:00:50] MSPs, particularly MSPs going through the Trustmark who have raised concerns around

[00:00:56] how they're doing some of the physical layer security with regards to their phone systems

[00:01:03] and so they would do physically phones are plugged into a separate switch and all that.

[00:01:10] And we know that in today's world, that's becoming less and less common just because

[00:01:15] we're not rolling out physical infrastructure to support physical layer segmentation for

[00:01:21] things like VoIP from computers, etc.

[00:01:24] But we are seeing a lot of VLANing where VoIPs can put on one channel and our channel.

[00:01:35] I'll put that on channel three, hold on a second let me just trim the knob.

[00:01:40] But what was interesting about the conversation that I had recently was the MSP was like

[00:01:46] we're totally hands off the voice services.

[00:01:50] We've put them on a separate VLAN.

[00:01:52] We've partnered with a VoIP provider and they handle all the support for the phones and really

[00:01:58] hands off.

[00:01:59] And it made me think back to going back 2001, like a couple of years ago when VoIP was just

[00:02:06] kind of coming on the scene.

[00:02:08] In a lot of cases, you were doing VoIP was more of the GUI and what was happening in

[00:02:14] the cloud.

[00:02:15] And then you'd have some sort of SIP trunk T1, whatever it was that was bringing you

[00:02:20] the services to the building and then you had some sort of digital on-prem system.

[00:02:24] And as long as I met certain requirements, you were good to go.

[00:02:28] But back then, knowing how to support and manage phone systems was very different from

[00:02:34] what it is today and in the way we interact with them.

[00:02:37] And like today is more common to actually plug your computer into the back of your

[00:02:40] phone.

[00:02:41] Your phone is a switch.

[00:02:42] All those things that you maybe don't even want the end user to do.

[00:02:45] And so as you and I were talking as you came onto the show about some of your experiences,

[00:02:51] the precedent is well if I'm hands off or even hands on, what are some of the responsibility

[00:02:58] or obligations an MSP might have supporting VoIP or being hands off with VoIP?

[00:03:05] What are some of the security concerns that you're seeing and what are partners

[00:03:10] doing about it?

[00:03:11] Yeah, absolutely.

[00:03:13] Let's zoom back real quick and talk about the kind of landscape as a sit for MSPs.

[00:03:17] Because I think it's funny because I think a lot of the markets have matured and as much

[00:03:22] as VoIP has been around for a long time, you would expect that maturity to come.

[00:03:26] It hasn't necessarily.

[00:03:28] And when you look at a lot of the markets, they push towards things like MFA and single

[00:03:34] sign on, just basic stuff, right?

[00:03:37] The kind of one-on-ones security of today.

[00:03:40] And I think in the MSP space, I guess in space in general, there's a million options out

[00:03:46] there for VoIP.

[00:03:46] And I think that starts the problem because when there's a lot of things to manage,

[00:03:52] they don't always get regulated perfectly.

[00:03:54] So we've run into scenarios where people are on really old infrastructure, depending

[00:03:59] on where you are in the country or the world.

[00:04:01] Infrastructure can be drastically different than if I'm in a major metro with very

[00:04:06] updated infrastructure or I'm using, obviously there's a couple of different

[00:04:12] pieces of every single phone system that MSP is going to manage.

[00:04:15] There's the physical hardware, there's the software that's running it, and then

[00:04:18] there's the dial tone, SIP trunk portion of it.

[00:04:21] Dial tone, SIP trunk could be a really good high end provider.

[00:04:25] We work with a company called BCM One.

[00:04:27] They're a major provider in New York.

[00:04:29] They acquired about seven or eight different companies and rolled them all

[00:04:32] up to become this super provider and they're very heavy on security.

[00:04:36] I've also run into MSPs that are utilizing Aboard Service.

[00:04:40] They're like, hey, I got way better tax coverage and taxes are way less.

[00:04:45] And I'm like, OK, let me take a look at this.

[00:04:48] Well, have you seen what their operation looks like?

[00:04:50] I mean, they're running this thing out of a garage.

[00:04:53] And it's not just any garage.

[00:04:55] It's the shed that you buy at Home Depot that's in the backyard

[00:04:58] that has door opening at the park of cards.

[00:05:00] Yeah, it's a rubber band.

[00:05:01] Exactly.

[00:05:03] Exactly.

[00:05:04] So that's kind of the range of what we're dealing with out there.

[00:05:10] So that's the first thing is to understand the infrastructure

[00:05:12] of what you're buying into.

[00:05:15] You know, where is this setup?

[00:05:17] What is the security and compliance that's on the data side of everything?

[00:05:21] Right?

[00:05:21] I think that's a major portion that MSPs really need to think about

[00:05:24] because we've seen the good, the bad and definitely the ugly.

[00:05:28] As you move on from that,

[00:05:29] I think there's become some best practices

[00:05:31] or we're starting to see some best practices made, which is great.

[00:05:35] You know, MFA started to be pushed a little bit more,

[00:05:37] but I mean, that felt like a practice

[00:05:39] that should have taken place five, six, seven, eight years ago.

[00:05:42] Well, and you're talking about in the context of phones,

[00:05:45] but I mean, like we really didn't see and still haven't seen that

[00:05:48] across switches or a lot of your on-prem infrastructure,

[00:05:53] whether it's firewalls or access points, adding in things like,

[00:05:56] oh, maybe maybe authenticating to this asset for management

[00:06:00] requires something more than, oh, no, no, no.

[00:06:03] We have a management port that you have to plug into

[00:06:05] and you would never keep that on the network.

[00:06:09] Yeah, exactly.

[00:06:11] Again, it's my worst, unfortunately.

[00:06:14] You know, in fairness, in fairness, when we think about,

[00:06:19] you know, going back to the beginning,

[00:06:21] you described a lot of the different things

[00:06:23] that have happened over the years, the new technologies.

[00:06:24] But one thing that's always been true this whole time

[00:06:27] is analog lines aren't gone.

[00:06:28] They're still here.

[00:06:30] Faxing is still a thing, even if it's not analog anymore.

[00:06:33] It's some sort of digital fax in theory.

[00:06:36] But along those lines, we wouldn't necessarily expect

[00:06:39] those technologies to change and yet things wear out, right?

[00:06:45] So I was thinking about like, if anytime you were describing

[00:06:47] all these different technologies,

[00:06:49] but don't forget the deterioration

[00:06:51] of physical infrastructure, right?

[00:06:53] Cat5 cable, Cat5e cables was largely the early standard

[00:06:58] of what everybody went to in the early...

[00:07:01] That's what you used, right?

[00:07:02] If it was data cable, it was Cat5 or Cat5e,

[00:07:05] which was really what was expected if you were doing VoIP.

[00:07:08] But those cables installed in 2001, 2005, even 2010.

[00:07:14] And then the other piece that you have

[00:07:15] is the fact that when the HIPAA law was passed,

[00:07:20] it was all about privacy.

[00:07:21] They added the security rule in in 2013.

[00:07:24] So what was traditional like,

[00:07:26] I have a traditional analog phone system

[00:07:28] and you leave a voicemail, fine.

[00:07:31] That's covered under the privacy rule

[00:07:32] and I don't care about it.

[00:07:33] But as soon as that phone switched from it being

[00:07:36] an analog message to a digital message, oh boy, now it's data.

[00:07:41] All bets are off.

[00:07:42] All bets are off.

[00:07:43] It's in the cloud.

[00:07:45] And that's the thing.

[00:07:46] Like we definitely still see copper out there, plenty.

[00:07:50] And you touched on another one there, fax.

[00:07:53] Fax seems to slid in some ways to be very industry specific now.

[00:07:57] Like medical...

[00:07:58] You got largely healthcare?

[00:07:59] Yep.

[00:08:00] Legal.

[00:08:01] Legal loves it.

[00:08:02] And maybe finance if you're dealing with like loan processing.

[00:08:06] They like to have their dot matrix printer

[00:08:08] with the three layers of paper.

[00:08:10] Love it.

[00:08:11] Yes.

[00:08:12] Go into cloud.

[00:08:14] Which it blows my mind because you have,

[00:08:16] you know, just sidetrack for a second.

[00:08:18] But you have that as the standard.

[00:08:20] And then, you know, you buy a Tesla and you can set up

[00:08:23] and do everything from your phone

[00:08:24] and initial three pieces of paper and drive away with car.

[00:08:27] Right.

[00:08:28] So what is the gap there?

[00:08:30] And who has the paper copy?

[00:08:34] Like right, like you think about it,

[00:08:35] like who's filing cabinet did this go into or was it scanned?

[00:08:39] I mean, DocuSign, you know, at CompTIA,

[00:08:41] we largely use DocuSign for everything.

[00:08:43] Yep.

[00:08:44] If we could get more in...

[00:08:47] Oh wait, I'm not spending any money on another service.

[00:08:50] I'd rather have my dot matrix printer

[00:08:52] than only three people in the world can service.

[00:08:55] Exactly.

[00:08:56] And that's where it gets weird, right?

[00:08:59] I think we all kind of said,

[00:09:00] oh, fax, that'll go away.

[00:09:02] And we all just figured it would kind of die this slow death

[00:09:04] and flame out and it hasn't.

[00:09:06] So we haven't updated it

[00:09:08] and we've just expected it to die and it hasn't.

[00:09:10] I think it's because that Hank Williams Jr. song,

[00:09:13] Fax Me a Beer,

[00:09:14] I think people are still trying to perfect that.

[00:09:17] That's what it is.

[00:09:18] Absolutely.

[00:09:18] That was a turning point of fax.

[00:09:20] That's right.

[00:09:20] They're like, it's going to die

[00:09:21] and then the song came out

[00:09:23] and there's no way this will ever die.

[00:09:24] And I mean, we're all imagining one day

[00:09:26] it'll just show up on a fax machine

[00:09:28] that's never had a fax sent to it.

[00:09:31] All of a sudden, it's going to materialize.

[00:09:33] You're like, ah, that's what I've been waiting for.

[00:09:34] That's why I kept it plugged in.

[00:09:36] That's a 3D printer we're all waiting for.

[00:09:38] That's right.

[00:09:40] I think it's funny because that,

[00:09:44] that I think is one of the major things we're watching

[00:09:47] and we're seeing as a security concern for sure

[00:09:49] are those two areas.

[00:09:51] And just that kind of standoff of who's going to budge first.

[00:09:56] Right?

[00:09:56] Are the systems going to say,

[00:09:57] okay, we're going to stop offering fax?

[00:09:59] So are we going to really just push the infrastructure?

[00:10:03] Because if you look at like Australia,

[00:10:04] for instance, it's a great example.

[00:10:06] They went out and they said,

[00:10:07] we're going to lay the entire country in 5G.

[00:10:09] First, we're going to try Tasmania.

[00:10:11] If Tasmania works out, their testbed,

[00:10:13] then we're going to roll it out all the states.

[00:10:15] We're going to put out a bid.

[00:10:16] We're going to let all the major companies bid on it

[00:10:18] and they can come in.

[00:10:20] We're going to set up a government-funded project.

[00:10:22] And we're going to completely cover the entire country in 5G.

[00:10:26] And I mean, they're doing it.

[00:10:27] And so you look at where we are on our side,

[00:10:32] is somebody eventually going to say,

[00:10:33] hey, we're going to rip all the copper lines out?

[00:10:35] Are they going to say, hey, we're done with fax?

[00:10:37] Or are we going to accept that fax will probably be around longer

[00:10:41] than we all thought it would be?

[00:10:42] And that may not be going anywhere soon.

[00:10:44] We're going to update pieces a little bit

[00:10:47] and make sure there aren't any holes there.

[00:10:49] I mean, that's a very aging technology at this point.

[00:10:52] Bear, I think though that whether it goes away or not,

[00:10:57] the challenges I think that you see,

[00:11:00] I mean, you and I talked about this earlier about

[00:11:01] when George was running his MSP,

[00:11:04] the challenge is there.

[00:11:05] I mean, we can talk about that a little bit.

[00:11:06] But I mean, a lot of that technology was built

[00:11:10] way before any of the features that were baked into that technology

[00:11:14] were ever taken advantage of.

[00:11:16] So like I had a back in the day conference room phones

[00:11:19] were almost exclusively made by Polycom.

[00:11:23] And we had a Cisco branded, but it was obviously a poly,

[00:11:29] I mean, even the model number said right on there

[00:11:31] there was a Polycom conference phone.

[00:11:33] And in my office, we had the extension mics,

[00:11:36] offices that have the conference room,

[00:11:38] the table, the one table, it's like 60 people around it.

[00:11:41] So we had the little microphone extenders on each of our desk.

[00:11:46] And then that SIP unit sat in the middle.

[00:11:50] And so we had to use a, we had an Asterisk box,

[00:11:56] essentially a Raspberry Pi that converted SIP to VoIP.

[00:11:59] And then it connected into our VoIP system.

[00:12:01] But like we use that for probably, I don't know, four or five years.

[00:12:06] That was our conference phone.

[00:12:07] And so you translate that and all those technologies

[00:12:10] that are still largely in use in some capacity across different ecosystems

[00:12:15] of VoIP services or phone services.

[00:12:18] Then I also think about the things like,

[00:12:21] you know, what is the obsolescence that's happening inside the VoIP services space?

[00:12:27] So like why do I have, you know,

[00:12:29] now a hundred different SIP or PRI type providers.

[00:12:34] And they're all offering, you know, services that, you know,

[00:12:37] 00 you can no longer do the math on how cheap your cost per call is.

[00:12:41] But then you're like, but wait a second, on my cell phone,

[00:12:44] I just pay flat unlimited fee.

[00:12:47] How are we still in the world of like,

[00:12:49] I might as well have a calling card for my local outbound calling?

[00:12:55] No, so, you know, I think that we are definitely seeing more of a shift.

[00:13:00] You know, we've seen a shift in both ways.

[00:13:03] bVoIP chose to kind of take a more agnostic approach

[00:13:07] in terms of how we're going to focus on the plans.

[00:13:10] But I think the whole industry shifted to per user per month.

[00:13:15] A lot of them will push an unlimited now, but it's a hefty cost.

[00:13:20] That moved away from the older set up that you're used to right,

[00:13:23] which was I can do a simultaneous call into the building.

[00:13:26] And I can decide how many open lines I need.

[00:13:29] And I think that was hard for the MSPs, because I think that took away a lot

[00:13:32] of the old margin that used to get because like you said,

[00:13:34] you used to make tons of money back in the day when you're on your MSP.

[00:13:38] And, you know, we actually offer both, which is cool.

[00:13:42] You know, we're able to let MSPs really decide what fits best for,

[00:13:46] you know, the individual environment that they're in.

[00:13:48] But yeah, I mean, I think when we look at...

[00:13:51] Emergency services often factor into that.

[00:13:53] If you need emergency services,

[00:13:55] so you have two extremes, right?

[00:13:57] All of the players like Zoom, Teams,

[00:14:01] you know, multi-conference platform type stuff that have added in,

[00:14:04] you know, DIDs directly to the user regardless of where they are.

[00:14:09] And then you still have this necessity for physical handsets

[00:14:12] in places like hospitals, you know, clinics or whatever, fire departments,

[00:14:18] even like elevators still have the ability to make some sort of call

[00:14:22] that's either analog or if you get us up and coming,

[00:14:27] you know, young whippersnapper that's like,

[00:14:29] hey, we're going to put phone lines into your elevator,

[00:14:31] but we're not doing analog.

[00:14:32] That's ridiculous. Why would we do analog?

[00:14:34] I don't need any more false calls happening

[00:14:36] because someone bumped, you know, the wall and crossed the copper

[00:14:41] and all of a sudden it's making dial tone and calling somebody.

[00:14:44] I remember saying that.

[00:14:45] Yeah, I mean, we're definitely seeing more push to less points

[00:14:50] of failure on site, which I like.

[00:14:52] So you talked about that Raspberry Pi box and stuff like that.

[00:14:55] Like we're definitely seeing a shift away from that

[00:14:57] to really kind of simplify it as much as possible on site,

[00:15:00] which, you know, I love from the technology standpoint,

[00:15:04] right? We're creating less points of failure,

[00:15:05] less things to manage, less such endpoints

[00:15:08] that we're having to monitor and deal with.

[00:15:11] You know, and I think as we move down the road,

[00:15:13] we're going to continue to see that.

[00:15:14] I think, you know, if I look at our basic setup right now,

[00:15:17] it's pretty simple, right?

[00:15:18] We're doing handsets on the actual physical site.

[00:15:23] SBCs are at the data center, so that's all been moved off site.

[00:15:26] It's at the data center level now.

[00:15:27] So like just a lot easier.

[00:15:29] What I've gone and see is taken off the plate of the MSP largely.

[00:15:33] Exactly. Yeah, which I love.

[00:15:35] You know, I don't think it should be on their plate

[00:15:37] and I think it's on the provider's plate for sure.

[00:15:41] So it's good to see that.

[00:15:42] You know, where there's still some setups that will have

[00:15:45] the SBCs on site for sure.

[00:15:47] But, you know, I think it's, I look at the headaches,

[00:15:50] you know, you touched on earlier that George went through

[00:15:51] with his MSP from multiple different standpoints.

[00:15:55] Whether it was just a redundancy standpoint,

[00:15:58] you know, there used to be all the proprietary hardware

[00:16:01] and that's that was that was a bit of a nightmare.

[00:16:03] We moved away from that.

[00:16:04] You know, Polycom, as you said, came in and took over the industry.

[00:16:08] They split a couple of the engineers left,

[00:16:11] created Yealink.

[00:16:12] That's been pretty fast up and coming on.

[00:16:16] Yeah, we actually see more Yealink down than Poly, which is

[00:16:20] basically brought a phone to market that was like one fifth of the cost

[00:16:24] with a color screen and a bajillion features

[00:16:27] that no one knew what they were supposed to use them for.

[00:16:29] And Polycom's like, yeah, but I have a module you can buy

[00:16:32] and it gives you a camera functionality for Teams.

[00:16:35] And you're like on my phone,

[00:16:37] like I'm going to now stare at my phone.

[00:16:38] Like who else has a phone in their office that they're like,

[00:16:41] hold on, I'm not going to use the camera on my computer

[00:16:44] because I have one that plugs into my phone.

[00:16:47] How about that?

[00:16:48] Yeah, I'm sure it's great quality.

[00:16:50] Yeah. And like if I was going to do that,

[00:16:52] why not just use Teams on my smartphone?

[00:16:55] Like this seems like way overkill to be.

[00:16:58] Oh no, I don't have a smartphone.

[00:16:59] I just have my flip phone.

[00:17:01] Yeah.

[00:17:02] But it also has a camera.

[00:17:03] Oh, it's a never-ending cycle.

[00:17:07] Yeah. I mean, it's

[00:17:09] it really is interesting to watch the hardware race

[00:17:12] has definitely taken off from

[00:17:15] we saw a huge pop about five, 10 years ago of innovation in it.

[00:17:20] It slowed a little bit, right?

[00:17:21] There was a weird time in the 2000s

[00:17:23] where everything had to be smaller and smaller.

[00:17:25] And now it's kind of bigger and bigger screens are bigger,

[00:17:27] a lot more color screens.

[00:17:29] And then it was the innovation thing that I saw that I saw was cool.

[00:17:32] So any medical focused MSPs that are listening,

[00:17:36] SNOM now makes a handset that is actually completely dipped in a

[00:17:43] coating that kills all germs.

[00:17:46] So great for like hospitals, doctors, all these things about it.

[00:17:49] I thought that was very cool.

[00:17:50] And it's that kind of handset you can carry around.

[00:17:52] So I know a bunch of our partners have been loving

[00:17:54] putting those into medical offices.

[00:17:56] Yeah. That's like their M80 and 90.

[00:17:59] Yep. Exactly.

[00:18:01] The it's funny you bring that up.

[00:18:03] The other side of that was and I think it wasn't all works.

[00:18:06] There was another phone brand that was very proprietary.

[00:18:11] They had their own switches and everything.

[00:18:13] And they came out with the phone dock.

[00:18:17] So like you brought your iPad or a smartphone and you would dock it.

[00:18:23] And that would give you all of the handset functionality

[00:18:25] plus the VoIP on that box.

[00:18:28] So like you would get so like there was no dialing options

[00:18:32] if you just came up to the handset, but someone could call it

[00:18:35] so you could answer it or you would dock your iPad or iPhone

[00:18:39] or whatever it was.

[00:18:40] And then that would give you all of the feature sets of that,

[00:18:43] you know, $400 color screen phone and a $400,

[00:18:47] you know, dysfunctional has no features unless you bring

[00:18:51] a thousand dollar device and plug into it.

[00:18:54] Every little yes.

[00:18:55] It's secure, right?

[00:18:56] Like you couldn't log into voicemail from that handset

[00:18:58] without the iPhone or whatever.

[00:19:01] So shifting gears, obviously this is a security focused show.

[00:19:07] We've talked a lot about the technology,

[00:19:09] which I think is important to put some back story to this

[00:19:12] because it's easy to take for granted that which is VoIP services

[00:19:17] or phone services in any environment.

[00:19:19] You know, who's responsible for it?

[00:19:21] I think this is just a touch on for a minute.

[00:19:23] One of the first areas that can be very dangerous

[00:19:26] for an MSP is coming into an environment

[00:19:28] that they're feasibly taking over the management of assets.

[00:19:31] They don't even consider the phones as part of the assets

[00:19:35] that are now part of the ecosystem

[00:19:37] that they're going to be responsible for.

[00:19:39] 100%.

[00:19:40] Yeah, no, I think that it's a major one.

[00:19:42] And the reason I was like touched on that portion of it,

[00:19:46] what we kind of talk about this is it still is such a wide range

[00:19:50] of technology out there with legacy hardware, legacy setups.

[00:19:54] So I would highly suggest you definitely always keep that

[00:19:59] as a serious potential area threat, right?

[00:20:02] Understand it.

[00:20:03] Understand what's coming through it.

[00:20:05] Understand who the provider is, who the provider is.

[00:20:09] How does everything manage?

[00:20:10] How does everything save?

[00:20:13] And understand the compliance around all of that

[00:20:14] just so there's no surprises for you down the road.

[00:20:18] You know, use that through any kind of, you know,

[00:20:22] fact-finding mission to find your next solution.

[00:20:24] Understand that you're getting into something

[00:20:26] that's not going to create a headache for you down the road.

[00:20:28] But as we move forward, right, talking about some of the areas

[00:20:31] where VoIP has been a concern,

[00:20:34] I think one of the major ones that we've seen,

[00:20:36] you don't have to go too far back in history is the MGM casino.

[00:20:41] Right? VoIP spoofing has become pretty common and pretty standard.

[00:20:47] You see that on cell phones too, right?

[00:20:50] Yeah, absolutely.

[00:20:51] How many times do you get a phone call in

[00:20:53] that's from the local number and you're like,

[00:20:54] oh, let me see what this is.

[00:20:55] Or your boss.

[00:20:56] That's not your boss.

[00:20:59] Yes.

[00:21:02] Oh, yes.

[00:21:04] So we've had that.

[00:21:05] I've actually had a call that came in

[00:21:07] that was from a number that I had saved.

[00:21:08] It was from an old friend from my school.

[00:21:10] And I was like, why are they calling me?

[00:21:12] And I picked it up and it just happened to be

[00:21:13] that that was the randomly generated phone

[00:21:15] number that they called me from.

[00:21:16] Oh, wow.

[00:21:16] So I messed up my phone book.

[00:21:19] But yeah, I've definitely seen this

[00:21:21] cellphone on one of the techs in the bosses

[00:21:23] giving a presentation and needs gift cards.

[00:21:25] Yep.

[00:21:27] We've absolutely seen that one.

[00:21:29] And it's just, it's crazy the amount of,

[00:21:33] you know, we talked about a lot less before,

[00:21:34] but I think this is another area

[00:21:35] that's very much in that category.

[00:21:38] I know Verizon is now working with

[00:21:40] a pretty cool provider that's,

[00:21:44] they were one of the original self-credit card processors.

[00:21:48] It's a family that owned the company.

[00:21:50] They've now invested into about 43 different companies.

[00:21:53] They're like extremely wealthy and investing heavily

[00:21:56] in technology, which is awesome.

[00:21:59] They are working with Verizon actually to launch a product

[00:22:01] that's going to verify every phone number

[00:22:03] and make sure it's actually the phone number

[00:22:04] that it says it's dialing from.

[00:22:06] Kind of like DKMS for email.

[00:22:10] Exactly.

[00:22:11] So it's going to be able to flash up and say,

[00:22:12] you know, not verified or not real or verified.

[00:22:17] So you'll know if it's actually that person calling you

[00:22:19] or not, which I think is terrific.

[00:22:21] And I hope to see that launch for all the providers.

[00:22:24] You know, obviously on the rest of it,

[00:22:27] user verification can also be controlled

[00:22:29] by the MSPs today.

[00:22:30] You know, it's something I'd really suggest.

[00:22:32] You know, we've seen that as best practice

[00:22:33] in a lot of our larger MSPs

[00:22:36] or more security-focused MSPs is

[00:22:38] when somebody's dialing in, verifying who is dialing in.

[00:22:41] So to some extent, it's ironic

[00:22:45] that we're talking about this.

[00:22:46] We're not talking about right now

[00:22:47] the flaws in the equipment itself per se.

[00:22:51] We're talking about the way in which people can be exploited

[00:22:54] because of the ways in which we can use the technology

[00:22:57] for say, you know, illicit gain.

[00:23:01] But there was also like, I want to say this was like 2022.

[00:23:05] Mitel had the big like business network compromise

[00:23:09] because you could get in through the Mitel phone system

[00:23:14] and then circumvent through the switching layer

[00:23:18] and literally attack the corporate network.

[00:23:21] And obviously more importantly,

[00:23:22] you could take advantage of all of the back doors

[00:23:24] into the Mitel system that was like,

[00:23:27] I think they patched it.

[00:23:28] Like their latest release had patched that flaw

[00:23:32] before the exploit was actually released into the wild

[00:23:36] that, you know, here's the thing

[00:23:37] and like put so many people fail to patch it.

[00:23:40] So before we get too far into all of the things

[00:23:42] that we can do, talk to me a little bit about

[00:23:45] and maybe you don't know the answer to this,

[00:23:48] but what does it look like to maintain phones

[00:23:52] or a VoIP system?

[00:23:53] Because I think that's one of the areas

[00:23:54] that maybe less responsibility is on MSPs anymore

[00:23:57] and more of that responsibility is on making sure

[00:23:59] that the who you're using as your VoIP provider

[00:24:02] is that they're doing regular updates

[00:24:04] to the firmware on the device.

[00:24:05] They're doing regular software updates to the applications

[00:24:09] and they're keeping you aware of known vulnerabilities

[00:24:13] kind of thing.

[00:24:14] For sure.

[00:24:15] Yeah, I think it's on a couple of layers, right?

[00:24:17] So a lot of providers out there are utilized as another provider.

[00:24:21] So for instance, AT&T forever,

[00:24:23] the business phone that they would offer you was really

[00:24:27] RingCentral.

[00:24:28] Yeah.

[00:24:29] Or there's a lot of, you know,

[00:24:30] there's many providers who built off of

[00:24:34] Asterisk or other systems that are like 5.

[00:24:36] 3CX or one of the, yeah.

[00:24:38] Exactly.

[00:24:39] So I think there's a couple things that are in place,

[00:24:41] right?

[00:24:42] Are they updating you along with what the host product is

[00:24:48] updating, or are they following their update schedule?

[00:24:50] Are they checking their update schedule?

[00:24:52] Are they making sure that there's nothing funky in that

[00:24:55] before they push the update?

[00:24:57] Well, there's a lot of open source

[00:24:59] or white labeling happening in the space.

[00:25:01] So a lot of white labeling.

[00:25:02] Yeah.

[00:25:03] And then on the open source side,

[00:25:05] you know, with Asterisk and some of those other platforms

[00:25:07] being used, who's maintaining that?

[00:25:11] That underlying infrastructure.

[00:25:14] Is it Larry who built it 20 years ago?

[00:25:17] If he still works on Thursdays?

[00:25:19] Yes.

[00:25:20] We haven't released the new long-term update

[00:25:23] to Linux for this kernel because,

[00:25:25] well, Larry's not coming in until next month.

[00:25:27] He's on sabbatical.

[00:25:29] He's gone to Florida for the winter, but...

[00:25:32] ...when he gets back we're gonna be looking at that.

[00:25:33] He doesn't have internet down there, yeah.

[00:25:37] Yeah, I mean, it's definitely an area of concern.

[00:25:40] I would say that should be part of your fact-finding

[00:25:45] when you're really deciding on a provider, right?

[00:25:47] Are they following a good update?

[00:25:49] Are they making sure?

[00:25:51] I agree with you.

[00:25:51] I think a lot of it has moved off the MSP, which is awesome.

[00:25:54] And that's really where it should be.

[00:25:56] The MSPs do not need another thing to worry about.

[00:26:00] They have more than enough.

[00:26:01] I think that there's a little bit of a push.

[00:26:06] MSPs we find one of three ways.

[00:26:08] I tried VoIP in the 90s or 2000s.

[00:26:11] It blew up in my face.

[00:26:12] I never want to touch it again.

[00:26:14] We get...

[00:26:15] I'm doing it, but I just refer it down the road

[00:26:16] and I never think about it.

[00:26:19] Which generally it's a local provider, or you get...

[00:26:24] Yeah, I have a big box provider that either I lightly manage

[00:26:27] or I pass all support off to them.

[00:26:30] I think all have different risks to them.

[00:26:34] I think that one of them is if you're just passing it all off down the road,

[00:26:40] you don't know what they're updating.

[00:26:42] You don't know about the current compliance they have.

[00:26:46] I would hope that you're going through that discussion with them

[00:26:48] and you're regularly going through that

[00:26:50] because obviously compliance changes.

[00:26:51] If you haven't had that discussion with your provider in a little bit, have it.

[00:26:56] I think when you push everything off support-wise to another vendor,

[00:27:01] you don't know how they're supporting it.

[00:27:02] You don't know what they're going to tell them to do.

[00:27:04] You could be walking into a very scary...

[00:27:06] You talked earlier, are they plugged into the port that's going to allow

[00:27:10] somebody to get in?

[00:27:11] It might be after that call with AT&T,

[00:27:13] but those are the things that I would always say, be careful.

[00:27:19] And finally, I think if you haven't tried it in a while, it has changed a lot.

[00:27:26] The technology is vastly different like everything else.

[00:27:28] Our cell phones in the 90s, 2000s were drastically different than what they are today.

[00:27:34] Office phones are the same, but everything has also gotten more complex

[00:27:38] in terms of the threats out there too.

[00:27:41] So just be aware.

[00:27:43] Just thinking through this as we recap,

[00:27:46] if I was thinking about adding or changing or even understanding what I have today,

[00:27:50] because we could argue probably that for the most part,

[00:27:53] the feature sets at the underlying level are the same.

[00:27:58] Heaven forbid,

[00:27:59] it does at least have good call quality and you can make and receive calls.

[00:28:03] If we've established that's going to be on all of them,

[00:28:06] then you get into how many people can you join to one call

[00:28:09] if it's actually an actual call as opposed to more of a conference platform.

[00:28:18] And then you get into...

[00:28:20] So assuming all that, now you're getting into where the security parts really come into play

[00:28:25] is who's responsible for what?

[00:28:27] So do we require any sort of handset or physical asset to be stored on the user's desk, if you will?

[00:28:36] But then some of the pieces that we've talked about that I think are really important is

[00:28:40] what are the responsibilities that an MSP really should take,

[00:28:43] say the bull by the horns and be vocal with their client.

[00:28:46] Yeah, it's fine if you're not having to deal with like,

[00:28:50] hey, we're getting static on our calls, you're handing that off, fine.

[00:28:54] But what is that a symptom of?

[00:28:57] Like, is there something else that's been plugged into the network that's causing noise?

[00:29:02] Any number of things, right?

[00:29:03] But like, what are you saying that...

[00:29:05] I think there's probably like five things and we've touched on at least two of them

[00:29:09] that they need to be consciously and actively participating in with their clients

[00:29:15] as it pertains to voice services.

[00:29:18] Yeah, so one of the things that we always suggest is,

[00:29:23] you know, first of all, when we're doing setup, we always go through permissions, right?

[00:29:27] Who in your business and your MSP needs access to what?

[00:29:31] Right? I think that's a major thing that you need to understand,

[00:29:34] set up and you also need to discuss with your clients.

[00:29:37] How many admin staffs do you want for auto attendant?

[00:29:42] That... Who can access the voicemails?

[00:29:44] It's probably one of the major ones I hear constantly, right?

[00:29:46] Especially depending on type of business or where we're dealing with.

[00:29:49] We have MSPs that are dealing with hedge funds,

[00:29:51] medical offices, insurance offices, 911 centers.

[00:29:55] So all of that, right?

[00:29:56] That's a major one that we see and can be just a very uncomfortable conversation

[00:30:03] from a compliance standpoint.

[00:30:05] So that's something that I highly suggest you understand.

[00:30:08] And then upstream, right?

[00:30:09] On your provider side, who can access it there?

[00:30:13] Who has access to those voicemails on their end?

[00:30:16] And I think the other one is going to be, obviously,

[00:30:19] how does this behave with the firewall or switches that we've standardized on?

[00:30:24] Understand all of that.

[00:30:25] Your QoS rules, if you will, does the hardware you're using actually support true

[00:30:33] traffic prioritization without it having to be like you're manually writing rules saying,

[00:30:37] hey, prioritize this above this?

[00:30:39] You should be able to say, hey, enable QoS.

[00:30:41] It's going to know that it wants voice to be prioritized over other data traffic.

[00:30:46] And you're like, ah, but this is a SonicWall.

[00:30:47] No, this is, and it doesn't support that particular obscure protocol being used by your

[00:30:53] amazing web provider that's using a port that security through obscurity.

[00:30:59] They'll never know.

[00:31:01] Yeah, I mean, that's kind of the nice thing for us.

[00:31:05] Being a provider that came from an MSP, right?

[00:31:07] We quickly, obviously, self-servingly, we first built our first one on,

[00:31:12] we were a SonicWall MSP.

[00:31:14] So we first built the template around SonicWall and make sure that everything behaved really

[00:31:19] well and how do we optimize?

[00:31:20] We work with the SonicWall team for that.

[00:31:22] And since then, we've built it out for many of the other firewall providers out there.

[00:31:27] I would ask that question, right?

[00:31:29] Go through the hardware, have a hardware list, understand that.

[00:31:33] And then if you aren't standardizing with your clients,

[00:31:36] like really make sure that that's part of the discovery there.

[00:31:40] Is that going to work here?

[00:31:42] Is it going to work well or is it going to create more headaches before you roll it out?

[00:31:46] Most providers will be pretty good with you.

[00:31:48] Most providers will give you a test environment to test it in and send it out.

[00:31:53] I would suggest running those tests.

[00:31:55] Pop over there after hours, just do a quick run through on a Saturday or

[00:31:59] some of that, make sure it all sounds good, runs well before you roll any out because

[00:32:04] people are not afraid to complain when QoS is not good.

[00:32:08] So I've gone through a few of these over the years.

[00:32:11] I would say in the course of my MSP, I think we probably did,

[00:32:17] I don't know, 30 or 40 VoIP solutions for different that ranged in

[00:32:23] upfront costs of no upfront costs to $125,000 plus upfront costs.

[00:32:32] What I'm reminded of though is the things that we,

[00:32:37] an incoming MSP might not consider is who has LOA,

[00:32:43] the authorization to essentially pick up the phone still,

[00:32:49] call the provider and say, I want to cancel these 10 DIDs.

[00:32:53] I want to add these services.

[00:32:56] You often see this as a really common occurrence when you're dealing just with the

[00:33:00] service provider that's feeding the actual calls themselves.

[00:33:05] So whether it's the cell phone provider that also handles your SIP trunk,

[00:33:09] so Verizon or AT&T, but then there's also all of those Twilio and

[00:33:14] and of course the MSP, if they're doing any of the solution or the VoIP provider is

[00:33:20] only handling the on-prem VoIP services, they're not handling the trunking to the facility.

[00:33:27] Oh boy, you could end up with, you don't have it.

[00:33:30] And I had a strange one.

[00:33:32] I haven't been an MSP now for the better part of eight years.

[00:33:35] I think it's been eight years since I sold.

[00:33:37] And I had one that I was an employee of the company.

[00:33:43] I left that company in 2009.

[00:33:47] I got a call since I've been at CompTIA saying, hey,

[00:33:51] you're okay if we remove you from being the authorized person on this solution.

[00:33:58] And I'm like, so just thinking about that, the liability that was still on me

[00:34:04] because I was still on the list of I could call and say,

[00:34:06] I'd like to add three handsets, please.

[00:34:08] And you can send them to this address.

[00:34:11] I mean, that's a whole other discussion of it.

[00:34:14] It is, but I think it's one of those that I just kind of wanted to reiterate a little bit

[00:34:18] the space that we're in where we take too many of the pieces for granted.

[00:34:24] So coming in as the MSP and seeing a phone on a desk,

[00:34:28] how many MSPs are looking at going, that's something that I need to take responsibility

[00:34:32] for at some level because I'm incurring liability as soon as we ink providing them with managed services.

[00:34:39] And we always talk about it as phones are no different than the electricity

[00:34:43] or the internet that's pumping into the building, right?

[00:34:46] It's an essential service.

[00:34:47] Everyone's going to have it.

[00:34:49] And data flows through it.

[00:34:51] Yep.

[00:34:51] And you can either be a part of it and then you can control the security of it

[00:34:55] and the management of it and make some extra money on it, which is great.

[00:34:59] Obviously, we all want margin.

[00:35:00] But the other end is you can just wait for, you know, you can cross your fingers

[00:35:05] and hope nothing ever blows up.

[00:35:07] But the reality is when something has a blinking light on and electricity

[00:35:11] pumping into it, you're going to get that phone call until it's not working.

[00:35:14] Whether you can tell them that.

[00:35:16] I think that's the important piece, right?

[00:35:19] Like setting up T's and C's to have everybody understand that there is

[00:35:22] some responsibility there.

[00:35:24] Like it is an asset that plugs into the network.

[00:35:26] Like it's not getting dial tone like it should because it has a bad data cable.

[00:35:32] Like those are things that you're going to end up on your plate anyways.

[00:35:35] Yeah.

[00:35:36] And I think when you don't manage it, right?

[00:35:38] You're going to, let's say you have a perfect client who isn't going to call you

[00:35:42] when the phone stops working well.

[00:35:44] They're going to call whoever big box provider here.

[00:35:48] That big box provider first thing that they're probably going to say is,

[00:35:51] oh, it's a network issue.

[00:35:52] You should call the person who manages your network.

[00:35:54] Well, I mean, come on.

[00:35:56] Yeah, that's the whole voice space, right?

[00:35:59] Phone services in general, when it got put on the network,

[00:36:01] no matter what we did, no matter how perfect it was,

[00:36:04] the blame game immediately.

[00:36:06] Yes, the point.

[00:36:07] Yeah, we tested this.

[00:36:11] So we tested it like multiple times you tested it while we plugged it in

[00:36:14] and turned it on and it worked when we set it up and no one was in the office.

[00:36:17] So it can't be a network problem.

[00:36:19] Oh yeah.

[00:36:20] So streaming what services?

[00:36:23] Exactly.

[00:36:24] ISP never gets more excited on a support call to hear that you're using not their router.

[00:36:28] Oh, right.

[00:36:29] Like that's their favorite point of the support call because then they can just say,

[00:36:33] not a problem.

[00:36:34] Good luck.

[00:36:35] Yep.

[00:36:36] Off-arquated?

[00:36:37] Not a problem.

[00:36:37] Yeah, that's often why when they say here's the $5 or $15 monthly rental fee for their router,

[00:36:44] what you're actually saying is for $15 a month,

[00:36:46] I can at least blame them when something goes wrong and the router is in the equation.

[00:36:50] Yep.

[00:36:51] Any last tips on security for VoIP solutions and then if you would tell people where they can find you?

[00:36:59] Yeah, I think the biggest ones, I'll just kind of recap a couple of pieces before you talk about it.

[00:37:04] First one I'm going to hit on is one we just did, which is include VoIP

[00:37:08] in all of your off-boarding for your employees.

[00:37:12] So everything from their CRM access to their PSA access to RMM,

[00:37:18] all of the other tools, make sure that VoIP is on that list.

[00:37:21] If there's any kind of authority, I think that needs to be removed.

[00:37:24] Alert your off-boarding providers that that person is no longer with you.

[00:37:28] If they had any sort of admin access into those tools from a phone standpoint,

[00:37:33] call and standpoint, etc.

[00:37:35] So that's a first and big one.

[00:37:37] Next up is verify, verify, verify.

[00:37:41] It's not uncommon for people to call in that should not be calling in.

[00:37:44] A, it's a waste of time for your techs.

[00:37:46] B, it's a huge liability standpoint.

[00:37:50] MGM learned that the hard way when somebody asked for a password reset, wasn't verified and just

[00:37:54] went on their merry way into the system, shut the casino down for two weeks

[00:37:57] and caused nothing but havoc and dollars.

[00:38:02] So that's an easy one.

[00:38:03] There's a lot of great tools out there to do it.

[00:38:05] Highly suggest you make that part of your process.

[00:38:08] Next one is going to be understand the providers that you're working with,

[00:38:12] the providers you might work with,

[00:38:13] and the providers that your customers are working with.

[00:38:15] Because there's a lot of areas, we hit on at the end here, but it is a piece of the network.

[00:38:21] It's on the network.

[00:38:22] It's always going to live on the network.

[00:38:23] There's nothing you can do about it.

[00:38:25] So you've got to find a good way to make sure that it's not a hole or something

[00:38:30] that's going to cause an issue for you down the road.

[00:38:32] You can do that really simply by understanding,

[00:38:35] we have MSPs all the time call us and they said,

[00:38:37] we understand compliance standpoint where you said,

[00:38:41] we have all those documents ready to go.

[00:38:43] So if your provider doesn't, that's a red flag.

[00:38:49] So definitely make sure that's part of your discovery process.

[00:38:53] And last but not least, it is a service that no matter what,

[00:38:58] they will be calling you on.

[00:38:59] So it's better to manage it upfront and make sure that

[00:39:05] you at least have the control where when something does go wrong or something does

[00:39:09] happen, you've got that LOA to call in and make something happen with the provider,

[00:39:15] get your client back in a good spot.

[00:39:16] So at the end of the day, that's what it's all about, right?

[00:39:18] Make sure the clients are up and running and having a good time.

[00:39:21] Yeah, security is pointless if you can't use the service.

[00:39:25] For sure.

[00:39:27] And where can listeners find you?

[00:39:30] Yeah, easiest way is probably going to be LinkedIn.

[00:39:33] Feel free to email me, astanners@bvoip.com

[00:39:36] or head over to bvoip.com to find out more about us.

[00:39:39] You can find me right there as well.

[00:39:41] All right, sounds good.

[00:39:42] For those of you listening, this has been an episode of MSP 1337.

[00:39:46] Thanks and have a great week.