# Cloud Voice Security Guide

Your phone system is a target. Threats reach it from two directions: across the public Internet and over your telephone lines. Attackers spend their time hunting for a way in, and if they succeed they place fraudulent calls at your expense, pocket the revenue those calls generate, and leave you holding an unexpectedly large bill. This guide explains where those threats come from and how to harden your Cloud Voice system against them so you can keep toll fraud to a minimum.

:::note
A few terms used throughout this guide:

- **PBX** (Private Branch Exchange): the system that runs your organization's phone service. It routes internal and external calls, manages extensions, and connects you to the public phone network.
- **Toll fraud**: what happens when an attacker uses your phone system to place calls you get billed for, often to expensive international or premium-rate numbers.
- **Port**: a numbered doorway on your network that a service listens on. A port that is reachable from the Internet is described as "open."
- **Firewall**: the barrier between your network and the outside world. It decides which traffic is allowed through and which is blocked, and it is usually the first defense an attacker has to get past.
:::

## How attackers break into a phone system

Most intrusions begin with automated reconnaissance. Attackers run scanning tools that sweep the Internet looking for weak points in an organization's network defenses, with open ports being a common giveaway. When a scan turns up an exposed port, the attacker probes it, sending crafted requests to coax out details about how the system is configured and where it might be vulnerable.

:::caution
Open ports are the first thing an automated scanner looks for, and every port you expose to the public Internet is a possible way in. Leave only the ports your service genuinely needs reachable from outside, and keep everything else closed.
:::

Piece by piece, that information adds up. Armed with enough of it, an attacker can mount a brute-force attempt against your firewall (rapidly trying many passwords or requests until one gets through) and eventually force their way past it. Once inside, they reach the PBX itself, plant a hidden back door so they can return whenever they like, and begin pushing call traffic through your system. Left unchecked, this is exactly how toll fraud runs up a costly bill.

![Diagram tracing how an attacker moves from scanning the Internet for open ports to breaching the firewall and reaching the phone system](/images/pbx/fraudster-attack.png)

## How to defend against breaches and toll fraud

There is no way to make a phone system perfectly secure. Your communication needs keep changing, and the techniques attackers use keep evolving right alongside them, so new weaknesses will always appear. What you can do is shrink your exposure through steady, deliberate effort: stay aware of the risks, take preventive action before problems occur, and audit your configuration on a regular basis.

The most effective way to stay protected is to build your defenses in layers. Rather than relying on a single safeguard, you combine several independent protections so that they reinforce one another. The advantage of this approach is resilience: if an attacker manages to defeat one layer, the layers behind it are still standing and continue to guard the system.

![Illustration of stacked, independent security layers, each providing protection even if another is bypassed](/images/pbx/multi-layered-protection-pce.png)

:::tip
Security is an ongoing practice, not a one-time setup. Revisit your configuration periodically and treat regular audits as part of routine maintenance.
:::
