| π Back to Exam Syllabus | πΊ RooCloud on YouTube | π RooCloud Practice Exams |
CISSP 12.2 - Secure Voice Communications
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series turns Domain 4βs focus to the voice channels businesses still run on. It covers what telephony spans, where the traditional phone network fits today, the truth about VoIP encryption, and the attacks that target both the people on the line and the phone system itself.
What this episode covers
- Telephony β the full set of phone service methods spanning the public network, PBX, cellular, and VoIP, now converged onto the data network.
- The traditional phone network β the PSTN lingers as a backup, a rural-only option, and a last-resort voice line, still worth encrypting.
- VoIP encryption β widely available but rarely end-to-end, with protection usually holding only within a single provider.
- Hardening VoIP β strong authentication, reviewed call logs, blocked international calling, current firmware, and voice-aware intrusion prevention.
- Vishing and phreaking β voice phishing that fakes Caller ID versus attacks aimed at the phone system itself.
- PBX fraud β shared outside lines abused to dodge tolls and hide identity, reined in with cards, restricted dialing, and changed defaults.
- DISA β direct inward system access adds authentication to external PBX connections but only helps once armed, audited, and guarded.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What counts as telephony, and why does it still matter?
Telephony is the whole set of methods an organization uses for phone service, for voice or for data. It covers the traditional public network, the private branch exchange that runs an office, cellular service, and VoIP. Voice used to feel separate from IT security, but the two have converged, with most voice now riding the same network as your data, so whatever threatens the network threatens the call.
Is VoIP encryption really end-to-end?
Encryption is widely available for VoIP but rarely end-to-end. Products from different vendors often only agree on carrying the audio itself, so if your provider encrypts a call, that protection usually holds only when both parties use the same provider. Call someone on a different service and the audio crosses a VoIP-to-PSTN gateway where it must be decrypted, so do not assume the whole path is protected unless you stay inside one providerβs network.
How do you actually harden a VoIP deployment?
Even encrypted, VoIP still faces the usual network attacks and some voice-specific ones, so you layer on familiar controls. Use strong passwords and two-factor authentication, keep and review call logs, block international calling unless a role needs it, and keep firmware current. Consider a trusted cloud service, restrict physical access to voice equipment, train users, block phantom calls, and add a network intrusion prevention system that understands voice traffic.
What are vishing and phreaking?
Both target the human side of voice. Vishing is voice-based phishing, where an attacker uses a call to win trust and pry loose information or access, made cheap by VoIP and helped by faked Caller ID. Phreaking is the older cousin aimed at the phone system itself, where phreakers manipulate telephone services to place free calls, steal features, or disrupt service, and they have followed voice onto mobile, PBX, and VoIP.
How do attackers abuse a PBX, and how does DISA help?
A private branch exchange lets many office phones share a handful of outside lines and often supports remote calling, which attackers exploit to dodge toll charges, hide their identity, hijack voicemail, or reroute calls. Countermeasures include replacing remote dialing with calling cards, restricting dial-in and dial-out, changing default passwords, and logging activity. Direct inward system access, or DISA, adds authentication to every external connection, but only helps once it is well configured, audited, and physically protected.
π Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 12.2 - Secure Voice Communications.