The first part of this discussion covered the simple things an IT department should be doing to protect its IT infrastructure, period. Today we will focus on the VoIP security actions a business should perform. The first is to understand that there are multiple levels of security required: the infrastructure, call management, endpoints and applications. For each level, tools already exist to manage and secure IP communications, whether data, voice or both. If your data traffic is exposed due to lax administrative process and weak authentication, then your VoIP traffic will be exposed in a similar fashion.
VoIP does not necessarily expose the business to new attacks. Rather, the expanding use of VoIP expands the interest and the universe of hackers who want to try. Moreover, since the SIP and Universal Communications standards are open, they become alluring targets for hackers.
One company in the Dallas area, Sipera, has had Broadvox over to see the work they are doing to strengthen security for the business. They put on a very interesting demonstration that pointed out one clear thing: the onus for securing IP communications begins at home, within the enterprise. In fact, Sipera produced a list of five threat predictions for the IP ecosystem (service providers, OEMs, VARs, IT managers and users) to consider:
1. Denial of service (DoS) and distributed DoS attacks on VoIP networks will become an increasingly important issue. One of my personal favorites is the INVITE of Death. Nasty name, but an attack that is easily thwarted.
2. HTTP services running on VoIP endpoints will be exploited for eavesdropping. Securing IP endpoints begins with managing access to the phones, softphones, laptops and other IP-enabled devices.
3. The hacking community will turn its attention and tools towards Microsoft OCS - taking advantage of its UC connections to public IMs, email addresses and buddy lists to create botnets and launch attacks. As well, enterprise federation for OCS, a major productivity and business process enabler, will be a source of greater VoIP security risk since it exposes once closed networks to the risks found in other federations.
4. Hackers will attack more IP PBXs with vishing/phishing exploits.
5. VoIP attacks against service providers will escalate, attempting to spoof identities and use illegal accounts to launch a variety of attacks.
Sipera is not alone in building a business to provide IP security. VoIPshield is another interested party in exposing and overcoming vulnerabilities related to VoIP. However, I cannot repeat this often enough: if you have adopted a "best practices" approach to managing your existing IT infrastructure, then the migration to or adoption of VoIP/SIP Trunking will not increase your risk. In general, customers are far less likely to be victims of interception or spoofing when employing a VoIP system than they are when using a PSTN or cellular phone system.
Tomorrow, security and the service provider...