
  • 7/24/2019 e Book Why Voip Security is More That Just an It Risk 83791


Why VoIP Security Is More than Just an IT Risk

    by Jon Arnold, Principal, J Arnold & Associates

    November 2013

    When Being Compliant Does Not Mean Being Secure

    Executive Summary

Security may not be the first thing that comes to mind when you think of VoIP, but if it is not near the top of your list, you could be exposing your business to significant risks. The reasons for this are both complex and simple, but there is no question the issue of VoIP security will become more pressing as enterprises accelerate their adoption of IP telephony along with its umbrella cousin, Unified Communications (UC). Not only are these technologies being deployed to make communications more effective, but also to integrate with business processes that impact overall operations and workflows to increase employee productivity.

This e-Book has been developed to educate IT and executive teams about the nature of VoIP, both in terms of its benefits and potential risks. Perhaps more importantly, the objective is to reframe the thinking within enterprises to view VoIP security more as a business risk than a risk contained within the IT sphere. One need look no further than the recent vulnerability updates made by Cisco for Call Manager as evidence that these risks are more real than perceived.

A key reason for this view is that VoIP along with UC provides significant business value that goes beyond reducing telephony costs.

When tied to business processes, VoIP and UC can transform your operations by improving productivity, shortening decision timeframes, curtailing travel, and improving customer satisfaction. However, for these benefits to be realized, the underlying network environment must be secure, and in most enterprises this is simply not the case when it comes to VoIP.

Whether or not your business has experienced a VoIP security breach, the associated threats and vulnerabilities are real and are becoming more sophisticated in order to stay a step ahead of today's security frameworks. In fact, your network may already have been compromised, and hackers could quietly be monitoring your activity until the right moment, when they detect a VoIP-enabled vulnerability.

A key takeaway from this e-Book is that being compliant does not mean being secure, so do not assume that a clean bill of health from your latest IT security audit makes your business immune from threats.

Building on that, our intention is to broaden your understanding of the issues, as you will need a core knowledge base to develop an effective security plan and adopt appropriate solutions to protect your network and business, and to be compliant.

    Introduction

The adoption of VoIP by enterprises has been underway for some time, and as its value is being realized, this trend is accelerating. While this is good news for VoIP vendors and service providers, the related network security implications have received little consideration. Having closely tracked VoIP since 2001, J Arnold & Associates is attuned to the inherent vulnerabilities that make VoIP a target for a growing array of security threats. Our view is that the associated risks to both businesses and networks are not properly understood either.

To validate this, we have undertaken independent research across the market, including senior enterprise IT personnel, executive management, audit practitioners, security vendors, information security consultants, and service providers. This industry-based perspective has provided a balanced base of learning upon which this e-Book was written. J Arnold & Associates conducted in-depth personal interviews during June-July 2013, and while the results are qualitative, the sources are highly informed and we believe that, collectively, they accurately reflect the broad state of thinking about VoIP security.

[email protected] | www.voipshield.com

Our overall objective is to educate the market about the realities of VoIP security, and how, under present conditions, enterprises cannot derive full benefit from VoIP as well as from the broader scope of IP communications now integrated under the banner of Unified Communications.

When the vulnerabilities posed by VoIP are properly understood, enterprises will be better able to manage the threats and safely exploit VoIP for its business value. A full understanding will also help ensure compliance with relevant information security as well as control and privacy standards.

We begin with an analysis of six elements that were distilled from our research, and explain their importance as well as the role each can play in improving the overall understanding of VoIP security. Following this is a prescriptive action plan and possible solutions enterprises can adopt to move down that path.

Today's Changing ICT Security Landscape

    Opportunities and Risks Posed by VoIP

There is good reason why VoIP has transformed the telecom industry for the better, and that impact is now registering with enterprises. Just as there is more to VoIP than cost savings, there is more to IP communications than VoIP. Businesses can easily justify the move to VoIP on economic grounds, not just for lower telephony costs, but also for streamlined network operations.

Converging voice and data onto this streamlined network environment creates new value that Unified Communications is just starting to address, especially when tied to Communications Enabled Business Processes (CEBP). This adds a layer of strategic value to VoIP as well as to the broader suite of IP communications supported by UC, all of which are now running over enterprise data networks.

Legacy telephony is being displaced largely because it stopped evolving and could not match the business value and innovation provided by VoIP. From its modest roots as a hobby technology, VoIP has matured considerably, and riding the wave of the broadband revolution, it is now poised to be the standard for business telephony.

VoIP's ascendancy has been slow and enterprises are only just beginning to tap its potential, not just because it is relatively new, but also due to some realities that are not well understood. Legacy telephony took many decades to perfect, and VoIP is not yet fully standardized as a technology. More importantly, with telephony now moving over to the data network, it no longer has the protection offered by the dedicated voice network used to support your legacy Private Branch Exchange (PBX) infrastructure.

These changes add up to new opportunities that legacy telephony could never deliver, but along with them come new risks as enterprises migrate to IP-based communications.

With VoIP, telephony becomes a data application, and without appropriate measures in place several risks become very real: business risk, technology risk, financial risk, network risk, security risk, and compliance risk.

Our industry-wide research supports the main message of this e-Book: the vulnerabilities and risks are not well understood and, if not addressed, the benefits of VoIP will not be fully realized, and an insecure deployment may indeed cause significant operational, financial, and regulatory problems.


While the mainstream media have created awareness about the threats posed by the Internet to the general public, very little is heard about what can and does happen in the business world. Large-scale breaches and exposés such as WikiLeaks, Stuxnet, as well as the recent actions of Bradley Manning, Edward Snowden, and others are everyday news. This raises fundamental questions about privacy and information security on the Web. Not only are these problems happening with greater frequency, but the growing sophistication of attacks means they will occur without warning, with rapid impact, on a larger scale, and against increasingly sensitive targets.

Since a great deal of IP communications touches the Internet, especially VoIP, enterprises can be just as vulnerable as consumers who unwittingly open an email containing malware, or government agencies with lax controls over data access.

VoIP has become subject to an ever-expanding class of security threats, many of which are targeted specifically at enterprises that have access to credit card and other personal information (such as contact centers and customer service departments), as well as at critical infrastructure (such as power grids and communication services) and first responders. For more information about common enterprise VoIP security threats, please refer to the Appendix.

Figure 1 illustrates attack points in an enterprise environment at a high level, with typical VoIP-based vulnerabilities flagged by red triangles. Voice-enabled endpoints that did not exist when telephony operated separately from the Local Area Network (LAN) provide pathways into the network. In short, VoIP poses unique security challenges that do not apply to other data streams or modes of IP communications.

As Figure 1 also illustrates, most of the vulnerabilities are at the network perimeter, and given the variety of possible entry points, effectively securing VoIP is a complex challenge. In addition to conventional threats that have long existed with IP PBXs, such as toll fraud, message tampering, and eavesdropping, VoIP exposes the network to new threats, several of which can be debilitating for your entire business, such as Telephony Denial of Service (TDoS) attacks, data theft, identity spoofing, Quality of Service modification, and email hacking.


Figure 1: VoIP Vulnerabilities in the Enterprise Network Environment


    Realities and Challenges

To properly assess the nature and scope of the risks posed by VoIP, six elements need to be considered. These elements were distilled from our research, and represent distinct touch points that must be understood to effectively mitigate risk and enable VoIP to provide full value to your business. Key realities and challenges for each are summarized as follows.

Element #1 - VoIP Technology

As a technology, VoIP is not mature or standardized enough to be effectively incorporated into the Information and Communications Technology (ICT) frameworks that drive compliance for network security. Essentially, this means that security compliance for VoIP is voluntary rather than mandatory, leaving it out of scope for most security audits.

VoIP is a blind spot in the IT infrastructure, which makes your IT assets and networks more vulnerable. While VoIP is often associated with telephony, the IP PBX and associated voice traffic are not typically the targets; rather, they provide access to corporate information or the LAN, since VoIP runs over the same network as all the other data applications used to drive the business.

IT security breaches attributable to VoIP are not yet widespread, but that is changing as VoIP adoption grows and hackers prey on vulnerabilities created by a lack of understanding of the risks, and of the consequent need for best practices to address the threats.

VoIP is much more than telephony, and when the broader scope of IP communications is considered, the operational benefits and strategic value are compelling. While VoIP has inherent value in reducing telephony costs, enterprises typically use it as a stepping stone to Unified Communications and the ability to support real-time multichannel interactions. These capabilities can have a transformative impact on operations, processes, and customer experiences, but they also mean that the impact of VoIP's security vulnerabilities goes well beyond the IP PBX to other applications such as softphones, video chat, Web-based VoIP, smartphones, and tablets, extending beyond the office to home-based and remote locations.

Element #2 - Hackers

The hacker community is diverse, ranging from hobbyists working alone, to sophisticated criminal operations, to state-sponsored cyber-espionage cells. Since VoIP still lacks standardization, the onus is on organizations to defend their network, and given the diversity of the hacker community, this task is very challenging.

Since its inception, the Internet has been rife with security vulnerabilities and privacy exposures, making trust difficult to establish. The anonymous and porous nature of the Web is ideal for hackers. Enterprises must be particularly alert with VoIP, since a great deal of IP PBX traffic traverses the public Internet, creating a new security vulnerability that did not exist when legacy telephony ran over a dedicated voice network.

The motives of hackers are as varied as the community itself. Some will target VoIP specifically for toll fraud, but more likely it will be their point of entry for other forms of malicious activity, such as disrupting operations, identity theft, financial theft, corporate espionage, or support for political agendas.

Hackers are usually at least one step ahead of what the enterprise can defend. While VoIP may not be very attractive financially beyond toll fraud, hackers are looking for other ways to monetize corporate data, and when they find them their attacks will become more brazen and targeted. Since VoIP currently poses limited financial risk, security measures are limited as well, and if this continues, IT will only have reactive, after-the-fact options when more serious threats strike. The coming storm in network security threats should not be underestimated. Not only can hackers cause financial loss by accessing corporate data and bank accounts through a VoIP breach, but some would not hesitate to use the same breach to launch Denial of Service attacks. By constantly flooding your network with messages through that breach, they can disrupt or even shut down operations, and will only stop once they have extracted ransom payments from you.

Related to this is the growing complexity of enterprise networks, making it virtually impossible to plug every hole in the dike. Sophisticated hackers can always find a point of entry, sometimes with minimal effort, especially if basic security measures for VoIP are not followed.

Organizations are blind to intrusions via the VoIP channel; they may already have been attacked and not know it. For example, traditional Intrusion Prevention Systems (IPS) have no VoIP endpoint visibility, so the source of the intrusion remains undetected. The intruder has assumed the legitimate user's identity, permissions, and resulting application access.

Hackers may be monitoring your network without your knowledge, just waiting for a port to be left open, or may already have penetrated and compromised your network and be waiting for the right time to attack.
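As an added example (not part of the e-Book, and not any vendor's product code), the checks below run over a constructed SIP signalling log and flag the threats named in the perimeter discussion above and in this element: REGISTER brute force against extensions, a successful registration for an extension from an address never seen for it (the hijacked-identity case that a conventional IPS with no notion of SIP users does not see), INVITE floods as a TDoS signal, and accepted international calls outside business hours as toll-fraud candidates. The log format, the sample records, the extension-to-address baseline, the 00/+ international prefix and the 08:00-18:00 business hours are all assumptions for illustration; a real PBX, proxy or SBC log will need its own parser.

```python
"""Detection checks over a constructed SIP signalling log (added example).

Hypothetical log format, one whitespace-separated record per completed transaction:
"<ISO timestamp> <source IP> <method> <extension> <destination> <final code>".
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class SipEvent:
    ts: datetime
    src_ip: str
    method: str   # REGISTER, INVITE, ...
    ext: str      # extension (From user)
    dest: str     # dialled number for INVITE, "-" otherwise
    code: int     # final SIP response code of the transaction


def parse_log(text: str) -> List[SipEvent]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, method, ext, dest, code = line.split()
            events.append(SipEvent(datetime.fromisoformat(ts), ip, method, ext, dest, int(code)))
    return events


def register_bruteforce(events: Iterable[SipEvent], threshold: int = 5) -> Dict[str, int]:
    """Source IPs with at least `threshold` REGISTERs that ended in 401/403:
    extension guessing and password spraying against an IP PBX look like this."""
    fails = Counter(e.src_ip for e in events
                    if e.method == "REGISTER" and e.code in (401, 403))
    return {ip: n for ip, n in fails.items() if n >= threshold}


def unexpected_registrations(events: Iterable[SipEvent],
                             known: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Successful REGISTERs for an extension from an address not in its baseline:
    the intruder has taken over a legitimate user's SIP identity."""
    return [(e.ext, e.src_ip) for e in events
            if e.method == "REGISTER" and e.code == 200
            and e.src_ip not in known.get(e.ext, set())]


def invite_floods(events: Iterable[SipEvent], window_s: int = 10,
                  threshold: int = 20) -> Dict[str, int]:
    """Per source IP, the most INVITEs seen inside any `window_s`-second window;
    a burst at or above `threshold` is a TDoS signal."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.method == "INVITE":
            by_ip[e.src_ip].append(e.ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):       # sliding window over sorted timestamps
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def toll_fraud_candidates(events: Iterable[SipEvent],
                          business_hours: Tuple[int, int] = (8, 18)) -> List[Tuple[str, str, str]]:
    """Accepted (200) international INVITEs outside business hours. The 00/+ prefix
    is an assumption about the dial plan; the hours are a tunable policy."""
    start, end = business_hours
    return [(e.ext, e.dest, e.ts.isoformat()) for e in events
            if e.method == "INVITE" and e.code == 200
            and e.dest.startswith(("00", "+")) and not start <= e.ts.hour < end]


def build_sample_log() -> str:
    """Constructed sample records, not captured traffic."""
    lines = [f"2013-11-04T02:14:{s:02d} 203.0.113.9 REGISTER 1001 - 401" for s in range(6)]
    lines.append("2013-11-04T02:14:09 203.0.113.9 REGISTER 1001 - 200")          # guess succeeds
    lines.append("2013-11-04T02:31:40 203.0.113.9 INVITE 1001 0025312345678 200")  # 02:31, international
    lines += ["2013-11-04T09:00:12 10.0.0.21 REGISTER 1001 - 200",               # normal LAN activity
              "2013-11-04T09:00:15 10.0.0.22 REGISTER 1002 - 200",
              "2013-11-04T10:15:00 10.0.0.22 INVITE 1002 5551234 200",
              "2013-11-04T11:00:00 10.0.0.22 INVITE 1002 004420712345 200"]
    lines += [f"2013-11-04T14:00:{i // 5:02d} 198.51.100.7 INVITE 9999 1000 503"
              for i in range(25)]                                                 # 25 INVITEs in 5 s
    return "\n".join(lines)


KNOWN_REGISTRATIONS = {"1001": {"10.0.0.21"}, "1002": {"10.0.0.22"}}  # assumed baseline


def run_checks(text: str, known: Dict[str, Set[str]]) -> dict:
    events = parse_log(text)
    return {"bruteforce": register_bruteforce(events),
            "unexpected_registrations": unexpected_registrations(events, known),
            "invite_floods": invite_floods(events),
            "toll_fraud": toll_fraud_candidates(events)}


if __name__ == "__main__":
    for name, finding in run_checks(build_sample_log(), KNOWN_REGISTRATIONS).items():
        print(f"{name}: {finding}")
```

On the sample the four checks tie together into one story: the outside address fails six registrations for extension 1001, succeeds on the seventh, and within twenty minutes places an international call at 02:31; a second outside address sends 25 INVITEs in five seconds. The legitimate 11:00 international call from the LAN is deliberately not flagged, which shows the trade-off the business-hours policy makes; a stricter deployment would whitelist destinations per extension instead. Note that the brute-force check assumes the log records each registration attempt's final outcome, since a SIP registrar normally answers every first REGISTER with a 401 challenge.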

Element #3 - Enterprise IT

Regardless of current threat levels, both real and perceived, the value proposition for IT security is challenging to sell to management. Enterprise IT needs to protect the network and meet compliance requirements at a reasonable cost, but must also balance this against management's need for employees to be as productive as possible. Onerous security measures may make the network more secure, but are just as likely to make UC applications less user-friendly. If this prevents IP communications tools such as VoIP from delivering full value to the business, the return on investment (ROI) for VoIP security solutions will be difficult to demonstrate.

Enterprise IT faces both a knowledge gap and higher priorities when it comes to VoIP security. Many IT departments are still rooted in the legacy world and think of VoIP as telephony rather than as a data application. Legacy telephony poses few security risks, but VoIP is the exact opposite if left unchecked. This level of understanding varies widely by industry, and where it is low, there is a tendency to ignore the threats and simply hope no major breaches occur.

Chief Information Officers (CIOs) have security compliance obligations that take attention and budget away from the actual threats aimed at their network. Since VoIP is only nominally contained in the compliance envelope, it will typically only get their attention after the fact, when it has become the pathway for the latest breach.

As "do more with less" becomes the new normal for enterprise IT, resources are primarily consumed by fire fighting and keeping the network operational for everyday needs. This leaves little for being proactive and focusing on prevention, and with that comes acceptance of a base level of compromise on network security. With hackers one step ahead of all but the most visionary IT teams, the aforementioned knowledge gap truly elevates the level of risk with VoIP. To effectively manage these risks, IT needs to think differently and adopt best practices for prevention.

The workplace is changing in ways that pose new challenges for IT, many involving IP communications. One key trend is the decentralization of the workplace, where employees are increasingly working offsite, for instance from home, their cars, airplanes, hotels, and client sites. These scenarios provide one of the strongest use cases for Unified Communications, allowing businesses to adopt virtual models, optimize office space, and be more responsive to customers. The IT challenge, however, is one of enabling all this in a secure environment. The more distant endpoints become from the LAN, the harder it is to control access. Moreover, a great deal of this VoIP and UC traffic will be carried over the public Internet, and often across insecure Wi-Fi connections. Offsite worker productivity depends on these factors, but the associated network risks must be understood and addressed.

Moving from offsite to onsite, BYOD (Bring Your Own Device) is another trend with similar implications. The main difference is that employees are using these devices, applications, and networks to be more productive at the office. Of course, they are also using them offsite, but the main issue is that by virtue of owning these devices, employees feel entitled to use them as they see fit. This often means they are not used with consideration of how the enterprise as a whole may be impacted. There are many aspects to this, but the key IT challenge lies in developing a security plan that addresses the risks without looking like Big Brother. Currently, many IT departments are having BYOD forced upon them, and by developing policies on the fly, they are sure to miss many threats that a proactive plan would anticipate.

On a strategic level, there is a distinct IT challenge not just in understanding the threats around VoIP well enough to develop a sound security plan, but also in implementing it effectively. Data breach reports consistently show how vulnerable IP PBXs are, and if that remains true, IT has a long way to go in addressing the broader scope of IP communications, of which VoIP is just one application. Presuming IT can get there, the next challenge calls for implementation in a way that does not draw undue attention. This must be done carefully, and perhaps in stealth mode, otherwise employees may become anxious about having been targeted by hackers. There is also the Big Brother aspect to consider, as IT does not want to create the climate of distrust that a heavy-handed security plan may imply. Furthermore, any such anxiety is sure to be detected by hackers, raising a red flag that your network is tightening up. Some will choose to strike immediately, before measures are in effect.

    Element #4 - End Users

Employees play an important role in VoIP security because they often control the endpoints that are points of entry for attacks. Not only are they the drivers of internal threats to network security, but as end users they are also often the targets of external threats. In terms of internal threats, there are two forms: unintentional and intentional. The former is a mix of accidental actions that invoke threats, such as forwarding emails with sensitive data to a group list that may include inappropriate contacts, or unwitting actions, such as opening a voice message embedded with malware. Intentional internal threats arise from disgruntled employees who may use VoIP as a vehicle to disrupt operations, engage in fraud, or share sensitive data with competitors.

In terms of external threats, end users pose a major security challenge by serving as easy targets for hackers. Despite the shortcomings of IT security described herein, on a broad scale it serves as a fairly effective deterrent. Rather than trying to bridge this large security moat, many hackers simply find it easier to gain access by targeting individuals with a low protection threshold. With so much personal information posted online now, hackers often use social engineering to lead them to weak points for network access, such as the IP PBX.

Even the best IT security regimes will be undermined by an end user if too much is asked of him or her. Most people have trouble managing all their passwords and user names, and if authentication for network access requires too many steps, they may not bother using the application or will revert to the default settings. While the path of least resistance seems easier, this makes them easy marks for hackers. By nature, people will protect things of value, and for this reason employees are fairly diligent about updating their email credentials. Most, however, do not see VoIP the same way, nor do they view their desk phone as a security risk. Employees are very much part of the solution for VoIP security, and IT must recognize the need to make it as simple and transparent as possible.


Related to the above is the simple fact that end users are not the experts when it comes to properly securing IP communications and endpoints. They may be quite tech savvy and familiar with the applications, but this is usually in the context of personal usage. With BYOD, employees may think they are using their mobile devices responsibly, but in fact they are not doing so at an enterprise-wide level, and this is where they may be exposing the business to many forms of risk. IT has a broader mandate, and getting employees to understand that is another aspect where education is needed to better manage VoIP security.

Element #5 - Executives

First and foremost, research indicates that senior executives view network security in financial terms. This reality means that so long as VoIP poses little financial risk, it will remain a low priority. Toll fraud is a common form of financial risk with VoIP, but is too minuscule to change their thinking, and other forms happen too infrequently (at least for now).

Executives see security as the domain of IT, impacting the network but not the business itself. Given how embedded communications technologies are becoming in business processes, and the very real potential for network threats to disrupt operations, this mindset is out of sync with current realities. Aside from network risk, these threats clearly represent business and financial risk and, as with end users, IT needs to better educate this stakeholder group about the risks posed by VoIP and IP communications.

Most management teams will be followers rather than leaders when it comes to network security. Rather than trying to understand and address specific types of risk posed by VoIP, they will be more likely to invest in broader security efforts that keep them on par with their industry peers. This will lead them to support security initiatives that are easily measured within existing compliance frameworks, rather than focus on VoIP, where they have little guidance from the regulatory and audit community. Furthermore, management has little incentive to improve security beyond their peers, and unless someone suffers a serious breach or takes a leadership position with VoIP for competitive advantage, they will not likely pay it much heed.

Executives are also end users, and it is worth noting that they can be one of the greatest enablers of VoIP security threats. Aside from being at the forefront of BYOD adoption, their rank provides them access to the most sensitive corporate data, wherever they are and whenever they need it. Add to this their general disregard of, or lack of inclination to use, even basic security precautions, and you have an extremely attractive target for hackers.

Element #6 - The Audit and Compliance Community

In terms of VoIP, ensuring that minimal IT compliance requirements have been met will likely create a false sense of security. Most known VoIP threats are not specifically addressed in business risk or information technology risk frameworks (such as COBIT) or security implementation standards (such as ISO/IEC 27002), so they may not be specifically addressed during the security audit process. Perhaps more concerning is that other vulnerabilities related to IP communications are not yet known or have not yet materialized. Hackers will target your network for a variety of reasons, and knowing that VoIP can be a weak link, they will continue devising new threats, making it impossible for any security system to be bulletproof. As such, one of the strongest conclusions from our research is that being compliant does not necessarily mean being secure, and vice versa.

Related to this, existing security standards are effective at addressing threats in mature, standards-based spaces such as payment card handling under the Payment Card Industry Data Security Standard (PCI DSS), but less so with VoIP, which is much newer on the security horizon. One reason is that VoIP has not yet become standardized, which makes it difficult to understand its role in supporting business processes, along with prescribing specific requirements to make it secure. As a result, VoIP has not been part of the security agenda or the audit mandate. Given how rapidly VoIP traffic is growing on enterprise networks, this is not a tenable position, and it introduces a form of risk that was not present with legacy telephony. One caveat: where cardholder data is spoken or keyed in during a call, PCI DSS already brings the systems that transmit that call into scope, so a contact center's VoIP path is one place where this form of risk does reach the audit mandate today.


The audit community tends to view VoIP as a PBX issue where it will only have a localized impact on the telephony system. Not only does this limit the focus to one type of network endpoint, desk phones, but VoIP is also just one mode in the spectrum of IP communications. When enterprises deploy Unified Communications and other modes and applications such as video, mobility, and conferencing, they create or inherit the same vulnerabilities, meaning that security exposures now extend well beyond the phone system and your PBX. While UC can truly enhance productivity and business processes, its absence from the risk agenda contributes to the aforementioned false sense of security.

Another challenge facing this community is finding the right balance of inclusion for VoIP relative to the risks posed to the enterprise. Since VoIP is not well understood and lacks standardization, both audit practitioners and IT executives have difficulty measuring the risks and providing guidance on the appropriate level of effort needed to manage them. In the current environment, this reality will likely persist as compliance requirements become more demanding, expensive, and resource-intensive. Auditors are conscious of the need to keep the compliance process manageable without impinging on operational effectiveness, and will be more comfortable focusing on areas of risk that are well understood and have a measurable impact on the business.

The overall implication for the audit community is that by viewing VoIP as a PBX issue, the associated risk is deemed nominal, making it a low priority or non-issue in terms of security compliance. Unfortunately, enterprises will likely need to experience some large-scale and damaging security breaches caused by VoIP vulnerabilities to get this form of risk on the compliance agenda. The audit community can certainly play a proactive role here by including VoIP in IT and network infrastructure audits and assisting IT to connect the dots between VoIP and business value.

    Implications

Various stakeholders and communities have distinct challenges, realities, and interests when it comes to VoIP security. Each needs to be understood on its own terms, and from there the interrelationships must also be considered. An effective response to VoIP security requires that all six elements be addressed and engaged at some point along the way. To gauge the bigger picture and strategic-level issues around VoIP security, consider the following:

Your home

To ensure family safety you may deploy a variety of security measures, such as deadbolts, steel doors, window bars, alarm systems, video surveillance, and motion sensors. Yet most people never feel 100% safe, and intruders keep devising new ways to bypass these deterrents, such as entering through the roof or ductwork or even using brute force to perform home invasions.

Critical Infrastructure

Think about what the Department of Homeland Security focuses on: control systems that keep airports running, financial markets open, and utilities operating. On a local level, this applies to 911 and associated emergency services: police, fire, and hospitals. As important as home security is to your family, these services are equally vital to the government and society at large. They simply cannot be compromised, and with so much at risk, appropriate measures have been taken to ensure 24/7 security.

In both of these environments, known threats have been addressed quite well, but new tools are constantly being adopted as unknown vulnerabilities and threats become better understood. Neither environment can be 100% secure 100% of the time, but the threats are taken seriously and the high levels of risk that would come with a breach dictate the investment in security. They may not totally understand the risks posed by VoIP, but awareness of its potential is growing, and with that will come a willingness to add VoIP to overall security regimes.


Enterprise networks are of a different mindset when it comes to VoIP security. Other forms of data security may be well addressed by enterprise IT, and compliance requirements have a lot to do with that. When it comes to VoIP, however, most enterprises are either lacking in understanding, or will minimize the risk potential for a variety of reasons.

The comparisons are presented here because all these environments use VoIP to varying degrees, and this creates vulnerabilities that were not present with legacy telephony. Without compliance frameworks requiring VoIP to meet certain security standards, enterprises must first understand the associated vulnerabilities and threats and then start thinking about the risks like we do in these other environments.

This takes us back to the fact that VoIP is relatively new and not yet standardized. Security and safety are rarely first principles guiding innovation, and VoIP is no exception. VoIP emerged in 1995 when the Internet was still in its infancy and the limitations of dial-up service pretty much ruled out malicious activity, so there was little need to consider security. In fact, the automobile industry provides a telling parallel.

Cars did not become mainstream until the highway system was built, and seatbelts were not mandatory in the United States until 1968. For the better part of the first 70 years of automobiles, the risk factor of seatbelts was not deemed high enough relative to the inconvenience. Today, this would be unthinkable, but it took many decades for the auto industry to adopt safety standards to address both a very real risk and a growing set of threats as cars became faster and carried more passengers. VoIP is no different, and in time will become fully standardized.

The threats posed today may be relatively minor, but just as automobile risk levels elevate with drunk drivers, they rise for enterprises with VoIP as more people use it without regard for security, and as long as it remains a low priority for IT, executives, and the audit community.

The Way Forward

While VoIP holds both promise and risk, there are effective solutions that speak directly to the problems but will not compromise its value to the business. However, before those solutions can be implemented, a change in thinking is needed, not just within IT, but also among the other stakeholders addressed in this e-Book. Education and awareness of the basic problems are good starting points, but you must also understand how and why thinking needs to change.

For those who see no such need to change or educate, there are three effective but impractical solutions you can take to mitigate VoIP security risks:

1. Do not migrate to VoIP, or shelve your VoIP deployment and revert back to Time-Division Multiplexing (TDM). This would be a drastic and disruptive measure and would be almost impossible to get support for. The higher costs of TDM service and supporting a dedicated voice network alone would rule this out, not to mention the phasing out of support for legacy systems from vendors. Even more important is taking a large step backwards in communications efficiency and losing all the benefits associated with VoIP and UC. On the other hand, the risks around VoIP effectively disappear, but this would be a heavy-handed, shortsighted rejection of technology that is serving businesses very well.

2. Run all VoIP and IP communications traffic over a segregated network. This would certainly solve the problem, but it defeats the purpose of network convergence. Extending this across the business will not be practical, especially if operations are highly decentralized. Network-wise, this would also take you back to the TDM model, making it very difficult for IT to add value to business processes with today's communications tools.


3. Only run this traffic over a VPN and have VoIP fully encrypted. This again provides a highly secure approach, but also is not practical. IT will not be able to cost-justify such an extensive use of the Virtual Private Network (VPN), especially when better solutions are available, namely those outlined in the next section. Encryption will also be expensive on this scale, but equally concerning would be the potential latency that can degrade the VoIP experience.

Thinking Differently About VoIP Security

Most businesses are forward-thinking enough to seek better solutions so they can securely benefit from all that VoIP has to offer. That thinking, however, must be aligned with the interests of the various stakeholders into a shared vision for VoIP security. To accomplish this, consider the following five ways that businesses need to think differently about VoIP security:

1. Focus on prevention rather than treatment

VoIP vulnerabilities and threats evolve too quickly for IT to keep on top of everything. Efforts are better applied in understanding known vulnerabilities and developing effective solutions for them. Unknown vulnerabilities require a different response, and when both are in place, IT will be much better prepared for VoIP security threats. However, this can only happen with a basic change in thinking about how to respond to these vulnerabilities and threats.

2. Think about VoIP as a form of business risk

At face value, VoIP's virtue comes from lowering the cost of telephony and adding new features. However, with voice service becoming a commodity, there is little strategic value attached to VoIP, and it is viewed as solely in the realm of IT. Management needs to see how VoIP touches all aspects of operations and can add value to business processes. In that light, when VoIP becomes the enabler of security threats, there are both technology risks and business risks, with the latter being far more damaging.

3. Think about how VoIP benefits the business

This message applies not just to management, but to IT and the audit community. Nobody will question the need to keep the IP PBX secure and toll fraud in check, but there is greater value in securing VoIP to ensure business continuity and streamline business processes. This has distinct implications for each stakeholder group, but only if they view VoIP as being more than low-cost telephony.

4. View security as an integral part of business processes

Too often, network security has been ad hoc or an afterthought following the deployment of new technology. VoIP and UC can add significant value here, but only with effective security behind them. While compliance frameworks are often built around supporting business processes, they hardly touch on communications technologies, and bridging that gap is another example of how enterprise thinking needs to change around VoIP security.

5. Recognize that threats are real, not just perceived

There may be truth to both states of mind about VoIP, but taking the ostrich approach and hoping nothing bad happens is just a blind denial of reality. Even worse is a dismissive approach that does not take these threats seriously, or the belief that cursory measures will be sufficient. Our research also shows a tacit acceptance in some cases where breaches are tolerated, but not at a level where the requisite security measures are deemed worthwhile.

Even though fear is a powerful agent of change, we are not advocating this as the driver to rethink your VoIP security. Taking ownership and responsibility for VoIP security is a far better response, especially when built on a foundation of knowledge. The business case becomes even stronger if the financial impact of these risks can be quantified and then measured against the investment needed in proper VoIP security. However, this can only begin when there is acceptance that a problem in fact exists.


VoIP Security Solutions

Given that VoIP is not well understood as a technology and that the threat landscape is constantly shifting, you need to start from the position that this is an ongoing challenge, and that the risks will only intensify as adoption grows. From there, you must determine where VoIP fits in your overall network and security plan and who will drive these plans. If IT takes a PBX-centric approach to VoIP security, the plan will not be comprehensive enough to provide full value to the business, and compliance frameworks will be of little help.

If enterprise IT adopts the thinking advocated herein about VoIP security, they will have an easier time identifying the best courses of action. VoIP security is complex and the various solutions will require careful evaluation. Within the scope of this e-Book, there are two basic types of solutions that can serve enterprises well.

Solution 1: Managed Security Service

This follows the cloud model that enterprises are rapidly adopting for communications along with other business applications. The notion of Security as a Service (SaaS) has come of age, and can go a long way to making VoIP and UC secure. By providing constant monitoring, like consumers do with anti-virus protection, IT is relieved of the constant pressure to monitor threats and update security coverage.

There is an attractive business opportunity here for service providers, not just to tap new revenue streams, but also to make it easier for enterprise customers to adopt a wider range of UC applications that would also be hosted by them. The limitation, however, arises from their limited experience with VoIP security as well as their long-term commitment to supporting it.

This path can certainly address many VoIP security needs, but likely not all of them. Furthermore, enterprises would have to rely on, and even be locked in with, a provider for updates and new security applications. Unless the provider is prepared to deliver custom coverage to your business, their offering may or may not cover your needs. Another consideration is that the provider is offering this to all their customers, making it difficult for you to differentiate your VoIP security.

Solution 2: Standalone VoIP Audit Application

Purpose-built solutions are generally preferable for complex needs, and that certainly applies here. Finding the right one is challenging, however, as the range of offerings is broad. Some will be part of a Session Border Controller solution; others will be built into a data security platform, and some will be specifically designed for VoIP. Given the lack of standardization around VoIP, there is plenty of overlap here, so true direct comparisons are difficult to make.

The sponsor of this e-Book, VoIPshield Systems, is a prime example of the last type, as their business is 100% focused on this problem set. Vendors like this will have far more comprehensive coverage than a managed service, but require greater effort from the enterprise to assess and manage directly.

We believe these vendors offer the best solution, especially for enterprises prepared to take a proactive stance with VoIP security. Our research indicates these businesses are in the minority, and for that reason, purpose-built vendors such as VoIPshield Systems have had limited traction to date. This e-Book hopes to change that, but it is not clear whether these solutions will find a market in their current state, or take their form as a VoIP security solution integrated within a broader network security offering from a vendor with an established enterprise footprint.

Jon Arnold, of J Arnold & Associates, an independent telecom analyst practice, authored this e-Book, which was reproduced with permission by VoIPshield Systems in March 2014. The contents herein reflect conclusions drawn from ongoing research about VoIP security and specific research for this e-Book.

For more information please contact: [email protected].


Appendix

Summary of VoIP Vulnerabilities and Threats

This Appendix summarizes common threats and vulnerabilities that can be enabled by VoIP as well as the broader scope of IP communications. They have been grouped into two basic types, as per a taxonomy developed by ISACA. Note that this summary is a high-level review of common threat types, and for each a variety of variations exist. The list is far from exhaustive, and beyond this lies the realm of unknown threats, some of which exist but have not yet made an impact, while others are yet to be developed.

Type of Risk                          Threats
------------------------------------  -----------------------------------
Disruption of VoIP Data and Service   VoIP Control Packet Flood
                                      VoIP Call Data Flood
                                      TCP/UDP/ICMP Packet Flood
                                      VoIP Implementation DoS Exploit
                                      OS/Protocol Implementation DoS Exploit
                                      VoIP Protocol DoS Exploit
                                      Wireless DoS Attack
                                      Network Service DoS Attacks
                                      VoIP Application DoS Attacks
                                      VoIP Endpoint PIN Change
                                      VoIP Packet Replay
                                      VoIP Packet Injection
                                      VoIP Packet Modification
                                      QoS Modification
                                      VLAN Modification

VoIP Data and Service Theft           VoIP Social Engineering
                                      Rogue VoIP Device Connection
                                      ARP Cache Poisoning
                                      VoIP Call Hijacking
                                      Network Eavesdropping
                                      VoIP Application Data Theft
                                      Address Spoofing
                                      VoIP Call Eavesdropping
                                      VoIP Control Eavesdropping
                                      VoIP Toll Fraud
                                      VoIP Voice Mail Hacks

Source: ISACA, VoIP Audit/Assurance Program, Appendix 1: VoIP Threat Taxonomy, 2012
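To make the taxonomy concrete from a monitoring standpoint, the following is an added example (not from the e-Book, ISACA, or VoIPshield Systems) that runs two simple detections over a constructed sample of SIP signalling events: a VoIP Control Packet Flood (too many INVITEs from one source inside a short window) from the "Disruption" group, and a Rogue VoIP Device Connection (a REGISTER from an address not in the phone inventory) from the "Theft" group. The log format, the five-second window, the INVITE threshold and the endpoint inventory are all assumptions chosen for the demo; a real deployment would take them from the PBX, SBC or SIEM.

```python
"""Added example: mapping SIP signalling events onto two entries of the
ISACA VoIP threat taxonomy. Log format, thresholds and inventory are assumed."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample of SIP signalling events, one per line, in an assumed
# "<epoch seconds> <source ip> <SIP method> <user>" layout.
SAMPLE_LOG = """\
1000 10.0.5.21 REGISTER alice
1001 10.0.5.22 REGISTER bob
1002 10.0.5.21 INVITE bob
1003 10.0.9.99 REGISTER mallory
1004 10.0.7.7 INVITE alice
1004 10.0.7.7 INVITE alice
1004 10.0.7.7 INVITE alice
1005 10.0.7.7 INVITE bob
1005 10.0.7.7 INVITE bob
1005 10.0.7.7 INVITE carol
1006 10.0.7.7 INVITE carol
1020 10.0.5.22 INVITE alice
"""

# Assumed inventory of provisioned phones (normally exported from the PBX).
KNOWN_ENDPOINTS = {"10.0.5.21", "10.0.5.22", "10.0.5.23"}


@dataclass(frozen=True)
class Event:
    ts: int
    src: str
    method: str
    user: str


def parse_log(text):
    """Parse the assumed log layout; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, method, user = parts
        events.append(Event(int(ts), src, method.upper(), user))
    return events


def detect_control_flood(events, window=5, threshold=5):
    """VoIP Control Packet Flood: more than `threshold` INVITEs from one
    source within any `window`-second sliding window.
    Returns {source ip: peak INVITE count observed in a window}."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.method != "INVITE":
            continue
        q = recent[ev.src]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            flagged[ev.src] = max(flagged.get(ev.src, 0), len(q))
    return flagged


def detect_rogue_registration(events, known=KNOWN_ENDPOINTS):
    """Rogue VoIP Device Connection: a REGISTER from an address that is not
    a provisioned endpoint. Returns the sorted list of offending sources."""
    return sorted({ev.src for ev in events
                   if ev.method == "REGISTER" and ev.src not in known})


def classify(events):
    """Attach each finding to its ISACA risk type and threat name."""
    findings = []
    for src, peak in detect_control_flood(events).items():
        findings.append(("Disruption of VoIP Data and Service",
                         "VoIP Control Packet Flood", src, peak))
    for src in detect_rogue_registration(events):
        findings.append(("VoIP Data and Service Theft",
                         "Rogue VoIP Device Connection", src, 1))
    return findings


if __name__ == "__main__":
    for risk, threat, src, count in classify(parse_log(SAMPLE_LOG)):
        print(f"{risk}: {threat} from {src} (count={count})")
```

Run stand-alone, it reports the 10.0.7.7 flood (seven INVITEs in two seconds against a threshold of five) and the unknown device at 10.0.9.99; everything else in the sample is normal traffic and stays quiet. The point of the `classify` step is the one the e-Book makes about audit: each alert carries the taxonomy's risk type, so it can be reported against the ISACA programme rather than as an unstructured PBX event.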