I write about VoIP security from time to time, and it’s a prime topic for this column in a few different ways. While VoIP security is of particular relevance to TMC’s (News - Alert) audience, it’s really a small branch of the data security tree, which encompasses many strands of traffic that IT must manage over their network. Stepping back even further, you have the very public – and very scary – NSA-style privacy breaches that make you wonder if anything is safe these days on the web. The short answer is no.
All of these threats are real, and are increasing both in terms of frequency and severity. Like many other modern day maladies, data security threats are impossible to eradicate, even if you have all the firepower in the world. A more realistic and effective strategy involves understanding the nature of these threats along with taking proactive measures to mitigate their impact. I can’t address all of this now, but want to provide a reality check by tying together three recent items from my ongoing industry research.
I’ll start with the highest profile item that does a great job of pinpointing some root causes that any business has the means to address. Verizon produces continuous research on this topic, and I would encourage you to follow its efforts to educate businesses about various forms of IT risk and data security threats.
This report focuses on PCI compliance, and while the customer base is mainly large enterprises, the issues are universal. Furthermore, while the target is credit cards rather than VoIP, the messages are highly relevant to INTERNET TELEPHONY readers, since pretty much all businesses have phone systems and accept credit cards as a form of payment from customers. My main takeaway here is that if businesses have this much vulnerability for a target as attractive as credit cards, they’ll be even more vulnerable to attacks on their phone systems. They may not perceive VoIP as a risk target, but hackers seek out the weakest link since any entry point will do the job.
To illustrate, here are some key findings from the report:
• Regarding the impact of security breaches, 69 percent of consumers said they would be less inclined to shop your brand after experiencing a credit card breach. No matter how good your product is, PCI (News - Alert) threats can quickly undermine your overall brand reputation.
• With the rise of the cloud and mobile broadband, there are more payment options than ever for credit cards, broadening the touch points for security threats. VoIP is no different when considering the many ways it can be used on your network – namely desk phone, softphone, PC client, Wi-Fi and now VoLTE.
• The PCI Data Security Standard is an established, comprehensive 12-step framework developed to address this issue. Despite that, none of the companies they’ve investigated breaches for over the last 10 years were fully DSS compliant. The solution exists, but nobody in this sample is deploying it fully.
• While most companies meet basic PCI compliance requirements, only 20 percent meet or sustain full DSS compliance. The broader 80 percent are at risk to some extent, mainly because they choose not to address the full scope required for complete compliance. Whether the issue is budget, IT priorities, or belief in the threat levels, the current situation absolutely ensures that PCI breaches on the scale of what Target (News - Alert) experienced in 2014 will continue to happen.
VoIP Security Customer Success Story
Ingate Systems is a vendor that you should be quite familiar with. The company recently shared a success story with a key customer, aided by eTechHelp, an IT consultancy and reseller partner. To learn more, I subsequently lined up a briefing with all three parties, including the customer’s president, Guru Amrit Khalsa. The customer is Nationwide Processing, and it provides outsourced support to mortgage brokers and lenders.
There are many highlights from this case study, and I will just touch on a few here. First is the validation that security breaches via Nationwide’s VoIP service are very real and were causing the company enough pain that it needed a proper fix. While Verizon’s PCI compliance study may seem remote to you, Nationwide’s problems are closer to home since VoIP was the point of entry. It was getting hit with two of the most common threats – DoS attacks and toll fraud. The former disrupts and even shuts down the network, making it impossible to service clients, and no business can tolerate that for long. Toll fraud, on the other hand, is outright service theft with a financial cost that will only get worse until the vulnerabilities are fixed.
The second key point here is the lack of understanding that these threats even existed in the first place. This was acknowledged by Guru, who added that SMBs tend to be non-technical and really have no way to know about these things. Without that knowledge, you may enjoy the initial cost savings that come with VoIP, but at some point, the hackers will find you. Compounding this is the mistaken assumption that the existing data firewalls provide sufficient protection for VoIP. We all know that’s not the case, and this is exactly why Ingate is in this business.
Finally, these threats are simply reaching critical mass now. Not only are they persistent, but more inventive. Guru has been using VoIP without incident for years, and had no reason to believe there would be problems down the line. He was quite surprised to learn how much things had changed, and I know he’s not alone based on my broader industry research.
Both Ingate and eTechHelp are familiar with these issues and understood the need to protect both Guru’s PBX system and SIP trunks. His team did not have the IT expertise to solve the problem in house, making a third-party solution the logical response. Once Ingate’s SIPerator E-SBC was deployed, the threats virtually disappeared. There are now far fewer panic calls to eTechHelp, and the solution allows Nationwide to maintain existing operations without concern for the VoIP security threats that remain persistent, but outside their network perimeter.
VoIPshield’s New Audit Download
Finally, I want to draw your attention to a vendor with a new audit tool to help companies determine just how vulnerable their VoIP deployments really are. VoIPshield is another vendor I’ve followed for a long time, and it is somewhat complementary to Ingate, which provides the network hardware to protect your phone system from attacks.
VoIPshield claims to have the most extensive database of “VoIP-specific vulnerabilities and threats,” so when it runs a network assessment, it may well find things you had no idea are there. While some VoIP threats unfold right away, others will lay dormant and take effect another time. As such, you may think you’re protected or even compliant, but if your tools have a limited scope, things could turn out very differently at any time.
Since VoIP threats are persistent – brute force is a term often used to describe malicious efforts to try endless combinations of passwords until one gets them into your phone system – and constantly evolving, the safest approach is to have an ongoing form of monitoring. To start down this path, you can access VoIPshield’s new audit trial, called VoIPaudit, from the company’s website. Currently, its assessment tool supports Cisco (News - Alert) CallManager and Avaya Aura Call Manager, so you need to be on one of those systems. In time, I’m sure it will support other vendors, and you can always contact the company with specific requests.
VoIPshield and Ingate are but two examples of companies doing innovative things around VoIP security, and my message is to say that solutions to this problem exist. More importantly, though, is the need for you to realize that these threats are real, and from there I hope you’ll take proactive measures to ensure that VoIP keeps delivering the benefits you signed up for.
Jon Arnold is principal of J Arnold & Associates, an independent telecom analyst and marketing consultancy.
Jon Arnold is principal of J Arnold & Associates, an independent telecom analyst and marketing consultancy with a focus on IP communications, and writes the Analyst 2.0 blog. Previously, he was the VoIP program leader at Frost & Sullivan.
Edited by Stefania Viscusi