IFSEC Insider | Security and Fire News and Resources

How secure is your voice?

The security landscape has changed dramatically during the past decade as the arrival of Internet-borne threats continues to drive protection expenditure far higher, not just for highly sensitive corporate organisations but also for the smallest of SMEs.

Why, then, are the majority of Voice-over-IP (VoIP) systems being implemented without any consideration for the security risk? The days when telephone calls could only be intercepted by physical ‘tapping’ activities at the exchange are long gone. Today, hackers might easily eavesdrop media streams and intercept VoIP packets, reassembling them into coherent speech that then enables the ‘procurement’ of potentially sensitive information.

Nonetheless, the risks associated with VoIP have been consistently downplayed by vendors and service providers alike. As a result, a recent discussion between numerous chief information officers saw quality of service and cost deemed far more important VoIP concerns than security. Given the general security climate this attitude is extraordinary, yet it is borne out by the fact that, in our experience, only 15% of organisations consider security when implementing VoIP. Of those, few actually put adequate controls in place.

It’s a seriously tricky business

In most cases, vendors aren’t even including security as part of the VoIP solution as standard. Those that do concentrate primarily on securing the link between home, office and enterprise. That’s simply not enough.

As soon as an organisation starts to use the relatively simple Session Initiation Protocol – or other voice protocols – many of the basic elements of security are lost. The techniques that have been used to secure Virtual Private Networks, for example, simply cannot offer the quality of service required for VoIP. With no end point verification, no form of non-repudiation or source verification and no encryption, organisations employing VoIP are rendered vulnerable to a fast-growing number of attacks (undertaken by both criminal gangs and those involved in commercial espionage).

From Spam-over-Internet Telephony through to ‘vishing’ (the voice equivalent of phishing), there’s a raft of opportunities for criminal gangs. These highly sophisticated techniques have been developed to access exactly the sort of sensitive information that the ‘e-mail wary’ corporate world is careful not to reveal online.

If an organisation is using VoIP, it’s a very simple process to intercept and re-route calls or tamper with messages in order to add, remove or change data packets. Blended threat attacks are also on the increase. Users will receive an e-mail requesting them to call a financial institution, for example, on an 0800 number. On calling that number, they’ll be greeted by a CTI system that exactly mimics the standard bank call procedure, at which point they’ll provide the requested bank account details, post code and password information as they believe they’re on a genuine call.

Such a process can also be achieved simply by registering an 0800 number with an IP telephony provider such as Vonage or Skype, recording the chosen bank’s standard greetings and waiting for callers.

The trusted voice

It is vendors’ consistent failure to even mention security when tendering for VoIP contracts that’s fundamentally jeopardising the longer term success of the technology, while at the same time adding untenable corporate risk. Those very few suppliers offering VoIP security up front estimate an additional 20% cost to secure the unified network.

However, the result of this consistent downplaying of the VoIP security risk is that most organisations will simply not consider this additional cost, even when presented with a viable security option.

In reality, failure to address these security issues today will add not only risk to the business but also a very considerable cost: retro-fitting security to any technology is always a more complex and expensive business, with the ever-present risk of associated business downtime.

So what are the options open to the security and IT professional? The issue has to be addressed in two parts – internal and external VoIP. An audit of the internal LAN infrastructure to highlight security gaps is a key starting point along the road to effective and secure unified communications. Such an audit will highlight issues ranging from the ability to verify the number of endpoints on the system to the need for encryption on the LAN or a company’s ability to detect whether traffic is being copied.

By combining this insight with the use of a trusted end-to-end security architecture – such as Cisco’s SAFE solution – companies can build a platform for secure VoIP deployment.

Security: a global concern

The big challenge comes with the use of global call routing via IP. How can an organisation verify trusted sources or trusted destinations? With a current lack of internal standards or interoperability, concerns surrounding the ease of spoofing traffic, faking and injecting data packets and mimicking individuals are real.

Vendors are, of course, working on these issues at the moment, but with little or no co-operation and/or consistency. Knitting potential solutions together will be an issue. It will be less of an issue, though, for those that address the VoIP security question up front.

Obviously, it’s simply not going to be an option to add layers of complexity to VoIP. End users are far too familiar with making simple calls at a high, consistent quality. Therefore, it’s essential that organisations look for partner organisations that are already setting up security measures when routing calls between two points, so as to strike the key balance between security and flexibility.

In the long run, these calls will also be encrypted. However, in the short term, the key objectives are good endpoint verification, message and sequencing validation and non-repudiation to create the foundations of a secure voice communication.
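As an added illustration of the ‘message and sequencing validation’ objective (example code, not part of the original article), the following Python checks a captured RTP stream for the traces that injected, replayed or dropped packets leave behind: a mid-stream change of synchronisation source (SSRC), duplicate sequence numbers and sequence gaps. The header layout follows RFC 3550; the sample packets and the SSRC values are constructed inline.

```python
import struct
from collections import namedtuple

# Fixed 12-byte RTP header fields we care about (RFC 3550, section 5.1).
RtpHeader = namedtuple("RtpHeader", "version payload_type seq timestamp ssrc")


def parse_rtp(packet: bytes) -> RtpHeader:
    """Parse the fixed RTP header; CSRC lists and extensions are ignored."""
    if len(packet) < 12:
        raise ValueError("packet shorter than the RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    return RtpHeader(b0 >> 6, b1 & 0x7F, seq, ts, ssrc)


def build_rtp(seq: int, ts: int, ssrc: int, pt: int = 0) -> bytes:
    """Constructed sample packet: version 2, no padding/extension/CSRC."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + b"\x00" * 4


def validate_stream(packets):
    """Return (seq, reason) findings for one RTP session.

    Checks the RTP version, that the SSRC stays the one seen first, and the
    16-bit sequence number for duplicates (replay), gaps (loss or dropped
    packets) and rewinds (out-of-order or re-injected traffic)."""
    findings = []
    expected_ssrc = None
    last_seq = None
    for raw in packets:
        h = parse_rtp(raw)
        if h.version != 2:
            findings.append((h.seq, "bad RTP version"))
            continue
        if expected_ssrc is None:
            expected_ssrc = h.ssrc
        elif h.ssrc != expected_ssrc:
            # Do not update state from a foreign source: it is not our stream.
            findings.append((h.seq, "SSRC changed mid-stream (possible injected source)"))
            continue
        if last_seq is not None:
            delta = (h.seq - last_seq) & 0xFFFF  # handles 65535 -> 0 wraparound
            if delta == 0:
                findings.append((h.seq, "duplicate sequence number (possible replay)"))
            elif 1 < delta < 0x8000:
                findings.append((h.seq, f"gap of {delta - 1} packets (loss or drop)"))
            elif delta >= 0x8000:
                findings.append((h.seq, "sequence rewound (out-of-order or re-injected)"))
        last_seq = h.seq
    return findings
```

A sequence gap on its own is usually packet loss; an SSRC change or a duplicate inside an otherwise healthy stream is the signal worth alerting on.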

There’s a clear risk involved

Today, few organisations have either experienced – or admitted to – VoIP-enabled security breaches. Indeed, in most cases any information gained in this way will be kept confidential and used for vast financial gain.

Without doubt, the underlying technologies and standards deployed to deliver secure VoIP communications will change over time. Waiting for standards and interoperability technologies is simply too high risk a strategy for organisations that are duly leaving themselves vulnerable to attack on a daily basis.

It’s those companies taking the right approach up front and building a VoIP system to encompass Best Practice – from ensuring all calls are routed through a single gateway to verification – that will secure their future.
