Beware of UC Security Threats
Don't Ignore the Compliance Factor
Compliance is a big issue in industries such as finance, health care and the payment-card industry, which have regulations that can impact VoIP. UC must be defended against data leaks whether it be voice mail that gets e-mailed, an IM sent outside the company or an archived videoconference that's sitting on a disk and contains patient information.
UC also creates new legal complexities that can affect policies about storing call data, Ritter says. Voice mail attachments to e-mails, for instance, are classified as electronic data that must be made available during the discovery phase of lawsuits, he says. If such voice mail is stored on a thumb drive that sits in a desk drawer for three years, it's discoverable as electronically stored data, he says. "The voice mail is still around even though the voice mail system itself purged it years ago," Ritter says.
Businesses that are most successful with UC deployments bring their security teams in early on in the planning process, Ritter says, but that is not the usual case. "Unfortunately we still find security is typically one of the last teams to be involved in planning," he says.
Ritter recommends getting the security and compliance teams together early in the planning for UC and VoIP. That offloads much of the responsibility for security from the implementers who are more likely telephony experts or general infrastructure experts. Even corporate litigation teams should be brought in.
The exposure of VoIP will continue to increase with new technologies, he says. Nemertes found that 46% of IT executives surveyed who are planning service-oriented architectures say they also plan to integrate UC with their SOA applications such as CRM or ERP.
"That adds another layer of complexity because it extends UC and VoIP into the application domain," Ritter says. Despite this exposure, Nemertes found that security teams had the least amount of input into SOA deployments.
Part of the problem may be that business executives see security as just saying no to anything that exposes networks and data to more risk even if it means blocking useful ways of doing business.
"We don't know if they see security as business prevention and that's why they don't bring them in, or organizationally they're still in silos," Ritter says "We don't think the security teams are being brought in early enough in the planning to deal with the complexities and the vulnerabilities that are putting the organization at risk."
Perhaps the biggest threat to VoIP security is that many if not most users don't consider security thoroughly, the experts say.
"Most VoIP deployments I have seen do not have recommended best practices in place like strong encryption, authentication and access control protecting the VoIP network from the rest of the network," Ostrom says.
Beyond that, some businesses don't recognize that they use protocols that may be readily tampered with. "The most common mistake I see is the use of insecure protocols for things like VLAN assignment," says Andy Zmolek, senior manager for Security Planning and Strategy for Avaya.
"They should use link layer discovery protocol and 802.1X authentication to make sure VLAN assignments and access control are secure," Zmolek says. Without secure authentication, a PC could masquerade as a phone, get access to the VoIP VLAN and then wreak havoc."
Another problem has nothing to do with technology but rather the communication within the teams that are supposed to deploy it, he says. For instance many customers send out RFPs that include features that never get turned on after they make the purchase. "They have the ability of encrypting signaling and media, and they rarely turn that on. You could argue the security organization should handle that, but the security teams are just beginning to understand how to make sure the desired security is enforced," he says.
Businesses should beware of automatically trusting their own employees, Ostrom says. He says he finds faulty thinking among corporations relying on VoIP: because VoIP users are on the internal network, and those users are trusted so there is no VoIP security problem. That is a dangerous assumption because if they are wrong, an attacker with network access can do vast damage, he says.
A user with network access can piggybacking on the successful 802.1X authentication of an IP phone by inserting a rogue laptop on a hub shared by the phone, he says.
The phone authenticates to the switch port, but there is no per-packet authentication after that. If an attacker shares the authentication with a hub that the phone uses to connect to the network, it gains access to the VoIP network and can create man-in-the-middle attacks for eavesdropping or changing the content of phone calls, he says.
"We've developed a proof-of-concept tool to demonstrate this attack," he says. "With it they can target other phones or VLAN hop to attack the data network."
Most of the concern businesses have about VoIP still centers around protecting the underlying data network from assaults like denial-of-service attacks, says Irwin Lazar, an analyst with Nemertes.
"Overall though I'd say that security doesn't rank all that high among IT executive concerns around VoIP right now," Lazar says, "though as enterprise VoIP networks are extended beyond the network boundary via peering and SIP trunking, concerns will increase."
It may take serious consequences, though, to prompt better VoIP security practices like encryption, McLeod says. "I think the average Fortune 500 company is going to have to have some security event occur to have a wake-up call before they spend the money," he says. "Then there will be more pressure placed on the vendor to make security like it is in Wi-Fi -- automatic, easy and every piece of gear includes it."