VoIP and Compliance Regulations Make Strange Bedfellows
As attacks against VoIP persist, businesses not only have to defend themselves, they have to do it under the gun of regulators who want proof that security was addressed in accordance with their ever-changing rules.
VoIP denial of service, toll fraud and eavesdropping attacks are serious problems, yet many businesses lack some of the most basic VoIP protections, such as encryption, experts say. The urgency is heightened because, at the same time, businesses are forced to comply with regulations such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry (PCI) standards, which present a moving target as they are revised and updated.
"Recent events involving financial fraud, product safety recalls, and disasters in environmental health and safety have escalated this issue even more in the past two years," according to the Forrester Research study "The Regulatory Intelligence Battlefield Heats Up," "and the appetite among legislators in the U.S. and abroad seems decidedly in favor of tighter regulatory control."
For the most part, regulations try to protect personally identifiable information that can lead to identity theft, fraudulent use of credit cards, pilfered bank accounts and toll fraud against corporate phone systems.
VoIP is rarely addressed directly in these regulations, but the rules nevertheless apply in some cases. For example, PCI standards say, "Use strong cryptography and security such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks."
That calls for encrypting VoIP calls in which credit card numbers are recited when those calls cross the open Internet, says Michelle Klinger, a PCI qualified security assessor from Dallas. "I would be inclined to validate that the calls are being encrypted," she says, although VoIP on internal networks would not need that protection. Businesses need to look out for language in regulations that sounds like it refers to VoIP.
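The validation Klinger describes can be partly automated. The following is an added example, not code from the article or from any vendor it mentions: it takes constructed records of observed SIP dialogs (signalling transport plus the SDP body that negotiates the media) and flags any dialog that leaves the organisation's internal address ranges without TLS on the signalling or SRTP on the media. The internal ranges, the flow record layout and the sample dialogs are all assumptions made for the example; the SDP media-line syntax and the `RTP/AVP` (plain RTP) versus `RTP/SAVP` (SRTP) profile names are standard.

```python
"""Compliance check: flag VoIP dialogs that cross a public network unencrypted.

Added example; not part of the article. Flow records are constructed here,
in practice they would come from a SIP proxy log or a packet capture.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the organisation's internal address space is RFC 1918 plus
# loopback. Anything else is treated as an "open, public network".
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass
class SipDialog:
    """One observed SIP dialog (constructed record layout for this example)."""
    src: str          # signalling source address
    dst: str          # signalling destination address
    transport: str    # "udp", "tcp" or "tls" (SIP over TLS, usually port 5061)
    sdp: str = ""     # SDP body from the INVITE / 200 OK, if captured


def is_internal(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETWORKS)


def crosses_public_network(dialog: SipDialog) -> bool:
    """True when at least one endpoint is outside the internal ranges."""
    return not (is_internal(dialog.src) and is_internal(dialog.dst))


# SDP media description: "m=<media> <port> <proto> <fmt> ..." (RFC 4566)
SDP_MEDIA = re.compile(r"^m=(\w+)\s+(\d+)\s+(\S+)", re.MULTILINE)


def media_profiles(sdp: str) -> list[tuple[str, str]]:
    """Return (media kind, transport profile) for every m= line in the SDP."""
    return [(m.group(1), m.group(3)) for m in SDP_MEDIA.finditer(sdp)]


def findings(dialog: SipDialog) -> list[str]:
    """Human-readable findings for one dialog; empty list means no issue."""
    issues: list[str] = []
    if not crosses_public_network(dialog):
        return issues  # internal-only traffic is out of scope for this rule
    if dialog.transport != "tls":
        # Without TLS the SIP headers, and any SDES SRTP keys carried in the
        # SDP (a=crypto lines), travel in the clear.
        issues.append("SIP signalling is not protected by TLS")
    for kind, profile in media_profiles(dialog.sdp):
        # RTP/SAVP, RTP/SAVPF and UDP/TLS/RTP/SAVP all denote SRTP media;
        # RTP/AVP is plain RTP, which is what eavesdroppers can decode.
        if "SAVP" not in profile.upper():
            issues.append(f"{kind} media offered as {profile} (not SRTP)")
    return issues


def audit(dialogs: dict[str, SipDialog]) -> dict[str, list[str]]:
    """Run the check over a labelled set of dialogs."""
    return {label: findings(d) for label, d in dialogs.items()}


def _sdp(profile: str, port: int) -> str:
    # Constructed minimal SDP body offering one audio stream.
    return "\r\n".join([
        "v=0", "o=- 1 1 IN IP4 10.0.0.5", "s=-", "c=IN IP4 10.0.0.5",
        "t=0 0", f"m=audio {port} {profile} 0 8", "",
    ])


# Constructed sample dialogs. 203.0.113.7 is a documentation address
# standing in for a carrier or partner endpoint on the Internet.
INTERNAL_CALL = SipDialog("10.0.0.5", "10.0.0.20", "udp", _sdp("RTP/AVP", 49170))
PUBLIC_PLAINTEXT_CALL = SipDialog("10.0.0.5", "203.0.113.7", "udp", _sdp("RTP/AVP", 49170))
PUBLIC_ENCRYPTED_CALL = SipDialog("10.0.0.5", "203.0.113.7", "tls", _sdp("RTP/SAVP", 49172))

if __name__ == "__main__":
    for label, issues in audit({
        "internal": INTERNAL_CALL,
        "public-plaintext": PUBLIC_PLAINTEXT_CALL,
        "public-encrypted": PUBLIC_ENCRYPTED_CALL,
    }).items():
        print(label, "->", issues or "OK")
```

The internal-only call produces no findings, matching Klinger's point that calls confined to the internal network do not need this protection, while the plaintext call to the public address is flagged twice (unencrypted signalling and unencrypted media). The SDP profile check is a heuristic: an `RTP/SAVP` offer only proves SRTP was negotiated, so an assessor would still want to confirm the key exchange itself (SDES keys protected by TLS signalling, or DTLS-SRTP) before signing off.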
For instance, HIPAA says businesses must take steps to secure electronic protected health information, which might not seem to affect VoIP calls, but relates directly to recorded calls and digitally stored voice mail, part of any VoIP system. Similarly, if interactive voice response is used to navigate to protected information, its use should be monitored and documented.
On the other hand, the Federal Deposit Insurance Corporation (FDIC) has published specific VoIP guidelines to protect customer data traveling in IP voice networks in accordance with Gramm-Leach-Bliley regulations.
"The risks associated with VoIP should be evaluated as part of a financial institution's periodic risk assessment," the advisory says, "with status reports submitted to the board of directors as mandated by section 501(b) of the Gramm-Leach-Bliley Act (GLBA). Any identified weaknesses should be corrected during the normal course of business." That is accompanied by a list of nine recommended actions.
The threats are real, says Jason Ostrom, the director of Viper Lab, the VoIP and unified communications vulnerability arm of Sipera Systems. A client suspected eavesdropping and planted false information in VoIP calls to see whether it would be cited by those suspected of listening in. It was, Ostrom says. It turned out that a third party with legitimate access to the corporate network, but which was in litigation with Viper's client, had tapped the VoIP network, he says.
(The problem can be equally grave with video. The telepresence communications of a Fortune 500 CEO were being picked off by eavesdroppers, Ostrom says.)
Some IT directors Ostrom has dealt with try to keep up with the regulations by educating themselves. That doesn't always prove to be enough, says Ross Leo, a senior consultant and trainer for Supremus Group, because some businesses overlook the phone system entirely as a possible vulnerability. "I've had clients who said they'd completely forgotten about it. They think it's just a phone system, but it's not; it's computers."
Chris McClean, an analyst for Forrester, says that as regulations change and become more complex, businesses will have to address VoIP compliance more directly, either by investing in internal groups to keep on top of them or by hiring third parties to do it for them.
If by the nature of its work a business faces three or four sets of regulations each with quarterly compliance reports, the task quickly becomes overwhelming for many IT departments, McClean says. And regulators aren't the only ones adding to the burden. Business partners may have contractual demands about security that need verification.
Businesses that record VoIP calls need to store them with applicable regulations in mind as well as the demands of legal discovery should the stored conversations become relevant to court cases, McClean says. "How are you keeping track of these conversations? They may be discoverable if there is an investigation," he says.
Diligence in following cases of VoIP exploitation is essential, he says. When details of such attacks are publicized, businesses should examine their own defenses to determine whether they could have withstood the published assault. If not, they should remediate. "They should ask, 'How would we have responded? Could we have prevented a similar attack?'" McClean says.
Such opportunities are limited, Ostrom says. "The reality of the situation is businesses don't disclose. There's no incentive if they've suffered a breach," he says.
Businesses seeking to deploy VoIP in compliance with regulations may benefit from services that are just now coming to light, McClean says, from such consultants as LexisNexis (a member firm of Reed Elsevier), SAI Global, Thomson Reuters
"The battle will come down to delivery of premium content, which will still come through a mix of legal and consulting firms, specialty research providers and compliance product integration," he says in his report.
To be valuable, those firms will provide legal analysis of the implications of new rules, define the controls that businesses must use to meet the updated regulations and share what other similar businesses are doing in response to establish a new set of best practices, he says.
"In the next three years," he predicts, "detailed updates will be widely available through RSS feeds, and nearly all GRC and compliance management vendors will support regulatory updates mapped to risks and controls using XML tags."