
Part of the challenge, of course, is identifying where the threat lies in the first place. Aiming to drive adoption of VoIP by promoting current activities in VoIP security development, the Voice over IP Security Alliance (VOIPSA) has addressed this need with its Threat Taxonomy Working Group. CXO caught up with VOIPSA Chairman David Endler to find out more.
CXO. What impact do you think the VoIP Security Threat Taxonomy has had on the industry and on the use of the technology to date?
DE. While some early press accounts have focused on potential VoIP spam and VoIP eavesdropping, the consensus of learning from the Taxonomy project is that there are many other more prevalent and significant risks today. These include economic threats from deceptive practices, like VoIP phishing, malware threats, such as viruses and worms, and denial of service.
CXO. And what work has been ongoing since the Taxonomy was released?
DE. The first release of the Threat Taxonomy was published in two forms: a static PDF document and also an online version through a collaborative wiki. Through this wiki, we have collected feedback and suggestions from the industry in order to improve and enhance the next version of the Threat Taxonomy. It is our hope that we will publish an updated version, incorporating much of this feedback, in the next few months.
CXO. You mentioned some of the significant risks earlier. What currently do you consider to be the biggest threats to VoIP security?
DE. VoIP packetises phone calls through the same routes used by traditional data networks today and is consequently prone to the same cyber threats that plague those same networks today. These include denial of service attacks, worms, viruses and general hacker exploitation.
In addition to these traditional network security and availability concerns, there is also a plethora of new VoIP protocol implementations that have yet to undergo detailed security analysis and scrutiny.
CXO. To what extent are VoIP carriers now improving their efforts to safeguard users, and do you think they are doing enough?
DE. Many VoIP carriers are beginning to launch their own VoIP security assessment services as a value-add for their customers. This is a great first step. However, VoIP security is not just dependent on the carriers, but also on their enterprise customers that are deploying VoIP gear. There are a variety of general best practices that each of these customers can follow, as well as vendor-specific guidelines that can help harden the VoIP deployment against simple hacker attacks.
CXO. Looking forward then, what do you expect to be the emerging threats, and how can we head these off at the pass?
DE. In the same way that the prevalence of phishing and spyware has skyrocketed in the last couple of years, we can also expect financially-motivated attacks to target the VoIP realm. For example, just a few months ago we saw the emergence of voice phishing (or ‘vishing’). This is where an attacker sets up a spoofed interactive voice response system – rather than a fake website, as is the case with traditional phishing – which sounds just like a legitimate bank. The attacker then tries to lure his victims into dialing his IVR number. The aim is to trick them into pressing dial tones with sensitive information such as account numbers, PIN numbers, social security numbers, or generally any authentication information used to verify someone online.
At the recent Black Hat Briefings in Las Vegas this past August, I gave a presentation on just how easy it is for someone to set up such a phishing system with open source tools.
CXO. It’s unlikely we can predict all of the weak spots or emerging methods of cyber-crime. How then can we prepare for the unknown to the best of our ability?
DE. The challenge of VoIP security is not that unique. History has shown that many other advances and trends in information technology (TCP/IP, Wi-Fi 802.11, web services, for example) typically outpace the corresponding realistic security requirements, which are often tackled only after these technologies have been widely adopted and deployed. The best strategy, therefore, is to define an effective security policy that involves not just the technological aspects of VoIP but the physical and social aspects as well. Best practices should be applied across the board to help mitigate the easiest low-hanging fruit that attackers typically search for when targeting an organisation.
David Endler is Director of Security Research at TippingPoint, a division of 3Com, and Chairman of the Voice over IP Security Alliance.
The Threat Taxonomy is available online at: www.voipsa.org/Activities/taxonomy-wiki.php