7/24/2019 e Book Why Voip Security is More That Just an It Risk 83791
Why VoIP Security Is More than Just an IT Risk
by Jon Arnold, Principal, J Arnold & Associates
November 2013
When Being Compliant Does Not Mean Being Secure
Executive Summary
Security may not be the first thing that comes to mind when you think of VoIP, but if it is not near the top of your list,
you could be exposing your business to significant risks.
The reasons for this are both complex and simple, but
there is no question the issue of VoIP security will become
more pressing as enterprises accelerate their adoption of
IP telephony along with its umbrella cousin, Unified
Communications (UC). Not only are these technologies
being deployed to make communications more effective,
but also to integrate with business processes that impact
overall operations and workows to increase employee
productivity.
This e-Book has been developed to educate IT and exec-
utive teams about the nature of VoIP, both in terms of its
benefits and potential risks. Perhaps more importantly, the
objective is to reframe the thinking within enterprises to
view VoIP security more as a business risk than a risk
contained within the IT sphere. One need look no further
than the recent vulnerability updates made by Cisco for
Call Manager as evidence that these risks are more real
than perceived.
A key reason for this view is that VoIP along with UC
provides significant business value that goes beyond
reducing telephony costs.
When tied to business processes, VoIP and UC can
transform your operations by improving productivity,
shortening decision timeframes, curtailing travel,
and improving customer satisfaction. However,
for these benefits to be realized, the underlying
network environment must be secure, and in most
enterprises this is simply not the case when it
comes to VoIP.
Whether or not your business has experienced a VoIP security breach, the associated threats and vulnerabilities
are real and becoming more sophisticated to remain a
step ahead of today's security frameworks. In fact, your
network may have already been compromised, and hack-
ers could quietly be monitoring your activity until the right
moment when they detect a VoIP-enabled vulnerability.
A key takeaway from this e-Book is that being compliant
does not mean being secure, so do not assume that a
clean bill of health from your latest IT security audit makes
your business immune from threats.
Building on that, our intention is to broaden your understanding
of the issues, as you will need a core knowledge
base to develop an effective security plan and adopt
appropriate solutions to protect your network and business,
and to be compliant.
Introduction
The adoption of VoIP by enterprises has been underway
for some time, and as its value is being realized, this trend
is accelerating. While this is good news for VoIP vendors
and service providers, the related network security impli-
cations have received little consideration. Having closely tracked VoIP since 2001, J Arnold & Associates is attuned
to the inherent vulnerabilities that make VoIP a target for
a growing array of security threats. Our view is that the
associated risks to both businesses and networks are not
properly understood either.
To validate this, we have undertaken independent
research across the market, including senior enterprise
IT personnel, executive management, audit practition-
ers, security vendors, information security consultants,
www.voipshield.com
and service providers. This industry-based perspective
has provided a balanced base of learning upon which
this e-Book was written. J Arnold & Associates conducted
in-depth personal interviews during June-July 2013, and
while the results are qualitative, the sources are highly
informed and we believe that, collectively, they accurately
reflect the broad state of thinking about VoIP security.
Our overall objective is to educate the market about the
realities of VoIP security, and how under present conditions,
enterprises cannot derive full benefit from VoIP as
well as from the broader scope of IP communications now
integrated under the banner of Unified Communications.
When the vulnerabilities posed by VoIP are prop-
erly understood, enterprises will be better able to
manage the threats and safely exploit VoIP for its
business value. A full understanding will also help
ensure compliance with relevant information secu-
rity as well as control and privacy standards.
We begin with an analysis of six elements that were distilled
from research, and explain their importance as well
as the role each can play in improving the overall understanding
of VoIP security. Following this is a prescriptive
action plan and possible solutions enterprises can take to
move down that path.
Today's Changing ICT Security Landscape
Opportunities and Risks Posed by VoIP
There is good reason why VoIP has transformed the tele-
com industry for the better, and that impact is registering
now with enterprises. Just as there is more to VoIP than
cost savings, there is more to IP communications than
VoIP. Businesses can easily justify the move to VoIP on
economic grounds, not just for lower telephony costs, but
also streamlined network operations.
Converging voice and data on to this streamlined net-
work environment creates new value that Unified
Communications is just starting to address, espe-
cially when tied to Communications Enabled Business
Processes (CEBP). This adds a layer of strategic value
to VoIP as well as the broader suite of IP communications
supported by UC, all of which are now running over enter-
prise data networks.
Legacy telephony is being displaced largely because it
stopped evolving and could not match the business value
and innovation provided by VoIP. From its modest roots
as a hobby technology, VoIP has matured considerably,
and riding the wave of the broadband revolution, it is now
poised to be the standard for business telephony.
VoIP's ascendancy has been slow and enterprises are
only just beginning to tap its potential, not just because
it is relatively new, but also due to some realities that are
not well understood. Legacy telephony took many dec-
ades to perfect and VoIP is not yet fully standardized as
a technology. More importantly, with telephony now moving
over to the data network, it no longer has the protection
offered by the dedicated voice network used to support
your legacy Private Branch Exchange (PBX) infrastructure.
These changes add up to new opportunities that legacy
telephony could never deliver, but along with that come new
risks as enterprises migrate to IP-based communications.
With VoIP, telephony becomes a data application, and with-
out appropriate measures in place several risks become
very real, particularly business risk, technology risk, financial
risk, network risk, security risk, and compliance risk.
Our industry-wide research supports the main message
of this e-Book that the vulnerabilities and risks are not well
understood and if not addressed, the benefits of VoIP will
not be fully realized, and indeed may cause significant
operational, financial, and regulatory problems.
While the mainstream media have created awareness
about the threats posed by the Internet to the general pub-
lic, very little is heard about what can and does happen in
the business world. Large-scale breaches and exposs
such as WikiLeaks, Stuxnet, as well as the recent actions
of Bradley Manning, Edward Snowden, and others are
everyday news. This raises fundamental questions about
privacy and information security on the Web. Not only are
these problems happening with greater frequency, but the
growing sophistication of attacks means they will occur
without warning, with rapid impact, on a larger scale, and
with increasingly sensitive targets.
Since a great deal of IP communications touches the
Internet, especially VoIP, enterprises can be just as
vulnerable as consumers who unwittingly open an email
containing malware, or government agencies with lax
controls over data access.
VoIP has become subject to an ever-expanding
class of security threats, many of which are tar-
geted specically at Enterprises that have access
to credit card and other personal information
(such as Contact Centers and Customer Service
departments), as well as critical infrastruc-
ture (such as power grids and communication
services) and first responders. For more infor-
mation about common enterprise VoIP security
threats, please refer to the Appendix.
Figure 1 illustrates attack points in an enterprise environ-
ment at a high level, with typical VoIP-based vulnerabil-
ities flagged by red triangles. Voice-enabled endpoints
that did not exist when telephony operated separately
from the Local Area Network (LAN) provide pathways into
the network. In short, VoIP poses unique security chal-
lenges that do not apply to other data streams or modes
of IP communications.
As Figure 1 also illustrates, most of the vulnerabilities are
at the network perimeter, and given the variety of possible
entry points, effectively securing VoIP is a complex chal-
lenge. In addition to conventional threats that have long
existed with IP PBXs such as toll fraud, message tam -
pering, and eavesdropping VoIP exposes the network
to new threats, several of which can be debilitating for
your entire business, such as Telephony Denial of Service
(TDoS) attacks, data theft, identity spoong, Quality of
Service modication, and email hacking.
Figure 1 VoIP Vulnerabilities in the Enterprise Network Environment
Realities and Challenges
To properly assess the nature and scope of the risks posed by VoIP, six elements need to be considered. These ele-
ments were summarized from our research, and represent distinct touch points that must be understood to effectively
mitigate risk and enable VoIP to provide full value to your business. Key realities and challenges for each are summarized
as follows.
Element #1 - VoIP Technology
As a technology, VoIP is not mature or standard-
ized enough to be effectively incorporated into the
Information Communications Technology (ICT)
frameworks that drive compliance for network secu-
rity. Essentially, this means that security compliance
for VoIP is voluntary rather than mandatory, leaving
it out of scope for most security audits.
VoIP is a blind spot in the IT infrastructure, which makes your IT assets and networks more vulnera-
ble. While VoIP is often associated with telephony,
the IP PBX or associated voice traffic are not typi-
cally the targets; rather, they provide access to cor-
porate information or the LAN since VoIP runs over
the same network as all the other data applications
used to drive the business.
IT security breaches attributable to VoIP are not yet
widespread, but that is changing as VoIP adoption
grows and hackers prey on vulnerabilities created
by a lack of understanding of the risks and subse-
quent need for best practices to address the threats.
VoIP is much more than telephony, and when the
broader scope of IP communications is considered,
the operational benets and strategic value are
compelling. While VoIP has inherent value to reduce
telephony costs, enterprises typically use it as a
stepping stone to Unied Communications and the
ability to support real-time multichannel interactions.
These capabilities can have a transformative impact
on operations, processes and customer experi-
ences, but also mean that the impact of VoIP's secu-
rity vulnerabilities go well beyond the IP PBX to other applications such as softphones, video chat, Web-
based VoIP, Smartphones, and tablets, extend-
ing beyond the office to home-based and remote
locations.
Element #2 - Hackers
The hacker community is diverse, ranging from
hobbyists working alone, to sophisticated criminal
operations, to state-sponsored cyber-espionage
cells. Since VoIP still lacks standardization, this
places the onus on organizations to defend their
network, and given the diversity of the hacker com-
munity, this task is very challenging.
Since its inception, the Internet has been rife with
security vulnerabilities and privacy exposures,
making trust difcult to establish. The anonymous
and porous nature of the Web is ideal for hackers.
Enterprises must be particularly alert with VoIP
since a great deal of IP PBX trafc traverses the
public Internet, creating a new security vulnerability
that did not exist when legacy telephony ran over a
dedicated voice network.
The motives of hackers are as varied as the com-
munity itself. Some will target VoIP specically for
toll fraud, but more likely this will be their point
of entry for other forms of malicious activity such as disrupting operations, identity theft, financial
theft, corporate espionage, or to support political
agendas.
Hackers are usually at least one step ahead of what
the enterprise can defend. While VoIP may not be
very attractive financially beyond toll fraud, hackers
are looking for other ways to monetize corporate
data, and when they do their attacks will become
more brazen and targeted. Since VoIP currently
poses limited financial risk, security measures are
limited as well, and if this continues, IT will only have reactive, after-the-fact options when more
serious threats strike. The coming storm in network
security threats should not be underestimated. Not
only can hackers cause financial loss by accessing
corporate data and bank accounts through a VoIP
breach, but also some would not hesitate to use the
same breach to launch Denial of Service attacks.
By constantly flooding your network with messages
through that breach, they can disrupt or even shut
down operations and will only stop once they have
extracted ransom payments from you.
Related to this is the growing complexity of enter-
prise networks, making it virtually impossible to plug
every hole in the dike. Sophisticated hackers can
always find a point of entry, sometimes with minimal
effort, especially if basic security measures for VoIP
are not followed.
Organizations are blind to intrusions via the VoIP
channel; they may already have been attacked
and not know it. For example, a traditional Intrusion
Prevention System (IPS) that does not decode SIP
signaling has no VoIP endpoint visibility, so the
source of the intrusion remains undetected. The
intruder has assumed the legitimate user's identity,
permissions, and resulting application access.
Hackers may be monitoring your network without
your knowledge and just waiting for a port to be left
open, or may have already penetrated and compro-
mised your network and are just waiting for the right
time to attack.
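As an added example (not code from the e-Book or from VoIPshield), the following Python script shows the kind of SIP signaling visibility the paragraphs above say a generic IPS lacks. It runs over a constructed capture (not real traffic) taken at the IP PBX and flags three of the threats this e-Book lists: password guessing against an extension through repeated REGISTER attempts, the extension's registration moving to a new host after a guess succeeds (the "assumed identity" case), and an INVITE flood (TDoS). The hostnames, extensions, addresses, thresholds and the convention that `peer` is the non-PBX address in both directions are all assumptions made for the example.

```python
"""SIP signaling monitor: added example, not code from the e-Book or VoIPshield.
Input is a constructed capture at the IP PBX: (timestamp, peer, raw_sip), where
'peer' is the non-PBX address in both directions (assumption), so a 401 the PBX
sends back to 203.0.113.9 is recorded with peer=203.0.113.9."""
import re
from collections import defaultdict, deque

# Thresholds are assumptions for the example; tune them to the site's call volume.
BRUTE_FORCE_FAILURES = 5     # 401/403 answers to REGISTER from one peer ...
BRUTE_FORCE_WINDOW = 60.0    # ... within this many seconds
INVITE_FLOOD_COUNT = 20      # INVITEs from one peer ...
INVITE_FLOOD_WINDOW = 10.0   # ... within this many seconds
URI_RE = re.compile(r"<?(sip:[^>;\s]+)")


def parse_sip(raw):
    """Return (kind, method, status, headers). For a response the method is taken
    from CSeq so we know which request (REGISTER, INVITE, ...) it answers."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    start = lines[0]
    if start.startswith("SIP/2.0"):
        cseq = headers.get("cseq", "").split()
        return "response", (cseq[-1] if cseq else None), int(start.split()[1]), headers
    return "request", start.split()[0], None, headers


def uri_of(header_value):
    """Extract the sip: URI from a To/From/Contact header value."""
    m = URI_RE.search(header_value)
    return m.group(1) if m else None


class SipMonitor:
    def __init__(self):
        self.failures = defaultdict(deque)  # peer -> times of 401/403 to REGISTER
        self.invites = defaultdict(deque)   # peer -> times of INVITE requests
        self.bindings = {}                  # AOR -> peer holding its registration
        self.alerts = []

    @staticmethod
    def _trim(window, ts, width):
        while window and ts - window[0] > width:   # drop events outside the window
            window.popleft()

    def observe(self, ts, peer, raw):
        kind, method, status, hdrs = parse_sip(raw)
        if kind == "request" and method == "INVITE":
            q = self.invites[peer]
            self._trim(q, ts, INVITE_FLOOD_WINDOW)
            q.append(ts)
            if len(q) == INVITE_FLOOD_COUNT:      # fires once as the threshold is crossed
                self.alerts.append({"type": "invite_flood", "peer": peer, "ts": ts})
        elif kind == "response" and method == "REGISTER":
            aor = uri_of(hdrs.get("to", ""))
            if status in (401, 403):
                q = self.failures[peer]
                self._trim(q, ts, BRUTE_FORCE_WINDOW)
                q.append(ts)
                if len(q) == BRUTE_FORCE_FAILURES:
                    self.alerts.append({"type": "register_brute_force", "peer": peer, "ts": ts})
            elif status == 200 and aor:
                prev = self.bindings.get(aor)
                if prev is not None and prev != peer:
                    # A roaming user also trips this; correlate with a brute-force
                    # alert for the same peer before treating it as a hijack.
                    self.alerts.append({"type": "registration_moved", "aor": aor,
                                        "previous_peer": prev, "peer": peer, "ts": ts})
                self.bindings[aor] = peer


# --- constructed sample traffic (not real data) ---------------------------
def register(user, host, cseq):
    return (f"REGISTER sip:pbx.example.com SIP/2.0\r\n"
            f"From: <sip:{user}@pbx.example.com>;tag=a1\r\n"
            f"To: <sip:{user}@pbx.example.com>\r\n"
            f"Contact: <sip:{user}@{host}:5060>\r\n"
            f"CSeq: {cseq} REGISTER\r\n\r\n")


def response(status, reason, user, cseq, method):
    return (f"SIP/2.0 {status} {reason}\r\n"
            f"To: <sip:{user}@pbx.example.com>;tag=b2\r\n"
            f"CSeq: {cseq} {method}\r\n\r\n")


def invite(caller, host, callee, cseq):
    return (f"INVITE sip:{callee}@pbx.example.com SIP/2.0\r\n"
            f"From: <sip:{caller}@{host}>;tag=c3\r\n"
            f"To: <sip:{callee}@pbx.example.com>\r\n"
            f"CSeq: {cseq} INVITE\r\n\r\n")


def sample_traffic():
    t = []
    # Desk phone at 10.0.0.5 registers extension 1001 normally (digest challenge, then 200).
    t += [(0.0, "10.0.0.5", register("1001", "10.0.0.5", 1)),
          (0.1, "10.0.0.5", response(401, "Unauthorized", "1001", 1, "REGISTER")),
          (0.2, "10.0.0.5", register("1001", "10.0.0.5", 2)),
          (0.3, "10.0.0.5", response(200, "OK", "1001", 2, "REGISTER"))]
    # Internet host guesses 1001's password: six REGISTERs, each rejected.
    for i in range(6):
        t += [(10.0 + i, "203.0.113.9", register("1001", "203.0.113.9", i + 1)),
              (10.1 + i, "203.0.113.9", response(401, "Unauthorized", "1001", i + 1, "REGISTER"))]
    # A guess succeeds: 1001's calls now route to the attacker's host.
    t += [(20.0, "203.0.113.9", register("1001", "203.0.113.9", 7)),
          (20.1, "203.0.113.9", response(200, "OK", "1001", 7, "REGISTER"))]
    # TDoS: 25 INVITEs to the main number in five seconds.
    for i in range(25):
        t.append((30.0 + i * 0.2, "198.51.100.7", invite("anon", "198.51.100.7", "5000", i + 1)))
    return t


def run(traffic=None):
    """Feed a capture through the monitor and return the alerts in time order."""
    mon = SipMonitor()
    for ts, peer, raw in sorted(traffic or sample_traffic(), key=lambda e: e[0]):
        mon.observe(ts, peer, raw)
    return mon.alerts
```

Calling `run()` on the constructed capture yields three alerts in order: a `register_brute_force` for 203.0.113.9, a `registration_moved` for sip:1001@pbx.example.com from 10.0.0.5 to that same host, and an `invite_flood` from 198.51.100.7. The correlation between the first two is the point: a generic IPS sees only UDP datagrams to port 5060, while decoding the signaling shows that a failed guessing run was followed by the extension's registration leaving the building.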
Element #3 - Enterprise IT
Regardless of current threat levels both real and
perceived the value proposition for IT security is
challenging to sell to management. Enterprise IT
needs to protect the network and meet compliance
requirements at a reasonable cost, but also balance
this against management's needs for employees
to be as productive as possible. Onerous security
measures may make the network more secure,
but are just as likely to make UC applications less
user-friendly. If this prevents IP communications
tools such as VoIP from delivering full value to the
business, the return on investment (ROI) for VoIP
security solutions will be difficult to demonstrate.
Enterprise IT faces both a knowledge gap and
higher priorities when it comes to VoIP security.
Many IT departments are still rooted in the legacy
world and think of VoIP as telephony rather than
a data application. Legacy telephony poses few
security risks, but VoIP is the exact opposite if left unchecked. This level of understanding varies
widely by industry, and where it is low, there is a
tendency to ignore the threats and simply hope no
major breaches occur.
Chief Information Officers (CIOs) have security com-
pliance obligations that take attention and budget
away from the actual threats aimed at their network.
Since VoIP is only nominally contained in the com-
pliance envelope, it will typically only get their atten-
tion after the fact when it has become the pathway
for the latest breach.
As "do more with less" becomes the new normal for
enterprise IT, resources are primarily consumed by
firefighting and keeping the network operational for
everyday needs. This leaves little for being proac-
tive and focusing on prevention and with that comes
an acceptance for a base level of compromise on
network security. With hackers one step ahead of
all but the most visionary IT teams, the aforemen-
tioned knowledge gap truly elevates the level of
risk with VoIP. To effectively manage these risks, IT
needs to think differently and adopt best practices
for prevention.
The workplace is changing in ways that pose new
challenges for IT, many involving IP communica-
tions. One key trend is the decentralization of the
workplace, where employees are increasingly work-
ing offsite, for instance from home, their cars, air-
planes, hotels, and client sites. These scenarios
provide one of the strongest use cases for Unified
Communications, allowing businesses to adopt vir-
tual models, optimize office space, and be more
responsive to customers. The IT challenge, how-
ever, is one of enabling all this in a secure environment. As endpoints become more distant from the
LAN, the harder it is to control access. Moreover,
a great deal of this VoIP and UC trafc will be over
the public Internet and often across insecure Wi-Fi
connections. Offsite worker productivity depends on
these factors, but the associated network risks must
be understood and addressed.
Moving offsite to onsite, BYOD (Bring Your Own
Device) is another trend with similar implications.
The main difference is that employees are using
these devices, applications, and networks to be
more productive at the office. Of course, they are
also using them offsite, but the main issue is that by
virtue of owning these devices, employees feel enti-
tled to use them as they see fit. This often means
theyre not used with consideration to how the enter-
prise as a whole may be impacted. There are many
aspects around this, but the key IT challenge lies in
developing a security plan that addresses the risks
without looking like Big Brother. Currently, many IT
departments are having BYOD forced upon them and by developing policies on the fly, they are sure to miss
many threats that a proactive plan would anticipate.
On a strategic level, there is a distinct IT challenge
not just in understanding the threats well enough
around VoIP to develop a sound security plan, but
also in implementing it effectively. Data breach
reports consistently show how vulnerable IP PBXs
are, and if that remains true, IT has a long way to
go in addressing the broader scope of IP commu-
nications, of which VoIP is just one application.
Presuming IT can get there, the next challenge
calls for implementation in a way that does not draw
undue attention. This must be done carefully and
perhaps in stealth mode, otherwise employees may
get anxious about having been targeted by hack-
ers. There is also the Big Brother aspect to consider,
as IT does not want to create a climate of distrust
that may be implied by a heavy-handed security
plan. Furthermore, any such anxiety is sure to be
detected by hackers, raising a red flag that your
network is tightening up. Some will choose to strike
immediately before measures are in effect.
Element #4 - End Users
Employees play an important role around VoIP
security because they often control the endpoints
that are points of entry for attacks. Not only are they
the drivers of internal threats to network security, but also as end users, they are often the targets of
external threats. In terms of internal threats, there
are two forms: unintentional and intentional. The
former is a mix of accidental actions that invoke
threats such as forwarding emails with sensitive
data to a group list that may include inappropriate
contacts or unwitting actions, such as opening a
voice message embedded with malware. Intentional
internal threats arise from disgruntled employees
who may use VoIP as a vehicle to disrupt opera-
tions, engage in fraud, and share sensitive data with
competitors.
In terms of external threats, end users pose a major
security challenge by serving as easy targets for
hackers. Despite the shortcomings described
herein of IT security, on a broad scale it serves as a
fairly effective deterrent. Rather than trying to bridge
this large security moat, many hackers simply find
it easier to gain access by targeting individuals with
a low protection threshold. With so much personal
information posted online now, hackers often use
social engineering to lead them to weak points for
network access such as the IP PBX.
Even the best IT security regimes will be under -
mined by an end user if too much is asked of him
or her. Most people have trouble managing all their
passwords and user names, and if authentication
for network access requires too many steps, they
may not bother using the application or will revert to
the default settings. While the path of least resist-
ance seems easier, this makes them easy marks
for hackers. By nature, people will protect things
of value, and for this reason, employees are fairly
diligent updating their email credentials. Most, how-
ever, do not see VoIP the same way, nor do they
view their desk phone as a security risk. Employees
are very much part of the solution for VoIP security,
and IT must recognize the need to make it as simple
and transparent as possible.
Related to the above is the simple fact that end users
are not the experts when it comes to properly securing
IP communications and endpoints. They may be quite
tech savvy and familiar with the applications, but this is
usually in the context of personal usage. With BYOD,
employees may think they are using their mobile
devices responsibly, but in fact they are not doing so
on an enterprise-wide level and this is where they
may be exposing the business to many forms of risk.
IT has a broader mandate, and getting employees to
understand that is another aspect of where education
is needed to better manage VoIP security.
Element #5 - Executives
First and foremost, research indicates that senior
executives view network security in financial terms.
This reality means that so long as VoIP poses little
financial risk, it will remain a low priority. Toll fraud is
a common form of financial risk with VoIP, but is too
minuscule to change their thinking, and other forms
happen too infrequently (at least for now).
Executives see security as the domain of IT, impact-
ing the network but not the business itself. Given
how embedded communications technologies are
becoming in business processes, and the very real
potential for network threats to disrupt operations,
this mindset is out of sync with current realities.
Aside from network risk, these threats clearly
represent business and financial risk and, like end
users, IT needs to better educate this stake-
holder group about the risks posed by VoIP and IP
communications.
Most management teams will be followers rather
than leaders when it comes to network security.
Rather than trying to understand and address spe-
cific types of risk posed by VoIP, they will be more
likely to invest in broader security efforts that keep
them on par with their industry peers. This will lead
them to support security initiatives that are easily
measured within existing compliance frameworks,
rather than focus on VoIP, where they have little
guidance from the regulatory and audit commu-
nity. Furthermore, management has little incentive
to improve security beyond their peers, and unless
someone suffers a serious breach or takes a lead-
ership position with VoIP for competitive advantage,
they will not likely pay it much heed.
Executives are also end users, and it is worth noting
they can be one of the greatest enablers of VoIP
security threats. Aside from being at the forefront of
BYOD adoption, their rank provides them access to
the most sensitive corporate data, wherever they
are and whenever they need it. Add to this their
general disregard of, or lack of inclination to use
even basic security precautions, and you have an
extremely attractive target for hackers.
Element #6 - The Audit and Compliance Community
In terms of VoIP, ensuring that minimal IT compli-
ance requirements have been met will likely create
a false sense of security. Most known VoIP threats
are not specically addressed in business risk
or information technology risk frameworks (such
as COBIT) or security implementation standards
(such as ISO 27002), so they may not be specifically
addressed during the security audit process.
Perhaps more concerning is that other vulnerabili-
ties related to IP communications are not yet known
or have not yet materialized. Hackers will target
your network for a variety of reasons, and know-
ing that VoIP can be a weak link, they will continue
devising new threats, making it impossible for any
security system to be bulletproof. As such, one of
the strongest conclusions from our research is that
being compliant does not necessarily mean being
secure, and vice versa.
Related to this, existing security standards are effec-
tive at addressing threats in mature, standards-based
spaces such as payment card data under the Payment
Card Industry Data Security Standard (PCI DSS), but
less so with VoIP, which is much newer on the security
horizon. One reason is that VoIP deployment has not
yet become standardized (the signaling and media
protocols themselves, SIP and RTP, are IETF standards;
what is missing is an agreed security baseline and a
compliance mandate for how they are deployed), which
makes it difficult to understand its role in supporting
business processes, along with prescribing specific
requirements to make it secure. As a result, VoIP has
not been part of the security agenda or the audit
mandate. Given how rapidly VoIP traffic is growing on
enterprise networks, this is not a tenable position, and
introduces a form of risk that was not present with
legacy telephony.
The audit community tends to view VoIP as a PBX
issue where it will only have a localized impact on the
telephony system. Not only does this limit the focus
to one type of network endpoint (desk phones) but
also, VoIP is just one mode in the spectrum of IP
communications. When enterprises deploy Unied
Communications and other modes and applications
(such as video, mobility, and conferencing), they
create or inherit the same vulnerabilities, meaning
that security exposures now extend well beyond the
phone system and your PBX. While UC can truly
enhance productivity and business processes, its
absence from the risk agenda contributes to the
aforementioned false sense of security.
Another challenge facing this community is find-
ing the right balance of inclusion with VoIP relative
to the risks posed to the enterprise. Since VoIP is not well understood and lacks standardization, both
audit practitioners and IT executives have difficulty
measuring the risks and providing guidance on the
appropriate level of effort needed to manage them.
In the current environment, this reality will likely
persist as compliance requirements become more
demanding, expensive, and resource-intensive.
Auditors are conscious of the need to keep the compliance
process manageable without impinging on
operational effectiveness, and will be more comforta-
ble focusing on areas of risk that are well understood
and have a measurable impact on the business.
The overall implication for the audit community is
that by viewing VoIP as a PBX issue, the asso-
ciated risk is nominal, making it a low priority
or non-issue in terms of security compliance.
Unfortunately, enterprises will likely need to expe-
rience some large scale and damaging security
breaches caused by VoIP vulnerabilities to get this
form of risk on the compliance agenda. The audit
community can certainly play a proactive role here
by including VoIP in IT and network infrastruc-
ture audits and assisting IT to connect the dots
between VoIP and business value.
Implications
Various stakeholders and communities have distinct challenges, realities, and interests when it comes to VoIP security.
Each needs to be understood on its own terms, and from there the interrelationships must also be considered. An effec-
tive response to VoIP security requires that all six elements be addressed and engaged at some point along the way.
To gauge the bigger picture and strategic level issues around VoIP security, consider the following:
Your home
To ensure family safety you may deploy a variety of secu-
rity measures, such as deadbolts, steel doors, window
bars, alarm systems, video surveillance, and motion sen-
sors. Yet, most people never feel 100% safe, and intrud -
ers keep devising new ways to bypass these deterrents,
such as entering through the roof or ductwork or even
using brute force to perform home invasions.
Critical Infrastructure
Think about what the Department of Homeland Security
focuses on: control systems that keep airports running,
financial markets open, and utilities operating. On a local
level, this applies to 911 and associated emergency services
(police, fire, and hospitals). As important as home
security is to your family, these services are equally vital
to the government and society at large. They simply can-
not be compromised, and with so much at risk, appropri-
ate measures have been taken to ensure 24/7 security.
In both of these environments, known threats have been
addressed quite well, but new tools are constantly being
adopted as unknown vulnerabilities and threats become
better understood. Neither environment can be 100%
secure 100% of the time, but the threats are taken seri-
ously and the high levels of risk that would come with a
breach dictate the investment in security. They may not
totally understand the risks posed by VoIP, but awareness
of its potential is growing, and with that will come a willing-
ness to add VoIP to overall security regimes.
Enterprise networks are of a different mindset
when it comes to VoIP security. Other forms of data
security may be well addressed by enterprise IT,
and compliance requirements have a lot to do with
that. When it comes to VoIP, however, most enter-
prises are either lacking in understanding, or will minimize the risk potential for a variety of reasons.
The comparisons are presented here because all these
environments use VoIP to varying degrees, and this
creates vulnerabilities that were not present with legacy
telephony. Without compliance frameworks requiring VoIP
to meet certain security standards, enterprises must first
understand the associated vulnerabilities and threats and
then start thinking about the risks like we do in these other
environments.
This takes us back to the fact that VoIP is relatively new and not yet standardized. Security and safety are rarely
first principles guiding innovation, and VoIP is no excep-
tion. VoIP emerged in 1995 when the Internet was still
in its infancy and the limitations of dial-up service pretty
much ruled out malicious activity, so there was little need
to consider security. In fact, the automobile industry pro-
vides a telling parallel.
Cars did not become mainstream until the highway system was built, and seatbelts were not mandatory in the United States until 1968. For the better part of the first 70 years of automobiles, the risk factor of seatbelts was not deemed high enough relative to the inconvenience. Today, this would be unthinkable, but it took many decades for the auto industry to adopt safety standards to address both a very real risk and a growing set of threats as cars became faster and carried more passengers. VoIP is no different, and in time will become fully standardized.
The threats posed today may be relatively minor, but just as automobile risk levels elevate with drunk drivers, they rise for enterprises with VoIP as more people use it without regard for security, and as long as it remains a low priority for IT, executives, and the audit community.
The Way Forward
While VoIP holds both promise and risk, there are effective solutions that speak directly to the problems but will not compromise its value to the business. However, before those solutions can be implemented, a change in thinking is needed, not just within IT, but also among the other stakeholders addressed in this e-Book. Education and awareness of the basic problems are good starting points, but you must also understand how and why thinking needs to change.
For those who see no such need to change or educate, there are three solutions, effective but impractical, that you can take to mitigate VoIP security risks:
1. Do not migrate to VoIP, or shelve your VoIP deployment and revert to Time-division Multiplexing (TDM). This would be a drastic and disruptive measure and would be almost impossible to get support for. The higher costs of TDM service and supporting a dedicated voice network alone would rule this out, not to mention the phasing out of support for legacy systems from vendors. Even more important is taking a large step backwards in communications efficiency and losing all the benefits associated with VoIP and UC. On the other hand, the risks around VoIP effectively disappear, but this would be a heavy-handed, shortsighted rejection of technology that is serving businesses very well.
2. Run all VoIP and IP communications traffic over a segregated network. This would certainly solve the problem, but it defeats the purpose of network convergence. Extending this across the business will not be practical, especially if operations are highly decentralized. Network-wise, this would also take you back to the TDM model, making it very difficult for IT to add value to business processes with today's communications tools.
3. Only run this traffic over a VPN and have VoIP fully encrypted. This again provides a highly secure approach, but also is not practical. IT will not be able to cost justify such an extensive use of the Virtual Private Network (VPN), especially when better solutions are available, namely those outlined in the next section. Encryption will also be expensive on this scale, but equally concerning would be the potential latency that can degrade the VoIP experience.
Thinking Differently About VoIP Security
Most businesses are forward-thinking enough to seek better solutions so they can securely benefit from all that VoIP has to offer. That thinking, however, must be aligned with the interests of the various stakeholders into a shared vision for VoIP security. To accomplish this, consider the following five ways that businesses need to think differently about VoIP security:
1. Focus on prevention rather than treatment
VoIP vulnerabilities and threats evolve too quickly for IT to keep on top of everything. Efforts are better applied in understanding known vulnerabilities and developing effective solutions for them. Unknown vulnerabilities require a different response, and when both are in place, IT will be much better prepared for VoIP security threats. However, this can only happen with a basic change in thinking about how to respond to these vulnerabilities and threats.
2. Think about VoIP as a form of business risk
At face value, VoIP's virtue comes from lowering the cost of telephony and adding new features. However, with voice service becoming a commodity, there is little strategic value attached to VoIP, and it is viewed as solely in the realm of IT. Management needs to see how VoIP touches all aspects of operations and can add value to business processes. In that light, when VoIP becomes the enabler of security threats, there are both technology risks and business risks, with the latter being far more damaging.
3. Think about how VoIP benefits the business
This message applies not just to management, but to IT and the audit community. Nobody will question the need to keep the IP PBX secure and toll fraud in check, but there is greater value in securing VoIP to ensure business continuity and streamline business processes. This has distinct implications for each stakeholder group, but only if they view VoIP as being more than low cost telephony.
4. View security as an integral part of business processes
Too often, network security has been ad hoc or an afterthought following the deployment of new technology. VoIP and UC can add significant value here, but only with effective security behind it. While compliance frameworks are often built around supporting business processes, they hardly touch on communications technologies, and bridging that gap is another example of how enterprise thinking needs to change around VoIP security.
5. Recognize that threats are real, not just perceived
There may be truth to both states of mind about VoIP, but taking the ostrich approach and hoping nothing bad happens is just a blind denial of reality. Even worse is a dismissive approach that does not take these threats seriously or the belief that cursory measures will be sufficient. Our research also shows a tacit acceptance in some cases where breaches are tolerated, but not at a level where the requisite security measures are deemed worthwhile.
Even though fear is a powerful agent of change, we are not advocating this as the driver to rethink your VoIP security. Taking ownership and responsibility for VoIP security is a far better response, especially when built on a foundation of knowledge. The business case becomes even stronger if the financial impact of these risks can be quantified and then measured against the investment needed in proper VoIP security. However, this can only begin when there is acceptance that a problem in fact exists.
VoIP Security Solutions
Given that VoIP is not well understood as a technology and how the threat landscape is constantly shifting, you need to start from the position that this is an ongoing challenge, and that the risks will only intensify as adoption grows. From there, you must determine where VoIP fits in your overall network and security plan and who will drive these plans. If IT takes a PBX-centric approach to VoIP security, the plan will not be comprehensive enough to provide full value to the business, and compliance frameworks will be of little help.
If enterprise IT adopts the thinking advocated herein about VoIP security, they will have an easier time identifying the best courses of action. VoIP security is complex and the various solutions will require careful evaluation. Within the scope of this e-Book, there are two basic types of solutions that can serve enterprises well.
Solution 1: Managed Security Service
This follows the cloud model that enterprises are rapidly adopting for communications along with other business applications. The notion of Security as a Service (SaaS) has come of age, and can go a long way to making VoIP and UC secure. By providing constant monitoring like consumers do with anti-virus protection, IT is relieved of the constant pressure to monitor threats and update security coverage.
There is an attractive business opportunity here for service providers, not just to tap new revenue streams, but also to make it easier for enterprise customers to adopt a wider range of UC applications that would also be hosted by them. The limitation, however, arises from their limited experience with VoIP security as well as long-term commitment to supporting it.

This path can certainly address many VoIP security needs, but likely not all of them. Furthermore, enterprises would have to rely on and even be locked in with a provider for updates and new security applications. Unless the provider is prepared to deliver custom coverage to your business, their offering may or may not cover your needs. Another consideration is that the provider is offering this to all their customers, making it difficult for you to differentiate your VoIP security.
Solution 2: Standalone VoIP Audit Application
Purpose-built solutions are generally preferable for complex needs, and that certainly applies here. Finding the right one is challenging, however, as the range of offerings is broad. Some will be part of a Session Border Controller solution; others will be built into a data security platform, and some will be specifically designed for VoIP. Given the lack of standardization around VoIP, there is plenty of overlap here, so true direct comparisons are difficult to make.

The sponsor of this e-Book, VoIPshield Systems, is a prime example of the last type, as their business is 100% focused on this problem set. Vendors like this will have far more comprehensive coverage than a managed service, but require greater effort from the enterprise to assess and manage directly.

We believe these vendors offer the best solution, especially for enterprises prepared to take a proactive stance with VoIP security. Our research indicates these businesses are in the minority, and for that reason, purpose-built vendors such as VoIPshield Systems have had limited traction to date. This e-Book hopes to change that, but it is not clear whether these solutions will find a market in their current state, or take their form as a VoIP security solution integrated within a broader network security offering from a vendor with an established enterprise footprint.
Jon Arnold, of J Arnold & Associates, an independent telecom analyst practice, authored this e-Book, which was reproduced with permission by VoIPshield Systems in March 2014. The contents herein reflect conclusions drawn from ongoing research about VoIP security and specific research for this e-Book.
For more information please contact: [email protected].
Appendix
Summary of VoIP Vulnerabilities and Threats
This Appendix summarizes common threats and vulnerabilities that can be enabled by VoIP as well as the broader scope of IP communications. They have been grouped into two basic types, as per a taxonomy developed by ISACA. Note that this summary is a high level review of common threat types, and for each a variety of variations exist. The list is far from exhaustive, and beyond this lies the realm of unknown threats, some of which exist but have not yet made an impact, while others are yet to be developed.
Type of Risk                          Threats
Disruption of VoIP Data and Service   VoIP Control Packet Flood
                                      VoIP Call Data Flood
                                      TCP/UDP/ICMP Packet Flood
                                      VoIP Implementation DoS Exploit
                                      OS/Protocol Implementation DoS Exploit
                                      VoIP Protocol DoS Exploit
                                      Wireless DoS Attack
                                      Network Service DoS Attacks
                                      VoIP Application DoS Attacks
                                      VoIP Endpoint PIN Change
                                      VoIP Packet Replay
                                      VoIP Packet Injection
                                      VoIP Packet Modification
                                      QoS Modification
                                      VLAN Modification
VoIP Data and Service Theft           VoIP Social Engineering
                                      Rogue VoIP Device Connection
                                      ARP Cache Poisoning
                                      VoIP Call Hijacking
                                      Network Eavesdropping
                                      VoIP Application Data Theft
                                      Address Spoofing
                                      VoIP Call Eavesdropping
                                      VoIP Control Eavesdropping
                                      VoIP Toll Fraud
                                      VoIP Voice Mail Hacks
Source: ISACA, VoIP Audit/Assurance Program, Appendix 1 VoIP Threat Taxonomy, 2012
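The taxonomy above names threat types without saying what evidence of them looks like on a network. The following is an added example, written for this page and not taken from the e-Book, from ISACA or from VoIPshield Systems, that runs simple detection logic for two of the listed threats over constructed SIP signalling log lines: "VoIP Control Packet Flood" (a source sending a burst of INVITE requests) from the Disruption group, and "VoIP Toll Fraud" (calls to premium-rate prefixes or international calls outside business hours) from the Theft group. The log format, the 20-INVITEs-per-10-seconds threshold, the premium prefixes, the 08:00 to 18:00 UTC business hours and treating +1 numbers as domestic are all assumptions made for the example; a real deployment would take these from the PBX's own logs and the organization's calling profile.

```python
"""Added example (not from the e-Book): flag two ISACA threat types in SIP logs.

Assumptions (mine, not the page's): a constructed log format of
"<ISO-8601 UTC timestamp> <source IP> <SIP method> <request URI>",
a flood threshold of 20 INVITEs per 10 s, a short list of premium-rate
prefixes, and business hours of 08:00-18:00 UTC with +1 treated as domestic.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) sip:(?P<uri>\S+)$"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not fit the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    uri = m["uri"]
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": m["src"],
        "method": m["method"],
        # The called number is the user part of the request URI; REGISTER has none.
        "number": uri.split("@")[0] if "@" in uri else "",
    }


def parse_log(text):
    """Parse a whole log, silently dropping lines that do not match."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def detect_control_packet_flood(events, window_seconds=10, threshold=20):
    """'VoIP Control Packet Flood' (Disruption of VoIP Data and Service): any source
    exceeding `threshold` INVITEs inside a `window_seconds` sliding window.
    Returns {source_ip: peak_invites_in_window} for flagged sources only."""
    by_src = defaultdict(list)
    for e in events:
        if e["method"] == "INVITE":
            by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it lies within window_seconds of t.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged


def detect_toll_fraud_indicators(events, premium_prefixes=("+882", "+883", "+1900"),
                                 business_hours=(8, 18)):
    """'VoIP Toll Fraud' (VoIP Data and Service Theft): INVITEs to premium-rate
    prefixes, or international INVITEs placed outside business hours.
    Returns a list of (timestamp, source_ip, number, reason) in log order."""
    hits = []
    for e in events:
        if e["method"] != "INVITE":
            continue
        num = e["number"]
        in_hours = business_hours[0] <= e["ts"].hour < business_hours[1]
        reason = None
        if num.startswith(premium_prefixes):
            reason = "premium-rate destination"
        elif num.startswith("+") and not num.startswith("+1") and not in_hours:
            reason = "international call outside business hours"
        if reason:
            hits.append((e["ts"].isoformat(), e["src"], num, reason))
    return hits


def build_sample_log():
    """Constructed sample traffic, not a real capture: 25 INVITEs in 5 s from one
    host, a normal daytime call, two suspicious night-time calls, and one junk line."""
    lines = [f"2019-07-24T10:00:{i // 5:02d}Z 10.1.1.7 INVITE sip:+1212555{1000 + i}@pbx.example"
             for i in range(25)]
    lines += [
        "2019-07-24T10:05:00Z 10.1.2.20 REGISTER sip:pbx.example",
        "2019-07-24T10:05:01Z 10.1.2.20 INVITE sip:+12125550100@pbx.example",
        "2019-07-24T10:05:03Z 10.1.2.20 BYE sip:+12125550100@pbx.example",
        "2019-07-24T02:13:45Z 10.1.3.9 INVITE sip:+88212345678@pbx.example",
        "2019-07-24T02:20:00Z 10.1.3.9 INVITE sip:+442071234567@pbx.example",
        "2019-07-24T14:00:00Z 10.1.2.21 INVITE sip:+442071234567@pbx.example",
        "this line is not in the expected format",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    print("control packet flood sources:", detect_control_packet_flood(evts))
    for hit in detect_toll_fraud_indicators(evts):
        print("toll fraud indicator:", hit)
```

Run as-is, the script reports 10.1.1.7 as a flood source (25 INVITEs inside the 10 s window) and two toll-fraud indicators from 10.1.3.9, while the 14:00 international call from 10.1.2.21 is left alone. The sliding-window count is the same shape of check a Session Border Controller or a standalone audit application applies at line rate; the value of running it over your own PBX logs is that the thresholds can be tuned to the organization's real calling profile before anything is blocked.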