Notes from the Consultant’s Jungle

VoIP Security Assessment: How Long are You Going to Wait?

April 4, 2008


Most of the enterprises that we encounter through the service of our practice have top-notch Information Security teams. The basic existence of a security team in the organization is evidence that the CIO recognizes and appreciates the enormous risk exposure and potential loss to the business that can result from information security breaches, and has committed to managing it. Indeed, because of the nature of security professionals in general, having such a team at all typically brings seriousness and diligence to this area of governance in the firm. We have further seen that Information Security teams of the Clients that we’ve served are typically very well funded. This, again, reflects recognition of the importance of a strong security posture for good corporate governance, and a commitment on the part of executive management to invest in Information Security.

Information Security implementations dedicate substantial resources toward protecting the network, systems, and data that serve the enterprise. Organizations have traditionally created protection against breaches by creating security barriers such as access controls, Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), firewalls, and cryptography. It is alarmingly common, however, for the voice communications systems to be omitted from the security plan. Beyond the core components of the PBX and Voice Mail platforms, modems and fax lines often serve as bastions of fraud and abuse (costs) as well as back-door access to the data network. While much can be said about adequate inclusion of voice systems in the overall security policy, the increasing proliferation of VoIP deployments, and of IP Telephony in general, tends to amplify the risk to the overall security posture.

VoIP implementations drive changes beyond the fundamental replacement of voice processing platforms.  More so than perhaps any other technology one can think of, these changes have a broad impact on an organization’s security posture.  Let’s discuss a few of these at a high level.

At a very fundamental level, VoIP implementations change the characteristics of the data network.  We are all very familiar by now with the requirements of IP Telephony on network latency and jitter for acceptable quality of service (often measured as Mean Opinion Score, or MOS).  From a security perspective, this translates into not only performance metrics but also availability (one of the legs of the CIA triad for Information Security).  Said another way, the management of network performance is, in a sense, now a security issue.  In addition to issues of availability and performance, IP Telephony introduces a new family of protocols carried on the data network, as well as stateful session management through firewalls and perimeter boundaries. 

If you’re in the implementation stages of a VoIP deployment, then you know that organizational change of some kind is necessary in order to accommodate convergence of voice and data in an operational production environment. If you’re in the consideration or planning stages of a VoIP implementation and think that the traditional Telecom and Data teams can continue to work and be managed with the same level of segregation and independence in the post-convergence environment, well, may the force be with you. Organizational changes that occur as a result of IP Telephony implementations are largely driven by Technical Operations concerns. In the pre-convergence environment, a user can request a new phone to be installed, changes to number plans, or even call routing, and expect the request to be honored ad hoc. In a post-convergence environment, this is a request to add a new endpoint to the network. This is a production impact of a different color, and also now includes AAA (Authentication, Authorization, and Accounting) security components.

Of course, there are also numerous technical security aspects introduced by VoIP implementations. We’ve already touched upon the Availability component of the CIA triad. There are also substantial issues to address with the Integrity and Confidentiality components. These issues directly parallel the similar threat taxonomy with data traffic, including packet capture, eavesdropping, redirection, malicious modification, spoofing, and so on. The difference, though, is that with VoIP we’re dealing with conversations, person-to-person messages, recordings, and voice mail. In fact, the implementation of IP Telephony creates an opportunity (necessity) for synchronization of the Security Policy with Technical Operations as well as Architecture and Engineering functions.

Given this backdrop of change to the technical environment, to the technical organization, and to governance policies due to this change of core technology, it is wise to consider conducting a VoIP Security Assessment as a part of the technology governance framework.  During the planning and implementation phases of an IP Telephony deployment, a VoIP Security Assessment is just as essential as a network readiness assessment.  Including voice security as a part of periodic security assessments is essential as well.

You’re probably seeing the same articles as I am in the trade journals that warn about VoIP Security concerns, but in the same breath say that things haven’t gotten all that bad just yet.  I would counter that this sentiment is somewhat relative.  Are VoIP Security incidents as numerous today as email incidents?  No, they’re not.  However, I’m here to tell you that they’re far from non-existent.

Just this past week, a longtime Client of ours, and an international multi-billion dollar firm, called for help because of a virus infection in their telephony system that was crippling their voice communications on a wide scale. A VoIP Security plan would likely have mitigated the risk that was exploited in this case. As a matter of fact, some industry sources are recommending at least annual VoIP Security Assessments, due to the frequency of change characteristic of voice communications platforms and their (now) intimate interconnection with core enterprise data. VoIP Security Assessments should be grounded upon a comprehensive taxonomy of threats to the environment, including not only technical, operational, and compliance issues but also social threats because of the strong impact of human behavior on the security posture of voice systems.

If you care to weigh in on this topic, I’d be grateful to learn about your experiences with VoIP Security, how you’re monitoring and managing, or any perspectives you’d care to share.

    

Categories: IS Security · VoIP