VoIP Security: More Than Just IT Risk. When Being Compliant Does Not Mean Being Secure

J Arnold & Associates, November 2013

Table of Contents

Executive Summary
Introduction
Today's Changing Information and Communications Technology Security Landscape
    Opportunities and Risks Posed by VoIP
    Realities and Challenges
    Implications
The Way Forward
    One Path Forward, but Backwards as Well
    Thinking Differently About VoIP Security
    VoIP Security Solutions
Appendix: Summary of VoIP Vulnerabilities and Threats

VoIP Security: More Than Just IT Risk. J Arnold & Associates.

Executive Summary

Security may not be the first thing that comes to mind with VoIP, but if it is not near the top of your list, you could be exposing the business to significant risk. The reasons are both complex and simple, but there is no question VoIP security will become more pressing as enterprises accelerate their adoption of IP telephony along with its umbrella cousin, Unified Communications (UC). Not only are these technologies being deployed to make communications more effective, but also to integrate with business processes that impact overall operations and workflows to make employees more productive.

This white paper has been produced to educate both IT and executive teams in an objective manner about the nature of VoIP, both in terms of its benefits and its potential risks. Perhaps more importantly, our objective is to reframe the thinking within enterprises to view VoIP security more as a business risk than just a risk contained within the IT sphere. One need look no further than the recent vulnerability updates made by Cisco for Call Manager as evidence that these risks are more real than perceived.

A key reason for this view is that VoIP along with UC provides significant business value that goes beyond reducing telephony costs. When tied to business processes, these applications can transform your operations by improving productivity, shortening decision timeframes, curtailing travel, and improving customer satisfaction. However, for these benefits to be realized, the underlying network environment must be secure, and in most enterprises this is simply not the case with VoIP. Whether or not your business has experienced a VoIP security breach, the associated threats and vulnerabilities are real and becoming more sophisticated, so as to remain a step ahead of today's security frameworks. In fact, your network may already have been compromised this way without your being aware, and your activity may be quietly monitored by hackers until the right moment, when they detect a VoIP-enabled vulnerability.

A key takeaway from this paper is that being compliant does not mean being secure, so do not assume that a clean bill of health from your latest IT security audit makes your business immune to these threats. Building on that, our intention is to broaden your understanding of the issues, as you will need a core knowledge base to develop an effective security plan and adopt appropriate solutions to protect the network and the business, and to remain compliant.

Introduction

The adoption of VoIP by enterprises has been underway for some time, and as its value is being realized, this trend is accelerating. While this is good news for VoIP vendors and service providers, the related network security implications have received little consideration. Having closely tracked VoIP since 2001, J Arnold & Associates is attuned to VoIP's inherent vulnerabilities, which make it a target for a growing array of security threats. Our view is that the associated risks to both the business and the network are not properly understood either.

To validate this, we have undertaken independent research across the market, including senior enterprise IT personnel, executive management, audit practitioners, security vendors, information security consultants and service providers. This industry-based perspective has provided a balanced base of learning upon which this white paper was written. In-depth personal interviews were conducted by J Arnold & Associates during June-July 2013, and while the results are qualitative, the sources are highly informed and we believe that, collectively, they accurately reflect the broad state of thinking about VoIP security.

Our overall objective is to educate the market about the realities of VoIP security, and how, under present conditions, enterprises will not derive full benefit from VoIP or from the broader scope of IP communications now being integrated under the banner of Unified Communications. When the vulnerabilities posed by VoIP are properly understood, enterprises will be better able to manage the threats and safely exploit VoIP for its business value. This will also help ensure compliance with relevant information security, control and privacy standards.

This paper begins with an analysis of six elements distilled from the research, and explains the importance of each as well as the role each can play in improving the overall understanding of VoIP security. Following this, we present our prescriptive action plan and possible solutions enterprises can adopt to move down that path.

Today's Changing Information and Communications Technology Security Landscape

Opportunities and Risks Posed by VoIP

There is good reason why VoIP has transformed the telecom industry for the better, and that impact is now registering with enterprises. Just as there is more to VoIP than cost savings, there is more to IP communications than VoIP.
Businesses can easily justify the move to VoIP on economic grounds, not just for lower telephony costs but also for streamlined network operations. Converging voice and data onto this streamlined network environment creates new value that Unified Communications is just starting to address, especially when tied to CEBP (Communications Enabled Business Processes). This adds a layer of strategic value to VoIP as well as to the broader suite of IP communications supported by UC, all of which now run over enterprise data networks.

Legacy telephony is being displaced largely because it stopped evolving and could not match the business value and innovation provided by VoIP. From its modest roots as a hobby technology, VoIP has matured considerably, and riding the wave of the broadband revolution, it is now poised to become the standard for business telephony. VoIP's ascendancy has been slow and enterprises are only just beginning to tap its potential, not just because it is relatively new, but also due to some realities that are not well understood. Legacy telephony took many decades to perfect, and VoIP is not yet fully standardized as a technology. More importantly, with telephony now moving over to the data network, it no longer has the protection offered by the dedicated voice network used to support your legacy PBX infrastructure.

These changes add up to new opportunities that legacy telephony could never deliver, but along with them come new risks as enterprises migrate to IP-based communications. With VoIP, telephony becomes a data application, and without appropriate measures in place several risks become very real, particularly business risk, technology risk, financial risk, network risk, security risk and compliance risk. Our industry-wide research supports the main message of this white paper: that the vulnerabilities and threats (i.e. the risks) are not well understood and, if not addressed, the benefits of VoIP will not be fully realized and may indeed cause significant operational, financial and regulatory problems.

While the mainstream media has created awareness about the threats posed by the Internet to the general public, very little is heard about what can and does happen in the business world. Large-scale breaches and exposés such as WikiLeaks, Stuxnet, and the recent actions of Bradley Manning, Edward Snowden and others are becoming part of the everyday news landscape, raising fundamental questions about privacy and information security on the Web. Not only are these happening with greater frequency, but the growing sophistication of attacks means they will occur without warning, with rapid impact, on a larger scale and against increasingly sensitive targets. Since a great deal of IP communications touches the Internet, especially VoIP, enterprises can be just as vulnerable as consumers who unwittingly open an e-mail containing malware, or government agencies with lax controls over data access.
VoIP has been subject to an ever-expanding class of security threats since its inception, many of which are targeted specifically at enterprises. This white paper is not intended for a technical audience, but to help illustrate this, a summary of common enterprise VoIP security threats is presented in the Appendix. Figure 1 below illustrates our view of this at a high level, with typical VoIP-based vulnerabilities flagged by red triangles. The key message is to show the mix of voice-enabled endpoints that provide pathways into the network that did not exist when telephony operated separately from the LAN. In short, VoIP poses unique security challenges that do not apply to other data streams or modes of IP communications. As Figure 1 shows, most of the vulnerabilities are at the network perimeter, and given the variety of possible entry points, effectively securing VoIP is a complex challenge. In addition to conventional threats that have long existed with IP PBXs (toll fraud, message tampering, eavesdropping, etc.), VoIP exposes the network to new threats, several of which can be debilitating for your entire business, such as Denial of Service attacks, data theft, identity spoofing, Quality of Service modification and hacking.

Figure 1: VoIP Vulnerabilities in the Enterprise Network Environment. Risk points for potential vulnerability / exposure of confidential information during generation, usage, maintenance, collection, communication and storage. (Diagram not reproduced; the elements shown are customers, the PSTN, Internet/IP service providers, contact centers #1 to #4 with their agents, IP-PBXs, web application servers for HTML, VXML, e-mail and chat, ACDs, voicemail, IVR, CRM/WFMS, call recorders, CTI and reporting servers, offshore centers #1 and #2, telecommuters, Unified Communication endpoints and a branch office.)

Realities and Challenges

To properly assess the nature and scope of the risks posed by VoIP, six elements need to be considered. These elements have been summarized from our research, and represent distinct touch points that must be understood to effectively mitigate risk and enable VoIP to provide full value to the business. Key realities and challenges for each are summarized as follows.

Element #1 - VoIP technology

As a technology, VoIP is not mature or standardized enough to be effectively incorporated into the ICT frameworks that drive compliance for network security. Essentially this means that security compliance for VoIP is voluntary rather than mandatory, leaving it out of scope for most security audits. VoIP is a weak link in the data network for security vulnerabilities, making it an attractive point of entry for hackers. While VoIP is often associated with telephony, the IP PBX and associated voice traffic are not typically the targets; rather, they provide access to corporate information or the LAN, since VoIP runs over the same network as all the other data applications used to drive the business.

IT security breaches attributable to VoIP are not yet widespread, but that is changing as VoIP adoption grows and hackers prey on vulnerabilities created by a lack of understanding of the risks and the consequent lack of best practices to address the threats and protect the network.

VoIP is much more than telephony, and when the broader scope of IP communications is considered, the operational benefits and strategic value are compelling. While VoIP has inherent value in reducing telephony costs, enterprises typically use it as a stepping stone to Unified Communications and the ability to support real-time multichannel interactions. These capabilities can have a transformative impact on operations, processes and customer experiences, but also mean that the impact of VoIP's security vulnerabilities goes well beyond the IP PBX to other applications such as softphones, video chat, Web-based VoIP, smartphones and tablets, and extends beyond the office to both home-based and remote workers.

Element #2 - the hacking community

For lack of a better word, this is how perpetrators of IT security threats are labeled, but the label can be misleading. This community is very diverse, ranging from hobbyists working alone to sophisticated criminal operations and state-sponsored cyber-espionage cells. Since VoIP still lacks standardization, the onus is on organizations to defend their network as best they can, and given the diversity of the hacker community, the task is very challenging. Since its inception, the Internet has been rife with security vulnerabilities and privacy exposures, making trust difficult to establish. The anonymous and porous nature of the Web is tailor-made for hackers, and their impact is being felt by everyone with increasing regularity and severity. While this raises the FUD factor across the general population, enterprises must be particularly alert with VoIP, since a great deal of IP PBX traffic traverses the public Internet, creating a new security vulnerability that did not exist when legacy telephony ran over a dedicated voice network. A key challenge is the fact that the motives of hackers are as varied as the community itself.
Some will target VoIP specifically for toll fraud, but more likely it will be their point of entry for other forms of malicious activity such as disrupting operations, identity theft, financial theft, corporate espionage or supporting political agendas. This makes VoIP more of a means to an end, and it would be futile to build a security plan that only addresses specific motives or types of hackers. The greatest challenge shown in our research is simply that this community is usually at least one step ahead of what the enterprise can defend. While VoIP may not be very attractive financially beyond toll fraud, hackers are looking for other ways to monetize corporate data, and when they find them their attacks will become more brazen and targeted. Since VoIP currently poses limited financial risk, security measures are limited as well, and if this continues, IT will only have reactive, after-the-fact options when more serious threats strike.

Our research indicates that the coming storm in network security threats should not be underestimated. Not only can hackers cause financial loss by accessing corporate data and bank accounts through a VoIP breach, but some would not hesitate to use the same breach to launch DDoS (Distributed Denial of Service) attacks. By constantly flooding your network with messages through that breach, they can disrupt or even shut down operations, and much like kidnappers, will only stop once they have extracted blackmail payments from you. Even this is no guarantee, as once that breach is fixed, hackers may well keep probing your network to find new points of entry, because they know VoIP can be highly vulnerable if not properly secured. Related to this is the growing complexity of enterprise networks, making it virtually impossible to plug every hole in the dike. Sophisticated hackers can always find a point of entry, sometimes with minimal effort, especially if basic security measures for VoIP are not followed.
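Toll fraud, the one VoIP threat the paper treats as financially visible, is also one of the few that leaves a clear trail in ordinary call records: a compromised extension placing a burst of short, after-hours calls to expensive destinations. The following is an added example, not part of the J Arnold & Associates paper, that runs such a burst detector over constructed call detail record (CDR) lines. The CDR field layout, the high-cost prefix list, the business-hours window and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample call detail records (CDRs), one call per line:
#   ISO-8601 timestamp, calling extension, dialled number, duration in seconds.
# The layout is an assumption for this example; real IP PBX exports differ.
SAMPLE_CDRS = """\
2013-11-04T09:15:02,ext1012,+14165550199,312
2013-11-04T09:47:40,ext1012,+14165550142,88
2013-11-04T02:03:11,ext2041,+2348012345601,6
2013-11-04T02:03:19,ext2041,+2348012345602,5
2013-11-04T02:03:31,ext2041,+2348012345603,7
2013-11-04T02:03:44,ext2041,+2348012345604,6
2013-11-04T14:20:05,ext3090,+4420796012345,540
"""

# Assumed high-cost destination prefixes. Fraudsters profit by terminating
# traffic to premium or high-rate ranges; take the real list from the
# carrier's rate tables rather than this illustrative one.
HIGH_COST_PREFIXES = ("+234", "+252", "+881", "+882")

# Assumed local business hours: 07:00 to 19:59.
BUSINESS_HOURS = range(7, 20)


def parse_cdrs(text):
    """Parse the CSV-style CDR lines into dicts, oldest call first."""
    records = []
    for line in text.strip().splitlines():
        ts, ext, number, duration = (field.strip() for field in line.split(","))
        records.append({
            "ts": datetime.fromisoformat(ts),
            "ext": ext,
            "number": number,
            "duration": int(duration),
        })
    return sorted(records, key=lambda r: r["ts"])


def is_high_cost(number):
    return number.startswith(HIGH_COST_PREFIXES)


def is_off_hours(ts):
    return ts.hour not in BUSINESS_HOURS


def find_toll_fraud(records, min_calls=3, window=timedelta(minutes=10),
                    max_duration=30):
    """Return {extension: peak_burst_size} for extensions that place at least
    min_calls short, off-hours calls to high-cost destinations inside any
    sliding window of the given length. Short durations matter: a fraud
    dialler is probing or pumping traffic, not holding conversations."""
    flagged = {}
    recent = defaultdict(deque)   # extension -> timestamps of qualifying calls
    for r in records:
        if not (is_high_cost(r["number"]) and is_off_hours(r["ts"])
                and r["duration"] <= max_duration):
            continue
        q = recent[r["ext"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= min_calls:
            flagged[r["ext"]] = max(flagged.get(r["ext"], 0), len(q))
    return flagged


def high_cost_exposure(records):
    """Total seconds of talk time to high-cost destinations per extension,
    useful for a daily cap even when no burst pattern is present."""
    exposure = defaultdict(int)
    for r in records:
        if is_high_cost(r["number"]):
            exposure[r["ext"]] += r["duration"]
    return dict(exposure)


if __name__ == "__main__":
    cdrs = parse_cdrs(SAMPLE_CDRS)
    print("burst alerts:", find_toll_fraud(cdrs))          # {'ext2041': 4}
    print("high-cost seconds:", high_cost_exposure(cdrs))  # {'ext2041': 24}
```

Run against a day's CDR export, the two checks complement each other: the burst detector catches the classic after-hours dialler, while the exposure total catches slow, spread-out abuse that stays under the burst threshold. Neither replaces controls on the PBX itself (trunk-level destination blocking, per-extension call limits), but they give a concrete signal that the "compliant but not secure" gap the paper describes is being exploited.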
Just because you have not experienced a VoIP security breach does not mean the network has not been compromised. Hackers may well be monitoring the network without your knowledge, just waiting for a port to be left open so they can go about their business with impunity, or they may already have penetrated and compromised your network and be waiting for the right time.

Element #3 - enterprise IT

Regardless of current threat levels, both real and perceived, the value proposition for IT security is challenging to sell to management. Enterprise IT needs to protect the network and meet compliance requirements at a reasonable cost, but also balance this against management's need for employees to be as productive as possible. Onerous security measures may make the network more secure, but are just as likely to make UC applications less user-friendly for today's knowledge workers and customers. If this prevents IP communications tools such as VoIP from delivering full value to the business, the ROI for VoIP security solutions will be difficult to demonstrate.

Enterprise IT in general faces both a knowledge gap and higher priorities when it comes to VoIP security. Many IT departments are still rooted in the legacy world and think of VoIP as telephony rather than as a data application. Legacy telephony posed few security risks, but VoIP is the exact opposite if left unchecked. Our research shows that this level of understanding varies widely by industry, and where it is low, there is a tendency to ignore the threats and simply hope no major breaches occur. Without this core understanding, IT will not see that the security vulnerabilities in their network will increasingly become breaches via VoIP along with the broader suite of IP communications supported by UC.

In terms of priorities, a complementary issue arises from the fact that CIOs have security compliance obligations that take attention and budget away from the actual threats aimed at their network. Since VoIP is only nominally contained in the compliance envelope, it will typically only get their attention after the fact, when it has become the pathway for the latest breach. As "do more with less" becomes the new normal for enterprise IT, resources are primarily consumed by fire fighting and keeping the network operational for everyday needs. This leaves little for being proactive and focusing on prevention, and with that, unfortunately, comes an acceptance of a base level of compromise on network security. With hackers being one step ahead of all but the most visionary IT teams, the aforementioned knowledge gap truly elevates the level of risk with VoIP. To effectively manage these risks, IT needs to think differently and adopt best practices for prevention.

The workplace is changing in ways that pose new challenges for IT, and many of these involve IP communications. One key trend is the decentralization of the workplace, where employees are increasingly working offsite, such as from home, their cars, airplanes, hotels, client sites, etc. These scenarios provide one of the strongest use cases for Unified Communications, allowing businesses to adopt virtual models, optimize office space and be more responsive to customers. The IT challenge, however, is enabling all this in a secure environment. The more distant endpoints become from the LAN, the harder it is to control access; in addition, a great deal of this VoIP and UC traffic will run over the public Internet and often across unsecured WiFi connections. Offsite worker productivity depends on these factors, but the associated network risks must be understood and addressed to make this worthwhile.

Moving from offsite to onsite, BYOD (Bring Your Own Device) is another trend with similar implications. The main difference is that employees are using these devices, applications and networks to be more productive at the office. Of course, they are also using them offsite, but the main issue is that by virtue of owning these devices, employees feel entitled to use them as they see fit. This often means they are not used with consideration for how the enterprise as a whole might be impacted.
There are many aspects to this, but the key IT challenge lies in developing a security plan that addresses the risks without looking like Big Brother. Currently, many IT departments are having BYOD forced upon them, and by developing policies on the fly, they are sure to miss many threats that a proactive plan would anticipate.

On a strategic level, there is a distinct IT challenge not just in understanding the threats around VoIP well enough to develop a sound security plan, but also in implementing it effectively. Data breach reports consistently show how vulnerable IP PBXs are, and if that remains problematic, IT has a long way to go in addressing the broader scope of IP communications, of which VoIP is just one application. Presuming IT can get there, the next challenge calls for implementation in a way that does not draw undue attention. This must be done carefully and perhaps in stealth mode, otherwise employees may become anxious about having been targeted by hackers. There is also the Big Brother aspect to consider, as IT does not want to create the climate of distrust that may be implied by a heavy-handed security plan. Furthermore, any such anxiety is sure to be detected by hackers, raising a red flag that your network is tightening up. Some will choose to strike immediately, before the measures are in effect, and others will view this as an invitation to test your shield, typically in the form of APTs (Advanced Persistent Threats).

Element #4 - end users

Employees play an important role in VoIP security since they control the endpoints that are so often the points of entry for attacks. Not only are they the drivers of internal threats to network security, but as end users, they are often the target of external threats. Internal threats take two forms: unintentional and intentional. The former is a mix of accidental actions that invoke threats, such as forwarding e-mails with sensitive data to a group list that may include inappropriate contacts, and unwitting actions, such as opening a voice message embedded with malware. Intentional internal threats arise from disgruntled employees who may use VoIP as a vehicle to disrupt operations, engage in fraud, share sensitive data with competitors, etc.

In terms of external threats, end users pose a major security challenge by serving as easy targets for hackers. Despite the shortcomings of IT security described herein, on a broad scale it serves as a fairly effective deterrent. Rather than trying to bridge this large security moat, many hackers simply find it easier to gain access by targeting individuals with a low protection threshold. With so much personal information posted online now, hackers often use social engineering to lead them to weak points for network access such as the IP PBX.

Even the best IT security regimes will be undermined by end users if too much is asked of them. Most people have trouble managing all their passwords and user names, and if authentication for network access requires too many steps, they may not bother using the application or may revert to the default settings. While the path of least resistance seems easier, this makes them easy marks for hackers. By nature, people will make the effort to protect things of value, and for this reason employees are fairly diligent about updating their credentials. Most, however, do not see VoIP the same way, nor do they view their desk phone as a security risk. Employees are very much part of the solution for VoIP security, and IT must recognize the need to make this as simple and transparent as possible. Related to the above is the simple fact that end users are not the experts when it comes to properly securing IP communications and endpoints.
They may be familiar with the applications and quite tech savvy, but this is usually in the context of personal usage. With BYOD, employees may think they are using their mobile devices responsibly, but not on an enterprise-wide level, and this is where they may be exposing the business to many forms of risk. IT has a broader mandate, and getting employees to understand that is another aspect where education is needed to better manage VoIP security.

Element #5 - executives

First and foremost, our research indicates that senior executives view network security in financial terms. This means that so long as VoIP poses little financial risk, it will remain a low priority for them in supporting IT's needs. Toll fraud is a common form of financial risk with VoIP, but is too minuscule to change their thinking, and other forms happen too infrequently, at least for now. Related to this, executives also see security as the domain of IT, impacting the network but not the business itself. Given how embedded communications technologies are becoming in business processes, and the very real potential for network threats to disrupt operations, this mindset is out of sync with current realities. Aside from network risk, these threats clearly represent business and financial risk, and as with end users, IT needs to better educate this stakeholder group about the risks posed by VoIP and IP communications in general.

Most management teams will be followers rather than leaders when it comes to network security. Rather than trying to understand and address specific types of risk posed by VoIP, they will be more likely to invest in broader security efforts that keep them on par with their industry peers. This will lead them to support security initiatives that are easily measured within existing compliance frameworks, rather than focus on VoIP, where they have little guidance to follow from the regulatory and audit community. Furthermore, management has little incentive to improve security beyond their peers, and unless someone suffers a serious breach or takes a leadership position with VoIP for competitive advantage, they will not likely pay it much heed. Executives are also end users, and it is worth noting they can be one of the greatest enablers of VoIP security threats.
Aside from being at the forefront of BYOD adoption, their rank provides them access to the most sensitive corporate data, wherever they are and whenever they need it. Add to this their general disregard or lack of inclination to employ even basic security precautions, and you have an extremely attractive target for hackers.

Element #6 - the audit and compliance community

In terms of VoIP, ensuring that minimal IT compliance requirements have been met will likely create a false sense of security. Most known VoIP threats are not specifically addressed in business risk or information technology risk frameworks (such as COBIT) or security implementation standards (such as ISO 27002), so they may not be specifically addressed during the security audit process. Perhaps more concerning is that other vulnerabilities related to IP communications are not yet known or have not yet materialized. Hackers will target your network for a variety of reasons, and knowing that VoIP can be a weak link, they will continue devising new threats, making it impossible for any security system to be bullet-proof. As such, one of the strongest conclusions from our research is that being compliant does not necessarily mean being secure.

Related to this, existing security standards are effective at addressing threats in mature, standards-based spaces such as PCI, but less so with VoIP, which is much newer on the security horizon. One reason is that VoIP has not yet become standardized, which makes it difficult to understand its role in supporting business processes, along with prescribing specific requirements to make it secure. As a result, VoIP has not been part of the security agenda or the audit mandate. Given how rapidly VoIP traffic is growing on enterprise networks, this is not a tenable position, and presents a form of risk that was not present with legacy telephony.
As a result of the above realities, the audit community tends to view VoIP as a PBX issue that will only have a localized impact on the telephony system. Not only does this limit the focus to one type of network endpoint, desk phones, but VoIP is also just one mode in the spectrum of IP communications. When enterprises deploy Unified Communications, other modes and applications such as video, mobility and conferencing create or inherit the same vulnerabilities, meaning that security exposures now extend well beyond the phone system and garden-variety PBX-based toll fraud. While UC can truly enhance productivity and business processes, its absence from the risk agenda contributes to the aforementioned false sense of security.

Another challenge facing this community is finding the right balance of inclusion for VoIP relative to the risks posed to the enterprise. Since VoIP is not well understood and lacks standardization, both audit practitioners and IT executives have difficulty measuring the risks and, from there, providing guidance on the appropriate level of effort needed to manage them. In the current environment this reality will likely persist as compliance requirements become more demanding, expensive and resource-intensive. Auditors are conscious of the need to keep the compliance process manageable without impinging on operational effectiveness, and will be more comfortable focusing on areas of risk that are well understood and have a measurable impact on the business.

The overall implication for the audit community is that by viewing VoIP as a PBX issue, the associated risk is nominal, making it a low priority or non-issue in terms of security compliance. Unfortunately, enterprises will likely need to experience some large-scale and damaging security breaches caused by VoIP vulnerabilities to get this form of risk on the compliance agenda. The audit community can certainly play a proactive role here by including VoIP in IT and network infrastructure audits and assisting IT to connect the dots between VoIP and business value. For now, though, our research suggests this is a missed opportunity.

Implications

These six elements present a practical representation of the learning from our research; the various stakeholders and communities have distinct challenges, realities and interests when it comes to VoIP security. Each needs to be understood on its own terms, and from there the interrelationships must also be considered. An effective response to VoIP security requires that all six elements be addressed and engaged at some point along the way. To gauge the bigger-picture, strategic-level issues around VoIP security, consider the following:

Your home. To ensure family safety and optimize the enjoyment everyone gets from that environment, you deploy a variety of security measures, such as deadbolts, steel doors, window bars, alarm systems, video surveillance, motion sensors, etc. Yet most people never feel 100% safe, and intruders keep devising new ways to bypass these deterrents, such as entering through the roof or ductwork, or even using brute-force home invasions.

Critical infrastructure. Think here about what the Department of Homeland Security focuses on: control systems that keep airports running, financial markets open, utilities operating, etc. On a local level, this applies to 911 and the associated emergency services: police, fire and hospitals.
As important as home security is to your family, these services are equally vital to the government and society at large. They simply cannot be compromised, and with so much at risk, appropriate measures have been taken to ensure security and 24/7 uptime. In both environments, known threats have been addressed quite well, but new tools are constantly being adopted as unknown vulnerabilities and threats become better understood. Neither environment can be 100% secure 100% of the time, but the threats are taken seriously, and the high levels of risk that would come with a breach dictate the investment in security. Those responsible for these environments may not totally understand the risks posed by VoIP, but awareness of its potential is growing, and with that will come a willingness to add VoIP to their overall security regimes.

Enterprise networks are of a different mindset when it comes to VoIP security. Other forms of data security may be well addressed by enterprise IT, and compliance requirements have a lot to do with that. When it comes to VoIP, however, most enterprises are either lacking the understanding referred to above, or will minimize the risk potential for a variety of reasons. The comparisons are presented here because all three environments use VoIP to varying degrees, and this creates vulnerabilities that were not present with legacy telephony. Without compliance frameworks requiring VoIP to meet certain security standards, enterprises must first understand the associated vulnerabilities and threats and then start thinking about the risks the way these other environments do.

This takes us back to the fact that VoIP is relatively new and not yet standardized. Security and safety are rarely first principles guiding innovation, and VoIP is no exception. VoIP emerged in 1995, when the Internet was in its infancy and the limitations of dial-up service pretty much ruled out malicious activity, so there was little need to consider security then. The automobile industry provides a telling parallel. Cars did not become truly mainstream until the highway system was built, and seatbelts were not mandatory in the U.S. until. For the better part of the first 70 years of automobiles, the risk factor was not deemed high enough relative to the inconvenience of using them. Today this would be unthinkable, but it took many decades for the auto industry to adopt safety standards to address both a very real risk and a growing set of threats as cars became faster and carried more passengers. VoIP is no different, and in time will become fully standardized. The threats posed today may be relatively minor, but just as automobile risk levels rise with drunk drivers, they rise for enterprises with VoIP as more people use it without regard for security, and as long as it remains a low priority for IT, executives and the audit community.

The Way Forward

While VoIP holds both promise and risk, there are effective solutions that speak directly to the problems without compromising its value to the business. However, before those solutions can be implemented, we believe a change in thinking is needed, not just within IT, but among the other stakeholders addressed in this paper. Education and awareness of the basic problems are good starting points, but you must also understand how and why thinking needs to change.
One Path Forward, but Backwards as Well

For those who see no such need to change, there are three solutions that would effectively mitigate VoIP security risks.

1. Do not migrate to VoIP, or shelve your VoIP deployment and revert back to TDM. This would be a drastic and disruptive measure and almost impossible to get support for. The higher costs of TDM service and supporting a dedicated voice network alone would rule this out, not to mention the phasing out of support for legacy systems from vendors. Even more important is taking a large step backwards in communications efficiency and losing all the benefits associated with VoIP and its step-up cousin, UC. On the other hand, the risks around VoIP effectively disappear, but this would be a heavy-handed, short-sighted rejection of technology that is serving businesses very well.

2. Run all VoIP and IP communications traffic over a segregated network. This would certainly solve the problem, but it defeats the purpose of network convergence. Extending this across the business will not be practical, especially if operations are highly decentralized. Network-wise, this would also take you back to the TDM model, making it very difficult for IT to add value to business processes with today's communications tools.

3. Only run this traffic over a VPN and have VoIP fully encrypted. This again provides a highly secure approach, but is also not practical. IT will not be able to cost-justify such an extensive use of VPN, especially when better solutions are available, namely those outlined in the next section. Encryption will also be expensive on this scale, but equally concerning would be the potential latency that can degrade the VoIP experience.

Thinking Differently About VoIP Security

Most businesses are forward-thinking enough to seek better solutions so they can securely benefit from all that VoIP has to offer. That thinking, however, must be aligned with the interests of the various stakeholders into a shared vision for VoIP security. To do that, here are five ways that businesses need to think differently about VoIP security:

- Focus on prevention, not treatment
- Think about VoIP as a form of business risk, not technology risk
- Think about how VoIP benefits the business
- View security as an integral part of business processes
- Recognize that threats are real, not just perceived

VoIP vulnerabilities and threats evolve too quickly for IT to keep on top of everything. Efforts are better applied in understanding known vulnerabilities and developing effective solutions for them. Unknown vulnerabilities require a different response, and when both are in place, IT will be much better prepared for VoIP security threats. However, this can only happen with a basic change in thinking about how to respond to these vulnerabilities and threats.

At face value, VoIP's virtue comes from lowering the cost of telephony and adding some new features. However, with voice service becoming a commodity, there is little strategic value attached to VoIP, and it is viewed as being solely in the realm of IT.
Management needs to see how VoIP touches all aspects of operations and can add value to business processes. In that light, when VoIP becomes the enabler of security threats, there are both technology risks and business risks, with the latter being far more damaging in the wrong hands. This message applies not just to management, but to IT and the audit community as well. Nobody will question the need to keep the IP PBX secure and toll fraud in check, but there is greater value in securing VoIP to ensure business continuity and streamline business processes. This has distinct implications for each stakeholder group, but only if they view VoIP as being more than low-cost telephony.

Too often, network security has been ad hoc or an afterthought following the deployment of new technology. VoIP - and especially UC - can add significant value here, but only with effective security behind it. While compliance frameworks are often built around supporting business processes, they hardly touch on communications technologies, and bridging that gap is another example of how we believe enterprise thinking needs to change around VoIP security.

There may be truth to both states of mind about VoIP, but taking the ostrich approach and hoping nothing bad happens is just a blind denial of reality. Even worse is a dismissive approach that does not take these threats seriously, or the belief that cursory measures will be sufficient. Our research also shows a tacit acceptance in some cases where breaches are tolerated, but not at a level where the requisite security measures are deemed worthwhile. Even though fear is a powerful agent of change, we are not advocating this as the driver for a rethink about VoIP security. Taking ownership and responsibility for VoIP security is a far better response, especially when built on a foundation of knowledge.

The business case becomes even stronger if the financial impact of these risks can be quantified and then measured against the investment needed in proper VoIP security. However, this can only begin when there is acceptance that a problem does, in fact, exist.

VoIP Security Solutions

Given that VoIP is not well understood as a technology and that the threat landscape is constantly shifting, you need to start from the position that this is an ongoing challenge, and that the risks will only intensify as adoption grows. From there you must determine where VoIP fits in your overall network and security plan and who will drive these plans. If IT takes a PBX-centric approach to VoIP security, the plan will not be comprehensive enough to provide full value to the business, and compliance frameworks will be of little help. If enterprise IT adopts the thinking advocated herein about VoIP security, they will have an easier time identifying the best courses of action. VoIP security is complex and the various solutions will require careful evaluation. Within the scope of this white paper, we see two basic types of solutions that can serve enterprises well.

Solution 1 - managed security service

This follows the cloud model that enterprises are rapidly adopting for communications along with other business applications. The notion of SaaS (Security as a Service) has now come of age, and can go a long way to making VoIP and UC secure. By providing constant monitoring, much like what consumers get with anti-virus protection from the likes of McAfee or Norton, IT is relieved of the constant pressure to monitor threats and update their security coverage. There is an attractive business opportunity here for service providers, not just to tap new revenue streams, but also to make it easier for enterprise customers to adopt a fuller range of UC applications that would also be hosted by them. The limitation, however, arises from their limited experience with VoIP security as well as their long-term commitment to supporting it. This path can certainly address many VoIP security needs, but not likely all of them. Furthermore, enterprises would have to rely on, and even be locked in with, a provider for updates and new security applications. Unless the provider is prepared to deliver custom coverage to your business, their offering may or may not cover your needs. Another consideration is that the provider is offering this to all their customers, making it difficult for you to differentiate around VoIP security.

Solution 2 - standalone VoIP audit application

Purpose-built solutions are generally preferable for complex needs, and that certainly applies here. Finding the right one is challenging, however, as the range of offerings is broad. Some will be part of a session border controller solution, others will be built into a data security platform, while others will be specifically designed for VoIP. Given the lack of standardization around VoIP, there is a lot of overlap here, so true direct comparisons are difficult to make. The sponsor of this white paper, VoIPshield Systems, is a prime example of the last type, as their business is 100% focused on this problem set. Vendors like this will have far more comprehensive coverage than a managed service, but require greater effort from the enterprise to assess and manage directly.

We feel these vendors offer the best solution, especially for enterprises prepared to take a proactive stance with VoIP security. Our research indicates these businesses are in the minority, and for that reason, purpose-built vendors such as VoIPshield Systems have had limited traction to date. This white paper hopes to change that, but it is not clear whether these solutions will find a market in their current state, or take their form as a VoIP security solution integrated within a broader network security offering from a vendor with an established enterprise footprint.

J Arnold & Associates, an independent telecom analyst practice, produced this white paper, which was sponsored by VoIPshield. The contents herein reflect our conclusions drawn from ongoing research about VoIP security and specific research for this white paper. For more information please contact us by

Appendix - Summary of VoIP Vulnerabilities and Threats

This Appendix summarizes common threats and vulnerabilities that can be enabled by VoIP as well as the broader scope of IP communications. They have been grouped into two basic types, as per a taxonomy developed by ISACA. Note that this summary is a high-level review of common threat types, and for each a variety of variations exist. The list is far from exhaustive, and beyond this lies the realm of unknown threats, some of which exist but have not yet made an impact, while others are yet to be developed.

Type of Risk: Disruption of VoIP Data and Service
Threats:
  VoIP Control Packet Flood
  VoIP Call Data Flood
  TCP/UDP/ICMP Packet Flood
  VoIP Implementation DoS Exploit
  OS/Protocol Implementation DoS Exploit
  VoIP Protocol DoS Exploit
  Wireless DoS Attack
  Network Service DoS Attacks
  VoIP Application DoS Attacks
  VoIP Endpoint PIN Change
  VoIP Packet Replay
  VoIP Packet Injection
  VoIP Packet Modification
  QoS Modification
  VLAN Modification

Type of Risk: VoIP Data and Service Theft
Threats:
  VoIP Social Engineering
  Rogue VoIP Device Connection
  ARP Cache Poisoning
  VoIP Call Hijacking
  Network Eavesdropping
  VoIP Application Data Theft
  Address Spoofing
  VoIP Call Eavesdropping
  VoIP Control Eavesdropping
  VoIP Toll Fraud
  VoIP Voice Mail Hacks

Source: ISACA, VoIP Audit/Assurance Program, Appendix 1 VoIP Threat Taxonomy, 2012
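As an added example that is not part of the white paper or of any vendor's product, the following Python audit check flags two of the threat types listed in the taxonomy above, a VoIP Control Packet Flood and a Rogue VoIP Device Connection, by scanning SIP signaling records. The record format, the endpoint inventory, the thresholds and the sample lines are all constructed assumptions for this example.

```python
"""Added example (not from the white paper): a minimal VoIP audit check that
flags two threat types from the ISACA taxonomy, a VoIP Control Packet Flood and
a Rogue VoIP Device Connection, by scanning SIP signaling records.

Assumptions (constructed for this example): each record is a line of the form
"<epoch_seconds> <src_ip> <SIP method> <Request-URI>", and the enterprise keeps
an inventory of authorised endpoint IP addresses.
"""
from collections import defaultdict, deque

# Thresholds chosen for the example; tune them to your own signaling baseline.
FLOOD_WINDOW_SECONDS = 10
FLOOD_THRESHOLD = 50  # SIP control requests from one source inside the window
CONTROL_METHODS = {"INVITE", "REGISTER", "OPTIONS", "SUBSCRIBE"}


def parse_record(line):
    """Split one constructed signaling record into (timestamp, src_ip, method, uri)."""
    ts, src, method, uri = line.split(maxsplit=3)
    return float(ts), src, method, uri


def detect_control_flood(lines, window=FLOOD_WINDOW_SECONDS, threshold=FLOOD_THRESHOLD):
    """Return {src_ip: timestamp_first_flagged} for every source that sends more
    than `threshold` SIP control requests inside any sliding window of `window`
    seconds (the "VoIP Control Packet Flood" row of the taxonomy)."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    flagged = {}
    for line in lines:
        ts, src, method, _ = parse_record(line)
        if method not in CONTROL_METHODS:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def detect_rogue_devices(lines, inventory):
    """Return the set of source IPs that attempted a REGISTER but are not in the
    endpoint inventory (the "Rogue VoIP Device Connection" row of the taxonomy)."""
    rogue = set()
    for line in lines:
        _, src, method, _ = parse_record(line)
        if method == "REGISTER" and src not in inventory:
            rogue.add(src)
    return rogue


def run_audit(lines, inventory):
    """Combine both checks into one report with sorted, deterministic output."""
    return {
        "flood_sources": sorted(detect_control_flood(lines)),
        "rogue_devices": sorted(detect_rogue_devices(lines, inventory)),
    }


# Constructed sample: three known endpoints behaving normally, one unknown
# device registering, and one source sending 60 INVITEs within 60 milliseconds.
INVENTORY = {"10.1.1.20", "10.1.1.21", "10.1.1.22"}
SAMPLE_LINES = [
    "1700000000.0 10.1.1.20 REGISTER sip:2001@pbx.example",
    "1700000001.0 10.1.1.21 REGISTER sip:2002@pbx.example",
    "1700000002.0 10.1.1.22 INVITE sip:2001@pbx.example",
    "1700000003.0 10.1.1.99 REGISTER sip:2001@pbx.example",  # not in inventory
] + [f"1700000010.{i:03d} 10.1.1.77 INVITE sip:{4000 + i}@pbx.example" for i in range(60)]

if __name__ == "__main__":
    print(run_audit(SAMPLE_LINES, INVENTORY))
```

On the constructed sample the report lists 10.1.1.77 as a flood source and 10.1.1.99 as a rogue device, while the three inventoried endpoints are not flagged.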