Who’s Worried About the Insider?

May 8th, 2008

A recent article by Marcia Savage cites an (ISC)2 study conducted by Frost and Sullivan. 51% of 7,548 information security pros worldwide said “internal employees pose the biggest threat to their organizations.” This is a significant number, but the industry should be more worried about the insider, especially the malicious insider. These internal threats are divided into two categories: 1) employees who do foolish things (leave their laptop in a taxi cab) and 2) employees who are malicious (they look to earn extra money, or just want to harm their employer). The foolish employees are easier to deal with: first, educate them and give them some tools (disk encryption); then, fire them if they can’t protect the company’s assets. The malicious employees are the ones who have the motive to do great damage, the knowledge to inflict the most damage or steal what is most valuable, and the access to perpetrate their misdeeds. This is where the focus must be placed, because it is here that the greatest damage to the enterprise can occur.

Trusted Computing and VoIP: Can it deliver security cost reductions?

April 21st, 2008

The Aberdeen Group claims that Best-in-Class companies using “Trusted Computing” (this is, of course, not considering VoIP):
+ have achieved reductions in the number of security incidents at a rate 5x higher than that of the Industry Average.
+ have contained deployment costs of security solutions by a factor of 3x compared to the Industry Average.
+ have achieved reductions in the number of failed audits at a rate of 10x higher than that of the Industry Average.

The results are significant and desirable, plus the whole concept of Trusted Computing … allowing untrusted software into a network or computer while still providing reliable and secure computing and communication seems to be the only way to deal with the onslaught of threats. After all, as soon as a network is hardened against known threats … new threats are born. So, even diligent, well-conceived security strategies should have an element of untrust. The thinking then goes: embrace the untrust and focus on securing the things that can and must be secured. Seems like a simpler (more honest) way to think about security to me.

How does this play into VoIP? 1) Pushing encryption into endpoint hardware to provide privacy for the network. 2) Pushing authentication into hardware in the call managers and SBCs to thwart phreaking. 3) Pushing data leakage solutions into hardware on the endpoints. Such initiatives will leave the VoIP network more secure and more robust against attack and abuse.

VoIP Security and Insecurity

April 20th, 2008

The IT Security and VoIP industries have met, and what has emerged, while valuable and necessary, is not imaginative or robust. The whole area of “VoIP Security” has focused on protecting VoIP as an enterprise asset. And yes, VoIP is an important enterprise asset and it is worthy of protection, but there is more to worry over. SBC (Session Border Controller) vendors such as Acme Packet have focused on ensuring that only authorized VoIP users can place and receive calls, to address DoS/DDoS attacks and phreaking exploits. As you know, DoS and DDoS attacks are not unique to VoIP, although VoIP can be harmed by lower levels of DoS/DDoS attack because of its sensitivity to latency and jitter. Phreaking is also not new; TDM-based PBXs suffered from the same threat. So, SBCs are somewhat cool technology that solves yesterday’s (albeit still today’s) problems. Let’s stretch beyond well-known threats and into the domain of new threats that come with the new technology. This is what this blog is dedicated to addressing.