McAfee’s report: Unsecured Economies: Protecting Vital Information, January 2009 was cited in the Whitehouse’s Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure, May 2009, and summarized as “losses from intellectual property to data theft in 2008 range as high as $1 trillion.” Wow! With all the focus on protecting PII or credit card information, there is an even larger issue that dwarfs them all. This issue is the core essence of any firm — it’s intellectual property, its competitive edge, what makes it different from any of its competitors.

One area firms repeatedly overlook as they converge networks, services and devices onto a single network is VoIP. Because VoIP traffic bypasses firewalls, VoIP is a prime exit path from an enterprise. The VoIP firewalls simply tunneling voice media on through without any security treatment even though the media traffic accounts for more than 97% of the network traffic through a VoIP System. Additionally, though VoIP media gateway’s long were considered a security control to prevent embedded data transmissions they almost always pass media channel information through intact. And, these media gateways are pervasively spread through the IT infrastructure in places when IT security equipment simply does not reach. There simply can’t can’t be a more dangerous place in an enterprise network today.

A transmission is a transmission is a transmission and it can be used against you! Remember on September 12, 2001 a lot of folks were saying, “We never thought that people would fly airplanes into buildings.” In the future, I’d like to expect a lot of folks like Jarrod would be saying, “We never though that people would transmit data instead of voice through a VoIP system.” But, it won’t likely happen. People will transmit data through VoIP and steal valuable information. It’s just that no one will notice because they never bothered to look. They will know that they have a problem only when the data that can only have originated from them comes to the surface after their business and their customers and their business partners have suffered damage.

Companies that do take this threat of the malicious insider seriously, deploy data loss prevention (DLP) solutions from vendors such as McAfee, Symantec, Websense, Trendmicro, Cisco. These DLP solutions have three core functions: Discovery, Endpoint Protection, and Network Protection. Discovery includes automatic or manual classification of electronic data held within the company. Endpoint Protection provides the ability to prohibit writing to USB sticks, CDRW drives, cut-and-paste operations, print screen requests, etc. The prohibitions are usually enforced using the classification of the data determined by Discovery. Network Protection provides the ability to stop the transmission of protected data via a number of TCP/IP or UDP/IP protocols. Usually, SMTP, HTTP, HTTPS, FTP, SMS, and chat protocols are protected.

The problem most of these companies miss is that they remain vulnerable to data loss if they have deployed VoIP (and almost everyone has a least some VoIP deployed today). Here is why: VoIP is not just another data application. It is different and demanding. VoIP requires low-latency (packets must get through the network fast) and low-jitter (the transmission of the packets must be very consistent) or the result is really bad quality voice service. The DLP Vendors mentioned use packet inspection technolgy. Packet inspection requires each packet to be stopped, opened, examined, analyzed and then passed through if appropriate. As you can imagine, this slows down packets and disrupts the consistency of the transmission of the packets and would ruin voice quality. Additionally, VoIP must use encryption to provide private phone calls (who can afford to have people listen to what they are saying). This encryption, hides the content and makes a packet inspection based solution impractical. The encrypted packets can’t be opened for inspection!

A robust data loss prevention solution must include products to guard against data theft through a VoIP network. The big DLP vendors must provide a solution to data loss over VoIP otherwise HIPAA, SOX, FERPA, GLBA and PCI DSS compliance is lost!

Just look at the post I referenced yesterday from Peter Nesbet with respect to VoIP Security. It reflects an attitude that nothing is different, nothing bad can happened. I believe that VoIP could likely be the means attackers use to reach succeed in a cyber 9/11 attack. Because people trust voice, because they believe the usual defenses will keep them safe, and because they never considered VoIP as a weapon, it could a likely cause of a significant cyber security event. 9/11 was about terrorists using commercial airplanes as a weapon and no one (except the terrorists) had considered commercial airplanes that way. As a result, the attack produced the results the terrorists wished to achieve. Not thinking about VoIP as a potential weapon will lead us closer to the day of a successful large-scale cyber attack.

Nothing can be further from the truth. First, VoIP is dramatically different. VoIP must need stringent latency (the time to get a packet through a network) and jitter (the variance in the time between packets) to requirements to provide acceptable quality of service. This means the standard firewall techniques of filtering packets don’t work well unless special purpose hardware is used. Second, VoIP opens your voice up to interception … people can monitor your phone calls easily … unless you (and the party you call) use encrypted VoIP. Once the VoIP traffic is encrypted, you can send anything over the VoIP connections and bypass data loss protection systems, and bypass virus/malware scanners because these systems have to see inside the packets. And, encryption makes that impossible.

VoIP is very insecure precisely because of attitudes like Peter’s. I demonstrate how easy it is to spoof caller id and to divert called numbers to different parties in a VoIP Security course I offer. These are things that people absolutely trust … which makes it an especially vulnerable area!

The results are significant and desirable, plus the whole concept of Trusted Computing … allowing untrusted software into an network or computer while still providing reliable and secure computing and communication seems to be the only way to deal with the onslaught of threats. After all, as soon as a network is hardened against known threats … new threats are born. So, even diligent well conceived security strategies should have an element of untrust. The thinking then goes: embrace the untrust and focus on securing the things that can and must be secured. Seems like a simpler (more honest) way to think about security to me.

How does this play into VoIP. 1) pushing encryption into endpoint hardware to provide privacy for the network. 2) pushing authentication into hardware into the call managers and SBCs to thwart phreaking. 3) pushing data leakage solutions into hardware on the endpoints. Such initiatives will leave the VoIP network more secure and more robust against attack and abuse.