KPMG issues stark warning over VoIP

KPMG has released a new whitepaper warning businesses to consider the risks involved in implementing voice over IP (VoIP).

The new whitepaper entitled "Voice-over-IP -- decipher and decide" warns that organisations who that fail to fully understand and address risks associated with VoIP could find their security compromised.

Although there is extensive information available from numerous sources regarding the benefits of VoIP and IP Telephony, there is a "distinct absence of information detailing the risks and associated risk management practices," KPMG said.

KPMG said that the introduction of VoIP means that voice traffic needs to be treated in the same context as data for security purposes, since it will share a common medium.

"The increased technical complexity of integrating voice and data into one network further increases an organisation's dependence on network availability. Many organisations fail to recognise that with this increased technical complexity comes increased security and availability risks that must be appropriately assessed, and the necessary risk management measures applied."

"As hardware PABX systems are replaced with computers and network hardware running common operating systems, networks will become increasingly vulnerable to common threats such as viruses and denial of service [DoS] attacks. Exposures that were experienced with traditional systems are more prevalent with VoIP and IP Telephony, as networking awareness is more widespread. Each entry point to a network is a potential point of attack and therefore risk management is essential."

DoS attacks can occur when a network or device is overloaded with meaningless traffic or sent a specific command that will disable it, rendering the network unavailable. One example of a DoS attack is repeatedly sending a hang-up command to each handset, which is difficult to detect or prevent.

"As voice is sharing a network with traditional data, it is susceptible to the DoS techniques that have been applied against data networks for many years. A malfunctioning or manipulated handset has the ability to cause a DoS attack by flooding the network with traffic."

KPMG added that VoIP is also susceptible to viruses and therefore requires an appropriate management framework. Depending on the telephone handset operating system, handsets might also require virus protection.

KPMG also stated possible confidentiality problems that businesses will face when changing to VoIP.

"In the event that voice traffic is carried over an external network -- such as the Internet -- eavesdropping would be a risk. An example of the potential implication of not encrypting is having a user's phone banking details -- account number or pin tones -- intercepted across the network."

The paper said that encryption can minimise the threat of VoIP eavesdropping. However, a risk assessment is needed based on the sensitivity of calls and the level of control over the network infrastructure.

"Traditional telephony operating over a dedicated PSTN network does not require encryption. A confidentiality breach in the traditional network generally requires physical connection to the network to eavesdrop on conversations from selected lines. This can be complex in large networks."

KPMG emphasised that the implementation of VoIP and IP telephony "must be driven by the organisation's business strategy and not technology imperatives".

"Business benefits can be achieved from the adoption of VoIP and IP Telephony if the decision to implement is business driven rather than technology driven. Project success is dependent on having a clear understanding of the business needs and strategic organisational goals that can be satisfied by new IP Telephony applications."

KPMG said that based on their discussions with a number of clients, many organisations in the Asia Pacific region only consider implementing VoIP when traditional PABX systems have reached the end of their life.

"As a result, organisations' preparedness for these new technologies is inadequate. Without adequate risk management, VoIP implementations can result in reputation damage, a negative impact on customer service or affect the bottom line. The overriding risk is that the implementation of VoIP and IP Telephony will not meet the requirements of the business. Organisations need to understand the impacts that these technologies have on their business processes, and then match them to the business strategy."

KPMG also questioned the integrity of VoIP in the whitepaper.

"VoIP packets travel independently of one another, and like data packets are vulnerable to loss. This does not generally pose a problem for data packets, however, this may have implications for VoIP communication. Out-of-sequence or lost data packets can result in degraded voice quality. With voice and data now sharing the same medium, the risks associated with availability increase and require appropriate assessment by management."

The paper advised organisations to assess and understand the business benefits and opportunities that VoIP brings to their individual businesses.

KPMG said that organisations should "familiarise themselves with the appropriate processes to identify technologies, suppliers and implementation requirements" as well as the maintenance and operational requirements. The organisation should also "assess the security and availability risks relative to the business' risk profile and how these will be dealt with".