commentary Voice over IP is growing rapidly in popularity -- is your network ready to deal with the security issues?
Telephony fraud in a PABX environment is not uncommon. In the midst of the HP/Compaq merger a couple of years ago, a voicemail left by HP CEO Carly Fiorina to CFO Bob Wayman was leaked to the media. At the time, it threatened to influence the results of the deal. Also in the US, NASA and the Drug Enforcement Agency were hacked at a cost of millions of dollars in toll fraud. Scotland Yard was forced to pay AU$1.29 million in unauthorised international calls in 2002. These are a few high-profile examples showing that even mature products like PABXs have vulnerabilities that can be exploited -- by external hackers or by employees. Within Australia, toll fraud remains a frequent occurrence, with hackers employing a range of techniques to identify and exploit PABX vulnerabilities. Globally, toll fraud is a multi-billion-dollar problem.
So, what will be the security impact of IP telephony? Depending on which research analysts you believe, 2004 or 2005 will be the year in which sales of IP telephony exceed those of TDM-based telephony. Voice is rapidly becoming an application on a converged (IP-based) network. And the security of data network as we know it makes PABXs look like Fort Knox. According to the latest (2004) CSI/FBI Computer Crime and Security Survey, 494 participants reported losses of US$141,496,560 from some form of computer crime. The greatest cost was from Denial of Service, followed by theft of intellectual property. Add voice to the network and the potential cost from Denial of Service (loss of telephony) and intellectual property theft (access to internal voicemail) becomes even more significant.
So what are the threats to VoIP? Firstly, (depending on the vendor) the PABX is replaced with a call or signalling server that sits on the data network. These may be based on an operating system that has vulnerabilities -- keeping servers patched can be a full-time job. The Internet Storm Center (part of the SANS Institute) found an unpatched PC "Survival Time" was just 16 minutes in 2004 (down from 40 minutes in 2003). More than 2600 vulnerabilities were discovered in 2003 -- an average of seven a day. A compromised server could yield an attacker the pattern and details of all incoming and outgoing calls. The voice conversations themselves could be captured and re-assembled by hackers using readily available tools. The biggest threat is to availability -- Denial of Service attacks that overload key points of the network or the signalling servers, disrupting voice and data communications.
There's not much evidence yet of IP telephony fraud, but it exists. One carrier utilising VoIP lost AU$100,000 per day as a result of 20,000 calls at an average cost of AU$5 each being placed fraudulently. As more enterprises implement VoIP and carriers begin offering these services, the potential for fraud will increase.
The upside is that having "all the eggs in one basket" drives a greater need for (and the ROI to justify) spending more on security. An increased focus on securing a single converged infrastructure will ultimately lead to better protection of both the data behind the firewall and the voice and data carried by the network. The CSI/FBI survey has seen a dramatic decrease in the cost of computer crime compared to 2003, and during the last six years the frequency of successful attacks declined.
Without going into the detail of how to secure a converged network, achieving the same level of security within a converged environment compared to PABX is possible. Vendors are taking VoIP security seriously: Cisco recently announced the incorporation of encryption technology from the phone handset. All elements of the network need to be secured -- call servers, routers, switches, and PCs -- with attention to configuration and regular assessments.
Get this right, and you'll enjoy the benefits of IP Telephony as well as a secure data and voice environment. Ignore security, and you may be one of the many examples of VoIP fraud that will gain greater exposure in the next 12-18 months.
Oliver Descoeudres is marketing manager at network IP/Internet network infrastructure builder and solutions provider NetStar Australia. He can be contacted at firstname.lastname@example.org or on 02 9805 9759.
This article was first published in Technology & Business magazine.
Click here for subscription information.