VoIP security often overlooked by enterprises
The security of voice-over-IP infrastructure is often overlooked by enterprises, yet hackers can successfully exploit unprotected IP networks, warns Jon Arnold, principal with J Arnold & Associates.
As more and more enterprises deploy VoIP and associated unified communications platforms, hackers are becoming more interested in exploiting their vulnerabilities.
"VoIP is the weak link in the IT security perimeter," Arnold tells FierceITSecurity. "VoIP is not well understood because people think of it as telephony; they don't think of it as data. That is the fundamental issue here," he adds.
"There is a threat to your telephony environment. Toll fraud is probably the often cited example of that, which entails getting into the PBX to take advantage of the PBX itself ... The more sophisticated hackers are after the corporate data. They are not after the phone system; that is simply the entry point for the data network," Arnold explains.
In addition to data theft, attackers can use VoIP vulnerabilities to launch denial of service attacks that could result in the shutdown of call centers, as well as the sending of phishing emails to customers, Arnold adds.
While session border controllers can provide security for the VoIP infrastructure, "there are so many security holes that can be opened up simply through basic human error. When you are talking about sophisticated hackers, they just need one port to get into the network and they know where to go from there to get access to the corporate data," Arnold relates.
In a whitepaper he prepared, Arnold cautions that IT security audits often don't pick up vulnerabilities in the VoIP infrastructure. Many security auditors do not fully understand VoIP, so it is often not included in the audit planning.
"The audit community is process oriented. They are good at working with known threats posed to networks when they are doing security audits ... When it comes to VoIP, that is a fairly new technology that hasn't found its way into their world much ...They are not trained or required to go beyond what is specified in the audit," Arnold cautions.
- see the whitepaper (reg. req.)