Warning: VoIP brings new security threats

By Charlie Russo, News Writer 07 Jun 2005 | SearchSMB.com

Digg This!     StumbleUpon     Del.icio.us

As they adopt Voice over Internet Protocol (VoIP), companies should beware that the technology will draw more attention from hackers, spammers and other threats. Industry experts said investing in VoIP today could be opening the door for trouble tomorrow -- unless users are prepared.

VoIP technology allows users to route voice calls through the Internet. This can reduce costs by eliminating toll charges, among other possible benefits. But ripping out an existing phone system and replacing it with VoIP ties the phone system into the data network, exposing the phones to the same kinds of security risks as the data network. The spamming, phishing and denial-of-service attacks that keep network administrators tossing and turning in bed at night could also affect VoIP phones.

Without a large IT staff and backup systems of larger companies, SMBs might be at even more risk.

VoIP by the numbers

IT research firm Info-Tech Research Group estimates that 50% of small and midsized businesses will adopt VoIP technology within the next three years, up from 23% now. Lower prices, easier implementation and smaller security risks will drive the growth, said George Goodall, a research analyst at Ontario, Canada-based Info-Tech.

"The risks will increase, but the benefits will outweigh the risks," Goodall said. "It's going to get a lot more attention, a lot more development attention and be supported more ubiquitously."

To stave off a new set of threats, a group of VoIP industry leaders this year formed the VoIP Security Alliance. The group intends to help organizations understand and prevent VoIP security risks through research and education. Members include 3Com Corp., Alcatel, Avaya Inc., Columbia University, Ernst & Young and Symantec Corp.

Knowing that security measures historically lag behind IT advances, the group's short-term goal is to develop a dictionary and taxonomy of threats and document security requirements for VoIP networks, according to its Web site.

Because VoIP connects through the Internet, it requires the same safeguards as a data network, like identity management, encryption, patch management, traffic segregation, intrusion detection and antivirus measures, said Jeffery Stutzman, director of threat and vulnerability services for PricewaterhouseCoopers LLP. Chief information officers then have to think about managing the lifecycles of these safeguards, which Stutzman estimated to be two to three years.

Easy does it

Short-staffed SMBs should be aware that they could have trouble fitting the skills of employees dedicated to either the data network or the phone system to a new, converged VoIP system, Stutzman said.

Goodall advises SMBs to implement VoIP in stages, possibly starting with internal company use over a LAN as a way of testing the waters, when a new office branch opens or instead of performing costly repairs. This will help minimize security risks.

"Hedge your risks, install inside the organization first," Goodall said. "Use it for a PBX [private branch exchange] overlay or augmentation. Expand your system, play around a little bit before you go for a full forklift upgrade."

For example, most companies would never notice an e-mail delayed by five seconds because of an overloaded network, but phone conversations delayed by five seconds could spell disaster for business. Businesses can be caught by surprise this way if they move too quickly, Goodall said.

"We learned a lot of lessons from traditional IP, so VoIP will piggyback on that," Goodall said. "The same sort of rigor is going in to VoIP."

Lower costs drives VoIP choice

John Lovejoy, CIO of Santa Clara, Calif.-based industrial laser manufacturer Coherent Inc., has taken a baby-steps approach to implementing VoIP.

His company opened a new 18-person office in Ely, England, earlier this year. The combination of potential cost savings, his views of the future direction of phone technology and the opportunity to test drive a new technology without having to replace legacy systems gave him the perfect opportunity to try it out.

He is also pleased that the trial period gives him a better sense of what to expect if he plans a companywide rollout for all 2,400 employees.

Switching to VoIP can cost a lot in terms of new hardware expenditures, Lovejoy said, so companies shouldn't expect a large savings right out of the gate. Instead, reduced maintenance costs and streamlined systems will lead to savings over time, he said.

This story originally appeared on our sister site SearchSMB.com.

Tags: VoIP and unified messaging management,  Enterprise information security management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT VoIP and unified messaging management Data centers and virtualization management guides for CIOs When IT disaster recovery plan is put to the test, VoIP becomes savior VoIP services for CIOs IT telephony, VoIP deployment staffing solutions for CIOs VoIP security and converged networks: A Special Report for CIOs Agile technologies like SOA, Web 2.0 key to CIO success VoIP savings seen in productivity and long-distance charges VoIP vulnerabilities: Why firewall protection is not enough Ten strategic technologies to watch in 2008 Information technology spending: SOA, virtualization still hot Enterprise information security management Information security and risk management guides for CIOs Talking swine flu and Conficker with the CIO of the CDC Network access control: Security advice for enterprise CIOs Evaluating network access control: NAC policy enforcement matters Enterprise risk management quiz for CIOs Network access control now addresses multiple needs Enterprise risk management solutions for CIOs Gartner: Future IT security jobs to focus on risk management strategy Avoiding gotchas of security tools and global data privacy laws Security standards to help manage compliance for those federal funds

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary