Worried your VoIP network is not secure? Take a look how to protect your business from three of the most serious threats to your IP telephony services. Businesses of all sizes adopting IP telephony need to seriously consider its security implications. But while a number of threats exist, three stand out as the most dangerous, particularly to smaller organisations: denial of service, spit and fraud.
Denial of Service:
The most serious threat to VoIP is a distributed denial of service attack. It can affect any internet-connected device and works by flooding networks with spurious traffic or server requests. The attack is generated by machines that have been compromised by a virus or other malware and the massive increase in traffic means the affected servers are unable to process any valid requests and the whole system grinds to a halt. Even small denial of service attacks measure around 2Gbps with large ones in the 17Gbps range. A survey reviles that 7 per cent of PCs on the internet are compromised and in some area 6.8 million machines have been used to send spam.
While few denial of service attacks currently specifically target VoIP systems, the real-time nature of voice traffic means they have a massive impact. Users immediately detect a drop-off in service quality and ultimately their IP handsets stop working. Denial of service would be an extremely effective tool for hackers wanting to bring down an organisation's entire communications system.
Defending networks against denial of service attacks is extremely difficult but enterprises can at least stop their machines from becoming part of the problem. Businesses should use antivirus software and it keep up-to-date, install a firewall and configure it to restrict traffic coming into and leaving the organisation, and use anti-spam tools to cut down on the volume of emailed malware.
Good network practice, such as changing login defaults and using firewalls, can help mitigate the impact of these attacks. In many cases hiring a consultant to do a VoIP-focused security audit will be money very well spent.
Businesses need to look carefully at their VoIP infrastructure and make sure that all unnecessary applications are removed. A good example is the web servers that are built into IP handsets to make them easy to manage remotely. If these are not configured properly then companies may find these actually indexed by Google on the internet. Other applications to be removed include telnet and FTP.
Stopping spit
While the above network vulnerabilities present a very real and present danger to businesses deploying VoIP, media attention has lingered on the potential danger of spam over internet telephony, or spit.
Spam has been a hot topic for several years and unsolicited commercial and malicious email spam now makes up the majority of email worldwide. In Europe in 2006, according to analysts, 16 billion spam messages were sent each day, representing 62 per cent of all European email messages - and this figure will increase to 37 billion spam emails a day by 2010.
The palpable fear is that VoIP will suffer the same fate. Certainly spammers wield enough power and would be enthusiastic adopters of a new voice channel to spread their message. If VoIP suffered the same fate as email, enterprise IP telephony would become unusable.
The problem with VoIP spam is that email anti-spam methods will not work. The potential threat posed by spit is driving vendors to develop alternative anti-spam solutions. NEC has announced a modular tool called VoIP Seal that uses a combination of methods to identify spit. When a call comes in, the system checks to see if the call is potentially a spam call by checking whether it comes from a suspect source.
If it is a suspect call, it is forwarded to an automated system that uses a 'Turing test' to identify whether a caller is a human or a machine. This involves playing an announcement and detecting whether the caller tries to speak over it, for example. Other approaches would be to only allow particular callers through by having the system determine the caller's identity but this could fall victim to spoofing.
Despite the potentially dire consequences there is not much evidence of any actual spit attacks. The main reason for this is that most IP telephony systems are still islands in the sea of public switched telephone network. The vast majority of VoIP calls will pass through the PSTN at some stage because most IP telephony networks are not yet directly interconnected. Forewarned, however, is forearmed, and businesses will need to prepare to extend their anti-spam efforts into voice.
Fighting fraud
One area where malware can pose a serious problem for VoIP users is fraud. The biggest concern for business is probably going to be premium-rate fraud, where a criminal hacks into the VoIP system and makes calls to a premium rate number.
This fraud is not new and PBXs have always been vulnerable to these hacks. The difference is that few people could hack into PBXs, compared to the hordes actively breaking into IP systems.
Though they are likely to be more of a menace to consumers than to businesses, fraud techniques honed in email phishing could be used in voice calls. There is the potential for massive fraud in the early days of voice phishing simply because users still trust telephone messages more than emails. There have already been some clever phishing attacks that use a combination of email and voice to lend credibility to the scam.
One example is an email purporting to be from PayPal that asks users to call a number to verify their account details. There's nothing new about this fraud apart from the use of telephony. Unfortunately the fraudsters are able to make the automated service completely convincing by simply recording the real one. The only way that users can determine that it is fraudulent is by checking the number of they are calling with the real PayPal number. While the security threats for VoIP are real, if businesses take the proper precautions they can be assured their voice communications will be safe.
No comments:
Post a Comment