Content

Debate» Voice over IP networks pose a security threat to enterprises and their users

,

FOR - David Endler, chairman, VoIP Security Alliance

VoIP networks are affected by the same security vulnerabilities that traditional data networks are plagued with today.

One of the biggest challenges is simply keeping the infrastructure completely patched. The trend of shrinking vulnerability-to-exploit timelines further exacerbates the problem.

VoIP devices such as phones, call processors, gateways and proxy servers inherit the same vulnerabilities of the OS or firmware they run. Many call processors are typically installed on Windows or Linux. There are hundreds of remotely exploitable vulnerabilities in flavors of Windows and Linux for which there are "point-and-shoot" exploit tools freely available.

There are doubtless also an abundance of vulnerabilities yet to be discovered in vendors' implementations of VoIP protocols such as SIP and RTP.

Granted, attacks directed specifically against VoIP deployments have been largely unheard of due to VoIP's early adoption. But history shows us that once the use of a killer app such as VoIP increases, so will its allure to hackers.

AGAINST - Teney Takahashi, market analyst, Radicati Group

All IP-based communication systems have vulnerabilities. Unauthorized parties can hack into an unprotected system and capture IP voice data, or even launch a DoS attack.

However, while VoIP systems are theoretically vulnerable, we have seen few real-world exploitations of these weaknesses. Today, hackers and virus writers play a numbers game that is almost always motivated by profit.

There are simply not enough VoIP systems deployed worldwide to make the development of VoIP-targeting malware profitable, especially when compared to the many vulnerable Windows-based systems still active today.

While we don't expect VoIP systems to remain sheltered from attack, most corporations face a range of more urgent security weaknesses. Email and IM networks are highly susceptible to viruses, worms and spam, online databases and e-commerce sites are frequently attacked by hackers, and spyware is proliferating. Even lost backup tapes present more of a clear and present danger to enterprises than the potential for VoIP-based attacks.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.