IP voice security: are you susceptible or strong?

Undoubtedly, corporations are realising the benefits of IP voice systems. Voice over internet protocol (VoIP) can bring substantial cost savings and productivity enhancements to a business by transforming its circuit-switched networks to IP packet switching networks and running voice and data applications over a single infrastructure. However, businesses need to be aware that there are potential risks involved, and they need to take the necessary steps to protect their interests.

When voice and data are merged onto a single network, voice becomes an application on the network and is, therefore, exposed to the same threats as data applications. These threats include infrastructure and application-based attacks, denial-of-service (DoS) attacks, eavesdropping, toll fraud and protocol-specific attacks. However, with the right procedures in place, VoIP security risks and threats can be managed and mitigated—maximising the benefits of VoIP while minimising exposure.

Infrastructure and application-based attacks

In VoIP, voice is essentially an application on the data network, fine-tuned to maintain voice-quality performance. VoIP equipment and end-point devices such as IP phones are becoming standardised and commoditised just like other data components such as PCs—meaning that VoIP is just as vulnerable to cyber-attacks. Hackers can exploit voice devices, disrupt normal network service and/or perform criminal actions such as data theft.

IT managers need to maintain current patch levels on all IT and network equipment and applications, and have appropriate anti-virus software installed and up-to-date. Virtual local area networks (VLANs) can also be implemented and used to protect voice traffic from data network attacks. By placing application gateways between the trusted and untrusted zones of the network, VLAN separation complements the protection offered by corporate firewalls.

Denial-of-service (DoS) attacks

A DoS attack occurs when someone deliberately floods a particular network with so much illegitimate traffic that it blocks legitimate traffic. Obviously, if your voice traffic is being transmitted over the same network, a DoS attack will have significant impact on business operations.

DoS attacks are difficult to stop and prevent, but proper intrusion prevention practices, special network devices and proper patch updates can minimise the risk of exposure. In order to prevent data network problems from affecting voice traffic, voice and data traffic should logically be separated from administrative traffic. Traffic shaping can also provide another layer of protection and control for the network.

Eavesdropping

Intercepting data traffic is a trivial endeavour for most hackers so it stands to reason that with voice and data convergence, the same can be said for voice traffic over the network. Many tools are freely available to collect packets associated with VoIP conversations and reassemble them for illicit purposes. Two measures that can be taken to prevent eavesdropping include isolating VoIP traffic using virtual private networks (VPNs) and applying encryption on voice packets. However, IT managers need to carefully evaluate the use of encryption of VoIP as it can increase latency in the network. Encryption of voice data could be selectively applied based on business requirements, for example, encryption and decryption can be used only for those conversations over untrusted networks. When choosing a managed service provider, companies should ensure that appropriate security protocols are actively used by the potential provider to ensure secure conversations within the network.

Toll fraud

Just as with traditional voice systems, toll fraud cannot be ignored when considering VoIP systems. Using toll fraud, attackers gain unauthorised access to a private branch exchange (PBX) call-control system to make long-distance or international calls, which can mean significant financial impact to the business. Poor implementation of authentication processes could allow calls from unauthorised IP phones and/or allow unauthorised use of the VoIP network. Companies need to impose proper control for access to VoIP systems, including gateways and switches, in order to avoid the occurrence of toll fraud. Centralisation of management and configuration control is also recommended.
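Access control on the PBX is the primary defence, but toll fraud is usually discovered after the fact in the call detail records (CDRs). The following screening script is an added example, not code from the original article or from any PBX vendor: it parses a constructed CDR export and flags calls from extensions that were never provisioned, calls to premium-rate numbers, international calls outside business hours, and extensions whose daily international talk time exceeds a budget. The CDR format, the dialling-plan prefixes, the extension list and the thresholds are all assumptions chosen for illustration.

```python
"""Toll-fraud screening over call detail records (CDRs).

Added example, not part of the original article. The CDR layout, the
dialling prefixes, the provisioned extension list and the thresholds are
constructed assumptions; a real PBX exports its own schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs: timestamp, calling extension, dialled number, seconds.
SAMPLE_CDRS = """\
2012-03-05T09:12:00,2001,0299991234,180
2012-03-05T10:40:00,2002,0011442079460000,300
2012-03-05T02:15:00,2003,0011234567890123,1800
2012-03-05T02:40:00,2003,0011234567890124,2100
2012-03-05T03:05:00,2003,0011234567890125,2400
2012-03-05T11:00:00,9999,0011234567890126,600
2012-03-05T14:30:00,2001,1900123456,120
"""

KNOWN_EXTENSIONS = {"2001", "2002", "2003"}   # provisioned IP phones (assumed)
INTERNATIONAL_PREFIX = "0011"                  # assumed international dialling prefix
PREMIUM_PREFIXES = ("190",)                    # assumed premium-rate prefix
BUSINESS_HOURS = range(8, 19)                  # 08:00-18:59 local time (assumed)
DAILY_INTL_LIMIT_SECONDS = 3600                # per-extension daily budget (assumed)


def parse_cdrs(text):
    """Parse comma-separated CDR lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, number, secs = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts),
            "ext": ext,
            "number": number,
            "seconds": int(secs),
        })
    return records


def is_international(number):
    return number.startswith(INTERNATIONAL_PREFIX)


def is_premium(number):
    return number.startswith(PREMIUM_PREFIXES)


def screen_cdrs(text):
    """Return a list of (extension, reason) findings for suspicious calls."""
    findings = []
    intl_seconds = defaultdict(int)   # extension -> international seconds today
    for r in parse_cdrs(text):
        number, ext = r["number"], r["ext"]
        if ext not in KNOWN_EXTENSIONS:
            findings.append((ext, "call from unprovisioned extension"))
        if is_premium(number):
            findings.append((ext, "premium-rate destination"))
        if is_international(number):
            intl_seconds[ext] += r["seconds"]
            if r["time"].hour not in BUSINESS_HOURS:
                findings.append((ext, "international call outside business hours"))
    # Budget check runs after the pass so the daily total is complete.
    for ext, total in intl_seconds.items():
        if total > DAILY_INTL_LIMIT_SECONDS:
            findings.append((ext, f"international minutes over daily limit ({total}s)"))
    return findings


if __name__ == "__main__":
    for ext, reason in screen_cdrs(SAMPLE_CDRS):
        print(f"extension {ext}: {reason}")
```

Running the screen over the constructed data flags extension 2003 for three out-of-hours international calls and for exceeding its daily budget, extension 9999 as unprovisioned, and extension 2001 for a premium-rate call, while the daytime international call from 2002 passes. In practice the thresholds would be tuned per business unit and the script scheduled against the PBX's daily export, so that fraud is caught within a day rather than on the monthly carrier bill.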

Protocol-specific threats

Since VoIP was developed on an open standard, the protocols that support communications are well known and thus vulnerable to probing for their weaknesses and security flaws. Session initiation protocol (SIP) is gaining popularity – SIP is a session and call-control protocol, components of which are used by standards-based IP PBX and IP telephony systems. In addition to the standard IP vulnerabilities, SIP brings additional risks.

SIP is a text-based protocol, like HTTP and SMTP. Attackers can therefore easily monitor and analyse traffic and then move on to various application-level attacks. Attacks can include impersonation of registration for system access, unauthorised access to corporate directory information, taking control of calls to disrupt business and also placing unsolicited calls and voice messages. Obviously, in a malicious attack, this could be highly detrimental to a business. IT managers need to be aware of these vulnerabilities and thus implement strong authentication and authorisation processes.
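Because SIP is plain text, the same property that makes it easy for an attacker to read also makes it cheap for a defender to inspect. The script below is an added example, not code from the original article or from any SIP product: it parses the start line and headers of SIP requests and runs two of the checks a SOC would want for the threats named in this article and in the denial-of-service section above, namely registration impersonation (the same address-of-record registered from a second source, or one source attempting to register many different users) and INVITE flooding from a single source. The request log, addresses, user names, thresholds and the abbreviated Authorization header are all constructed assumptions.

```python
"""Registration-hijack and INVITE-flood detection over text SIP requests.

Added example, not part of the original article. The log of requests,
the source addresses, the users and the thresholds are constructed;
parsing follows the text request format (start line, then headers ended
by a blank line) that SIP shares with HTTP.
"""
from collections import defaultdict

INVITE_LIMIT = 5          # INVITEs from one source within WINDOW_SECONDS (assumed)
WINDOW_SECONDS = 10
REGISTER_USER_LIMIT = 3   # distinct users one source tries to register (assumed)


def sip_request(method, user, call_id, auth=False):
    """Build a minimal text SIP request (constructed test data only)."""
    uri = "sip:pbx.example" if method == "REGISTER" else f"sip:{user}@pbx.example"
    lines = [
        f"{method} {uri} SIP/2.0",
        "Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK-demo",
        f"From: <sip:{user}@pbx.example>;tag=1",
        f"To: <sip:{user}@pbx.example>",
        f"Call-ID: {call_id}",
        f"CSeq: 1 {method}",
    ]
    if auth:  # abbreviated Digest header, assumed shape for the example
        lines.append(f'Authorization: Digest username="{user}", realm="pbx.example"')
    lines += ["Content-Length: 0", "", ""]
    return "\r\n".join(lines)


def parse_sip_request(raw):
    """Parse the start line and headers of a text SIP request.

    Header names are case-insensitive in SIP, so they are lower-cased.
    Any body after the blank line is ignored.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    method, request_uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": request_uri, "version": version, "headers": headers}


def user_of(header_value):
    """Return the user part of the SIP URI in a From/To header value."""
    start = header_value.find("sip:") + 4
    end = header_value.find("@", start)
    return header_value[start:end]


def analyse(events):
    """Scan (timestamp, source_ip, raw_request) tuples and return alerts."""
    alerts = []
    invite_times = defaultdict(list)     # source -> recent INVITE timestamps
    flooded = set()                      # sources already reported for flooding
    register_users = defaultdict(set)    # source -> users it tried to register
    register_sources = defaultdict(set)  # user -> sources that registered it
    for ts, src, raw in events:
        req = parse_sip_request(raw)
        if req["method"] == "INVITE":
            recent = [t for t in invite_times[src] if ts - t < WINDOW_SECONDS]
            recent.append(ts)
            invite_times[src] = recent
            if len(recent) >= INVITE_LIMIT and src not in flooded:
                flooded.add(src)
                alerts.append((src, f"{len(recent)} INVITEs within {WINDOW_SECONDS}s (possible flood)"))
        elif req["method"] == "REGISTER":
            user = user_of(req["headers"]["to"])
            others = register_sources[user] - {src}
            if others and src not in register_sources[user]:
                alerts.append((src, f"REGISTER for {user} also seen from "
                                    f"{', '.join(sorted(others))} (possible registration hijack)"))
            register_sources[user].add(src)
            register_users[src].add(user)
            if len(register_users[src]) == REGISTER_USER_LIMIT:
                alerts.append((src, f"REGISTER attempts for {REGISTER_USER_LIMIT} distinct users "
                                    "(possible credential guessing)"))
    return alerts


# Constructed log: a legitimate phone registering alice (challenge, then with
# credentials), a second source registering alice and then trying bob and
# carol, a burst of six INVITEs from one source, and one ordinary call.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", sip_request("REGISTER", "alice", "c1")),
    (1, "10.0.0.5", sip_request("REGISTER", "alice", "c1", auth=True)),
    (5, "203.0.113.7", sip_request("REGISTER", "alice", "c2", auth=True)),
    (6, "203.0.113.7", sip_request("REGISTER", "bob", "c3", auth=True)),
    (7, "203.0.113.7", sip_request("REGISTER", "carol", "c4", auth=True)),
] + [
    (20 + i, "198.51.100.9", sip_request("INVITE", "alice", f"f{i}")) for i in range(6)
] + [
    (30, "10.0.0.6", sip_request("INVITE", "bob", "c5")),
]

if __name__ == "__main__":
    for src, reason in analyse(SAMPLE_EVENTS):
        print(f"{src}: {reason}")
```

The first REGISTER without credentials is normal (the registrar answers with a challenge and the phone retries with a Digest response), so the detector does not flag unauthenticated requests; it flags the second source claiming an address-of-record that is already registered elsewhere, and a source cycling through user names. Each alert fires once per source so that a real flood does not itself flood the SOC console.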

IP voice security

While convergence and VoIP implementations are fast becoming mainstream among multinational corporations, they are, at the same time, posing serious security challenges. Whether you are planning to build your own converged network or utilise the services of a managed service provider, the primary goal should be the implementation of VoIP security that is properly built and validated, with ongoing management support. Security has to be managed through proactive monitoring, event management, remediation and regular follow-up to ensure a stable and reliable corporate communications infrastructure. However, with the right security in place, VoIP can be a valuable asset to a company.

Original Publication

Security complexity threatens enterprises

Information security is one of the biggest challenges facing enterprises this year. Being hacked by criminals is becoming depressingly familiar for many businesses. A roll call of prominent brands has succumbed to what is an unprecedented number of attacks. Increasing threats, regulations and complexity have catapulted network security up the corporate agenda. Considering billions are being spent on cyber security each year, why are businesses continuing to fall victim to cyber attacks?

The changing dynamics of the workplace have led to increasing complexity of enterprise security. Employees bring their own devices to work, escalating the growth of data and the need for corresponding protection. The daily proliferation of new cyber threats and the sheer number of security solutions available make a chief information security officer’s job a formidable challenge. These are issues that need to be examined in greater detail.

Employees and BYOD

The consumerisation of technology has been one of the biggest trends in recent years—one that shows no sign of abating. Consumerisation has brought a whole new range of devices into the workplace, often as part of a sanctioned Bring Your Own Device (BYOD) program. These additional devices can create security and management headaches for enterprises as they struggle to deal with the implications of securing corporate data. Employees using their own devices also create numerous additional access points to the network—leading to many more opportunities for cyber criminals to attack the enterprise network, as well as leading to greater potential for data leakage.

Data growth is rocketing

Exacerbating the impact is the explosion in data. Over the last five years, data on the internet has increased five-fold, to almost 2 zettabytes (billion terabytes) and this trend is likely to continue on an exponential scale in the foreseeable future. Video is one of the main culprits—in January 2012, YouTube reported that 60 hours of video were being uploaded every minute to the site, equating to more than 300,000 full-length feature films each week.

Aside from video, amidst this avalanche of data there is important confidential information such as legal documents, state secrets, company IP and healthcare data. The challenge for businesses is to identify what they are actually responsible for in this growing mass of information.

Compliance demands protection

Companies need to identify and protect confidential information—and not just to protect their own assets. An increasing raft of international regulations and legislation are demanding that enterprises show due care and diligence in protecting confidential information. This is an area that Australia is yet to cover in depth, but with the advent of more and more sensitive information going online—for example, healthcare—this will need to be addressed.

New threats daily

There are currently over 45 million different viruses in circulation, with over 2000 new ones appearing each day. The steady increase in threats, coupled with the many new vulnerabilities created by employees using their own devices for work purposes, means it is nearly inevitable that an enterprise’s defences will be overcome at some point. Businesses need to develop new methods and systems for protecting critical company information and sensitive customer data.

Solution overload, outsourcing and increasing cost pressures

The combination of rising threats in security, changing employee behaviour and increased regulation has led to myriad solutions being made available by vendors. The sheer scale and complexity on offer can make it confusing for businesses to know what to choose for optimum protection.

There is also an increasing disconnect between the budget available for security and the wide-ranging nature of the chief information security officer’s area of responsibility. Previously, security was only about being able to connect the network securely and safely. Now a CISO needs to be a business leader while also managing security policy, compliance, access and application security. Finding the right staff is also crucial, and the higher demand for IT specialists has created a skills shortage which is, in turn, driving the uptake of outsourced security services.

Businesses are looking to outsource their security needs to third party suppliers to utilise their specialist capabilities and knowledge which the business may lack internally. Managed security, from specialists, can better handle the complexities posed by increasing threats, regulation and costs, and can free up internal resources. It can also help simplify the business’s security controls, audit and reports—something that is vital for efficient compliance.

By taking complexity out of the equation, a business will be able to focus on developing its responses to security incidents, ensuring that its reputation does not suffer while also establishing itself as a leader in doing business securely. As we rapidly move into a mobile age, it is vital for business to adapt and grow with the times, or risk becoming a risk itself.

Original Publication

The six pillars of security operations

Six key points that should be considered when creating and developing a SOC

As mobilisation and bring-your-own-device (BYOD) becomes increasingly prevalent, business security has been propelled to the forefront of corporate strategy. The Security Operations Centre (SOC) is a key part of the enterprise security infrastructure – it enables an organisation to establish effective protection against security threats. There are six key points that should be considered when creating and developing a SOC that can effectively detect and counter any cyber threats in a timely manner.

1) Determine the correct policy

Security policy is the beating heart of an effective Security Operations Centre – it clearly defines the scope of protection and outlines the responsibilities of all relevant parties. The first step in designing a policy is to determine exactly what role you want the SOC to play. Will it simply observe, record and report on recurring attacks? Will it be actively involved in mitigating threats? Determining its role is crucial to ensuring your resources are not working against each other, but are instead working in harmony.

The second step is to agree on the scope of your SOC’s activities, such as whether it is restricted to the network only, or includes suspicious behaviour from user activity. An effective policy allows for the delegation of responsibility for certain actions within the SOC, maintaining close involvement among related parties who need to work together to accomplish a shared purpose.

2) Perform risk analysis

In a perfect world, there would be no risk and thus no need for security. But since the world is not perfect, risk is the main driver of security processes. A careful risk analysis can reveal critical issues – maybe issues you originally thought were insignificant, or perhaps vice versa. For example, attention may have previously been focused on your network monitoring, with anti-virus updates taking lesser precedence. This leaves your organisation more vulnerable due to anti-virus signatures not being updated.

A thorough risk analysis will enable you to pinpoint any threats and take corrective action. The results of the risk assessment should be used as the foundation of your security policy, with periodic reassessments. The SOC must meet the strategic needs of the business and it is usually appropriate to revise the risk analysis on an annual or biannual basis.

3) Define appropriate procedures

Procedures are vital – they will inform the actions you take in any security crisis. Implementing a clear set of procedures for your SOC will mean that all parties know, and understand, how to undertake their responsibilities properly in the event of an attack. If your current procedures need altering because they do not meet best practice standards, the changes should be agreed to by all parties involved.

It will also be valuable to provide instructions on how best to use the tools that support each procedure. Small but significant details about business operations should be stated clearly and used as a reference during any incident.

4) Focus on staffing

Staff are the lifeblood of any organisation, so your SOC staff are in a key position to prevent any threats disrupting your business. It is therefore essential to hire experienced staff such as incident responders, IDS analysts or knowledgeable forensics analysts with proper network experience. These people may not be easily found amongst job seekers and they may be expensive to hire, but the bottom line is – you get what you pay for. They are valuable resources who can search for a tiny detail in an ocean of data, and this ability makes them a good investment. It is too risky to have a security attack go unnoticed due to inexperienced staff.

5) Consider the organisational dynamics

When you begin to implement your SOC, you need to define your organisational dynamics. There are three tiers you should consider, namely:

Tier 0: Core services, where the security centre’s operational procedures run the monitoring, prevention and mitigation of incoming attacks. Tier 0 is responsible for performing incident response, complete monitoring, and providing the patches and updates appropriate to the business needs of the organisation.

Tier 1: Internal customer base. This tier incorporates the other departments in your organisation which receive security protection. Protecting and monitoring Tier 1 are daily duties.

Tier 2: External or business partners. Partners conducting business over the shared network are protected by your security operational procedures and monitored directly.

These three tiers require different levels of security. Tier 0 needs optimum protection and control over any incoming threats, while Tier 2 only needs minimum protection. Ideally, the critical assets in Tier 0 should be kept close to the core of the security operations centre.

6) Integrate the SOC in the organisation

It is necessary to integrate the SOC into your organisational information flow and activity. If there is any information that is valuable to the SOC, it needs to be passed on as every piece of information helps. Integration of information and effective communication strategies will enable the security operations manager to obtain information from within the organisation that may be relevant and applicable to detecting threats. Fully integrating the SOC into the organisation will enable a rapid response to any attacks.

These six pillars are vital to building a strong and effective security operations centre. By having a solid SOC, you can feel confident conducting daily business with minimal risk. In an increasingly online world, having the right defence in place is critical to business operational security.

Original Publication on CSO