What does this recent hacking show about the state of VoIP security?
It shows that VoIP as an application on the Internet is no different than any other application, like email, that has preceded it on the Internet in terms of attacks. Across the board, when you introduce a new application, there's a soft underbelly. With VoIP, its openness and ease of use open it up to attacks. What is it that draws hackers to VoIP?
You have to look at the psychology of hackers. They're motivated by three different things. They're motivated by just causing disruptions. They're motivated by the profit model. And they're motivated by extortion. It's either just for kicks or for profit. All three score very high on the list. All three counts are attractive to hackers.
VoIP is now just crossing the threshold from an obscure, nerdy tool on the Internet to a mainstream application. It's such a critical application that more and more hackers will take notice.
The phone system is money to a lot of enterprises and service providers. Taking it down in any way can cause a lot of damage. We should be more vigilant in securing VoIP systems
Very concerned, because there's evidence now that this is happening. One of the things people think is that VoIP is a complex application, and certainly it is. There is a level of expertise and knowledge that [hackers] need. But thinking that the complexity will stop them is a very naïve view. Hackers are very smart. Never underestimate the enemy.
[Stories about the arrest of the pair of hackers] blew the top off the myth that VoIP is immune to attacks because of its complexity. What should be an enterprise's first step toward protecting its VoIP system?
You should do an assessment about how vulnerable you really are. Assess your level of risk.
You need to start using specialized security products that protect VoIP applications and deploy those in your network.
You need to start using encryption techniques.
There are techniques in the tool box that differ from other Internet security tools. Is there any way to detect these attacks early, before there is a noticeable problem?
[Sipera has] done an incredible amount of research on VoIP and how it works. But we've looked at it through the prism [of] the eyes of a hacker.
We've come up with taxonomy of vulnerabilities that you could attack and exploit, and we focused on exploits that can't be caught by existing security solutions for data protection.
What we do is, we say to enterprises: "You already have a security system to protect your Web applications and to protect your data applications, but there are a host of vulnerabilities in your VoIP system that your security systems are oblivious to." VoIP is a very different application than any other application on the Internet. It's real-time and mission-critical. Attacks on VoIP can be more damaging than attacks on other applications. What's your advice for an enterprise that has rolled out or is considering rolling out VoIP?
I would tell them: "You're doing VoIP for all of the right reasons. It's a powerful collaboration and productivity tool. And it is cost effective.
"But you have to learn from history. Look at what has happened and anticipate that you'll be attacked. Realize that you have to take proactive steps."
There are very good solutions to protect you and make your VoIP system secure. Make security a Day 1 item as you deploy this application.
Let's say a new enterprise is starting and they're creating an intranet. It's a no-brainer that they're going to use a firewall to protect it. VoIP has not yet reached that point where security is a no-brainer.