Unified communications deployments continue to lack rigorous security, and enterprises that do secure their systems fail to recognize that internal threats are the greatest risk.
"I think there's a general unawareness of the need for security of unified communications and Voice over IP [VoIP]," said security expert Paul Henry, president and lead investigator for Forensics & Recovery LLC. "People are focused on cost savings, and they will not focus on security until they have an issue."
Enterprises have recognized the need for securing some aspects of unified communications (UC), such as instant messaging. There are several vendors doing brisk business selling security appliances for IM. However, other core components of a UC system, such as VoIP, remain highly vulnerable in many organizations.
"You have to fundamentally secure your network before you even consider VoIP," Henry said. "Then you need to take a hard look at your VoIP configuration. If you have any need for secure communications, you've got to do VoIP over encrypted tunnels."
Irwin Lazar, principal analyst with Nemertes Research, said that many enterprises are focused on protecting UC from outside threats when what they should really be doing is looking at internal threats.
"Our sense right now is that when we talk to enterprises about voice security, what they're worried about is the underlying network," Lazar said. "They're worried about denial-of-service attacks. They're worried about attacks on servers and so on. But they don't think or care about internal threats."
Lazar said that about 70% of attacks on networks in general are usually internal, yet enterprises are always reluctant to focus on protecting themselves from internal threats. They spend millions defending the perimeter with firewalls and other technologies when the perimeter is becoming more and more difficult to defend.
Lazar offered some basic best practices for securing UC:
- Make sure you're current with all security patches.
- Use testing tools such as those offered by Sipera Systems and VoIPShield to scan for vulnerabilities.
- Follow public organizations such as the VoIP Security Alliance.
- Do a risk assessment as part of a UC implementation.
"We do think that security should be deeply involved with unified communications from very early on," Lazar said. "But still, I don't sense a large awareness. The last time we looked at this was mid-2007. Less than 1% of companies told us they had an attack on their voice systems."
But he said that companies are becoming more aware of the need for security in one area of UC: unified messaging.
"Companies are concerned about the propagation of voicemails outside the organization," Lazar said. "So if I start putting voicemail in your inbox as .wav file attachments, and that was a sensitive voice message that could be sent outside the network or re-cut to make it sound as if I said something that I didn't say. And we have seen some instances where companies were moving forward with unified messaging. Then security came back and said, 'You should have told us about this three months ago. We would have told you we can't do it, because we can't take the chance of having our voicemails leaking outside the company.' So they put a halt on the unified messaging deployment."
Another major vulnerability in UC that insiders can take advantage of is VoIP eavesdropping.
"VoIP eavesdropping is a very old attack," said Jason Ostrom, director of Viper Lab, the research and consulting arm of UC security vendor Sipera Systems. "It's basically a man-in-the-middle attack. You plug into a port and you inject spoofed ARP [Address Resolution Protocol] packets into the network."
By flooding a local area network (LAN) with spoofed ARP packets, the insider can trick the network into redirecting voice packets through the attacker's PC. The attacker can then passively record conversations.
"The phones believe they're sending directly to each other, but the laptop running [the exploit] is silently intercepting that traffic and forwarding it on, unbeknownst to the user," Ostrom said.
With such a setup, a disgruntled employee could easily intercept phone calls between a CEO and the chairman of the board or between a CFO and human resources. The vulnerabilities exist for exploitation today. The industry is simply waiting for a high-profile incident to happen.
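The redirection described above leaves a visible trace on the LAN: the IP addresses of both phones suddenly resolve to the same, new MAC address. The following is an added example, not code from the article or from any tool it names, showing detection logic for that pattern over constructed ARP reply observations; the addresses, function names and the 10-second window are assumptions.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) from ARP replies on a voice VLAN.
# Addresses are illustrative (RFC 5737 range) and do not come from the article.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.0.2.10", "00:11:22:aa:aa:10"),   # phone A announces itself
    (0.5, "192.0.2.20", "00:11:22:bb:bb:20"),   # phone B announces itself
    (5.0, "192.0.2.10", "02:de:ad:be:ef:01"),   # phone A's IP now claimed by another MAC
    (5.1, "192.0.2.20", "02:de:ad:be:ef:01"),   # phone B's IP claimed by the same MAC
    (6.0, "192.0.2.10", "02:de:ad:be:ef:01"),   # repeated replies keep caches poisoned
    (6.1, "192.0.2.20", "02:de:ad:be:ef:01"),
    (7.0, "192.0.2.30", "00:11:22:cc:cc:30"),   # unrelated, benign
]

def detect_arp_spoofing(replies, window=10.0):
    """Alert on IP->MAC rebinding and on one MAC claiming several IPs within `window` seconds."""
    first_mac = {}                       # ip -> first MAC observed (trust on first use)
    claims = defaultdict(list)           # mac -> [(time, ip), ...]
    alerts, seen = [], set()
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        known = first_mac.setdefault(ip, mac)
        if known != mac and ("rebind", ip, mac) not in seen:
            seen.add(("rebind", ip, mac))
            alerts.append({"type": "rebind", "ip": ip,
                           "old_mac": known, "new_mac": mac, "time": ts})
        claims[mac].append((ts, ip))
        recent = {i for t, i in claims[mac] if ts - t <= window}
        if len(recent) > 1 and ("multi", mac) not in seen:
            seen.add(("multi", mac))
            alerts.append({"type": "multi_ip", "mac": mac,
                           "ips": sorted(recent), "time": ts})
    return alerts

def suspect_macs(alerts):
    """MACs implicated by both signals are the strongest man-in-the-middle candidates."""
    rebinders = {a["new_mac"] for a in alerts if a["type"] == "rebind"}
    multi = {a["mac"] for a in alerts if a["type"] == "multi_ip"}
    return sorted(rebinders & multi)

if __name__ == "__main__":
    found = detect_arp_spoofing(SAMPLE_ARP_REPLIES)
    for alert in found:
        print(alert)
    print("suspects:", suspect_macs(found))
```

Legitimate events such as DHCP lease reassignment or a gateway answering for several addresses also trigger these signals, so a deployment would seed `first_mac` from a known inventory and allowlist such devices.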
"People are saying voice eavesdropping is overhyped," Ostrom said. "I think it's very real. It just takes education and awareness. It can really happen, and most organizations don't have protections in place to detect when it's going on and to mitigate it."
With that in mind, Ostrom created UCSniff, an assessment tool that demonstrates VoIP vulnerabilities. He designed the application to combine VoIP eavesdropping techniques with the ability to tap into corporate directories so that the tool can target specific users and phone extensions within the organization. Ostrom created the tool so that enterprises could assess their existing UC systems for vulnerabilities or demonstrate vulnerabilities in a lab setting during a UC design and implementation phase.
Ostrom said UCSniff has been downloaded more than 1,000 times since it was released on SourceForge on November 7.
He said Viper Lab is working on a new version of UCSniff that will reveal video vulnerabilities, such as eavesdropping on video conferences. It may also feature some capabilities for examining vulnerabilities in session border controllers.
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor