Attacks against VoIP are on the rise and it is important that businesses know how to defend themselves, while also staying in compliance with regulators wanting proof that system security obeys the ever-changing regulations.

What are the threats?

Many businesses still lack even basic encryption protection against problems such as VoIP denial of service, eavesdropping attacks and toll fraud, according to industry experts. This is an issue that needs to be tackled urgently because of the risk that this may render them non-compliant with the burgeoning regulatory framework, including HIPPA (Health Insurance Portability & Accountability Act), PCI (Payment card standards), and the Sarbanes Oxley Act which are revised so often they are something of a moving target.

This issue has come to the forefront in recent years due to events involving product safety recalls, financial fraud and, sadly, disasters in environmental health & safety. US regulators and bodies in other jurisdictions have stepped up the fight by tightening their legislative control. Generally speaking, these regulations seek to protect personal information that could lead to instances of identity theft, compromised bank accounts, corporate phone toll fraud or the fraudulent usage of credit cards.

While VoIP is seldom directly addressed in these revised regulations, the rules still apply to this technology in many cases. For example, PCI standards lay down the requirement for the use of security and cryptography such as SSL/TLS / IPSEC in order to safeguard cardholder data while it is transmitted over public, open networks.

This means that VoIP calls which go across the open internet and include credit card details must be encrypted. Even though this would not apply to VoIP calls carried out on internal networks, experts fear that businesses may be obliged to validate that these calls as being encrypted. Depending on the language used in the regulations, this could be construed to refer to VoIP.

As an example, HIPAA has said that businesses need to take steps to make electronically managed health information secure. This may not be immediately associated with VoIP calls but it could impact recorded calls or digital voice mail storage, both of which are a part of most VoIP systems. In the same way, if an interactive voice system is used in navigating to protected information, then its use must be both monitored and documented.

Conversely, the US Federal Deposit Insurance Corporation (FDIC) now publishes specific guidelines for VoIP which seeks to protect any customer data which travels in IP voice-networks under the Graham Leach Billey regulations. The risks that are associated with the use of VoIP must be evaluated along with other periodic business risk assessments according to this advice. Any weaknesses must be corrected as soon as they are identified and another nine recommendations are listed for organisations to comply with.

One example of a real threat to security is described by a VoIP industry insider as follows. A client who suspected that eavesdropping was taking place decided to plant falsified information within VoIP calls to observe whether it was later referred to by the parties he suspected were listening. It transpired that the VoIP calls had been tapped by a third party which had access to the corporate network. There is another example often cited where the video communications of a CEO were illicitly accessed.

Voice termination – the future

Some business leaders try to educate themselves in order to keep in step with the regulations but this is notoriously difficult to do. Many others overlook VoIP completely, considering it to be ‘just’ an invulnerable phone system. As regulations become more complex, businesses will be forced to address their VoIP compliance head-on, possibly by investing in internal structures to monitor and implement them or by paying for the services of a third party expert.

The tasks can quickly become overwhelming for an average sized IT department, who as well as complying with the regulators’ demands and producing compliance reports every quarter, may also have security verification demanded as part of other contracts. Businesses that routinely record their VoIP calls will need to consider the regulations in terms of storing them, in the event that conversations should be illicitly accessed.

It is a good idea to respond to details of published attacks by comparing the systems involved with your own in order to scrutinise defences. Could you have stopped a similar attack occurring? If the answer is no, it will be necessary to take further action. However, the opportunity to learn from others’ misfortunes is limited because there is no incentive for companies to disclose if they have suffered a breach.

Here at IDT we are a businesses that can take advantage of the services of consultants and other specialists and have a proven track record in deploying VoIP solutions.