December, 2008

OCS 2007 R2 Coming Soon

Microsoft will be rolling out the latest incarnation of Office Communications Server soon. Rather than doing a live event or multiple live events across the country, Microsoft is doing the official unveiling of OCS 2007 R2 on February 3rd via the Web. You can register to attend the virtual event by clicking here.

OCS 2007 R2 has been much anticipated in the unified communications world. With R2, Microsoft adds a significant number of new features and capabilities. New call management features enable a receptionist or executive assistant to filter and route incoming calls. The desktop sharing and collaboration features will work across Windows, Mac, and Linux platforms. Organizations will be able to set up persistent, theme-based group chat rooms for better collaboration and communication between team members. The list goes on.

You can learn more about the upcoming release by visiting the What’s New in Office Communications Server 2007 R2 site. Even better, schedule some time on your calendar for February 3rd and attend the free launch event via the Web.

Protecting VoIP Against Three Common Threats

There are a number of way, theoretically, that a VoIP communications system could pose a security risk to an enterprise. Let’s face it, while the network administrators have been in the trenches fighting unauthorized access, malware infections, data compromise, and more on a daily basis for the last 10 years, the voice guys have been sitting on a pretty stable and secure platform. While there are huge benefits for an enterprise to migrate from traditional voice to VoIP, those benefits come with a convergence onto that data network that is constantly under attack. That means that the benefits and efficiency of VoIP come with an increase in the number of security threats as well.

That said, attackers are still working on refining how to compromise VoIP for gain. Many of the VoIP weaknesss are proprietary, meaning that they vary from vendor to vendor and make it more difficult for attackers to determine targets. However, there are three VoIP threats that are consistent across pretty much all VoIP implementations and two of the three are actually just new twists on old attacks that were used against traditional voice systems as well.

The three most common VoIP threats are voice spam (sometimes referred to as SPIT (Spam over Internet Telephony), toll fraud (or theft of service), and denial-of-service attacks. For more details about these threats and what you can do to protect your VoIP network against them, check out The Biggest VoIP Securiy Threats - and How to Stop Them.

Security Funding First To Go In Tough Economic Times

Let’s be honest - even in a good economy, when business is booming, security is still a reluctant after-thought in most cases. Why do we have Sarbanes-Oxley, HIPAA, GLBA, PCI DSS and other legislation and regulatory requirements? Because companies can’t be trusted to do the right thing of their own accord. Had they done that, the situations that sparked the creation of each of the various laws and guidelines would never have occurred.

Spending on security is like buying insurance. You spend money on health, auto, home, and life insurance (and perhaps others), but you hope to never use it. If you never get in a car accident in your life, that could be more than $50,000 you spend in your driving lifetime to protect yourself against something that never happens. You could buy two new cars outright with cash and just forget about the insurance.

Companies tend to look at security like that as well. There is no return on investment (ROI). There is no upside gain. Budget is being allocated and money is being spent to safeguard against a gamble that may never come to pass. All that money may just be wasted. Even before there were laws demanding a baseline minimum of security controls, many companies waited to address security until after an incident. At least once the company experienced the pain of an enterprise-wide malware infection, or a data compromise of sensitive information they had a barometer against which to measure the cost of making sure it didn’t happen again.

So- in a recession, or a depression, or even just a quarter of down revenue, security is often one of the first things to go. However, we do have SOX, and HIPAA, and GLBA, an PCI DSS. That means that aside from the pain the company will feel if there is a data breach or malware compromise, and aside from the damage that will be done to the reputation of the company if customer data is leaked or compromised in any way, there are also additional fines and consequences, including possible jail time, to try and create the proper ‘incentive’ for companies to do the right thing.

But, money is tight. According to the article ‘What Can You Afford NOT To Do On IT Security?‘ from CIO.com, budgets may not be cut from 2008, but they also won’tbe going up in many cases. Personally, I think that more will be cut than this article suggests. Unified Communcations and VoIP security administrators will need to be more resourceful and perhaps look into the free and open source tools available to help protect the unified communications infrastructure. It is possible to protect the network on a minimum budget, but the learning curve may be higher and getting support requires more initiative and effort than simply dialing the vendor’s toll-free number.

What To Look For in a UC SaaS Provider

For small businesses, there are cost-effective options like Microsoft’s Response Point which meet the communications needs pretty well. Large businesses can invest in enterprise-class unified communicaions platforms such as Microsoft Office Communication Server 2007 and the rest of the Microsoft Unified Communications suite. The companies in the middle though, and even some of the large companies, have some tougher decisions to make.

They may not have the budget available to invest in a suitable unified communications solution, the infrastructure available to accommodate a unified communications solution, or the resources available to implement and maintain a unified communications solution. Thankfully for companies like these, unified communications is quickly growing as a SaaS (Software-as-a-Service) offering. SaaS is a great way for a company to get the features and functions they need without all of the up front investment, or ongoing maintenance that comes with deploying a technology internally.

There can be a downside as well though. Buying a SaaS product or service on price alone is a recipe for disaster. You get what you pay for and often the cheapest provider is actually undercutting themselves and operating at a loss just to win customers. That is a shortsighted business plan that quickly collapses on itself when there is no revenue to sustain the services being provided and suddenly the SaaS provider simply fades away. If you are considering SaaS, for unified communications or any other service, take a look at this article from MSNBC.com for a list of the questions you should ask and the research you should do in order to make a sound decision and select a SaaS provider that you can rely on.

.NET Framework Update Causes OCS 2007 Communication Issues

Part of the value of unified communications- in fact a big part- is the unified part. With a Microsoft Unified Communications implementation, the Office Communications Server (OCS 2007) has to be able to communicate with the Exchange Server for a variety of converged communications reasons. One particulalry important reason though is Presence. OCS 2007 is able to sync up with Exchange and the user’s Outlook calendar and automatically update Presence. It also helps for co-workers or managers be able to see when an individual is free or busy when they want to schedule a meeting.

That became a problem recently for some organizations. Mike Stacy, Director of Professional Services for Evangelyze Communications, noticed a string of communications or connectivity issues between his OCS 2007 server and his Exchange server. Ultimately, he determined that a recent update to the .NET Framework was to blame and found the Microsoft KnowledgeBase article he needed to resolve the problem. Check out Mike’s blog post for more details on the problem(s) and the solution: Communicator Exchange Connection Issue.

Exploiting VoIP for Toll Fraud

Toll fraud is nothing new. Pretty much since there have been telephones, or at least enterprise telephone systems, attackers have sought to somehow hijack or piggyback on them in order to place toll phone calls at the expense of the company that owns the phone system. As with many other types of ‘cyber crime’, the crime itself is not new, but technology often makes it easier and faster than the more traditional version of the crime.

Mark Collier, CTO of SecureLogix and co-author of Hacking Exposed: VoIP, noted in a recent blog post what a threat VoIP toll fraud is. Collier points out that, while there may be a variety of ways to attack a VoIP system, toll fraud is one of the few with a clear and direct motive. Collier refers to a white paper detailing a recent toll fraud VoIP breach in Germany, and also alludes to a similar situation here in the United States that resulted in $250,000 of toll fraud theft. You can get more details on these incidents and VoIP toll fraud in general by checking out this post on Collier’s blog.

Clarifying the UC Vision

Unified Communications is still in its infancy more or less. Vendors are still fighting to define what UC even is, and to declare their stake in the industry. Some vendors are traditional voice or network infrastructure hardware vendors that are trying to extend into software and application integration. Some vendors are software developers and application integrators who are working to develop or incorporate voice and network hardware. But, what *really* defines UC?

Joe Schurman, Founder and CEO of Evangelyze Communications and a respected VoIP and UC visionary, explores this question in a recent blog post. Actually, Schurman’s post starts off as more of a vent against what he perceives as current marketing and sales efforts missing the mark. Essentially, Schurman feels that vendors are too focused on feature comparisons and ’selling’ the underlying technology. Schurman says he believes that “…what will actually make a difference to people is how the technology can be integrated, how it can affect the business applications they use today…”

I agree with Joe. Enterprises like Cisco, Nortel, Avaya, IBM, and Microsoft should all know that one of the most fundamental rules of sales is that you “sell the ’sizzle’, not the bacon.” In other words, ultimately what matters is how the product or service will benefit the company. What value will that product or service provide the customer? There are those within an organization who may care what protocol is being used, or the operating system that the product runs on, or how the  technical architecture is put together behind the scenes. All of those things will need to be known and understood at some point, but they are not compelling reasons to buy or not to buy a given solution.

Joe sums it up in his blog post “The CEO of a company does not care about whether dual forking is obtained through two components or one.  The CEO of a company wants to know if he or she is saving cost and will be impressed if the solution can integrate into the company’s business strategy, the process, and the underlying applications that support this strategy that have been custom-built by an internal staff.” The bottom line is that an investment in UC helps an enterprise to operate more efficiently. Operating more efficiently translates to reduced travel and communications costs as well as enabling companies to trim costs in other business processes. Operating more efficiently means that the organization can innovate faster than competitors and respond quickly to changes in the market.

UC for Free from Unison

In case you’ve been hiding under a rock- the economy is having some issues. More than 2 million people lost their job in 2008. The stock market has taken a beating and lost as much as 40% of the value it had a year ago. The government rushed through a $700 billion rescue package for Wall Street, then fought tooth and nail to make sure the Big 3 auto makers couldn’t get the $30 billion they need just to survive. A former head of NASDAQ and wizard of Wall Street investor admitted that his investments were nothing more than a Ponzi scheme that has resulted in a $50 billion collapse rippling through businesses and charities around the world.

So- for companies like Microsoft, Cisco, Nortel and others, it may be a little tough prying the budget from prospective customers to get them to buy unified communications solutions in the near future. Unison thinks they have the answer though. How do you sell in a recession economy teetering on the edge of Depression? You give your product away for FREE. Take a look at this eWeek.com article for more details about Unison’s unified communications platform and how much bang you get for your buck (or lack thereof).

Are You There?

Businesses have used multiple methods of communicating for some time. Phones have been around basically forever. Email has been part of the foundation of corporate communications for at least the last decade. More recently, instant messaging has been embraced by many businesses, and mobile phones have become relatively ubiquitous. So, there is nothing all that novel about a company combining multiple methods of communicating together. However, by itself that is just variable or multiple communications, NOT Unified Communications.

What makes Unified Communications then? Well, the core difference is in the unity. Part of what makes the communications unified is interoperability. Voicemails that are left for a voice call are sent to the users email. Users can initiate an instant messaging session or phone call by clicking on a user’s name in an email. Mobile devices are equipped with email and instant messaging functionality. The tie that binds though is Presence. Presence is the component of Unified Communications that elevates the solution from various separate communications methods, past a collection of multiple communications methods that can work together, to the point where the organization can really begin to realize the productivity and effeciency benefits of Unified Communications.

Presence is what notifies other users about the current state of a given user. Is the person in a meeting? Are they on a call? Are they available? Presence generally illustrates the user’s state with some sort of symbol or icon. Ideally, presence also gives the user some ability to control who can see what. For example, setting their presence so that they appear offline or busy to the general population, while remaining available for more important individuals like co-workers and customers. To understand more about the importance of Presence and its impact on Unified Communications, check out Presence: The Heart of Unified Communications on the SearchUnifiedCommunications site.

FBI Warns of Asterisk-based Vishing Attacks

The FBI has issued a warning that a vulnerability in the open-source Asterisk platform, used by many as a free IP PBX, can lead to the system being exploited to initiate vishing calls. Vishing, a term concocted to mean a voice or VoIP based phishing attack, uses a voice system to contact potential victims and attempt to get them to share sensitive or confidential information which can be used to compromise their accounts. Generally, the purpose would be to gain access to financial information and be able to gain access to bank or investment accounts to steal money from the victims.