Unified Communications: Click to talk:

Security

Jun 29 2009   3:21PM GMT

Sipera Seeks to Bring PCI Compliance to UC



Posted by: Tony Bradley
Sipera, trustnet, Unified Communications, PCI DSS, pci compliance, VoIP

Sipera Systems, a leading Unified Communications (UC) security provider, has formed a partnership with TrustNet to boost the secure handling of credit card data in enterprises that are deploying VoIP and Unified Communications.

Together, Sipera and TrustNet will offer enterprises the guidance and functionality they need to ensure that their VoIP and UC implementations are consistent with security best practices and support their efforts to achieve and maintain PCI DSS compliance.

May 28 2009   3:40AM GMT

Gone Vishing



Posted by: Tony Bradley
vishing, automobile warranty, credit card, interest rate, voice, Phishing, scam

No, it's not a typo. Vishing is a new twist on phishing scams that uses voice, typically VoIP. There have been two prevalent vishing scams recently: one selling extended automobile warranties and one offering to reduce the interest rate on your credit cards. You may have received such calls on your home or mobile phone. Don't bother trying to use the number on your caller ID to contact them or file a complaint, though; it's spoofed. The FCC has filed lawsuits against the telemarketing firms behind these scams. For more about these scams and the details on vishing in general, read Protecting Yourself From Vishing Attacks.


May 28 2009   3:31AM GMT

Social Networking on Company Time



Posted by: Tony Bradley
facetime, Facebook, Web 2.0, Social networking, Security, Twitter

Employees are only human. They take breaks. They get distracted. As companies demand more from fewer employees and blur the line between ‘work’ time and ‘personal’ time, it is to be expected that personal or non-business use of computer and network resources will occur. But, how much is too much?

A recent study by FaceTime found that actual usage is about 10 times higher than what managers estimated employees were doing. Employees are using MySpace, Facebook, Twitter, YouTube, and many other social networking and Web 2.0 resources. This activity may exceed a reasonable amount of 'personal' time for some employees, and it also has security implications for the enterprise. Check out this ITWeb article for a more detailed breakdown of what FaceTime found in the study.


Jan 18 2009   5:50AM GMT

Summing Up VoIP Security for 2008



Posted by: Tony Bradley
Mark Collier, SecureLogix, VoIP, Security, toll fraud

A lot happened in 2008. We had what seemed to be a marathon Presidential campaign season capped off with the election of the first African-American to be President of the United States. We had a housing crisis with a mortgage industry in free fall. We had the government bailing out Wall Street banks and investment firms to the tune of $700 Billion with no oversight and no strings attached, while scoffing at bailing out the automobile manufacturing industry for $30 Billion with conditions and a plan to turn things around. We saw 2.6 million Americans lose their jobs. Aside from that part about electing a new President, 2008 didn’t seem to hold much worth smiling about.

Mark Collier, CTO of SecureLogix and co-author of Hacking Exposed VoIP, found a silver lining though. In his blog, Collier sums up the year in VoIP security for 2008. He notes that, overall, the year was kind of boring. That may not sound like a silver lining, but if the alternative was one of the 'sky-is-falling' FUD (fear, uncertainty, and doubt) predictions being realized, then suddenly boring is not so bad. Check out Collier's blog for more details of the state of VoIP security in 2008 and links to some of the few attacks that were publicly disclosed.


Dec 27 2008   3:19PM GMT

Security Funding First To Go In Tough Economic Times



Posted by: Tony Bradley
Security, VoIP, Unified Communications, VoIP security, budget, investment, UC security, funding

Let's be honest - even in a good economy, when business is booming, security is still a reluctant afterthought in most cases. Why do we have Sarbanes-Oxley, HIPAA, GLBA, PCI DSS and other legislation and regulatory requirements? Because companies can't be trusted to do the right thing of their own accord. Had they done that, the situations that sparked the creation of each of the various laws and guidelines would never have occurred.

Spending on security is like buying insurance. You spend money on health, auto, home, and life insurance (and perhaps others), but you hope to never use it. If you never get in a car accident in your life, that could be more than $50,000 you spend in your driving lifetime to protect yourself against something that never happens. You could buy two new cars outright with cash and just forget about the insurance.

Companies tend to look at security like that as well. There is no return on investment (ROI). There is no upside gain. Budget is being allocated and money is being spent to safeguard against a gamble that may never come to pass. All that money may just be wasted. Even before there were laws demanding a baseline minimum of security controls, many companies waited to address security until after an incident. At least once the company experienced the pain of an enterprise-wide malware infection, or a data compromise of sensitive information they had a barometer against which to measure the cost of making sure it didn’t happen again.

So, in a recession, or a depression, or even just a quarter of down revenue, security is often one of the first things to go. However, we do have SOX, HIPAA, GLBA, and PCI DSS. That means that aside from the pain the company will feel if there is a data breach or malware compromise, and aside from the damage that will be done to the reputation of the company if customer data is leaked or compromised in any way, there are also additional fines and consequences, including possible jail time, to try and create the proper 'incentive' for companies to do the right thing.

But, money is tight. According to the article 'What Can You Afford NOT To Do On IT Security?' from CIO.com, budgets may not be cut from 2008, but they also won't be going up in many cases. Personally, I think that more will be cut than this article suggests. Unified Communications and VoIP security administrators will need to be more resourceful and perhaps look into the free and open source tools available to help protect the unified communications infrastructure. It is possible to protect the network on a minimum budget, but the learning curve may be higher and getting support requires more initiative and effort than simply dialing the vendor's toll-free number.


Dec 9 2008   1:46PM GMT

FBI Warns of Asterisk-based Vishing Attacks



Posted by: Tony Bradley
Phishing, VoIP security, vishing, Asterisk, FBI, Digium

The FBI has issued a warning that a vulnerability in the open-source Asterisk platform, used by many as a free IP PBX, can lead to the system being exploited to initiate vishing calls. Vishing, a term concocted to mean a voice or VoIP based phishing attack, uses a voice system to contact potential victims and attempt to get them to share sensitive or confidential information which can be used to compromise their accounts. Generally, the purpose would be to gain access to financial information and be able to gain access to bank or investment accounts to steal money from the victims.


Dec 4 2008   4:15AM GMT

VoIP Security: The Great Afterthought



Posted by: Tony Bradley
Security, Unified Communications, VoIP security, UC, TechTarget, SearchUnifiedCommunications

Why is security always an afterthought? It seems that time and again there are technological innovations that businesses embrace. They do their due diligence to compare their options. They invest heavily to purchase and implement the new technology. They spend money to educate users to take advantage of the new technology. Much later, usually after there is an actual incident, security finally comes into the picture.

Often, it is a matter of money. New technologies can help the business run more efficiently. New technologies can increase productivity. Security, on the other hand, is an investment of money to prevent a greater loss of money as a result of a security incident or data compromise. It works in reverse. Rather than increasing the bottom line, security prevents the bottom line from going down. But, security is only beneficial if and when there is an actual security incident to prevent. It is like an insurance policy. You pay for it and hope you never have to use it, and it is very easy to rationalize that it is reasonable to accept the risk and take the gamble that the event will never occur rather than investing money to safeguard against it.

TechTarget’s SearchUnifiedCommunications site takes a deeper look at the issue of VoIP and unified communications security in the article Unified Communications Security Ignored and Misunderstood.


Nov 17 2008   4:00PM GMT

Comodo Offers 3-year Certificates for Microsoft UC



Posted by: Tony Bradley
Unified Communications, Office Communications Server 2007, SSL, Microsoft, Exchange Server 2007, UC, certificate, Comodo

While it is possible to build a Microsoft unified communications infrastructure using only private certificates generated internally, doing so greatly handicaps the effectiveness of the UC environment. In order to communicate with devices connected outside of the network (including laptops of employees in hotels or coffee shops, or mobile phones) and to connect with vendors, customers, or partners, a certificate from a trusted third-party CA is necessary.

Certificates are sold with expiration dates and must be renewed, which adds some administrative overhead. Someone has to track and monitor certificate expirations and make sure new certificates are purchased so that the unified communications network does not experience an interruption as a result of an expired certificate. Comodo has rolled out a new offering with a 3-year expiration that is also tailored to the Microsoft Unified Communications environment.

According to this article, Comodo’s Microsoft UC certificates “enable administrative flexibility to secure client-server and server-server communications while supporting multiple Exchange and Office Communications 2007 services (e.g. Outlook Web Access, SMTP-TLS, Auto-Discovery, ActiveSync and Outlook Anywhere) - all with a single UC Certificate.”
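The tracking chore described above is easy to automate. The following is an added example, not code from the post or from Comodo: an inventory-driven expiry monitor that records, for each certificate, the `notAfter=` line that `openssl x509 -noout -enddate` prints and the UC services that certificate fronts, then reports which services would be interrupted and how soon. The hostnames, dates and services in the inventory are constructed for illustration.

```python
"""Inventory-driven certificate expiry monitor (added example; not code
from the original post or from Comodo). Each entry records the
'notAfter=' line that `openssl x509 -noout -enddate -in cert.pem` prints
and the UC services that certificate fronts, so an administrator can see
which services an expiry would interrupt and how many days remain."""
from datetime import datetime, timezone

# Constructed inventory (hostnames, dates and service lists are made up).
# One UC certificate can cover several services, as the post describes.
INVENTORY = [
    {"name": "mail.example.com",
     "services": ["Outlook Web Access", "SMTP-TLS", "ActiveSync"],
     "enddate": "notAfter=Nov 17 16:00:00 2011 GMT"},
    {"name": "sip.example.com",
     "services": ["Office Communications Server"],
     "enddate": "notAfter=Dec  1 09:30:00 2008 GMT"},
    {"name": "autodiscover.example.com",
     "services": ["Autodiscover"],
     "enddate": "notAfter=Nov 20 00:00:00 2008 GMT"},
]


def parse_enddate(line):
    """Parse 'notAfter=Mon DD HH:MM:SS YYYY GMT' (openssl's format) into an
    aware UTC datetime. Raises ValueError for anything else."""
    key, sep, value = line.strip().partition("=")
    if key != "notAfter" or not sep:
        raise ValueError("expected a notAfter= line, got %r" % line)
    parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def days_remaining(cert, now):
    """Whole days until expiry; negative once the certificate has expired.
    timedelta.days floors, so an expiry 2.1 days in the past reports -3."""
    return (parse_enddate(cert["enddate"]) - now).days


def expiry_report(inventory, now, warn_days=30):
    """Return the certificates that are expired or inside the renewal
    window, soonest first, each with the services it would take down."""
    findings = []
    for cert in inventory:
        left = days_remaining(cert, now)
        if left < 0:
            state = "EXPIRED"
        elif left <= warn_days:
            state = "RENEW"
        else:
            continue  # comfortably valid; nothing to do yet
        findings.append({"name": cert["name"], "state": state,
                         "days": left, "services": list(cert["services"])})
    findings.sort(key=lambda f: f["days"])
    return findings


def report_at(iso_utc, inventory=INVENTORY, warn_days=30):
    """Run the report at a pinned UTC instant given as ISO 8601, e.g.
    '2008-11-17T12:00'. A scheduled job would pass datetime.now(timezone.utc)
    to expiry_report() directly; pinning the instant keeps output reproducible."""
    now = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return expiry_report(inventory, now, warn_days)


if __name__ == "__main__":
    for f in report_at("2008-11-17T12:00"):
        print("%-8s %-28s %4d days  affects: %s"
              % (f["state"], f["name"], f["days"], ", ".join(f["services"])))
```

Feeding the script real data is a matter of replacing the constructed `enddate` strings with the output of `openssl x509 -noout -enddate` for each deployed certificate; the per-service list is what turns a bare date into an impact statement an on-call administrator can act on.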


Nov 6 2008   12:38PM GMT

Unified Threat Management Takes on Unified Communications



Posted by: Tony Bradley
SIP, WatchGuard, Unified Communications, UTM, Unified Threat Management, UC, VoIPsecurity, XTM, extensible threat management

If you are going to build an 'all-in-one' security appliance, you also need to adapt with the times and add functionality to keep up with new attacks and technologies. Otherwise, organizations will end up with a UTM (unified threat management) solution plus a menagerie of one-off solutions that undermine the purpose of having UTM protection in the first place.

WatchGuard is keeping up with the pace of technology, evolving their UTM appliance into an XTM (extensible threat management) appliance. In addition to standard enterprise security measures such as deep packet inspection (DPI) firewalls, spam blocking, URL and content filtering, anti-virus protection and intrusion prevention and detection systems (IPS/IDS), WatchGuard’s XTM 1050 includes protection for VoIP networks and VoIP communications.

According to their press release “WatchGuard recognizes that as more enterprise and mid-market businesses adopt VoIP, they open themselves to a new series of VoIP protocol exploits. By utilizing a host of high security technologies, including network address translation, port obfuscation, and SIP and H.323 proxies, the WatchGuard XTM 1050 becomes an ideal security appliance to thwart would-be attackers of VoIP and network systems.” You can read more about the XTM 1050 and the evolution of UTM security in this ITBusinessEdge article.


Oct 19 2008   2:06PM GMT

Is VoIP Ready for Mission-Critical Primetime?



Posted by: Tony Bradley
Security, Encryption, availability, VoIP, VLAN, data, communications, mission-critical

For most businesses, VoIP offers a compelling business argument. Merging the voice network with the data network means implementing only one hardware and wiring infrastructure. VoIP systems are easier to administer and maintain than traditional PSTN phones. The list goes on and on.

VoIP is not without its issues though, one of which is having all of your proverbial eggs in a single basket: the network. Hopefully an enterprise network is relatively stable, but you still have to consider the possibility of a complete network outage and what that does to communications. Certain fields (emergency response, medical care facilities, banking and finance, etc.) cannot afford to be without communications even for a minute. A recent ZDNet article addressed some of these concerns.

There is no way to truly guarantee that communications will be available 100% of the time. However, if the weaknesses of the network and the VoIP communications are properly considered and addressed I believe that a very high availability can be achieved. The technologies and level of redundancy required to achieve that availability are costly though and add to the TCO (total cost of ownership) of the VoIP solution and impact the ROI (return on investment), possibly negating many of the VoIP advantages and making the case for VoIP a harder sell.

Regardless of the industry that VoIP is being implemented in, sound network security practices should be followed. For VoIP networks, segmenting VoIP traffic onto separate VLANs and encrypting voice communications provide additional security. However, enterprises should also consider the potential for a network-wide outage making VoIP unavailable, and have a written policy for how to handle critical communications in the event that such a catastrophe occurs.