One of the biggest problems with information security is that it is almost always reactive. The entire antivirus industry is built on a model where new threats are unleashed on the unprotected public first, then the antivirus vendors capture a sample and create a defense for the threat to add to the signatures their antivirus product can detect.
Unfortunately, it is easy to be complacent…until it isn’t. In other words, complacency only works until an attack catches you sleeping and you end up with catastrophic results. Security experts continue to talk about the potential threat of VoIP attacks, but the fact that no credible attack has been perpetrated (or at least reported) leads many to feel like these are just ‘sky is falling’ predictions from security vendors with a product to sell.
To some degree that may be true, but VoIP administrators need to be diligent about understanding the potential security risks and strike a balance between paranoid and healthy skepticism. This report from Silicon.com provides a link to various tools capable of attacking a VoIP network which are currently available publicly- highlighting that the threat is real even if the attacks haven’t occurred.
It then goes on to talk about VoIP security. VoIP merges the communications network with the data network, making voice communications subject to the same sorts of threats and compromises that used to affect only data networks. Most of VoIP security rests in sound, best practices for network security. The article focuses on two additional measures though- using VLAN’s to segment VoIP communications and using encryption to ensure that VoIP communications data can not be understood by anyone who might intercept the data packets.