WSTA Ticker - May/June 2008 - (Page 18)

By Rick Dalmazzi

Voice over Internet Protocol (VoIP) has established itself as the heir-apparent technology to replace traditional telephony. The key drivers motivating businesses to transition to VoIP are cost savings and productivity enhancements: VoIP reduces total cost of ownership and facilitates the convergence of telephony with messaging applications. But in making the move to VoIP, some organizations have overlooked the security threats that come with IP-based transmission of voice calls, and the consequent impact on their ability to comply with privacy regulations.

In the financial sector in particular, this is a subject of growing concern. Financial institutions subject to legislation such as the Gramm-Leach-Bliley Act in the U.S. need to ensure full protection of customer information against security breaches that compromise confidentiality and privacy. In a 2005 letter to U.S. financial institutions (FIL-69-2005), Michael Zamorski, former Director of Supervision and Consumer Protection at the Federal Deposit Insurance Corporation (FDIC), remarked on VoIP security risks: “VoIP is susceptible to the same risks as data networks that use the Internet. Configuration weaknesses in VoIP devices and underlying operating systems can enable denial of service attacks, eavesdropping, voice alteration (hijacking), and toll fraud (theft of service), all of which can result in the loss of privacy and integrity.”

Unauthorized Access

Exploits that allow the attacker to gain unauthorized access to services or information, a major concern for banks and credit card companies today, are among the greatest risks. These activities can result in the loss of sensitive customer information or corporate secrets, and even identity theft. Below are some examples:

• Registration hijacking
• Caller ID spoofing
• Toll fraud
• Data theft
• Voice phishing (vishing)

Some institutions believe their VoIP system is not susceptible to attack because it is confined to an internal local area network (LAN). This is a myth, as VoIP networks are rarely completely segregated, and as a result are vulnerable to attacks originating in the data network.

So just what measures must banks and other financial institutions adopt? What steps must they take to address security threats, protect the confidentiality of customer information and ensure compliance with industry privacy regulations?

Best practices

In an attempt to develop information security standards for federal agencies and regulated industries such as financial institutions, organizations such as the National Institute of Standards and Technology (NIST) and the VoIP Security Alliance (VoIPSA) have articulated best practices as they relate to voice over IP network security. NIST Special Publication 800-58, for example, provides detailed guidance on VoIP security.

Continued on page 26