UC, VoIP Threats Have Evolved
Unified Communications (UC) and Voice over Internet Protocol (VoIP) threats have evolved over the past half-dozen years.
In response to the trend, Mark Collier, CTO of SecureLogix Corporation and co-author of “Hacking Exposed: Unified Communications & Voice Over IP Security Secrets and Solutions,” noted that the second edition of the book focuses on UC application security issues.
“No matter how well you secure your internal UC environment, you are going to be attacked…because it’s so much easier for the attackers to generate unwanted, inbound calls,” Collier said in an interview.
Collier is both CTO and vice president of Engineering at SecureLogix, where he heads up hardware and software product engineering, development, testing and manufacturing. David Endler is the other co-author of the book, and he has been director of Security Research for TippingPoint. Endler was also the founder of the Voice over IP Security Alliance, and he has worked at Jumpshot. He now works at director of product development at Avast Software.
In the book, the two authors highlight how recently there is more possibility for malicious calls from the Public Voice Network (PVN). Attacks can be created via free PBX software, Asterisk is an example, or by calling number spoofing, call generators, and call origination via Session Initiation Protocol (SIP). In addition, attackers can make robocalls, which are used for Telephony Denial of Service (TDoS); voice SPAM; toll fraud; voice phishing; and calls leading to fraud.
“The Public Voice Network has become much more hostile and…enabled new attacks and made traditional voice attacks easier and cheaper to execute. While UC and VoIP add much new vulnerability, what they primarily do is allow the same attacks occurring in the past [to be] much more prevalent and disruptive,” Collier said in a statement released by the company. “This includes attacks such as TDoS, which were never practical in the past, but are now rapidly increasing. The Public Voice Network will continue to get more and more hostile, eventually merging with the Internet.”
In addition, Kevin Riley, chief technology officer at Sonus Networks, says UC platforms are “beginning points for intrusion.”
Riley says "The CIO Playbook" relayed data which shows that 31 percent of organizations saw security and privacy as a “key challenge to implementing UC.”
"This concern is because integrating platforms requires opening up ports to enable the flow of data, which means additional unwanted traffic is able to flow freely," Riley added. "However, organizations can take precautions, like installing session border controllers (SBCs) to close ports that aren't required and protect their networks from dangerous traffic. The legacy, on-premises PBX architecture was isolated to the enterprise from an IP networking perspective and used PSTN for multisite interconnect. In contrast, UC is typically deployed as a multisite IP service that requires opening a wide range of ports, which creates a security risk."
Edited by Alisen Downey