Security in Communications: Report to the Industry
SecureLogix has prepared a groundbreaking study that we'll release on the final day of Enterprise Connect, in a session that also features a representative of the NSA.
One subject that we haven't talked a lot about in the run-up to Enterprise Connect is security. There was a lot of concern about security when voice first moved to IP and network managers realized that anything you could do to attack an IP network, you could now do to a voice network that ran on IP. Concerns range from basic distributed denial of service (DDoS) attacks that target the IP network, in which voice is collateral damage, to the prospect of IP packets being captured and played back in various eavesdropping or impersonation scenarios.
So what's actually been going on? How real is the security threat, and what should you be doing to combat it? That's the topic we're going to tackle on Thursday morning, a week from today, at Enterprise Connect. And I'm pleased that we've got two top experts to join us on the main stage, each of whom offers a unique perspective.
Many of you in our VoiceCon/Enterprise Connect/No Jitter extended family know Mark Collier of SecureLogix. Mark is one of the godfathers of the VOIP security issue; he was a driving force in the founding of the VOIP Security Alliance, and wrote one of the first books on this subject, VOIP Hacking: Exposed, with David Endler, then of TippingPoint. Mark, along with his SecureLogix colleague Rod Wallace, VP of Global Services, is going to share with us some of the results of a major new Report to the Industry that SecureLogix will release the morning of the session (sneak preview of this in a moment).
Mark's going to be joined on stage by Troy Lange, NSA/IAD Capabilities Manager for Mobility at the U.S. National Security Agency (NSA). We're really delighted to have Troy on the stage, as NSA is obviously a major player in all issues relating to computer and network security, and Troy is going to share some perspectives we haven't had a chance to hear at Enterprise Connect in the past.
Back to SecureLogix's Report to the Industry: I just received the completed report, and I'll be posting it on line just before the session kicks off on Thursday morning, so watch our Enterprise Connect coverage space for the download of this 23-page PDF. In the meantime, a short preview.
From the introduction to the report, here's why SecureLogix says such a document--hopefully updated annually--is needed:
Several industry reports have emerged since the late 1990s detailing real-world, measured security issues and threat levels associated with data networks and IP-based communications. Examples of such reports include the "State of Enterprise Security Annual Report" by Symantec, and the "Annual Computer Crime and Security Survey Report" by the Computer Security Institute. These reports play an important role in profiling and measuring IP and data network threats and incident levels to help guide corporate security decision making, while educating the public at large. Interestingly, a dearth of attack and threat data for voice/UC communications exists, even though voice technologies pre-date IP systems by more than 100 years. This may partly be explained by the fact that virtual or network-based crime is a fairly recent phenomenon. However, the primary explanation is the lack of real-time network monitoring tools capable of identifying and characterizing voice attacks.
In the absence of real-world data, the industry has turned to prognosticating. Most papers, presentations and discussions on Voice/UC security found today invariably focus on potential vulnerabilities discovered in laboratory environments that may or may not exist in the future as communication technologies and networks evolve. However, almost no real-world, observable data or public reports illustrate these laboratory-based, potential threats actually occurring today. While academic debates over future threats can be interesting, they are not what is needed to understand the attacks and fraud schemes that may be causing substantial damage to your enterprise and customers today.
The report has a wealth of data and conclusions about the threats to enterprise voice communications, but this chart pretty much sums up the major categories of threats, and what SecureLogix's research has found about their severity. The vertical axis is "Activity Increase" and the horizontal axis is "Severity".
The report goes on to present detailed findings under each of these categories--Social Engineering, TDoS (Telephony Denial of Service), etc. It concludes with a "Threat Forecast" that predicts, among other things:
The greatest threats to enterprises will occur because the Public Voice Network will continue to allow more VoIP-based access, will become increasingly hostile, and will therefore increasingly be the source of malicious calls. This network will increasingly look like the Internet from a call-generation standpoint. While packet attacks remain unlikely, even when using enterprise SIP trunks, voice-application level threats (harassing calls, social engineering, TDoS, vishing, and SPAM) will become increasingly prevalent and severe.
As mentioned, we'll post the whole report on line just before next Thursday's session.