No Jitter is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

  1. Home
  2. Security; It's Not Them, It's U.S.

Security; It's Not Them, It's U.S.

The U.S. is the biggest source of security threats in the world. So says the Sophos "Security Threat Report Q1 08".
Headshot of Gary Audin
Gary Audin
April 29, 2008

The U.S. is the biggest source of security threats in the world. So says the Sophos "Security Threat Report Q1 08".

The U.S. is the biggest source of security threats in the world. So says the Sophos "Security Threat Report Q1 08".I started my career right out of college in military intelligence research and development. This permanently imprinted on my thought processes the security vulnerability possibilities for any IT or communications environment. Security is a daily problem, not one that is solved and the work is done.

There have been a few high profile cases of VoIP/IPT security problems, but not anywhere near what the rest of IT systems and users have to face very day. The vulnerabilities, especially for the call managers, have not been exploited much, at least not publicly. However, VoIPShield and Sipera Systems both have announced hundreds of VoIP/IPT vulnerabilities they have found in the major IPT vendor's products.

If you view the security problems already extent, then there is much to fear when an enterprise moves to VoIP/IPT, especially when the Internet is involved. The growth of Unified Communications and the mix of IT applications with voice applications will only make the security threats greater.

The Sophos report stated:

The web now hosts an unprecedented number of threats, with Sophos discovering a new infected webpage every 5 seconds. This is an average of more than 15,000 [threats] every day, three times more than in 2007. Sophos also discovered that a new spam-related webpage appears almost every 3 seconds. In 2007, Sophos..... discovered a new infected webpage every 14 seconds [in 2008 the infected webpage rate is every 5 seconds]. 79 percent of these are legitimate websites.

So you can not ensure security by limiting access to legitimate websites.

Where does the U.S. fit into this security threat picture? The Sophos report discussed two areas, malware and spam. The U.S. ranks number 1 with 42% of the malware hosting sites. China is second with 30.1% and Russia with 10.3%. The U.S. is not as bad for spam relaying. We are still number 1 at 15.4%. Russia ranks second with 7.4% and Turkey(!!!!) with 5.9%. We hear much about the foreign locations, but we should be just as upset by our own homegrown cyber attackers.

Phishing continues to be a problem. The attacks are changing mode. The Sophos report highlights spear phishing, which targets specific organizations. Many educational institutions and web mail services have been attacked The newer phishing attempts to pretend to be from internal IT and HR departments. Think of this when you consider adding VoIP, IPT and UC to your network. Who is really contacting you?

Dealing with security is dealing with risk and risk management. Reduced or eliminated risk and return on investment are opposing goals. You cannot deliver a return without exposing the enterprise to some risk. This is especially true for security.

Dr. George Westerman of MIT and Richard Hunter of Gartner offer insights to risk management in their book "IT Risk: Turning Business Threats Into Competitive Advantage" (Harvard Business School Press). Although the book is not focused only on security, security is one of the major risk elements discussed. The authors have what is called a four part (their four As) holistic view of risk that is worth considering:

  • Availability - ensuring that the systems and processes are running successfully
  • Accuracy - making sure that information is complete, timely and accurate
  • Access - delivering the information only to the right people and systems
  • Agility - a measure of the IT organization's ability to make strategic changes

    Think through your security investment. What holes have been left because the budget is limited? The holes are the risk. It may be hard to evaluate the cost of these holes. Cyber criminals are getting smarter and do not want the IT world to stop them, so they attack or use resources within normal operations to avoid detection. Even the pattern of communications must be observed because the pattern may illuminate the security intrusion.

    The security of VoIP/IPT/UC is not just a network problem. The security of these applications and endpoints is an addition to the security landscape. The IT and telecom management MUST anticipate the VoIP/IPT/UC security risks and not wait until there is a major VoIP/IPT/UC disaster that makes these new security problems self evident.

    Think through your security investment. What holes have been left because the budget is limited? The holes are the risk. It may be hard to evaluate the cost of these holes. Cyber criminals are getting smarter and do not want the IT world to stop them, so they attack or use resources within normal operations to avoid detection. Even the pattern of communications must be observed because the pattern may illuminate the security intrusion.

    The security of VoIP/IPT/UC is not just a network problem. The security of these applications and endpoints is an addition to the security landscape. The IT and telecom management MUST anticipate the VoIP/IPT/UC security risks and not wait until there is a major VoIP/IPT/UC disaster that makes these new security problems self evident.

    • Tags:

    News & Views