It's a security best practice to close at least one of the sliding doors to the patio, and if you don't follow that best practice, little else matters. The same is true in VOIP security.
Over at Nortel's excellent, vendor-neutral VOIP security blog, Lawrence Dobranski takes up the topic that, "Vulnerabilities Are Not Compromised Systems." In other words, saying that a given system is vulnerable to a certain attack doesn't mean that the vulnerability inevitably will be exploited.
Certainly that was true in our case: Cats stayed in, burglars stayed out. The situation could have been exploited, not because our house is inherently insecure, but because a best practice wasn't followed.
In his post, Lawrence Dobranski refers back to a Channel Web article that I linked to last week, and dissects the likelihood of an attack succeeding against certain vulnerabilities. For Dobranski, much of this comes down to whether the relevant "threat vectors"--i.e., means of exploiting the vulnerability--are blocked. The way of ensuring that the threat vectors are blocked is by following best practices.
Knowing and then implementing best practices, however, is table stakes for enterprise network managers. I think that understanding where the vulnerabilities lie is, in fact, critical here, and I tend to think that Mr. Dobranski's separation of the issue into vulnerabilities and exploits is a distinction without a meaningful difference. He writes about the exploit described by Channel Web:
To successfully exploit the vulnerability as explained, two threat vectors had to exist. Both vectors could have been mitigated by the use of standard VoIP best practice installations; coupling these with additional best practices in the VoIP deployment (ex. Session Border Controller) would have further lowered the risk; and ensuring the vulnerabilities are patched in a timely manner would have completed the mitigation... It is not one vulnerability that results in the compromise, but a vulnerability and bad risk management decisions.
I don't think it's entirely a coincidence that the Channel Web article is based on an interview with VOIPShield, a company that has butted heads with Nortel and other IP-PBX vendors for their announcements of vulnerabilities in these vendors' products--announcements that, in the past, have come before the vulnerabilities were fixed.
Of course, VOIPShield is trying to sell a product, and therefore has an interest in making sure that network managers hear about vulnerabilities in systems. It's the network manager's job to think through the vulnerability reports as carefully as Mr. Dobranski does in this post, so that the network manager can determine the best approach to mitigation--based on threat vectors vs. (or in combination with)vulnerability patching.
I agree with the Nortel blog that you don't want to overhype the threat by assuming every vulnerability will be exploited. But I also think it's getting close to shooting the messenger if you blame VOIPShield for bringing the subject up. Network managers and security experts can make prudent decisions about threat mitigation, but they need all the facts, and that includes understanding where the vulnerabilities are.
