Friday, 6 April 2012

VoIP Security Challenges & Opportunities

As VoIP takes over telecommunications, options to deliver security are increasing.  However, security takes many forms from security of your VoIP system to the requirement for encrypted VoIP.

Appropriate Security precautions must be taken before connecting any device to the internet and VoIP systems are not different or more vulnerable than anything else connected to the internet.

Security issues to be aware of include:
·         Fraudulent Calls
·         Interception of calls
·         Vulnerability scans
·         Man-In-The-Middle attacks
·         Denial of Service Attacks
·         SPIT (Spam over Internet Telephony)

Key Security Issues to address:

Hacked IP-PBX / SIP Trunks – Hosted VoIP is better
The barbarians are at the gates, 24/7.  International Revenue Share Fraud (IRSF) is increasing exponentially as there are literally thousands of industrial grade scanners searching for insecure IP-PBX’s around the clock.  If the hackers gain access to an IP-PBX they can run up call costs of thousands of pounds per hour.

For SIP trunking installations the opportunity is to sell VoIP optimised firewalls, secure / encrypted channels or to migrate SIP Trunking customers to Hosted VoIP as well as the opportunity to sell consultancy services to ensure that customers VoIP infrastructure is secure.

While the responsibility of the calls made by a hacker lies with the end user, put simply if you leave the key in your front door you can’t complain if a burglar helps himself, responsible ITSP’s actively monitor their networks to spot fraudulent and unusual calling patterns to limit fraudulent activity and all the pain it causes them, their resellers and the end user.

With Hosted VoIP from a reputable supplier the chance of being hacked is remote and if it did happen the responsibility would rest with the ITSP, so reseller and end user is safe, which is a very tangible benefit for Hosted VoIP.

Credit Card PCI-DSS Requirements
A recent worrying development is that the Payment Card Industry Data Security Standard (PCI DSS) which is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards has recently decreed that any VoIP telephone that is used to take credit card payments must use encrypted VoIP.

The opportunities for margin being to supply handsets that are capable of encryption, using typically SRTP & TLS as well as the additional charges from ITSP’s to handle encrypted calls over SIP Trunks or Hosted VoIP.

Therefore, there are certainly opportunities to sell security based products and services to new & existing customers in response to changes in legislation, i.e. PCI-DSS or to protect against the ever increasing threats from hackers / scanners.