Curt Frierson, VP, SouRCe Services and Ryan Spanier, SouRCe Team Member
Security | Research | Consulting

Objective: The Emerging Technology Series is designed to assist financial institutions in evaluating the risks associated with new technologies. Organizations are often drawn by the features and functionality that cutting-edge technology can provide; however, it is important to understand the risks associated with any technology before implementing it into a production environment. Any addition to your technology infrastructure carries with it risk which must be planned for and managed. Understanding the risks involved will help align your institution’s technology decisions with business objectives. Although this guide will help highlight some of the more common risks financial institutions may face in implementing this technology, it is not intended to be a comprehensive guide to assessing risk within your network. A formal risk assessment should always be performed prior to implementation which addresses threats to your specific environment.

What It Does: The introduction of Voice Over IP (VOIP) technology has provided a major advancement in the convergence of voice and data communications. VOIP allows voice communication to be conducted over a digital data network. This technology eliminates the need for separate voice and data infrastructures. Conceptually, VOIP is a network application that allows you to make telephone calls. Voice traffic can now travel over the same path as your email and files. This allows businesses to leverage existing network infrastructure to a greater advantage. An organization can utilize their Wide Area Network for voice and data. This can be extremely beneficial for businesses whose branch offices are located in separate area codes, vastly reducing ongoing communication costs. VOIP can also reduce the costs associated with making changes to the phone system.

How it Works: VOIP operates by converting analog voice communication into digital data packets. These data packets are then transmitted across the data network using the IP protocol, the same way most other network devices communicate. A traditional telephone PBX system is replaced with a network device similar to an application server. This device can then be accessed and managed as you would any other server. Administrators can connect to the server from their desktop computer to perform administrative duties, such as adding phone users, changing phone extensions, or updating the software.

A VOIP enabled phone connects to the network as a desktop computer does. Once connected, the IP phone communicates back to the VOIP server. This allows the central server to control the settings for each phone. Many VOIP solutions allow users to make changes to their own phone settings using the phone itself, or by client software running on their computer.

Summary: Basically, VOIP technology converts traditional telephone service into a network application. Because of this, VOIP is subject to many of the same threats facing other forms of informational assets. Fortunately, many of the same security controls in place to defend a company’s digital information will serve to protect VOIP communication. On the other hand, a lack of appropriate controls will expose yet another form of critical information. This fact reemphasizes the need to ensure adequate risk management strategies are in place before considering a VOIP deployment.

The following chart presents some of the key threats associated with VOIP technology in a financial services environment. In addition, some controls are identified to help manage or mitigate the identified threats. Following the chart, additional security controls are presented which can help secure the overall VOIP environment. Each of the controls specified in this worksheet should be examined to determine whether they are appropriate for your environment.

Eavesdropping: Eavesdropping (also known as sniffing) presents one of the most obvious, and perhaps critical, risks to VOIP. Because voice communication is being converted into digital packets, this traffic is now subject to more methods of interception than conventional phone systems. If captured, these packets can be reassembled to replay the conversation. Also, eavesdropping may allow an attacker to access the information that identifies the user, such as PIN numbers, phone extensions, and IP addresses. The attacker could then use this information to make changes to the user’s account or access account information, voice mail, etc.
  • Physical Security
  • Disabling Unused Network Ports
  • Encryption (SIP or H.323 protocols)
Denial of Service: Voice traffic is very time sensitive, requiring quick delivery for high-quality conversations. Packet latency over 150 milliseconds is generally considered unacceptable. Data networks have long been susceptible to Denial of Service (DoS) attacks, which attempt to remove access to computer resources. Since VOIP migrates traditional phone traffic to a data network, it suffers the same limitations. Service can also be degraded by standard network traffic. If too much bandwidth is being used on a network segment, there may not be enough left over for high-quality voice conversations. This can cause Jitter (random delays in voice conversations) and Latency as well as delays in call connections.
  • QoS (Quality of Service)
  • Physically separate data and voice networks
  • Separate internet circuits
  • VOIP compatible perimeter devices
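The latency and jitter limits described in the Denial of Service entry can be monitored directly. The following is an added example, not part of the original guide: it checks constructed packet timings against the 150 ms figure and computes interarrival jitter with the RFC 3550 running estimate. The 30 ms jitter limit, the sample data and all function names are assumptions, and the one-way latency figures presume synchronized clocks on both endpoints.

```python
LATENCY_LIMIT_MS = 150.0  # figure given in the text
JITTER_LIMIT_MS = 30.0    # assumption: a common planning figure, not from the text


def interarrival_jitter(packets):
    """RFC 3550 running estimate: J += (|D| - J) / 16, where D is the
    change in transit time between consecutive packets."""
    jitter, prev_transit = 0.0, None
    for sent_ms, recv_ms in packets:
        transit = recv_ms - sent_ms
        if prev_transit is not None:
            jitter += (abs(transit - prev_transit) - jitter) / 16.0
        prev_transit = transit
    return jitter


def assess_stream(packets):
    """Summarize one call leg: worst latency, jitter, and any findings."""
    if not packets:
        return {"max_latency_ms": None, "jitter_ms": None,
                "late_packets": 0, "findings": ["no packets received"]}
    latencies = [recv - sent for sent, recv in packets]
    late = sum(1 for value in latencies if value > LATENCY_LIMIT_MS)
    jitter = interarrival_jitter(packets)
    findings = []
    if late:
        findings.append(f"{late} of {len(packets)} packets over {LATENCY_LIMIT_MS:.0f} ms")
    if jitter > JITTER_LIMIT_MS:
        findings.append(f"jitter {jitter:.1f} ms over {JITTER_LIMIT_MS:.0f} ms")
    return {"max_latency_ms": max(latencies), "jitter_ms": jitter,
            "late_packets": late, "findings": findings}


# Constructed samples: (send_ms, receive_ms), one voice packet every 20 ms.
QUIET = [(i * 20, i * 20 + 40) for i in range(50)]
# Congested segment: transit time alternates between 60 ms and 220 ms.
CONGESTED = [(i * 20, i * 20 + (220 if i % 2 else 60)) for i in range(50)]

if __name__ == "__main__":
    for name, sample in (("quiet", QUIET), ("congested", CONGESTED)):
        print(name, assess_stream(sample))
```
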
Viruses and Trojans: Since VOIP networks are now linked to data networks, they are vulnerable to many of the same malicious code threats. Most of these threats are currently associated with DoS due to increased network traffic. However, as VOIP becomes more popular there will be an increase in malicious code targeting VOIP systems. Additional vulnerabilities can be introduced if “softphones” are allowed on the network. “Softphones” are PCs with phone software used to make calls and interface with the VOIP network.
  • MAC Address Filtering
  • Audit log reviews
Default or Incorrectly Configured Access Points: The default configurations of access points are widely known. Several aspects of default configurations pose risks to the overall security of the wireless network. The first and possibly most important is the password to the access point itself. With a default or weak administrative password, an attacker could potentially gain access to the access point and change any of the configuration settings. This could nullify most security controls that have been implemented. A complex and routinely changed password required to manage the access point is critical. Another risk of a default installation involves the Service Set Identifier (SSID). The SSID acts as a crude password for the access point. Users must connect to the access point by the SSID. Changing the default SSID will provide a minimal but important layer of security for the WLAN. SSIDs are also broadcast by default. The purpose of broadcasting an SSID is to allow users to easily identify access points that are within range. Unfortunately, this also allows an attacker to easily identify that an access point is present. Disabling SSID broadcasts will prevent novice hacker attacks by requiring more complex methods of detecting the wireless network.
  • Physically separate voice and data networks
  • Block incoming H.323, SIP or MGCP connections at voice gateway.
  • Use QoS aware IDS systems
  • Prohibit “softphones”
Incorrectly Configured Network Devices: VOIP systems rely on many infrastructure devices to ensure proper functionality. Some of these devices are proprietary to each system, including voice gateways, voicemail systems, and phones. Others are more standard, including switches and routers. If these standard devices are left in default configurations, they can open up the VOIP network to attack. Some examples are port mirroring on switches, which would allow someone to monitor all VOIP traffic and eavesdrop, or changing router QoS to cause Jitter, Latency or DoS. Since attackers are already familiar with these products, these will be the first target of attack.
  • Change default passwords
  • Upgrade firmware
  • Set up VLANs
  • Disable port mirroring
  • Monitor network devices
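Several of the controls listed for incorrectly configured network devices can be checked automatically against an exported switch configuration. The following is an added example, not part of the original guide: it flags port mirroring sessions, well-known default secrets, and phone ports with no voice VLAN. The Cisco IOS-style syntax, the sample configuration, the default-secret list and the function name are assumptions, since the guide names no vendor.

```python
import re

# Constructed sample in Cisco IOS-style syntax (assumption: the page names no vendor).
SAMPLE_CONFIG = """\
hostname branch-sw1
enable password cisco
snmp-server community public RO
monitor session 1 source interface Gi0/3
monitor session 1 destination interface Gi0/24
interface Gi0/3
 switchport access vlan 10
 switchport voice vlan 20
interface Gi0/4
 switchport access vlan 10
interface Gi0/24
 switchport access vlan 10
"""

# Illustrative list of well-known default strings; extend it for your own estate.
DEFAULT_SECRETS = {"cisco", "admin", "password", "public", "private"}


def audit_switch_config(text, phone_ports=()):
    """Return (kind, detail) findings for mirroring, default secrets, missing voice VLANs."""
    findings, has_voice_vlan, iface = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            iface = None  # an unindented line ends the current interface stanza
        if m := re.match(r"interface (\S+)$", line):
            iface = m.group(1)
            has_voice_vlan[iface] = False
        elif iface and line.startswith("switchport voice vlan "):
            has_voice_vlan[iface] = True
        elif m := re.match(r"monitor session (\d+) (source|destination) interface (\S+)", line):
            findings.append(("port-mirroring", f"session {m[1]} {m[2]} {m[3]}"))
        elif m := re.match(r"(enable password|snmp-server community) (\S+)", line):
            if m[2].lower() in DEFAULT_SECRETS:
                findings.append(("default-credential", m[1]))  # never echo the secret
    for port in phone_ports:  # ports expected to carry IP phones
        if not has_voice_vlan.get(port, False):
            findings.append(("no-voice-vlan", port))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_switch_config(SAMPLE_CONFIG, phone_ports=("Gi0/3", "Gi0/4")):
        print(f"{kind}: {detail}")
```
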
Software Vulnerabilities: VOIP systems use software to control server and client functionality. Like any computer software, vulnerabilities are, and will continue to be, discovered from time to time. It will be necessary to periodically patch the software running a VOIP system. The availability of software patches should be announced by the system manufacturer. It will be necessary to include the VOIP system in the overall patch management procedures of the organization. If left alone, these vulnerabilities will expose your VOIP system to known exploitation methods by internal or external attackers.
  • Choosing an established manufacturer
  • Subscribing to security mailing lists
  • Appropriate patch management procedures

Additional Security Controls: As previously stated, VOIP can be secured through many of the same controls as the broader data network. It is imperative to analyze the security of your existing network before deploying a VOIP solution. The following security controls, while not unique to VOIP, will help establish a secure overall environment upon which to build a VOIP system.

  • Firewall: A properly configured firewall is the bedrock of any secure network. A firewall should block traffic on any port that is not necessary for business objectives, including both inbound and outbound ports. This will keep the vast majority of intruders from entering your network in the first place.
  • Network IPS: Firewalls are typically limited in their ability to block traffic because they block based on ports. If a particular port is open to the internal network, say Port 80 or 443 for remotely accessing email, any traffic over those ports would be permitted. Monitoring network activity with an intrusion prevention system can allow you to proactively detect and block most types of intruder attempts to which you may otherwise be vulnerable. These systems analyze data by comparing it to known attack signatures. This allows these systems to detect and block attacks coming through a port that is open through the gateway firewall.
  • Administrative Controls: Implement policies and procedures for VOIP use that include tools, methods, and procedures to limit security risks by effectively combating threats. Controls should also include periodic testing, end user training, a methodology for Risk Assessment and a formal strategy for addressing Security Incident Response.

Recommended Federal Regulatory Guidance: FDIC FIL-81-2005 (IT-RMP) New Information Technology Examination Procedures; FDIC FIL-69-2005 Guidance on the Security Risks of VOIP; FFIEC Information Technology Examination Handbook: Operations Section: Risk Mitigation and Control Implementation.
