VoIP security barely a blip on SMBs' radar

By Shamus McGillicuddy, News Writer 24 Jan 2007 | SearchSMB.com

Technology news and tips for midmarket CIOs Digg This!     StumbleUpon     Del.icio.us

Richard Ridolfo, CIO of Simat, Helliesen & Eichner Inc., a New York-based aviation consulting firm, said security concerns affected how he rolled out VoIP.

We prohibit the use of free commercial service because I don't believe the technology is mature yet. Richard Ridolfo CIO, Simat, Helliesen & Eichner Inc.

"We're using company-owned VoIP infrastructure, and we are using it on encrypted, controlled data paths," Ridolfo said. "And we prohibit the use of free commercial service because I don't believe the technology is mature yet."

But when Ridolfo was looking at VoIP offerings, he saw no mention of security in vendors' marketing messages.

"As with anything, the risk [of a security breach] is theoretical risk right now," Ridolfo said. He said today it's much easier to write a virus or steal data off a file-sharing system than it is to build an exploit for VoIP.

"Does that mean someone isn't working on it right now? No," Ridolfo said. "A high-profile attack, such as a single, crucially important phone call, that will be intercepted, whether it is commercial or government. Then you'll see a bunch of those in short succession. Then there will be a big push to introduce security."

In a recent survey by the Computing Technology Industry Association Inc. (CompTIA), an Oakbrook Terrace, Ill.-based provider of vendor-neutral certifications, 50% of 350 SMBs said they trust the security offered by IP telephony vendors. This number was up slightly from 48% last year.

Steven Ostrowski, director of corporate communications at CompTIA, said concerns about security should provide an opportunity for vendors and resellers who can show they have the expertise to protect customers.

Smaller businesses are relying on solution providers or value-added resellers and system integrators to provide guidance. "They're looking to them to make sure their total security solution is in place -- that not just email, but all voice and data communications are secure," he said. "On the one hand it's a challenge for solution providers to address the issue. On the other hand, it might be an opportunity for them to increase their business if they can show they have the expertise and can protect networks."

Voice is just as vulnerable to exploits as data communication, Ostrowski said, "because at the end of the day it's running over an IP network and it's 'packetized' data."

One analyst was surprised by how many SMBs said they felt VoIP was secure.

"I would say that number is extraordinarily high to me," said Gary Chen, an analyst at The Yankee Group, a Boston-based research firm. "Right now there is no VoIP security, because people haven't thought about it."

Chen said the population of VoIP users is still too small to attract the attention of hackers. But it's only a matter of time.

"It's going to come," he said. "When the population is there, hackers will go for it."

More on VoIP VoIP: The migration dilemma Secure VoIP in simple steps

Chen said some VoIP vendors and some third-party security vendors are helping secure VoIP installations, but it's still a new area for most of them. There is little incentive to sell it, since customers aren't demanding it.

"It's going to be a big attack that gets a lot of attention that drives the market forward," he said.

Chen said there are a variety of ways hackers could attack a VoIP phone system. A simple, but effective exploit would be an old-fashioned denial-of-service attack. A hacker could paralyze a company's IP phone system and demand a ransom.

"You could also take over people's accounts and make calls and charge it to someone else," he said. "You can also take over a number and use that in some sort of phishing scam, where people think they're calling and talking to a bank, but they're talking to someone else."

Let us know what you think about the story; email: Shamus McGillicuddy, News Writer

Tags: Information security management for the midmarket,  Risk management for the midmarket,  VoIP and unified messaging for the midmarket,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Information security management for the midmarket IT security spending a bright spot in '09, with more growth predicted Gartner: Vetting security of third-party partners in five steps Locking down security in the move to electronic medical records Security and risk management in the midmarket Identity and access management planning guide for the midmarket Information systems management for the midmarket CIOs share advice on doing more with less Get smart about patching security vulnerabilities A CIO's advice for implementing single sign-on solutions Options for outsourcing security grow, offer IT budget savings Risk management for the midmarket Gartner: Vetting security of third-party partners in five steps Security and risk management in the midmarket Identity and access management planning guide for the midmarket Get smart about patching security vulnerabilities Log management tool saves big on network fixes, integrates with IPS Unified communications: Securing access to OCS Disaster recovery and business continuity planning: Know the risks Database security: Who should have access? San Francisco network lockup justifies CIO fears Security monitoring tools: Better to buy than build? VoIP and unified messaging for the midmarket Midmarket data center management guides: Tips and best practices FAQ: What is unified communications, and why would I want it? Mobile unified communications options for the midmarket Fixed-mobile convergence saves firms costly mobile phone charges Unified communications plans should tap CIO CIOs grapple with tying Wi-Fi, VoIP into unified communications plan Unified communications: Savvy business move or security meltdown? Unified communications: Securing access to OCS Unified communications security: How safe is it? CIO Joseph Edward: In-house app ties parishes together

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary