Security is a low priority among most small and midsized businesses
(SMBs), as well as vendors, when it comes to
Voice over Internet Protocol (VoIP), experts
say. That will quickly change once hackers take aim, however.
Richard Ridolfo, CIO of Simat, Helliesen & Eichner Inc., a
New York-based aviation consulting firm, said security concerns
affected how he rolled out VoIP.
 | | | | | We prohibit the use of free
commercial service because I don't believe the technology is mature
yet.
Richard Ridolfo
CIOSimat, Helliesen & Eichner
Inc. |
| | | | | |
| |
|
"We're using company-owned VoIP infrastructure, and we are using it
on encrypted, controlled data paths," Ridolfo said. "And we
prohibit the use of free commercial service because I don't believe
the technology is mature yet."
But when Ridolfo was looking at VoIP offerings, he saw no
mention of security in vendors' marketing messages.
"As with anything, the risk [of a security breach] is
theoretical risk right now," Ridolfo said. He said today it's much
easier to write a virus or steal data off a file-sharing system
than it is to build an exploit for VoIP.
"Does that mean someone isn't working on it right now? No,"
Ridolfo said. "A high-profile attack, such as a single, crucially
important phone call, that will be intercepted, whether it is
commercial or government. Then you'll see a bunch of those in short
succession. Then there will be a big push to introduce
security."
In a
recent survey by the Computing Technology Industry
Association Inc. (CompTIA), an Oakbrook Terrace, Ill.-based
provider of vendor-neutral certifications, 50% of 350 SMBs said
they trust the security offered by IP telephony vendors. This
number was up slightly from 48% last year.
Steven Ostrowski, director of corporate communications at
CompTIA, said concerns about security should provide an opportunity
for vendors and resellers who can show they have the expertise to
protect customers.
Smaller businesses are relying on solution providers or
value-added resellers and system integrators to provide guidance.
"They're looking to them to make sure their total security solution
is in place -- that not just email, but all voice and data
communications are secure," he said. "On the one hand it's a
challenge for solution providers to address the issue. On the other
hand, it might be an opportunity for them to increase their
business if they can show they have the expertise and can protect
networks."
Voice is just as vulnerable to exploits as data communication,
Ostrowski said, "because at the end of the day it's running over an
IP network and it's 'packetized' data."
One analyst was surprised by how many SMBs said they felt VoIP
was secure.
"I would say that number is extraordinarily high to me," said
Gary Chen, an analyst at The Yankee Group, a Boston-based research
firm. "Right now there is no VoIP security, because people haven't
thought about it."
Chen said the population of VoIP users is still too small to
attract the attention of hackers. But it's only a matter of
time.
"It's going to come," he said. "When the population is there,
hackers will go for it."
Chen said some VoIP vendors and some third-party security vendors
are helping secure VoIP installations, but it's still a new area
for most of them. There is little incentive to sell it, since
customers aren't demanding it.
"It's going to be a big attack that gets a lot of attention that
drives the market forward," he said.
Chen said there are a variety of ways hackers could attack a
VoIP phone system. A simple, but effective exploit would be an
old-fashioned
denial-of-service attack. A hacker could
paralyze a company's IP phone system and demand a ransom.
"You could also take over people's accounts and make calls and
charge it to someone else," he said. "You can also take over a
number and use that in some sort of phishing scam, where people
think they're calling and talking to a bank, but they're talking to
someone else."
Let us know what you think about the story; email:
Shamus McGillicuddy,
News Writer