Better be, if you're moving to VoIP, according to David Endler, director of security research at TippingPoint, a developer of intrusion prevention systems. That's because the technology is becoming a sexy target for hackers. "It's what happens when an app comes to be considered a killer app," said Endler.
Fuzzing is a kind of denial of service attack in which a hacker sends malformed data packets to a VoIP system, causing it to crash. Footprinting is a technique that the black hatters employ to gather information about a VoIP network using search engines like Google.
Among other things, phone extensions for a corporate VoIP network can often be found on Google, Endler cautioned--great for a little social engineering. (BTW, I hate the term "social engineering." Let's call it what it is: Lying to people to get them to divulge information they otherwise wouldn't.)
Endler likened SIP enumeration--where hackers look for vulnerable ports on a network--to a burglar checking for unlocked doors on a house. Once inside, they can glean all sorts of valuable data from a VoIP system. Certain tools can even recreate conversations that took place on a VoIP network.
That's pretty handy if you want advance notice on, say, a big corporate merger.
At the same session, Mark Collier, CTO at VoIP management vendor SecureLogix, said the two biggest sellers of VoIP systems--Cisco and Avaya--could improve their security methods.
"Avaya could do a better job of not putting juicy things in TFTP files…like passwords," said Collier. VoIP users usually need to download those Trivial File Transfer Protocol files to set up their systems out of the box.
Collier also noted that the default settings on Avaya and Cisco systems leave many access services turned on. "That leaves it up to the user or integrator to make sure things are set up properly," said Collier.
VoIP systems can be vastly more flexible and economical than traditional corporate PBX phones. But here's the bottom line: if they're exposed to the Web, they require the same attention to security that other critical network systems receive.
VoIP security, said Collier, "is a real issue."
Collier and Endler operate a Web site devoted to VoIP security topics.