Voice over Internet Protocol (VoIP) has established itself as the heir-apparent technology to replace traditional telephony. The key drivers motivating businesses to transition to VoIP are cost savings and productivity enhancements: VoIP reduces total cost of ownership and facilitates the convergence of telephony with messaging applications. But in making the move to VoIP, some organizations have overlooked the security threats that come with IP-based transmission of voice calls, and the consequent impact on their ability to comply with privacy regulations.
In the financial sector in particular, this is a subject of growing concern. Financial institutions subject to legislation such as the Gramm-Leach-Bliley Act in the U.S. need to ensure full protection of customer information against security breaches that compromise confidentiality and privacy.
In a 2005 letter to U.S. financial institutions (FIL-69-2005) Michael Zamorski, former Director of Supervision and Consumer Protection at the Federal Deposit Insurance Corporation (FDIC), remarked on VoIP security risks: “VoIP is susceptible to the same risks as data networks that use the Internet... Configuration weaknesses in VoIP devices and underlying operating systems can enable denial of service attacks, eavesdropping, voice alteration (hijacking), and toll fraud (theft of service), all of which can result in the loss of privacy and integrity.”
Unauthorized Access
Exploits that let an attacker gain unauthorized access to services or information are among the greatest risks, and a major concern for banks and credit card companies today. They can result in the loss of sensitive customer information or corporate secrets, and even identity theft. Some examples:
• Registration hijacking: the attacker registers a contact of his own against a legitimate user's address-of-record, so that user's inbound calls are routed to the attacker
• Caller ID spoofing: the calling number or From header is forged so the call appears to come from a trusted party
• Toll fraud (theft of service): a compromised PBX or user account is used to place long-distance or premium-rate calls at the institution's expense
• Data theft: eavesdropping on unencrypted signaling or media to capture account numbers, PINs and other customer data spoken or keyed during a call
• Voice phishing (vishing): social-engineering calls, often with spoofed caller ID, that trick customers into disclosing credentials
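To make the first item concrete, the following is an added Python example (it is not code from the article or from VoIPshield): a minimal SIP registrar that accepts REGISTER requests and shows how, without authentication, anyone on the network can overwrite a user's binding and receive that user's calls, and how a check of the RFC 3261 Digest response (the MD5 scheme of RFC 2617, no qop) stops it. The domain bank.example, the user alice and her password, the one-time nonce handed out by a `challenge()` call (standing in for the 401 WWW-Authenticate round trip), and the sample messages are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example (not from the article): a toy SIP registrar that
# demonstrates registration hijacking and the Digest check that prevents it.
REALM = "bank.example"            # assumed SIP domain
USERS = {"alice": "s3cret-pw"}    # hypothetical credential store


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """Digest response without qop, as RFC 3261 borrows it from RFC 2617."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def parse_request(raw):
    """Split a SIP request into (method, request-URI, {header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def parse_digest(value):
    """Parse 'Digest k="v", k2="v2"' into a dict (values with commas not handled)."""
    scheme, _, params = value.partition(" ")
    if scheme != "Digest":
        return None
    out = {}
    for part in params.split(","):
        k, _, v = part.strip().partition("=")
        out[k] = v.strip('"')
    return out

class Registrar:
    def __init__(self, require_auth):
        self.require_auth = require_auth
        self.bindings = {}    # address-of-record -> contact URI
        self.nonces = set()   # outstanding one-time nonces

    def challenge(self):
        """Issue a nonce (in real SIP this travels in a 401 WWW-Authenticate)."""
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def register(self, raw):
        method, _uri, h = parse_request(raw)
        if method != "REGISTER":
            return "405 Method Not Allowed"
        aor, contact = h["to"], h["contact"]
        if not self.require_auth:               # the weak configuration
            self.bindings[aor] = contact
            return "200 OK"
        auth = parse_digest(h.get("authorization", ""))
        if auth is None:
            return "401 Unauthorized"
        user, nonce = auth.get("username"), auth.get("nonce")
        if auth.get("realm") != REALM or user not in USERS or nonce not in self.nonces:
            return "401 Unauthorized"
        self.nonces.discard(nonce)              # single-use nonce: no replay
        expected = digest_response(user, REALM, USERS[user], method,
                                   auth.get("uri", ""), nonce)
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return "403 Forbidden"
        if aor != f"sip:{user}@{REALM}":        # alice may not rebind bob
            return "403 Forbidden"
        self.bindings[aor] = contact
        return "200 OK"

def build_register(aor, contact, auth=None):
    hdrs = [f"REGISTER sip:{REALM} SIP/2.0",
            f"To: {aor}", f"From: {aor}", f"Contact: {contact}"]
    if auth:
        hdrs.append("Authorization: " + auth)
    return "\r\n".join(hdrs) + "\r\n\r\n"

def digest_header(user, password, nonce, uri=f"sip:{REALM}"):
    resp = digest_response(user, REALM, password, "REGISTER", uri, nonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')

def hijack_scenario(require_auth):
    """Alice registers; an attacker then tries to rebind Alice's address-of-record.
    Returns (reply to plain REGISTER, reply to REGISTER with guessed password,
    final contact bound for alice)."""
    reg = Registrar(require_auth)
    alice = f"sip:alice@{REALM}"
    reg.register(build_register(alice, "sip:alice@10.0.1.20",
                                digest_header("alice", "s3cret-pw", reg.challenge())))
    r1 = reg.register(build_register(alice, "sip:alice@10.0.9.99"))
    r2 = reg.register(build_register(alice, "sip:alice@10.0.9.99",
                                     digest_header("alice", "guess", reg.challenge())))
    return r1, r2, reg.bindings[alice]

if __name__ == "__main__":
    print("no auth:  ", hijack_scenario(False))
    print("with auth:", hijack_scenario(True))
```

With `require_auth=False` both of the attacker's requests get 200 OK and alice's calls now terminate at 10.0.9.99; with the Digest check in place the unauthenticated request is challenged, the guessed password is rejected, and the original binding survives. Two details matter in practice: the nonce is consumed after one use so a captured Authorization header cannot be replayed, and the registrar refuses to let a valid user rebind someone else's address-of-record.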
Some institutions believe their VoIP system is not susceptible to attack because it is confined to an internal local area network (LAN). This is a myth: voice and data networks are rarely completely segregated, so an attack that starts on the data network (for example, from a workstation compromised by malware) can reach the voice network as well.
So just what measures must banks and other financial institutions adopt? What steps must they take to address security threats, protect the confidentiality of customer information and ensure compliance with industry privacy regulations?
Best practices
In an attempt to develop information security standards for federal agencies and regulated industries such as financial institutions, organizations such as the National Institute of Standards and Technology (NIST) and the VoIP Security Alliance (VoIPSA) have articulated best practices for voice over IP network security. NIST Special Publication 800-58, Security Considerations for Voice Over IP Systems, for example, provides detailed guidance on VoIP security.
While best practices like these have been publicized, industry research reveals that U.S. enterprises are lagging in implementation of VoIP security measures—despite widespread proliferation of the technology. A 2008 survey conducted by In-Stat found that while 80 percent of respondents had deployed some type of VoIP solution in their company, more than 40 percent had no specific plans for securing their VoIP infrastructure. At the same time, most indicated their organization had a budget in place for network security.
VoIP and IT audits
Currently, examiners who conduct IT audits may or may not look at VoIP as part of their evaluations. Increasingly, however, VoIP will be a factor.
The technology has already been incorporated into the FDIC’s standard IT Examination Officer’s Questionnaire. In conducting their work, IT examiners review the security mechanisms and controls financial institutions have in place to secure their computer systems during interactions between employees and customers. They seek to affirm the integrity, confidentiality and availability of the system, as well as compliance with federal laws and agency guidelines. As VoIP enters into the security equation more and more, examiners will begin to assess additional elements such as the nature of a VoIP deployment and the existence of any gaps in voice-data network topology that could be exploited.
Remaining accountable
Financial institutions are not the only enterprises that will need to prepare for this type of scrutiny. With the evolution of rules and regulations governing security and privacy of information—legislation such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), and the European Union’s electronic communications regulations—organizations in all sectors will need to devote greater attention to VoIP as an integral part of their network security plan.
Rick Dalmazzi is President & CEO of VoIPshield Systems (www.voipshield.com), a leading provider of VoIP auditing and security products. He can be reached directly by phone at 613-224-4443 x201 or via email at rdalmazzi@voipshield.com.