As promised, here are my VoIP and Voice security predictions for 2009, limited to just a few key predictions.
1) The poor economy will slow the adoption rate for VoIP and Unified Communications (UC). This will continue to limit the size of the enterprise VoIP deployments for potential hackers to exploit. VoIP/UC will continue to be mostly an internal/campus application where the threat level for attack is low, so deployments will be largely secured along the same lines as other data network applications. Enterprises will continue to primarily use the default VoIP security configurations and will not deploy extra firewalls/IPSs, specialized VoIP security devices, use encryption, or other extra cost/extra effort items.
2) The rate of pure VoIP attacks will be basically the same as 2008. While internal/campus VoIP/UC systems will be deployed with some inherent vulnerabilities, I just don’t believe the rate of attacks will increase, largely because the primary threat is still an internal attacker. I am sure there will be attacks that are not noticed or made public, but I don’t predict an increase in actual published attacks. As I have long stated, the primary voice threats to the enterprise reside at the network edge, where private corporate networks connect to untrusted public networks. Aside from VoIP/UC mostly being an internal/campus application, there just won’t be enough incentive for more attacks.
3) The real voice security story through 2009 will be the continued increase in the types, frequency, and severity of application-level attacks against traditional and VoIP/UC systems. Why? Because the largest threat to the enterprise is attacks from outsiders conducting illicit activities over an unmonitored enterprise voice network edge (the voice DMZ), where private networks connect to service provider networks. Currently, most enterprise voice connections to the service provider network are traditional trunks such as analog, T1, or ISDN/PRIs. Despite the growing numbers of internal VoIP/UC systems over the last few years, the vast majority of these deployments terminate at a media gateway, which converts calls to and from analog, T1, or PRI at the enterprise network edge. Most voice system attacks against enterprises will continue to be application attacks, such as toll fraud, data network penetrations via modems, viruses over unauthorized modem connections, phone-based social engineering and identity theft, fax spam, harassing/threatening calls, etc. There are financial incentives for these attacks, so they will continue and likely grow.
4) There will be a small increase in the adoption of SIP trunks in 2009, but nothing dramatic. Generally when enterprises deploy SIP trunks, they will be using dedicated connections and I believe the threat level for these trunks to be low. I recommend enterprises deploy SIP security, but they shouldn’t have to pay an arm and a leg for it (SIP trunks save money, right?). Where we may see some attacks is at the low end for SIP trunking, where smaller or very cost-conscious enterprises are using the Internet for delivery. In this deployment, the SIP application is exposed to the Internet, where it can be scanned and attacked. Since many of the Internet-based SIP trunk offerings have very little security, this is a place where we may see some attacks. The mass transition from TDM to SIP at the enterprise network edge, along with the method of delivery, is the real lynchpin that will escalate the number and frequency of VoIP attacks in the future.
5) The slowing/static transition to internal VoIP/UC and SIP trunks will be unwelcome news for pure-play VoIP security and enterprise-focused Session Border Controller (SBC) vendors. Several SIP firewall and enterprise SBC ventures have already died on the vine awaiting the great and oft-predicted enterprise TDM exodus and transition to SIP on the edge. The lack of spending for pure VoIP security to drive revenue, coupled with a shrinking pool of available VC funds, will force further consolidation in the VoIP security vendor space.
6) Denial of Service (DoS), including floods, fuzzing, etc., will continue to be the “biggest” vulnerability for VoIP/UC deployments, though attacks will not be very common.
7) I am sure we will see more VoIP security/attack tools, vulnerability disclosures, articles, and possibly books. In general though, I think the level of activity and interest in pure VoIP security will stay about the same as it was in 2008, which I believe was down from past years.
So continue to deploy VoIP/UC where it makes sense, use good data networking practices to secure internal/campus-based VoIP/UC, consider an assessment so you know your risk, and deploy SIP security for any SIP trunking. Even more critically, address application issues like toll fraud, poorly secured authorized modems, unauthorized modem access, social engineering, etc. This is undoubtedly where most of the current risk resides for the enterprise.