“Eavesdropping is taking place, and people don’t realize it,” says Stan Quintana, managed security services vice president for AT&T. Because companies don’t always encrypt their VoIP traffic all the way to the end users, “there is substantial exposure to intercepting that conversational data and monitoring it,” he adds.
Carriers are beefing up their VoIP security services, and demand for these offerings is growing as more VoIP vulnerabilities come to light.
High-profile attacks against VoIP systems are helping drive this market. In early June, for example, two men were arrested and charged with routing approximately 500,000 calls illegally over the network belonging to Net2Phone, a Newark, N.J., VoIP provider. Fifteen Internet phone companies reportedly were victims of the scam.
To combat this type of fraud and other threats, network managers are turning to service providers for security reviews and tests of their VoIP systems. Among the carriers offering VoIP security assessments are Verizon Business and AT&T, while Sprint offers services through Lucent’s Worldwide Professional Services Division.
“There is more demand for these services, because there is more discussion of VoIP security,” says Will Stofega, research manager for VoIP services at IDC. “One or two years ago, the discussion of VoIP security risks was theoretical. What we’re going to start seeing is the threat of moving from theoretical to reality.”
VoIP systems are vulnerable to the same threats as data networks, including denial-of-service attacks, viruses, spam and theft, as well as the risks of fraud and privacy invasion that plague traditional voice systems, experts say.
“Attackers like to go after bigger targets,” says Cindy Bellefeuille, director of security solutions at Verizon Business. “We anticipate that as the adoption of VoIP systems grows — and we’re seeing it grow rapidly — the number of threats will proliferate.”
VoIP systems add risks to networks because they bring in new hardware, software and applications. Another threat is the coexistence of regular telephone and VoIP networks during the transition to this new technology, experts say.
“VoIP security and VoIP assessments are one of the biggest questions we get from potential customers,” says Stan Quintana, managed security services vice president for AT&T.
AT&T has been offering VoIP security assessments for more than two years through its professional-services arm. These assessments analyze VoIP system architecture, policies, business continuity plans and vulnerabilities.
“We have quadrupled our demand for these services compared to two years ago,” Quintana says, adding that demand is coming from financial services, pharmaceuticals and vertical industries “across the board.”
Verizon Business announced in June enhancements to its VoIP Security Assessment Service, which dates to predecessor MCI’s acquisition of NetSec, a security services firm, in 2005. This service can be purchased before going live with a VoIP system or on an ongoing basis.
