Look in the mirror: those bags under your eyes, that sallow skin, the haunted look. You must work in IT. Between keeping the
network running and dealing with hackers, slackers, and clueless managers, it's a wonder you get any rest at all.
But if you think you're losing sleep now, just wait. A batch of new problems is about to make a good night's sleep even more
elusive. Nightmare scenarios include VoIP security breaches, scary data leaks, rogue software infestations, configuration
calamities, and creepy compliance concerns. By all accounts, there's good cause to sleep with one eye open.
Things That Go VoIP in the Night
In November 2004, Edwin Andres Pena allegedly paid suspected computer hacker Robert Moore $20,000 to steal more than 10 million minutes of VoIP telephone service
so Pena could resell them to unsuspecting customers. But the hacker didn't attack Vonage or any of the second-tier VoIP providers.
He went after an investment firm in Rye Brook, N.Y., which had no clue its network had been hacked.
As enterprises increasingly replace segments of their traditional phone systems with VoIP, they put themselves at risk for
what Covergence CTO Ken Kuenzel calls "phone flu" -- attacks that target weaknesses in the Session Initiation Protocol that
VoIP applications employ.
"The problem is we've not yet applied the same security principles and models to the SIP protocol that we have to HTTP and
SMTP," says Kuenzel, whose company sells VoIP security solutions. "It's a situation where systems are vulnerable to all sorts
of attacks and intrusion."
Aside from denial or degradation of service, VoIP attackers could eavesdrop on your calls or steal passwords and other sensitive
information. They could also record voice packets and inject them into other conversations -- conceivably, capturing your
voice saying "buy" or "sell" and playing it back to an employee during a call. And once they're in, little can prevent them
from accessing the rest of your network.
"With VoIP, it's significantly easier to disrupt communications from remote locations," says Richard Telljohann, manager
of security software at IBM Tivoli. "The same worm that takes out your e-mail system can also take out your phones."
WorldxChange, a New Zealand VoIP provider, uses Covergence's Eclipse software to secure VoIP service for its commercial and
residential customers. Many IT pros fail to take into account the complexity of VoIP deployments, says Phillip Moore, operations
manager for WorldxChange. He says they don't pay enough attention to signaling and media security, port restrictions, firewall
rules, account access, and provisioning information.
"If IT managers want to sleep better at night, they need to apply the same security practices to voice that they have to e-mail
and Web traffic," Kuenzel says. "They know what to do and how to do it, they just need to deploy products that bring these
new apps in line with their tried-and-true security models."
The Data Leak Under the Bed
It seems you can't open a newspaper without encountering yet another story about a calamitous data leak. Bank of America,
ChoicePoint, Citibank, Ernst & Young, the Veterans Administration, Wells Fargo -- all have collectively misplaced millions
of records over the past two years.
Bob Gligorea knows about data leaks from both sides. As information security officer for Exchange Bank, he's responsible for
ensuring that the bank's data stays where it's supposed to -- in the bank. But he also was the victim of a data spill last
February, when the American Institute of Certified Public Accountants lost a hard drive containing 330,000 unencrypted Social
Security Numbers, Gligorea's included. His consolation prize? One free year of credit monitoring.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
