What keeps IT up at night?

Look in the mirror: those bags under your eyes, that sallow skin, the haunted look. You must work in IT. Between keeping the network running and dealing with hackers, slackers, and clueless managers, it's a wonder you get any rest at all.

But if you think you're losing sleep now, just wait. A batch of new problems is about to make a good night's sleep even more elusive. Nightmare scenarios include VoIP security breaches, scary data leaks, rogue software infestations, configuration calamities, and creepy compliance concerns. By all accounts, there's good cause to sleep with one eye open.

Things That Go VoIP in the Night

In November 2004, Edwin Andres Pena allegedly paid suspected computer hacker Robert Moore $20,000 to steal more than 10 million minutes of VoIP telephone service so Pena could resell them to unsuspecting customers. But the hacker didn't attack Vonage or any of the second-tier VoIP providers. He went after an investment firm in Rye Brook, N.Y., which had no clue its network had been hacked.

As enterprises increasingly replace segments of their traditional phone systems with VoIP, they put themselves at risk for what Covergence CTO Ken Kuenzel calls "phone flu" -- attacks that target weaknesses in the Session Initiation Protocol that VoIP applications employ.

"The problem is we've not yet applied the same security principles and models to the SIP protocol that we have to HTTP and SMTP," says Kuenzel, whose company sells VoIP security solutions. "It's a situation where systems are vulnerable to all sorts of attacks and intrusion."

Click for larger view.

Aside from denial or degradation of service, VoIP attackers could eavesdrop on your calls or steal passwords and other sensitive information. They could also record voice packets and inject them into other conversations -- conceivably, capturing your voice saying "buy" or "sell" and playing it back to an employee during a call. And once they're in, little can prevent them from accessing the rest of your network.

 "With VoIP, it's significantly easier to disrupt communications from remote locations," says Richard Telljohann, manager of security software at IBM Tivoli. "The same worm that takes out your e-mail system can also take out your phones."

WorldxChange, a New Zealand VoIP provider, uses Covergence's Eclipse software to secure VoIP service for its commercial and residential customers. Many IT pros fail to take into account the complexity of VoIP deployments, says Phillip Moore, operations manager for WorldxChange. He says they don't pay enough attention to signaling and media security, port restrictions, firewall rules, account access, and provisioning information.

"If IT managers want to sleep better at night, they need to apply the same security practices to voice that they have to e-mail and Web traffic," Kuenzel says. "They know what to do and how to do it, they just need to deploy products that bring these new apps in line with their tried-and-true security models."

The Data Leak Under the Bed