How important is security to enterprise technology management? In a recent survey by Gartner, enhanced security is at the top of the CIO agenda in 2005. With voice platforms now integrated into the corporate network, and voice applications entrenched in everyday business operations, the burden of safeguarding voice systems now lies within the IT domain.
White Paper
Voice Network
Security-Strategies
for Control
Susan AndersenJanuary 2006Next generation communications systems, such as VoIPVoice Network Security and multi-media servers, require the deployment ofHow important is security to enterprise technology additional hardware devices, protocols, and applications,management? In a recent survey by Gartner, enhanced which increase the complexity and the number of access1security is at the top of the CIO agenda in 2005 . With points requiring management. Further, the transmission ofvoice platforms now integrated into the corporate voice packets over corporate networks and the Internetnetwork, and voice applications entrenched in everyday introduces a new issue-content privacy. With voicebusiness operations, the burden of safeguarding voice systems on global networks, security threats now comesystems now lies within the IT domain. from anywhere.
Rapid changes in telecommunications networks havecreated significant concerns for fraud detection and The costs of security breachesprevention, system abuse, unauthorized access, and Translating security breaches into real dollar costs is acontent privacy. Voice systems, which encompass difficult undertaking. Certainly, toll fraud costs can betraditional PBXs, VoIP and multi-media servers, voice quantified, since they can be identified from bills frommessaging and unified messaging platforms, and voice long distance vendors. Security costs arising fromgateways, have evolved from closed and standalone to compromised systems or outages are difficult to quantify,open and integrated in corporate networks. The evolution but generally equate to significant costs in terms ofand increased complexity of these systems, combined personnel time, employee productivity, and financialwith the migration to IP, has direct implications for revenue losses. Costs arising from lost or stolen companysecurity management. information are also a factor to consider. For example, anemployee that has left a financial services company canstill access a voice mailbox and receive broadcastHow real is the threat? messages that are sent to a distribution list. Or a sensitiveSecurity experts agree that voice systems are open and voice message that is transmitted across a network can bevulnerable to security breaches. They have even stated decoded and compromised. The costs to remedy andthat companies focus less on securing voice-messaging close security breaches usually exceed the cost ofplatforms than on other network components, leaving securing systems at implementation.them vulnerable to attacks. In fact, the threat is oftenunderestimated. Points of entryCorporate executives at Hewlett Packard learned a painful The voice network no longer is a set of separate, disparatelesson in voice security in March 2002. A voice mail, systems housed in switch rooms. The enterprise voicecontaining sensitive information about the HP/Compaq network consists of a common network infrastructure,merger from then CEO Carly Fiorina, to the company CFO, with multiple access points for end users, administrators,was intercepted and sent to a newspaper. Security experts and applications software. Access points circumventhave narrowed down the cause of the breach to either a firewalls.successful crack of the CFO's mailbox password or tograbbing a file from the voice-messaging server. PBX Trunks
The Internet has only served to exacerbate security Switch toll fraud and abuse arises from external hackersvulnerabilities. An Internet search using the keywords who try to enter vulnerable access points such as PBX"security" and "voice mail" will produce over a dozen links trunks and stations. For example, a hacker dials into a PBXto organizations with published directions on accessing and randomly tests trunk access codes to seize antheir internal systems. In fact, telephone access numbers outgoing trunk using touch pad signals. Once the trunk isand even default passwords are posted to the public seized, telephone calls can be made to any long distancedomain. With little effort, an individual can identify the number.corporate numbering plan and systematically go through amailbox range to find an un-initialized mailbox, and then Direct Inward System Access (DISA) portsuse the default password to gain access. These are physical ports on PBXs intended for remoteAdministrators of telephone systems have always had to access by employees with proper autho... [download for more]
