www.canadiansecuritymag.com

Impact of VoIP goes beyond the network

Voice over IP (VoIP) is slowly but surely infiltrating enterprise customer contact centres. About 50 per cent of contact centres are expected to be IP-based by 2010, according to Nortel. A security mind-shift will need to accompany the transition as voice and data systems merge. Physical security, agent training, securing off-site teleworkers: VoIP will have far-ranging impacts beyond network security.




April 11, 2008
By Rosie Lombardi

While VoIP attacks are still rare today, these are expected to increase by 50 per cent in 2008, according to McAfee research. The prediction is based on extrapolation of recent trends: more than twice the number of VoIP-related vulnerabilities were reported in 2007 versus the previous year.

“The knowledge to hack into VoIP systems follows the level of VoIP penetration,” says Bogdan Materna, CTO at Ottawa-based security provider VoIPshield Systems Inc. “Hackers lack the experience now, so it’s not that popular. We know cases are happening but affected parties are not going public, and this is one of the issues in the industry. There are no entities like CERT (Computer Emergency Response Team) or surveys to track VoIP incidents like there are for data security breaches.”

From a staffing perspective, security management for integrated platforms introduces new headaches, he says. “Telecom staff understand voice but not IP networks, with IT people it’s the reverse, and security guys know something about IP but voice is foreign to them. These groups have to merge and work together, so just from a process point of view, this can cause security issues.”

Physical security

VoIP networks are vulnerable to all manner of familiar data network exploits such as denial of service attacks, worms, and viruses. While there are best practices for securing converged networks with technology, there are areas of concern outside the network.

Physical security around VoIP is an area that requires rethinking, as many functions become logical ones, says Materna. “The old PBX boxes used to be physically separate systems with a separate telecom group looking after them. But VoIP is just servers and computers running software, so all kinds of new issues – weak passwords, who can access servers to do what – are introduced.”

But traditional physical security measures are still needed. A U.S. National Institute of Standards and Technology (NIST) report warns that even if companies deploying VoIP systems follow all security best practices by installing VoIP-enabled firewalls, intrusion detection systems and voice traffic encryption, they will still need locks and security guards to make sure attackers don’t get access to the servers.

There are also access and role-based issues to consider in a call centre environment, which has sensitive functions that can be more easily abused. The call recording function to monitor quality, for example, can now amass large quantities of calls containing customer information in digital, easily downloaded formats, says Materna.

Other managerial functions are also vulnerable. “Supervisor functions that allow managers to listen in on calls to review how agents interact with customers are software functions in a VoIP system,” says Gary Audin, president of Delphi Inc., an Arlington, VA-based telecom consultancy. “With PBX boxes, this was wired separately with a physical connection, and no one else could use it unless they had access to the physical station. Now that it’s a logical function, anyone who can take on a supervisor role can eavesdrop.” Audin adds that Cisco’s own VoIP system was abused by an employee who used this tactic to eavesdrop on his boss’ discussions about performance evaluations and salaries.

To tackle these shifts in logical and physical security, Nortel best practices recommend general controlled and monitored access to data centers, secure rooms with privileged access and role-based access to VoIP and call centre infrastructure, in addition to audit trails, threat assessment/intrusion detection systems, and securing external access to infrastructure via VPN or other methods for networks.



Human VoIP factors

“VoIP networks are capable of being secured with a layered security architecture – but hackers can bypass all that with social engineering, which defeats all the technology,” says Tracy Fleming, IP telephony practice leader at Avaya Canada. As with data networks, security training will need to be extended to call centre agents to help them resist being tricked into revealing passwords or other access information to hackers masquerading as IT staff once voice and data networks merge.

At the customer end, one profitable new form of social engineering that combines new technology with human trickery is vishing, or phishing using VoIP networks, says Materna. In this new scam, hackers set up a 1-800 number and a fake call centre for a legitimate financial institution, then send e-mails to induce unwitting customers to call and divulge their account numbers, personal identification numbers (PINs) and other information. “All the voice prompts sound the same as their bank, but they’re actually talking to hackers,” he says. “These incidents haven’t been revealed in the public domain, but we’ve heard this has already happened at some banks.”

Materna points out that social engineering tactics are actually easier with voice systems. “Many people don’t trust the Web or e-mail when it comes to providing sensitive information, but they still trust their phones. Now that VoIP is becoming part of the Internet infrastructure, a lot of data security issues are migrating to VoIP.” Customer authentication mechanisms such as PINs aren’t robust enough in this new terrain and will need to be fortified with other mechanisms as VoIP systems proliferate, he adds.

Another important human issue is agent screening. The opportunity to steal customer data and commit fraud increases dramatically with VoIP. Conversations with customers used to disappear into the ether, but voice files containing customers’ financial information can be more easily stolen via downloaded files. In a widely publicized 2006 incident, a call centre agent at an outsourced Indian facility for London-based HSBC bank diverted $424,689 of customer funds into his own account. The press reported with glee that the bank had not conducted a background check on the agent to save $215.
 
The rise of virtual contact centres that connect teleworkers via VoIP systems is another major trend that requires security attention. “These are getting popular, as it’s one of the main advantages of VoIP,” says Materna. By allowing agents to telework from their homes, companies can save on real estate costs and employ staff anywhere.

But along with the benefits come the headaches of securing remote home environments where enterprises have little control. To pre-empt any potential issues, many companies equip remote agents with terminals or web-based stations that don’t run corporate applications locally, says Fleming. “Nothing is left on the computer when transactions are done. Many also have no-printer policies, and we’re even seeing screens where you can only see the information straight-on but not at an angle.”


Voxcom gets VoIP

The ability to tap into labour markets anywhere was one of the main drivers in implementing VoIP at Voxcom’s call centre, says Patti McDougall, manager of quality assurance and telecom services. The Edmonton-based security monitoring company monitors 125,000 residences and small commercial businesses across Canada for intruders, fire, floods and other risks.

Unemployment rates are low in boomtown Edmonton, and the company is looking at ways to attract new employees and retain key talent, she explains. “We started an at-home agent program so we could leverage our technology to accommodate teleworkers and not be bound to any one region for staff.”

Security was a key consideration in developing the program, as a high degree of reliability is required of Voxcom’s agents and systems. “It’s an emergency response call centre, so our operators are responsible for dealing with alarms going off on customers’ panels, be it contacting the customer, police, or medical personnel,” says McDougall.

The company did its due diligence before embarking on the program. “We spoke to many companies doing VoIP at home to identify any issues ahead of time,” she says. Voxcom considered but rejected the idea of allowing staff to use their own home PCs. “We wanted to be able to control the level of access and security,” she says. “The only thing available on a home desktop is the agent software via a VPN connection.”

Voxcom equipped its home agents with PCs that are actually glorified terminals. All processing is done through a terminal server application that links to corporate customer relationship management (CRM) applications where customer information is stored, she says. “Nothing is stored locally so we don’t need to deal with viruses and firewalls. And you can’t see from peripheral vision what’s on the screen.”

In addition, home agents are required to sign an agreement stating the PC will only be used for Voxcom business. “The agreement also outlines expectations, roles and guidelines for working at home, including suggestions for personal safety, for example, if they get injured at home while working. We also do random audits of at-home agents, and we have 100 per cent call recording and 30 per cent screen recordings to check for compliance.”

About 15 of Voxcom’s 100 call centre agents are teleworking, and the company plans to expand the program into other departments and regions in the future, she says. To qualify for the home program, staff must meet certain criteria. “We conduct background checks on all our employees regardless but there’s a second level for home agents. They have to have been with us a minimum of six to 12 months, must meet certain criteria based on quality scores, and can’t have had any disciplinary actions in the past year,” she says.
