VoIP Security
Voice over Internet Protocol (VoIP) security is an emerging issue now, but it is only a matter of time before the risk rises to a level which demands action. VoIP is susceptible to the same dangers as data networks that use the Internet. At risk: any telephone conversation traveling on the company network; sensitive information; deals; strategies; and company secrets.
In July, 2005, Internet Security Systems (ISS) issued an alert to warn users of a security flaw in Cisco's VoIP product which could permit hackers undetected entry to a VoIP network. ISS found an implementation flaw in Cisco's Call Manager, which handles call signaling and routing.
In a financial institution guidance letter, the Federal Deposit Insurance Corp. (FDIC) cautioned banks on VoIP security risks: "If improperly implemented, VoIP can pose significant operational risks to financial institutions." The FDIC advised management to "perform a comprehensive risk assessment before implementation to ensure the confidentiality, integrity and availability of voice communications using VoIP technology."
The National Institute of Standards and Technology issued a report stating that federal agencies and other organizations that are considering switching their telephone systems to VOIP should proceed with caution and carefully consider the security risks
Most corporate VoIP systems are closed, with no Internet connection, and thus do not yet face major security threats. Nonetheless, many organizations are already considering ways to secure their VoIP networks. In addition, employees can download and use VoIP programs like Skype. This type of peer-to-peer program allows free computer to computer VoIP calls over unprotected Internet connections. Employees may find these programs convenient, and management may overlook legitimate use of the program because of the cost savings, but those calls are open to hackers. To address this risk, some companies block the download of such programs, and monitor the software installed on employee computers.
Posted by Brian Wong
the main issue is not today but how to plan for the future. It doesn't matter if the VoIP systems are currently not connected to other carriers or companies. Soon or later they will. It was like that with the LANs, WANs (now VPNs) and a lot of other systems.
It seems that nobody like to learn from the past