
Securing UC: There are Ways, but Where's the Will?

One of the greatest obstacles to increasing security hasn't changed: The industry's failure to bake security into a product or service from the very start.

Fred Knight

June 13, 2011



Having endured a winter that seemed like it would never end, and a spring that has been notable primarily for tornados, floods, forest fires and the White Sox doing a sad imitation of the Cubs, I've been waiting for some good news. Unfortunately, I'm still waiting. Every time I browse a newspaper or listen to a newscast, I'm bombarded by stories of yet more hacker attacks.

There's nothing new about cyber-attacks/crime; for years, we've known that the break-ins that make headlines are just the tip of a ginormous iceberg. But the scope of the recent attacks has been breathtaking and reveals how vulnerable our collective cyber-underbelly has become. The hack of the RSA tokens affected millions of computer users around the globe, including Lockheed Martin, the largest U.S. defense contractor; similarly, cracking Sony's Playstation Network exposed that product's vast customer base. The list goes on and on, and is already depressingly familiar.

Closer to home, in the communications space, the pace and ferocity of attacks has also picked up. Here are just a few of the bullets on Sipera's update on communications security break-ins:

* 50% increase in attacks from 2009 to 2010 from hackers targeting enterprise UC servers (source: VIPER Lab honeypots).
* Now up to 25% of all hacking attacks in the wild (open Internet) are against the voice and UC vector, up from single digits in previous years (rest of attacks are classic database and network layer attacks).
* An attack against VoIP takes place every 2.5 minutes during peak periods (source: VIPER Lab).
* More than 20,000 exploits and threats against VoIP and UC are now identified.
* Toll fraud, services theft:
--More than 2,200 enterprises in the US compromised by a single team of hackers in voice toll fraud attacks that stole $55 million (source: US Federal Bureau of Investigation).
--Romanian hacking ring hit businesses with VoIP attacks stealing 11 million Euros (source: European Law Enforcement authorities).
--Thousands of examples of enterprises compromised because of inadequate SIP trunk and VoIP server protection (sources: multiple, including Network World magazine, Unified Communications magazine, Comms Business Magazine, FierceVoIP, others).
--"Call walking" reconnaissance attacks and scanning attacks make up the majority of VoIP attacks against enterprises, and are the precursor to toll fraud.
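Call walking is the reconnaissance step in that last bullet: an attacker dials a block of extensions in sequence and uses the PBX's responses to learn which ones exist before attempting fraud. Because the pattern is so regular, it is also one of the easier things to detect on the defender's side. The following Python is an added example, not code from the article or from Sipera or VIPER Lab; it runs over a constructed, hypothetical one-INVITE-per-line log format (real PBX or SBC logs differ and need their own parser) and flags a source that places many sequential calls in a short window with mostly failure responses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical log format used only for this example:
#   <ISO timestamp> INVITE from=<source IP> to=<dialed number> status=<final SIP status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) INVITE from=(?P<src>\S+) to=(?P<to>\d+) status=(?P<status>\d{3})$"
)

# Constructed sample log. 203.0.113.7 (a documentation address) walks extensions
# 2001..2010 at one call every two seconds, getting 404 for unassigned extensions and
# 486 Busy for ones that exist. The 198.51.100.x callers are ordinary users.
SAMPLE_LOG = """\
2011-06-13T10:00:00 INVITE from=203.0.113.7 to=2001 status=404
2011-06-13T10:00:02 INVITE from=203.0.113.7 to=2002 status=404
2011-06-13T10:00:04 INVITE from=203.0.113.7 to=2003 status=486
2011-06-13T10:00:05 INVITE from=198.51.100.20 to=2008 status=200
2011-06-13T10:00:06 INVITE from=203.0.113.7 to=2004 status=404
2011-06-13T10:00:08 INVITE from=203.0.113.7 to=2005 status=404
2011-06-13T10:00:10 INVITE from=203.0.113.7 to=2006 status=404
2011-06-13T10:00:12 INVITE from=203.0.113.7 to=2007 status=404
2011-06-13T10:00:14 INVITE from=203.0.113.7 to=2008 status=486
2011-06-13T10:00:16 INVITE from=203.0.113.7 to=2009 status=404
2011-06-13T10:00:18 INVITE from=203.0.113.7 to=2010 status=404
2011-06-13T10:05:00 INVITE from=198.51.100.21 to=2100 status=486
2011-06-13T10:05:30 INVITE from=198.51.100.21 to=2101 status=200
2011-06-13T10:15:00 INVITE from=198.51.100.20 to=3010 status=200
2011-06-13T10:40:00 INVITE from=198.51.100.20 to=2008 status=200
"""


def parse_log(text):
    """Return a list of (timestamp, source, dialed_number, status) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an INVITE record in the expected format; skip it
        events.append((datetime.fromisoformat(m["ts"]), m["src"],
                       int(m["to"]), int(m["status"])))
    return events


def detect_call_walking(events, window=timedelta(seconds=60), min_attempts=8,
                        min_sequential=0.6, min_failed=0.5):
    """Flag sources whose calls inside any sliding window look like extension scanning.

    A window is suspicious when it holds at least min_attempts INVITEs, at least
    min_sequential of the consecutive dialed numbers differ by exactly one, and at
    least min_failed of the calls ended in a 4xx/5xx/6xx response.
    """
    by_src = defaultdict(list)
    for ts, src, to, status in events:
        by_src[src].append((ts, to, status))

    findings = {}
    for src, calls in by_src.items():
        calls.sort()
        n, j = len(calls), 0
        for i in range(n):
            while j < n and calls[j][0] - calls[i][0] <= window:
                j += 1  # j only moves forward, so the scan is linear overall
            span = calls[i:j]
            attempts = len(span)
            if attempts < min_attempts:
                continue
            sequential = sum(1 for a, b in zip(span, span[1:]) if abs(b[1] - a[1]) == 1)
            failed = sum(1 for _, _, st in span if st >= 400)
            if (sequential / (attempts - 1) >= min_sequential
                    and failed / attempts >= min_failed):
                prev = findings.get(src)
                if prev is None or attempts > prev["attempts"]:
                    findings[src] = {
                        "attempts": attempts,
                        "sequential_pairs": sequential,
                        "failed": failed,
                        "first_call": span[0][0],
                        "last_call": span[-1][0],
                        "numbers": (min(c[1] for c in span), max(c[1] for c in span)),
                    }
    return findings


if __name__ == "__main__":
    for src, info in detect_call_walking(parse_log(SAMPLE_LOG)).items():
        print(f"call walking suspected from {src}: {info}")
```

The thresholds are assumptions chosen for the sample data; in practice they are tuned against a site's normal calling patterns, and the same per-source counters can drive a rate limit or block on the SBC rather than just an alert.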

Since Sipera is in the business of selling UC security tools and services, it's not surprising that its website contains data intended to scare the you-know-what out of communications folks. But even allowing for some vendor hype, as UC tools become more widely deployed, they also become a more appealing target to attack.

The unpleasant truth is that the greater the number of communications data flows--voice, IM, text, email, video--the more potential entry points for an attacker. And with a growing percentage of that traffic relying on wireless device and network facilities, exposure increases even more.

The good news is that the industry and IT departments are not starting at ground zero when it comes to network and communications security. There's a lot that we know, as evidenced by a round-table discussion conducted by UCStrategies a few months ago, and you can hear the podcast or read the transcript here.

The areas of emphasis for security, e.g., authentication, identity, auditing, etc., haven't changed but, unfortunately, one of the greatest obstacles to increasing security also hasn't changed: The industry's failure to bake security into a product or service from the very start.

Andy Zmolek, Director, Enterprise Solutions at LG Electronics MobileComm, noted during the UCStrategies round-table, "What I would like to talk about a little bit is the notion that a lot of people have about security, that it's something you can bolt on; it is a feature. And that is really the wrong way of looking at security. There are a few things that you can bolt on that are security related but in general, security is like quality. And it's something that you bake in. And understanding security, particularly in unified communications, has a lot to do with understanding what it is that you are trying to protect, and are the mechanisms that you are using adequate for that kind of protection?"

Zmolek's comment reveals a fundamental truth about security: It's a burden that falls equally on both the vendors and their customers. The vendors have to make security much more integral to the entire product development cycle. Similarly, customers need to make security a fundamental requirement, and to be much more thorough about how they articulate that requirement in RFIs, RFPs, etc.

Not all the bad guys are geniuses, but there definitely is a subset that is both smart and motivated. New security tools, systems and processes are needed, but in the meantime, IT pros and their suppliers can begin to tighten security by heeding the security lessons that have been learned over the past several decades.

About the Author

Fred Knight

Fred Knight was part of the team that launched the VoiceCon Conference in 1990. He served as Program Chairman through 2003 when he also became VoiceCon General Manager. Since then, VoiceCon has grown into the leading event for enterprise IP Telephony, converged networks and unified communications.

Fred led the evolution of VoiceCon from an annual conference into a 12-month per year operation, comprising two major conferences, VoiceCon Orlando and VoiceCon San Francisco; the VoiceCon Webinar series; and two e-newsletters, VoiceCon eNews and VoiceCon UC eWeekly.

From 1984 to 2007 Fred was editor and then publisher of Business Communications Review. During that period, he covered the tumultuous changes that dramatically reshaped the industry. Under his stewardship, BCR received numerous awards from industry and publishing groups and associations.

In December 2007, BCR ceased publication and the editorial product shifted to the Web with the creation of a new website: NoJitter.com. Fred has managed the organization's migration from print to electronic publishing and serves as publisher of NoJitter.com.

Fred earned his BA in journalism at the University of Minnesota and a Master's Degree in public administration from The Maxwell School, Syracuse University.