VOIP Security: Vulnerabilities and ExploitsVOIP Security: Vulnerabilities and Exploits

About a week ago, a member of my household who shall go nameless left both the sliding door and the screen door to the patio wide open for about 2 hours. When this individual returned and saw the doors open, panic ensued, only to dissipate when the cats were found sprawled in the family room a few feet from the opening, displaying no interest in taking advantage of the situation. "So, this is the new system?" asked Angus. "You might want to think about closing that next time," Foo added helpfully.

About a week ago, a member of my household who shall go nameless left both the sliding door and the screen door to the patio wide open for about 2 hours. When this individual returned and saw the doors open, panic ensued, only to dissipate when the cats were found sprawled in the family room a few feet from the opening, displaying no interest in taking advantage of the situation. "So, this is the new system?" asked Angus. "You might want to think about closing that next time," Foo added helpfully.It's a security best practice to close at least one of the sliding doors to the patio, and if you don't follow that best practice, little else matters. The same is true in VOIP security.

Over at Nortel's excellent, vendor-neutral VOIP security blog, Lawrence Dobranski takes up the topic that, "Vulnerabilities Are Not Compromised Systems." In other words, saying that a given system is vulnerable to a certain attack doesn't mean that the vulnerability inevitably will be exploited.

Certainly that was true in our case: Cats stayed in, burglars stayed out. The situation could have been exploited, not because our house is inherently insecure, but because a best practice wasn't followed.

In his post, Lawrence Dobranski refers back to a Channel Web article that I linked to last week, and dissects the likelihood of an attack succeeding against certain vulnerabilities. For Dobranski, much of this comes down to whether the relevant "threat vectors"--i.e., means of exploiting the vulnerability--are blocked. The way of ensuring that the threat vectors are blocked is by following best practices.

Knowing and then implementing best practices, however, is table stakes for enterprise network managers. I think that understanding where the vulnerabilities lie is, in fact, critical here, and I tend to think that Mr. Dobranski's separation of the issue into vulnerabilities and exploits is a distinction without a meaningful difference. He writes about the exploit described by Channel Web:

I don't think it's entirely a coincidence that the Channel Web article is based on an interview with VOIPShield, a company that has butted heads with Nortel and other IP-PBX vendors for their announcements of vulnerabilities in these vendors' products--announcements that, in the past, have come before the vulnerabilities were fixed.

Of course, VOIPShield is trying to sell a product, and therefore has an interest in making sure that network managers hear about vulnerabilities in systems. It's the network manager's job to think through the vulnerability reports as carefully as Mr. Dobranski does in this post, so that the network manager can determine the best approach to mitigation--based on threat vectors vs. (or in combination with)vulnerability patching.

I agree with the Nortel blog that you don't want to overhype the threat by assuming every vulnerability will be exploited. But I also think it's getting close to shooting the messenger if you blame VOIPShield for bringing the subject up. Network managers and security experts can make prudent decisions about threat mitigation, but they need all the facts, and that includes understanding where the vulnerabilities are.