The information security bandwagon has been popular for a few years now – VoIP is the latest addition, but the focus is in the wrong areas.
The biggest problem with VoIP security is static passwords.
Patching phones, VLANs, QoS, and a secure network all sound great, as ComputerWeekly recently reported in “VoIP security safeguards – they may be there already”. This piece is great for Cisco: one must buy equipment that supports VLANs and QoS.
But this line of thinking rests on two wrong assumptions: that the network is secure and that the traffic won’t leave the managed network. Neither holds for VoIP as soon as people want to call other people.
Companies need to assume that the network is insecure and out of their control. Most of the path is out of their control anyway as soon as calls go out over the Internet.
When using static passwords on an insecure network, it is only a matter of time before they are compromised.
Most companies already have password change policies or are moving away from passwords toward two-factor authentication with the rest of their IT infrastructure.
But most IP phones and Internet Telephony Service Providers (ITSPs) still don’t support password rotation or two-factor authentication. Most don’t even support call encryption.
Hardware vendors need to consider adding two-factor or Public Key Infrastructure (PKI) authentication support to their hardware. On-device private key generation, so the key never leaves the phone, would be ideal.
Companies thinking of moving to VoIP, or already using it, should consider how their phones authenticate before the next SOX audit.