The changing face of SIP security

Over time, any security product becomes vulnerable and at risk because of the ever changing technology environment. This means that simply deploying security once and then either infrequently or never updating it is an inherently flawed solution. So, when any switched-on organisation is updating anti-virus and anti-malware solutions, why is SIP security still based on a one off Session Border Controller (SBC)?

As security breach cases continue to grow rapidly, I encourage organisations to treat SIP security with the same urgency as anti-virus and infrastructure hardening before it’s too late.

The attacks continue

It’s impossible to miss the frequent large scale security attacks being covered in the news lately. The theft of 15 million T-Mobile customers’ data from credit checking firm Experian, the exposure of the personal data of US based Uber drivers, and the denial of service attack on HSBC are all examples of the reputable companies hackers are able to infiltrate.

In what is a constantly developing threat environment, any inconsistency in a security policy creates a vulnerability that, if detected, will be quickly exploited. What’s more, customers are now very aware of security risks and an attack can instantly ruin an organisation’s reputation. This knowledge has forced the majority of organisations to update anti-virus and anti-malware solutions however, this mindset has failed to convert into SIP trunking.

Failure to update the security product means that as soon as it is deployed, its ability to protect the organisation begins declining from day one. From denial of service to toll fraud, VoIP calls routinely fall prey to attacks and its time to ask why network providers and security vendors continue to play down the risk of unprotected SIP.

Static security

The process for web security and email is well established now. Organisations recognise the developing vulnerabilities and therefore the associated security is updated routinely to defend against these. Purchasing reliable security now means not only buying a product but also investing in a vendor’s continuous research into threats and commitment to also take emergency action when a new hack emerges.

Toll fraud and denial of service cost businesses £25.5 billion every year globally - £1.2 billion in the UK alone. Despite this, vendors often imply that once protected with one-off hardware, the communications network and infrastructure is impregnable. This obviously isn’t the case. Every year, hackers are undertaking new methods in the hope of finding a way in, meaning any organisation that has left SIP ports open is likely to be found out and compromised quickly.

In a recent report, security consultancy Nettitude found that with attacks on UK businesses, VoIP servers represented 67 per cent of all recorded. In contrast, SQL was the second most attacked service accounting for only 4 per cent of the overall traffic. These attacks range from eavesdropping on sensitive communications with intent to harass or extort to misrepresenting identity, authority, rights and content. According to the NEC, a massive 84 per cent of UK businesses are considered to be unsafe from hacking, which can result in huge phone bills and threats.

Get ahead with SIP

Adoption of VoIP is now at its highest and by 2020 the cybersecurity market is estimated to be worth $170 billion (£120 billion). Despite this, there remains a strong focus on email, desktop, and web services security, and SIP security investment remains low. As security develops in other sectors, hackers will be drawn to the easiest route of attack, and this lack of VoIP protection will be an easy choice.

SBCs provide a base level of security, but just like any other product it needs to be developed and updated. All providers need to be continuously undertaking research to deliver a real time, reactive and intelligent level of security to protect against these growing threats.

Any successful security needs a constant process of change in line with the evolving threat landscape. The responsibility is on both vendors and businesses to ensure they are safeguarding customers data and protecting their own business against costly attacks. Static security no longer works and its time for the SIP security industry to embrace a process of evolution and protect users today and for the future.

Paul German, CEO, VoipSec

Image Credit: Shutterstock/Florence-Joseph McGinn