The SIP security fallacy
- Published: Friday, 12 February 2016 12:36
Paul German looks at the specific security issues with VoIP session initiation protocol and explains why the risks need to be taken seriously. It’s time to think differently about SIP security: before it is too late…
There is no such thing as static security because all security products risk becoming vulnerable over time as the threat landscape evolves. Any ‘deploy once, update infrequently or never’ security solution is inherently flawed. Which is why every switched on organization routinely updates its anti-virus (AV) and anti-malware solutions, hardens its infrastructure and updates its policies. So why is SIP (session initiation protocol) security still based upon a one off implementation of a session border controller (SBC)?
From denial of service attacks to toll fraud, SIP trunking is inherently vulnerable. And in an era of near continuous security breaches, that vulnerability continues to change and escalate. No technology or communications environment is static: and SIP security should be treated with the same urgency as anti-virus and infrastructure hardening.
The breaches go on
Another day, another security breach. Today’s threat levels are high and, given the constant publicity and public scrutiny, only the most foolhardy organizations would ignore the need to safeguard infrastructure. Yet inconsistencies in security policies and practices are creating new vulnerabilities. Why, for example, are organizations totally committed to continuously updating anti-virus and anti-malware solutions yet will happily install a session border controller to protect VoIP calls and never consider it again?
If there is one thing that every security expert will confirm, it is the continuously changing nature of the threat landscape: and a security product’s ability to safeguard a company declines from day one. In an era of near ubiquitous VoIP calls, when companies are routinely falling prey to toll fraud and denial of service attacks, it is time to ask why network providers and security vendors continue to downplay the vulnerability of SIP.
The deploy once, update many times, model adopted by AV, web security and email security over the past two decades is well established and organizations recognise the clear vulnerabilities associated with failing to update routinely. Companies understand the importance of buying not just a security product but a vendor’s continuous research into emerging threats and a commitment not only to routine updates but also emergency patches in response to new hacking vulnerabilities. In effect, when it comes to a continuously changing security situation, organizations recognise the need to buy products and solutions that utilise research, existing users and community to stay ahead of the hacker.
So, why are other aspects of the communications network and infrastructure, including routers and switches, still subject to the static – implement once, update never – approach? Does this mean these areas are impregnable once protected? While some vendors may like to imply this is the case: it is not. For example, hackers are routinely undertaking port scanning in the hope of finding a way in: any organization that has left SIP ports open is likely to be found out, and compromised, very quickly.
The scale of attack may surprise businesses: security consultancy Nettitude’s recent report revealed that attacks on VoIP servers represented 67 percent of all attacks it recorded against UK-based services: in contrast, SQL was the second most attacked service, accounting for just 4 percent of the overall traffic. With 84 percent of UK businesses considered to be unsafe from hacking according to NEC, the implications are significant and extend far beyond the obvious financial costs of huge phone bills or the increasingly common ‘telephone denial of service’ threats, also known as ransom events used to extort money.
From eavesdropping sensitive communications with malicious intent, such as harassment or extortion, to misrepresenting identity, authority, rights and content – such as modifying billing records – or gaining access to private company and customer contacts, hackers are increasingly looking for more than basic call jacking.
Ahead of the game
The cyber security market is set to be worth $170.21 billion by 2020 (1); with a strong bias towards securing email, desktops and web services. Yet while the adoption of VoIP is now at record levels, SIP security investment remains low. When hackers are looking for the easiest way in, this lack of protection is an open invitation.
The reality is that SBCs provide an entry level of security: but, like any other security product, they need to evolve. And that means SBC providers need to be making a continuous investment in security research and providing routine updates in order to deliver a reactive, real time and intelligent level of security to protect against these new world threats.
Organizations – and providers – need a change of attitude to SIP security. In the evolving threat landscape no one knows what is coming and the onus is on both vendors and businesses to ensure they are in the best possible position to both safeguard data and protect against expensive toll fraud attacks. The constant change process has become a fundamental aspect of successful security – and that needs to be applied across the board, not just to AV. Static security does not work; it is time for the SIP security industry to face up to its responsibilities and embrace a process of continual update that will truly safeguard organizations tomorrow: not just today.
Paul German is CEO of VoipSec.
(1) Cyber Security Market by Solution (IAM, Encryption, DLP, Risk and Compliance Management, IDS/IPS, UTM, Firewall, Antivirus/Antimalware, SIEM, Disaster Recovery, DDOS Mitigation, Web Filtering, and Security Services) - Global Forecast to 2020