A recent research effort demonstrated, through what its authors call “Phonotactic Reconstruction”, the ability to “decipher” the encapsulation/encryption process employed by a substantial number of VoIP providers – including Skype. The research is pretty clear cut and highlights two things: 1. it is within means to eavesdrop on these conversations, and 2. security through obscurity still does not hold water.
The second point is the one that has become more important as I work with global organizations and grow to understand the complexities that exist within the co-mingling of corporate and consumer system environments (more on that in the future). VoIP is complex; it is a classic example of security balanced against a technology application (enough security, but not so much that it creates voice distortions). Unfortunately, if the calls can be eavesdropped on, then the security is insufficient. This is significant given the enormous usage of this technology within most global corporations (Skype alone has about 124 million active monthly users with 560 registered). Beyond eavesdropping, there also exists the ability to leverage these “VoIP environments” to break into other parts of the business.
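The research referenced above works from the sizes of the encrypted packets rather than from breaking the cipher: a variable-bit-rate codec emits frames whose size depends on the sound being encoded, and a length-preserving transport cipher passes that size straight to anyone watching the wire. The following is an added example, not code from this post or from the researchers; its codec frame sizes, phrases and key are constructed, and its stream cipher is a toy stand-in for SRTP. It measures how many phrases remain distinguishable from packet sizes alone, and shows that padding every frame to a fixed size closes that channel where encryption by itself does not.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Sequence

# Constructed toy model of a variable-bit-rate (VBR) speech codec: the codec
# spends more bits on some sound classes than others, so each 20 ms frame's
# size depends on what was said. Sizes are illustrative, not any real codec's.
TOY_VBR_FRAME_BYTES: Dict[str, int] = {
    "vowel": 38,
    "fricative": 20,
    "plosive": 15,
    "silence": 6,
}
MAX_FRAME_BYTES = max(TOY_VBR_FRAME_BYTES.values())
AUTH_TAG_BYTES = 10  # SRTP's default authentication tag is 80 bits

# Constructed phrases, written as sequences of sound classes (one per frame).
CONSTRUCTED_PHRASES: List[List[str]] = [
    ["vowel", "fricative", "vowel", "plosive", "silence"],
    ["plosive", "vowel", "silence", "vowel", "fricative"],
    ["fricative", "fricative", "vowel", "vowel", "silence"],
    ["silence", "vowel", "plosive", "vowel", "vowel"],
]


def codec_frames(phrase: Sequence[str]) -> List[bytes]:
    """Encode a phrase into one frame per sound class. Payload bytes are
    random; only the per-frame size carries the leak we are measuring."""
    return [os.urandom(TOY_VBR_FRAME_BYTES[cls]) for cls in phrase]


def pad_frames(frames: List[bytes], size: int = MAX_FRAME_BYTES) -> List[bytes]:
    """Mitigation: pad every frame to a fixed size so its length no longer
    depends on the audio content (equivalent to running the codec at CBR)."""
    return [f + b"\x00" * (size - len(f)) for f in frames]


def encrypt_frame(frame: bytes, key: bytes, seq: int) -> bytes:
    """Toy stream cipher plus truncated HMAC tag, a stand-in for SRTP's
    AES-CM + HMAC-SHA1. Like SRTP it is length-preserving: the ciphertext is
    exactly len(frame) + AUTH_TAG_BYTES, so the frame size survives encryption."""
    seq_bytes = seq.to_bytes(4, "big")
    keystream = b""
    counter = 0
    while len(keystream) < len(frame):
        keystream += hashlib.sha256(key + seq_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    body = bytes(a ^ b for a, b in zip(frame, keystream))
    tag = hmac.new(key, seq_bytes + body, hashlib.sha256).digest()[:AUTH_TAG_BYTES]
    return body + tag


def observed_lengths(frames: List[bytes], key: bytes) -> List[int]:
    """What a passive observer on the wire sees: packet sizes only."""
    return [len(encrypt_frame(f, key, i)) for i, f in enumerate(frames)]


def distinct_length_profiles(phrases: Sequence[Sequence[str]],
                             transform: Callable[[List[bytes]], List[bytes]],
                             key: bytes) -> int:
    """Leakage check: how many of the phrases stay mutually distinguishable
    using only the size sequence of their encrypted packets. A value equal to
    len(phrases) means sizes alone identify every phrase; 1 means they reveal
    nothing beyond the frame count."""
    profiles = {tuple(observed_lengths(transform(codec_frames(p)), key)) for p in phrases}
    return len(profiles)


if __name__ == "__main__":
    key = os.urandom(32)  # constructed session key
    print("VBR, encrypted only:", distinct_length_profiles(CONSTRUCTED_PHRASES, lambda f: f, key),
          "distinguishable of", len(CONSTRUCTED_PHRASES))
    print("VBR, padded then encrypted:", distinct_length_profiles(CONSTRUCTED_PHRASES, pad_frames, key),
          "distinguishable of", len(CONSTRUCTED_PHRASES))
```

The padding is not free: it gives back the bandwidth saving that motivates VBR in the first place, and it still leaves call duration, frame count and any silence-suppression gaps visible. That trade-off is exactly the kind of thing a risk assessment of the codec and transport pair should record, rather than stopping at “the calls are encrypted”.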
This raises the question – how do organizations remain agile and aggressive in leveraging these beneficial technologies, safely? The simple answer is that a risk assessment is absolutely necessary as a technology is acquired, but as the technology evolves, future risk assessments are paramount. The evolution is what is critical here – Skype, iPhone/app stores, BlackBerry devices, etc. – these were all introduced with unknown trajectories and without obvious benefits or risks. It is THIS fact of not knowing, and the shifting of what is known, that creates the need to mature how businesses embrace, continue to embrace, and manage (yes, by manage… I include secure) all these technologies. The need here goes beyond simple technical specifications to a balance of “risk” and “security”. Meaning the following should, at least, be considered:
- How dependent is the business on the technology, and what are our backup plans?
- What type of information will traverse this technology, and who will depend upon it? – and therefore who are the stakeholders / inputs for discerning what is critical –> this usually leads to assigning owners to assets (only then can the risk be accepted, let alone thought through properly)
- As the owner and information alignment exercise will show, this is a point-in-time exercise … future visits are needed to learn whether the owner sees additional risk, or sees the risk universe shift completely
- What are the security safeguards – are they proven or newfangled? (new is 100% always more risky and should initiate a broader consideration of risk)
- What encryption is being used, and is it being used completely and in the right places? (If home music streaming devices can employ AES-256, enterprise products can too)
Much more time can be spent on risk assessments (I would suggest investing time to look at NIST SP 800-30 or OCTAVE as a starting point… ISO 2700x is good too, but not free). The key takeaway is to challenge ‘complexity’ as a security and assurance control – it is neither. In the world of PCI, the VoIP guidance, the call center guidance, and PCI DSS 2.0 provide insight; to simplify the language: yes, encryption of the activity is required.