Growing Use of Peer-to-Peer VoIP Services Creates New Threat to Enterprises

Experts warn desktop voice over IP services pose a threat to enterprises similar to the danger posed by unfettered and insecure instant messaging before organizations adopted policies addressing the practice and securing legitimate means for using the technology

SurfControl is warning enterprise IT departments to establish policies regarding the use of free and paid-for desktop voice-over-Internet-protocol (VoIP) services. Analysis by the company's Global Threat Analysis and Research team shows that the rapid growth of these desktop-based services mirrors the adoption rate seen with public instant messaging systems. As with instant messaging, these services create a threat vector that can be exploited to gain entry into corporate networks, distribute destructive malware such as spyware and Trojans, instigate denial of service (DoS) attacks or steal sensitive and confidential information.

Desktop VoIP services allow users to make free calls from Internet-connected PCs or handheld devices, creating an unfiltered, uncontrolled and unsecured channel between an employee's desktop and the outside world. Malicious hackers and cyber criminals can redirect voice traffic and record the contents without the user ever knowing, or impersonate a caller on the other end of the line in order to steal information. Enterprises also face increased exposure to DoS attacks targeted at the open communications channel. A targeted DoS attack can cripple business operations by rendering a network inoperable.

"Because consumers often use corporate computers for both personal and business purposes, and no doubt will be compelled by the promise of free or relatively free phone services, this is a very real security threat to enterprise networks. We recommend businesses begin addressing the issue today, before it gets out of control as we saw with the use of public instant messaging in enterprise settings," said Susan Larson, vice president, global threat analysis and research. "VoIP voice traffic is still relatively insecure and can be easily stolen and recorded. Because these services require that an application be downloaded, enterprises are also faced with a new way by which malicious content can bypass existing security measures to enter corporate networks."

SurfControl's Global Threat Center offers the following guidelines to help companies safeguard against the new threat posed by desktop VoIP services:
  • Create and enforce an Acceptable Use Policy (AUP) for Desktop VoIP.
  • Standardize on Desktop VoIP applications that will be supported on the corporate network.
  • Create security policies governing the downloading of any application onto corporate desktops, including Desktop VoIP clients.
  • Establish a layered security model that operates at the gateway, on the network, and on the desktop.
  • Use security technologies to ensure optimum threat protection, including the ability to prevent unwanted desktop VoIP applications from installing on the desktop, the ability to create customizable threat signatures, and the proactive monitoring and reporting of Desktop VoIP usage on the network.
  • Provide ongoing education to users regarding the potential dangers of desktop VoIP systems.