Key Points
• VoIP should have systems on a VLAN and use the entire security toolbox.
• Consider a Web security SaaS service that neutralizes external threats.
• Encryption can ward off social engineering attacks.

As technology advances in the areas of VoIP systems, smartphones, and other mobile devices, threats are keeping pace in every area. Risk can come in the form of viruses, targeted attacks, and device loss, but experts note that there are ways to boost protection. Here’s a look at some of the most prevalent threats and how to keep your enterprise safer.

VoIP Issues

Although VoIP may present challenges that appear unique, they’re actually covered by the basics of security, notes Randy Abrams, director of technical education at ESET (www.eset.com), a provider of antivirus and antispyware applications. “Remember, the IP in VoIP is Internet Protocol,” he says. “The Internet was designed to be a robust communications network but not a secure one. The major threat a company faces in using VoIP is that, when improperly implemented, eavesdropping is pretty easy.”

VoIP facilitates the same kind of origination spoofing that affects email, IM, and other computer-based communications, he adds. There is no real identity verification on the Internet, and VoIP can enable caller ID spoofing. The systems may also be at risk for DDoS attacks, Abrams says, but in general, that’s more related to nuisance and cost than security.

Preventing spoofing can be a simple matter of ensuring that settings are correct, Abrams notes. PC-based VoIP implementations can enable remote attackers to call from legitimate numbers, eliminating the need for spoofing. For other security measures, he adds that any enterprise using VoIP should have the systems on a VLAN and make use of the entire security toolbox, including antivirus, access control, intrusion prevention, and intrusion detection tactics.

Mobile Threats

Web-based threats are also a top concern for smartphones and mobile devices, notes Steven Ferguson, senior network engineer at the TCSG (Technical College System of Georgia; www.tcsg.edu), a state agency responsible for overseeing all of Georgia’s 33 technical colleges. He notes, “In the past, network security focused on protecting desktops and laptops, but smartphones and mobile devices are becoming popular targets for attack and are particularly vulnerable to malicious URLs, viruses, and malware.”

This threat can loom larger through the use of free applications such as Gmail and Yahoo! Mail, says Ozzie Diaz, president and CEO of AirPatrol (www.airpatrolcorp.com). “The cost-consciousness of a small business often leads them to use free tools for business purposes,” he says. “The increased presence of spam and malware through these free email services can pose significant risks to the small business, especially if they connect the mobile devices to their enterprise networks or PCs.”

Another threat is loss of the device, adds Abrams. When a smartphone or other device is lost or stolen, not only may it include proprietary information, but it also may contain enough info to hack into a network or provide powerful tools for social engineering. “With a little reading, an attacker can very convincingly appear to know the employee or associates well enough to be extremely believable,” Abrams says. “An attacker may know an employee’s travel schedule and not only attack the employee, but craft messages claiming to be where the employee is.” The context of time and location, combined with knowledge of projects, can easily fool many people into divulging more information, he adds.

Staying Safe

TCSG has hundreds of employees using BlackBerry devices, and as both a governmental and an educational entity, the organization has added layers of security regulations to meet. To minimize risk of attacks, there’s a policy control set on the network, but it can be difficult to extend those controls to wireless devices, Ferguson says.

Part of TCSG’s solution was to implement a Web security SaaS service that neutralizes external Web threats. “The service works by evaluating the reputation of Web sites that employees are trying to access [on their mobile devices] and blocking access to malicious content on compromised sites,” he notes. All of the mobile device Web traffic is routed through a secure gateway proxy server to prevent users from looking at inappropriate sites or accessing malware-infected content.

Much like the VoIP protection, this is another area where security should be multilayered and include just about every protection that IT can throw at it, including policy development, antivirus, antispyware, access control measures, intrusion prevention and detection, and regular log checkups. Also vital are controls related to syncing, as malware can easily be spread into the network when a user syncs a device into a laptop or desktop.

For risk reduction related to data loss, Abrams emphasizes that encryption is critical. Not only can encryption prevent legal problems in terms of compromised customer data, he notes, but encryption can prevent the disclosure of proprietary information and ward off otherwise easy social engineering attacks. He adds that devices that are lost and then returned can be a threat, as well, because they may have been altered while they were missing to include back doors. Recovered devices should always be reformatted, Abrams says.

Combating threats in VoIP systems, smartphones, and other devices may feel like firefighting sometimes, but the more multilayered a security plan is, the lower the chances of discovering a wildfire.

by Elizabeth Millard

Top Threat: Skimping On Network Monitoring

Although there are plenty of threatening viruses and malware in the wild, a particularly serious threat to the data center doesn’t come from code, but rather from neglect. Without proper network monitoring tools, threats can slip in more easily and remain in a system for hours, even days.

Watching traffic variances and levels is vital, notes Steve Wong, vice president of marketing at ClearSight Networks (www.clearsightnet.com). He suggests that an administrator use a long-term network recorder tool to check whether mobile devices are using the corporate network and how much bandwidth they’re consuming. A traffic management tool or shaper can reconfigure bandwidth to limit downloads that might contain malware. Traffic shapers can also be programmed to disallow any access to network resources by smartphones, Wong adds, reducing the chance that an infected smartphone could impact the critical applications on the network.