Why Vulnerability Assessments Matter…
The Nortel Voice Security Blog will regularly feature posts by members of Nortel’s Voice Security Ecosystem. Today Tom DeSot, the Chief Compliance Officer for Digital Defense, Inc., will be our featured blogger. Digital Defense is a network security firm based in San Antonio, Texas, that specializes in working with organizations to meet their compliance and security goals through the use of a multitude of Software as a Service (SaaS) delivered services.
While ongoing and recurring vulnerability assessments have been used to uncover issues on data networks for quite some time, their use within voice networks is still relatively new to many organizations.
In times past, voice and data networks lived in two separate realms, with different equipment and skill sets typically associated with their respective teams. However, with the advent of VoIP and all of the new associated unified communications technologies, the realms have now joined into one. Unfortunately, this merger has introduced new vulnerabilities into corporate networks: vulnerabilities that organizations need to detect and remediate just like any other.
A perfect example of this would be vulnerabilities associated with the VoIP handsets themselves. POTS handsets are typically nothing more than hardware and wiring, leaving little to attack from a network perspective, while the newer VoIP handsets, built on a software foundation, run network-visible services such as TFTP and HTTP. As a result, each time a new vulnerability is found in one of those services, the handsets running it are potentially exposed and can subsequently be exploited during an attack. Though VoIP is still somewhat new in comparison to other networked technologies, attacks of this nature are already occurring in the wild. The question at hand is: what do you do to protect yourself while still providing benefit to day-to-day business needs?
Enter recurring vulnerability assessments for your voice networks.
As a part of any solid vulnerability remediation program, assessments need to be introduced into the voice realm. Vulnerabilities are found, sadly, with ever-increasing frequency in VoIP PBXs, call management packages, and, as stated earlier, handsets. The only way an organization can hope to stay ahead of the curve, and not end up flying off it and into the abyss, is to perform recurring vulnerability assessments that ensure these issues are detected and subsequently remediated.
Too much data to work with when combined with your data network assessments you say?
The age of running an assessment, working off a report, and logging everything in Excel has long since passed. Not only do these antiquated practices place an undue burden on the information security and IT teams, they make running more frequent assessments (the whole point of the matter) a true challenge. In short, there IS typically too much data to work with, and too many balls to drop, when assessments are run in this fashion.
As a result, most organizations are moving to a more automated method of conducting assessments via ASP-hosted or premises-based assessment and vulnerability management technologies. Not only do they gain a more centralized and manageable assessment process with these moves, but they also gain the ability to conduct trending analysis and reporting, something typically unattainable with the older piecemeal methods. And in this day of heavy regulatory and audit pressures, the ability to report on your actions and progress is mandatory.
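The two points above, handsets exposing services such as TFTP and HTTP, and the trending analysis that automated, recurring assessments make possible, can be illustrated with a small tracker. The following is an added example and is not code from the original post or from Digital Defense; it assumes that assessment output has already been normalised into one record per host per finding, and the two assessment runs, hosts and vulnerability ids below are constructed placeholders.

```python
"""Track exposed VoIP handset services across recurring assessments.

Added example (not from the original post or Digital Defense). It assumes
each assessment run has been normalised into a list of Finding records.
The sample runs, addresses and vulnerability ids below are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Services the post names as commonly exposed on VoIP handsets, keyed by
# their standard IANA port numbers.
HANDSET_SERVICES = {69: "tftp", 80: "http"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    vuln_id: str  # tracker id; placeholder values below


# Constructed sample: two recurring assessment runs of one voice VLAN.
RUN_1 = date(2024, 1, 8)
RUN_2 = date(2024, 2, 5)
ASSESSMENTS = {
    RUN_1: [
        Finding("10.10.5.11", 69, "tftp", "VULN-PLACEHOLDER-1"),
        Finding("10.10.5.11", 80, "http", "VULN-PLACEHOLDER-2"),
        Finding("10.10.5.12", 69, "tftp", "VULN-PLACEHOLDER-1"),
    ],
    RUN_2: [
        Finding("10.10.5.11", 80, "http", "VULN-PLACEHOLDER-2"),
        Finding("10.10.5.12", 69, "tftp", "VULN-PLACEHOLDER-1"),
        Finding("10.10.5.13", 69, "tftp", "VULN-PLACEHOLDER-1"),
    ],
}


def _order(f):
    """Stable sort key so reports are deterministic."""
    return (f.host, f.port, f.vuln_id)


def handset_exposure(findings):
    """Map host -> set of handset services (tftp/http) with open findings."""
    exposure = {}
    for f in findings:
        if f.port in HANDSET_SERVICES:
            exposure.setdefault(f.host, set()).add(HANDSET_SERVICES[f.port])
    return exposure


def trend(previous, current):
    """Classify findings between two runs as new, remediated or persistent."""
    prev, cur = set(previous), set(current)
    return {
        "new": sorted(cur - prev, key=_order),
        "remediated": sorted(prev - cur, key=_order),
        "persistent": sorted(prev & cur, key=_order),
    }


def trend_report(assessments):
    """Run trend() over each pair of consecutive assessment dates."""
    dates = sorted(assessments)
    return {
        (older, newer): trend(assessments[older], assessments[newer])
        for older, newer in zip(dates, dates[1:])
    }


def persistent_age_days(assessments, vuln_id, host):
    """Days a given finding has stayed open across the runs (0 if absent)."""
    seen = [d for d, runs in assessments.items()
            if any(f.vuln_id == vuln_id and f.host == host for f in runs)]
    return (max(seen) - min(seen)).days if seen else 0


if __name__ == "__main__":
    for (older, newer), t in trend_report(ASSESSMENTS).items():
        print(f"{older} -> {newer}")
        for label in ("new", "remediated", "persistent"):
            for f in t[label]:
                print(f"  {label:10} {f.host}:{f.port} {f.service} {f.vuln_id}")
```

The persistent bucket is the one an audit reviewer will ask about: a finding that survives several runs, measured with persistent_age_days, is the evidence that a remediation ticket was raised but never closed.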
But, say you are out in front of the pack, and your security organization is already leading the charge to assess your voice networks. Even better, with great foresight, you are already looking into assessment technologies that address the aforementioned methodology challenges. What then? Are there still considerations to recurring voice network assessments you need to think through before taking that first tentative step and introducing assessment traffic into your voice IP space?
Most assuredly! Just as with any assessment of a data network, proper steps need to be taken to ensure you can assess your voice networks without having an impact on availability. As such, architecting your assessments to ensure business needs are accounted for is a critical first step.
In the next post we’ll discuss assessment architecting considerations and point out the pitfalls that many organizations run into when designing and implementing their assessment programs.
Tom DeSot
Chief Compliance Officer
Digital Defense Incorporated