Risk management of VoIP implementation

Corporate governance is generally regarded as the means by which an organization should be directed and controlled. According to good corporate governance practices, an organization should maintain a competitive advantage by securing its assets and protecting against new threats introduced through new technologies. An example of a new technology that is being increasingly implemented in organizations is Voice over Internet Protocol (VoIP). VoIP is typically seen as a replacement for the Public Switched Telephone Network (PSTN) and converts analog voice into digital voice packets for transport on computer networks. VoIP implementations are on the increase due to their many benefits. However, the focus of VoIP implementations is typically on the advantages and not on the potential risks. This oversight could affect corporate governance, as due care and due diligence may not be assured. This paper will investigate a possible way of making organizations aware of these information security risks through the development of a VoIP Risk Table, which will correlate the risks, threats, likely impact, recommendations and COBIT 5 process practices related to VoIP by means of a qualitative content analysis. This table could assist organizations with proper risk management for VoIP implementations, enabling them to take the necessary steps to mitigate risks and ensure better governance of VoIP technologies.


INTRODUCTION
The senior management of an organization has many responsibilities as part of its corporate governance duties in increasing the effectiveness and efficiency of its organization. As part of its corporate governance duties, it is vital for senior management to provide guidance and direction towards the protection of information assets (Institute of Directors South Africa, 2009). Information assets are defined as a body of information that is managed as a single unit and must be protected and shared effectively. Further, information assets have both value and associated risks (Digital Continuity Project, 2011).
Voice over Internet Protocol (VoIP), also known as IP telephony, is the means of sending voice information assets over packet-switched networks. In other words, VoIP takes audio signals and turns them into digital signals or packets (Dudman, 2006).
Threats to VoIP implementations are on the increase, and VoIP was identified by the SANS Institute as one of the top 20 Internet security attack targets (Bradbury, 2007). This does not mean that VoIP is inherently insecure, but rather that attackers are now looking in places they have not looked before. These attackers' sudden interest in VoIP is mainly due to its rapid rate of adoption. It is important to note that this paper will not discuss VoIP technologies, but rather the risks that VoIP technologies could potentially introduce into a consolidated network. Through a VoIP Risk Table, each potential risk introduced through the implementation of VoIP will be correlated with the relevant COBIT 5 process practices, as well as recommendations on how these risks could be mitigated.

The adoption of VoIP
In the case of South Africa, the adoption of VoIP in private networks became a reality in 2004 when many restrictions on the utilization of VoIP services were lifted (Tobin and Bidoli, 2006). Since then, the rapid adoption of VoIP has been due primarily to the benefits it provides to organizations globally. For example, it has been estimated that the reduced cost of a packet-switched network for VoIP could be as much as half that of a traditional circuit-switched network, such as the Public Switched Telephone Network (PSTN), for voice transmission. Through VoIP, a converged network is achievable, whereby data applications, voice and video all utilize a common infrastructure, which results in network costs being consolidated. These reduced costs have often been cited as the primary reason for adopting VoIP (Varshney et al., 2002; Werbach, 2005). Furthermore, it allows communication between a number of devices such as computers, networking devices and PDAs, as well as extended features such as voice-mail and instant messaging. These advantages could contribute to the efficiency of the daily operations of organizations (Varshney et al., 2002; Werbach, 2005). Despite these potential benefits to organizations, implementing new VoIP technologies could also lead to risks being introduced.

Potential loss of value
As mentioned previously, there are many advantages to implementing VoIP in organizations, especially with regard to overall cost and efficiency. However, if VoIP is not implemented with security as a primary concern, this perceived value may be at risk. The threats facing organizational networks, and VoIP implementations in particular, are becoming more prevalent as more and more unwanted attention is given by unethical hackers. For example, in 2005, at the Black Hat security conference in the USA, there was only one talk on the topic of VoIP and security. Yet in 2006, a whole session, consisting of multiple talks, was dedicated to the topic of security in VoIP (Bradbury, 2007).
With regard to information security, similarities can be seen between the initial lack of security in wireless implementations and the current security of VoIP implementations. In many cases, wireless solutions were adopted and implemented without due consideration for the information security risks introduced (Arbaugh et al., 2002). Many organizations implemented wireless networks as an extension to existing wired networks, with default settings, resulting in "open" networks. This was due to poor security implementations and a lack of proper information security governance, and not to the fact that wireless networks are inherently insecure. As a result, these "open" wireless networks were targeted by unethical hackers. These new security threats led to a great loss in value to organizations that implemented wireless, as their networks were more vulnerable to attack (Bradbury, 2007). With regard to VoIP, network administrators could incorrectly assume that VoIP traffic is "normal" data that can be protected by information security measures already implemented or already governed by network policy. However, this is not necessarily the case (Walsh and Kuhn, 2005). In order to ensure that VoIP implementations are protected, a means of identifying the common security risks organizations may face when implementing VoIP should be established.

ENSURING VALUE
Corporate governance is generally regarded as the responsibility of senior management and is the means by which an organization is directed and controlled (Posthumus et al., 2010). However, corporate governance encompasses a broader definition. An organization is not only responsible for protecting stakeholder interests and complying with regulations set out by government. Organizations should also focus on leadership, sustainability and corporate citizenship (Institute of Directors South Africa, 2009). There are three philosophies introduced by the King III Report from South Africa that could potentially aid any international organization in meeting its corporate governance mandates.

Leadership
Good leadership is seen as the directing of an organization's operations in order to achieve sustainable economic, social and environmental performance (Institute of Directors South Africa, 2009).

Sustainability
To attempt to ensure sustainability for both the organization and its stakeholders, decision makers should be aware that nature, society and business are interconnected in complex ways. This complexity results from ensuring both organizational sustainability and environmental sustainability in the 21st century (Institute of Directors South Africa, 2009).

Corporate citizenship
An organization is regarded as a person in the eyes of the law. It is therefore required that the organization behave as a responsible citizen of the Republic of South Africa by following all applicable laws and operating in a sustainable and ethical manner while playing its role within South African society (Institute of Directors South Africa, 2009).
In order to aspire to these philosophies, King III also emphasizes a number of critical aspects that need to be governed carefully. One of these critical aspects is information technology (IT) and its governance, known as information technology governance (Posthumus et al., 2010). In order for a South African organization to exercise good governance, best practice would be to comply with the King III report, which outlines proper information technology governance (Institute of Directors South Africa, 2009). Organizations outside South Africa could also utilize the King III Report to properly govern their information technology, as it is considered a best practice by many experts. The King III report states: "Effective IT frameworks and policies, as well as the processes, procedures and standards that these involve, should be implemented with the view to minimize IT risk, deliver value, ensure business continuity, and assist the organization to manage its IT resources efficiently and cost effectively" (Institute of Directors South Africa, 2009).
A subsection of information technology governance is information security governance. Information security is often defined as the lifeblood of organizations and should ensure confidentiality, integrity and availability. As crucial information could be communicated via IP phones, it is necessary that information security be ensured for VoIP communications. This would ensure that the VoIP implementation, and the means of securing it, remain aligned with business needs, ensuring that value is maintained. According to good corporate governance practices, organizations should maintain a competitive advantage by securing their information assets and protecting against new threats introduced through new technologies, such as VoIP (von Solms and von Solms, 2008; Dlaminia et al., 2009).
There are numerous security concerns with regard to the implementation of VoIP in organizations. These concerns relate to risks that the organization should either avoid or mitigate to ensure value is gained from VoIP. This value could be assured through proper risk management, which is part of information security governance. Through information security governance, the required policies and controls should be put in place to ensure VoIP provides the value it should, while mitigating security risks. Through proper risk management, one may identify the risks VoIP poses to an organization, determine the organization's risk appetite and, finally, identify to what degree the organization wishes to mitigate the risk, if not totally avoid it (von Solms and von Solms, 2008). In order for this to be accomplished, the common risks organizations face when implementing VoIP must be established, as well as the threats and vulnerabilities that enable these risks to materialize.

THE THREATS
Gerber and Thomson 3741
As mentioned, the risks associated with VoIP should be mitigated or avoided in an organization. However, it must be clarified that VoIP does not necessarily add new risks, but rather alters already existing risk portfolios. The risk portfolios common to most organizations affect confidentiality, integrity, availability and legislative compliance, amongst others. VoIP alters these portfolios by introducing complexity, new access points to the network, new channels for blended threats, and new protocols and routing patterns into the already established IP network (Roberts, 2005). The risks introduced could be loss of confidentiality, loss of integrity, loss of availability and possible contravention of legislative compliance.
Multiple threats, and the categories they belong to, have been summarized by the VoIP Security Alliance. This collaboration of experts seeks to aid organizations in securing their VoIP implementations. Examples of the security threat categories, and examples of the VoIP-specific attacks included in each category, are listed below (VoIPSA, 2005):

VoIP specific denial of service
This refers to an intentional interruption of VoIP services, including: user call flooding, endpoint request flooding, request looping and malformed protocol messages.

Network denial of service
This refers to an intentional interruption of network services, such as a Distributed Denial of Service attack, which would indirectly affect all VoIP communications.

Physical security
This refers to any attack that requires the attacker to gain physical access to network devices. For example, an intentional loss of power would render the VoIP implementation inoperable without backup power.

Interception and modification
This refers to ways in which attackers could collect the VoIP signalling and VoIP data between a source and a destination, and could possibly modify this traffic for unethical purposes.

Eavesdropping
These attacks enable an attacker to monitor signalling or data streams between two or more VoIP endpoints without altering the data, and could include the following attacks: call pattern tracking, number harvesting and conversation reconstruction, amongst others.

Contravening legislation
A consequence of the above attacks could be a breach in either the confidentiality or the integrity of voice information packets. As a result of these attacks, should an applicable section of legislation be contravened, such as sections 5 and 6 of the 2003 Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA), this may, depending on the facts and outcome of a court case, lead to criminal sanctions. The organization may also be held civilly liable for damages suffered by a third party as a result of these actions. The organization may also be held civilly liable for breaches of the constitution, such as the infringement of a customer's or employee's privacy (SA Government Gazette, 1977).
Each of these threats exploits security vulnerabilities present in VoIP equipment, in the network equipment on which VoIP is being implemented, or in the media over which voice packets are being transported across the network. Each organization should look at its unique VoIP implementation to determine where the vulnerabilities lie. Once the vulnerabilities and potential threats have been identified, it is vital for the organization to establish the likely impact each threat category poses, so as to determine to what degree it wishes to mitigate these risks (James and Woodward, 2007). This is done through risk assessment.

RISK ASSESSMENT
Control Objectives for Information and related Technology (COBIT) 5 is a framework that contains the processes and process practices an organization should employ with regard to information security governance in order to implement proper risk assessment (ISACA, 2012). A few of these process practices from COBIT 5, which are relevant to VoIP, have been adapted below specifically for securing VoIP implementations:

APO01.02: Establish roles and responsibilities
Establish, agree and communicate the roles and responsibilities of IT personnel as well as of other stakeholders responsible for the business VoIP implementation. All relevant personnel authority, responsibility and accountability should be stipulated.

APO01.03: Maintain the enablers of the management system
Maintain the enablers of the VoIP implementation's management and ensure that they are integrated and aligned with the organization's governance and management philosophy. Compliance, continuous improvement and the handling of process deviations should be promoted.

APO01.06: Define information (data) and system ownership
Define and maintain responsibilities for ownership of information (data). Owners should make decisions about classifying information systems and protecting them in line with this classification. VoIP signalling and data should be classified in accordance with business requirements and secured to an appropriate level.

BAI04.05: Investigate and address availability, performance and capacity issues
Monitor, measure, analyze and review the availability, performance and capacity of the VoIP implementation. Deviations from baseline measurements should be resolved and followed up.

DSS01.02: Manage outsourced IT services
Manage the operations of outsourced IT services, such as a VoIP implementation, to maintain the protection of organization information and reliability of the service delivery.

DSS07.02: Manage network and connectivity security
Use security measures and related procedures to protect VoIP information over all methods of connectivity.

DSS07.03: Manage endpoint security
Ensure that endpoints, such as VoIP phones, are secured to a level equivalent to or greater than the defined security requirements of the information processed, stored or transmitted.

DSS07.04: Manage user identity and access
Ensure that all users have information access rights in accordance with their business requirements. Ensure that access to the VoIP implementation is limited to employees that require it.

DSS07.05: Manage physical security
Implement procedures to grant, limit or revoke access to premises, buildings and areas according to business needs. Access should be justified, authorized and logged. This should apply to any party entering the specified premises.

DSS07.06: Manage sensitive documents and output devices
Establish physical safeguards, accounting practices and inventory management over sensitive IT assets. VoIP assets such as VoIP telephones and conference phones should be secured.

DSS07.07: Manage Information Security Incidents
Clearly define and communicate potential VoIP security incidents and provide incident management processes to expose incident progression.

DSS07.08: Manage information handling
Manage information assets securely throughout their lifecycle. VoIP implementation communications should be correctly labelled and encrypted over the network. Any recorded information should be destroyed in accordance with the retention policy and with applicable legislation.

MEA03: Monitor and evaluate compliance with external requirements
Evaluate that IT processes and IT-supported business processes, with specific regard to VoIP, are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with. Integrate IT compliance into overall business compliance.

EDM03: Ensure risk optimization
Ensure that the organization's risk appetite and tolerance for the VoIP implementation are expressed and communicated. Furthermore, ensure that the risks to business value related to the VoIP implementation are identified and managed.
If the applicable COBIT 5 process practices are followed and the COBIT 5 recommendations adhered to, changes in organizational security policies would most likely result. Once risks have been assessed, they should be mitigated or avoided if organizations wish to ensure value from VoIP. The following section introduces the VoIP Risk Table, which correlates the previously discussed risks, threats and recommended mitigation techniques associated with VoIP implementation. These are presented together with the relevant COBIT 5 process practices to assist senior management in information security governance.

THE VOIP RISK TABLE
It is vital that management is aware of the potential risks, or changes to current risk portfolios, introduced through the implementation of VoIP. All the risk assessment and management aspects mentioned previously are correlated in the VoIP Risk Table, as represented in Table 1, to make management more aware of possible VoIP security issues and related consequences. This table was formulated by means of a qualitative content analysis. The relevant literature regarding VoIP-specific security threats, and recommendations to mitigate or avoid them, was correlated with COBIT 5 objectives. This correlation aids organizations in aligning their VoIP implementation with the objectives of the organization, such as secure and cost-effective communications. Ultimately, the aim of this table is to assist organizations in meeting the previously mentioned governance mandates.
Table 1 shows the Risk column with the associated Threat column, identified by the VoIP Security Alliance. Included in the table is the Likely Impact that these risks and threats could introduce; this column could aid management in the risk assessment process. Following the Likely Impact, technical recommendations for mitigation of the identified risks are found in the Operational Recommendations column. The Operational Recommendations are the technical and procedural recommendations for daily operations, which may be applicable to operational managers and staff with regard to the VoIP implementation. The Executive Processes outline the governance and policy recommendations from COBIT 5, identified by the authors, which may assist executive management with regard to the VoIP implementation.
As seen in the Table, there are numerous recommendations which aim to ensure the availability, integrity and confidentiality of a VoIP implementation.
To attempt to ensure the availability of VoIP implementations, the following operational recommendations are provided:
1. Separation of data and voice networks can be achieved by implementing 802.1Q Virtual LANs (VLANs). This will logically separate VoIP communications from the data network and will prevent endpoints attached to the data network from initiating attacks on the VoIP network (Titmus, 2006).
2. Authentication of users and devices may be implemented by a standards-based IEEE 802.1X network access control mechanism. Using this mechanism may ensure that any device attempting to gain access to the network must first pass an integrity check, for example, having the most up-to-date anti-virus software. In this way only devices that pass the applicable security checks will have access to the network, preventing possible attacks on the VoIP network (Titmus, 2006).
3. The security boundary of a network should be secured with a firewall to protect internal business functions from external networks. A firewall that is capable of inspecting VoIP traffic such as SIP, H.323 and voice data for anomalies, and that allows precedence for voice traffic, will most likely be required should VoIP communication extend past the boundary of the organization (Titmus, 2006).
4. In order to protect against an attacker spoofing the identity of a legitimate VoIP user, proper signaling encryption should be exercised in conjunction with proper authentication of users and devices (Butcher et al., 2007). Techniques for encrypting VoIP signaling traffic are covered in the recommendations for mitigating breaches in integrity.
5. Physical access to servers, switches, cabling and any other network infrastructure critical to the VoIP implementation should not be available to anyone without the correct security clearance or administrative duties related to the system. This may be achieved by securing any entrance to network infrastructure, and erecting physical barriers to prevent any unauthorized access to the network backbone (Butcher et al., 2007).
In addition to the above recommendations, the following COBIT 5 process practices should be examined, and the recommendations they make should be implemented where applicable, in an attempt to ensure availability for VoIP implementations: BAI04.05 Investigate and address availability, performance and capacity issues; DSS07.02 Manage network and connectivity security; DSS07.03 Manage endpoint security; DSS07.04 Manage user identity and access; and DSS07.05 Manage physical security.
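As an added illustration, not part of the paper or of any product it cites, of what a SIP-aware firewall at the network boundary (recommendation 3 above) checks for, the Python below inspects a constructed set of SIP requests for two of the VoIPSA denial-of-service patterns listed earlier: malformed protocol messages and call (INVITE) flooding from one source. The required-header set, the rate threshold and the 192.0.2.x addresses are assumptions made for this example.

```python
import re
from collections import defaultdict

# Header fields RFC 3261 requires in every request (compact forms such as
# "i:" for Call-ID are not handled in this example).
REQUIRED_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")
REQUEST_LINE = re.compile(
    r"^(INVITE|ACK|BYE|CANCEL|REGISTER|OPTIONS) (sips?:\S+) SIP/2\.0$")


def parse_sip_request(raw):
    """Return (method, headers) or raise ValueError for a malformed request."""
    lines = raw.replace("\r\n", "\n").split("\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        raise ValueError("bad request line: %r" % lines[0])
    method = match.group(1)
    headers = {}
    for line in lines[1:]:
        if line == "":
            break  # blank line terminates the header section
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header: %r" % line)
        headers[name.strip()] = value.strip()
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    if missing:
        raise ValueError("missing required headers: %s" % ", ".join(missing))
    seq, _, cseq_method = headers["CSeq"].partition(" ")
    if not seq.isdigit() or cseq_method.strip() != method:
        raise ValueError("CSeq does not match request: %r" % headers["CSeq"])
    return method, headers


def inspect(events, window=10.0, max_invites=5):
    """events: iterable of (timestamp_seconds, source_ip, raw_request).
    Returns alerts as (kind, source_ip, detail) tuples: one 'malformed' alert
    per unparsable request and one 'invite_flood' alert per source whose
    INVITE count inside the sliding window exceeds max_invites."""
    alerts = []
    invite_times = defaultdict(list)
    flooded = set()
    for ts, src, raw in events:
        try:
            method, _ = parse_sip_request(raw)
        except ValueError as err:
            alerts.append(("malformed", src, str(err)))
            continue
        if method != "INVITE":
            continue
        recent = [t for t in invite_times[src] if ts - t <= window] + [ts]
        invite_times[src] = recent
        if len(recent) > max_invites and src not in flooded:
            flooded.add(src)
            alerts.append(("invite_flood", src, len(recent)))
    return alerts


def make_invite(call_id, seq=1):
    """Well-formed INVITE (constructed sample in the style of RFC 3261)."""
    return ("INVITE sip:bob@example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
            "Max-Forwards: 70\r\n"
            "From: <sip:alice@example.com>;tag=1928301774\r\n"
            "To: <sip:bob@example.com>\r\n"
            "Call-ID: %s@192.0.2.10\r\n"
            "CSeq: %d INVITE\r\n"
            "Content-Length: 0\r\n\r\n" % (call_id, seq))


# Constructed sample traffic: one good call, two malformed requests, and a
# burst of eight INVITEs in about two seconds from a single source.
SAMPLE_EVENTS = (
    [(0.0, "192.0.2.10", make_invite("a84b4c76e66710"))]
    + [(1.0, "192.0.2.20", "INVITE sip:bob@example.com SIP/1.0\r\n"
                           "Via: SIP/2.0/UDP 192.0.2.20\r\n\r\n")]
    + [(2.0, "192.0.2.30",
        make_invite("nocallid").replace("Call-ID: nocallid@192.0.2.10\r\n", ""))]
    + [(3.0 + 0.3 * i, "192.0.2.77", make_invite("flood%d" % i)) for i in range(8)]
)

if __name__ == "__main__":
    for alert in inspect(SAMPLE_EVENTS):
        print(alert)
```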
To attempt to ensure the integrity of VoIP implementations, the following operational recommendations are provided:
1. The IPsec encryption protocol may be used to encrypt VoIP signaling protocols, such as SIP, to provide a secure tunnel for protocol conversations and voice packets. IPsec, however, will increase packet size after encryption and may increase transmission delay and bandwidth requirements. This should not be a concern on the organization's own network, but it could present media quality issues over broadband access networks such as ADSL, which may affect teleworker operations (Butcher et al., 2007).
2. With the aim of mitigating the interception or modification of VoIP communication data, an extension to the Real-time Transport Protocol (RTP), which carries VoIP data, called the Secure Real-time Transport Protocol (SRTP) may be used. SRTP ensures that VoIP data carried over the network is secured, with low overhead, by providing a means of authenticating the payload of VoIP packets. IPsec could also be used in place of SRTP, keeping organizational bandwidth constraints in mind (Butcher et al., 2007).
In addition to the above recommendations, the COBIT 5 process practice APO01.06 Define information (data) and system ownership should be examined, and the recommendations made by this process practice should be implemented where applicable in an attempt to ensure integrity for VoIP implementations.
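As an added example, not from the paper, of the payload-authentication step that gives SRTP its low-overhead integrity protection (recommendation 2 above), the Python below computes and checks the RFC 3711 authentication tag over an RTP packet and shows that a modified media byte or a packet replayed under a different rollover counter is rejected. The session authentication key, SSRC and audio frame are constructed values; payload encryption (AES counter mode) and key derivation are left out.

```python
import hashlib
import hmac
import struct

AUTH_TAG_LEN = 10  # RFC 3711 default: 80-bit tag
RTP_HEADER_LEN = 12


def build_rtp_packet(seq, timestamp, ssrc, payload, payload_type=0):
    """Minimal RTP packet: 12-byte header (V=2, P=0, X=0, CC=0, M=0) + payload."""
    header = struct.pack("!BBHII", 0x80, payload_type & 0x7F,
                         seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)
    return header + payload


def srtp_auth_tag(auth_key, rtp_packet, roc):
    """RFC 3711 section 4.2: HMAC-SHA1(k_a, M || ROC) truncated to 80 bits,
    where M is the whole RTP packet (header + payload) and ROC is the 32-bit
    rollover counter that sender and receiver track per SSRC."""
    mac = hmac.new(auth_key, rtp_packet + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:AUTH_TAG_LEN]


def protect(auth_key, rtp_packet, roc):
    """Sender side: append the authentication tag (no MKI, no encryption here)."""
    return rtp_packet + srtp_auth_tag(auth_key, rtp_packet, roc)


def unprotect(auth_key, srtp_packet, roc):
    """Receiver side: return the RTP packet if its tag verifies, else None."""
    if len(srtp_packet) < RTP_HEADER_LEN + AUTH_TAG_LEN:
        return None
    rtp_packet = srtp_packet[:-AUTH_TAG_LEN]
    tag = srtp_packet[-AUTH_TAG_LEN:]
    expected = srtp_auth_tag(auth_key, rtp_packet, roc)
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return rtp_packet


# Constructed sample values: a 160-bit session authentication key (not a
# real key), an SSRC, and 20 ms of G.711 A-law silence (zero amplitude = 0xD5).
AUTH_KEY = bytes.fromhex("cebe321f6ff7716b6fd4ab49af256a156d38baa4")
SSRC = 0xDEADBEEF
PCMA_FRAME = bytes([0xD5]) * 160


def demo():
    """Returns (intact_ok, tamper_detected, replay_detected, bytes_overhead)."""
    pkt = build_rtp_packet(seq=1, timestamp=160, ssrc=SSRC,
                           payload=PCMA_FRAME, payload_type=8)
    wire = protect(AUTH_KEY, pkt, roc=0)
    intact_ok = unprotect(AUTH_KEY, wire, roc=0) == pkt
    # One media byte altered in transit: the tag no longer verifies.
    tampered = wire[:20] + bytes([wire[20] ^ 0x01]) + wire[21:]
    tamper_detected = unprotect(AUTH_KEY, tampered, roc=0) is None
    # The same bytes presented after a sequence-number rollover (ROC=1) fail
    # too, because the ROC is part of the authenticated input.
    replay_detected = unprotect(AUTH_KEY, wire, roc=1) is None
    return intact_ok, tamper_detected, replay_detected, len(wire) - len(pkt)


if __name__ == "__main__":
    print(demo())  # (True, True, True, 10)
```

The ten-byte tag is the whole per-packet cost of SRTP authentication, which is the overhead the paper contrasts with IPsec tunnelling.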
To attempt to ensure the confidentiality of VoIP implementations, the following operational recommendation is provided:
1. The same techniques outlined above for integrity could be implemented to attempt to ensure confidentiality in a VoIP implementation.
In addition to the above recommendations, the COBIT 5 process practices DSS07.06 Manage sensitive documents and output devices and DSS07.08 Manage information handling should be examined, and the security and classification techniques they recommend should be implemented where applicable in an attempt to ensure confidentiality for VoIP implementations.
To attempt to ensure compliance with applicable legislation, the following operational recommendations are provided:
1. All previously mentioned techniques outlined for availability, confidentiality and integrity could be implemented in an effort to avoid contravening a section of applicable legislation.
2. In addition, an organization should stipulate within policy how employees may use the VoIP communication assets in compliance with legislation. Employees should be made aware of the policy, and it should be enforced (Dagada et al., 2009).
In addition to the above operational recommendations, the following COBIT 5 process practices should also be addressed: MEA03 Monitor and evaluate compliance with external requirements; DSS01.02 Manage outsourced IT services; DSS07.07 Manage information security incidents; APO01.02 Establish roles and responsibilities; and APO01.03 Maintain the enablers of the management system.
As indicated in Table 1, the overarching COBIT 5 process, EDM03 Ensure risk optimization, and the underlying process practices discussed above would be the final outcome should both the Operational Recommendations and Executive Processes be implemented. This may ensure that the risks do not impact the value that a VoIP implementation may introduce, enabling an organization to minimize the potential risk and gain greater value from its VoIP implementation.
The following analogy will clarify the purpose of the VoIP Risk Table and how the table could be used to ensure that, at a minimum, awareness of VoIP security is achieved. This analogy will cover how one would mitigate concerns over the risk of the loss of confidentiality. Bob Smith is the CIO of a small to medium-sized organization and is responsible for ensuring that its information systems are kept secure. The organization wishes to implement VoIP as its primary means of telephony. Bob refers to the VoIP Risk Table and observes that a risk to the confidentiality of data transferred by VoIP could be a concern. He is concerned because the table states that a lack of confidentiality will likely result in a breach of privacy, which would be unacceptable, as his organization deals with testing prescription drugs and sensitive data about studies is often communicated over the phone. Additionally, the organization may face civil liability should a patient's information be leaked and his or her privacy breached in violation of his or her constitutional right to privacy. Bob contacts the network manager and questions him with regard to encrypting the media, which he saw was the recommendation for mitigating the threat to confidentiality. It is clear to Bob that the organization's security policy must also be reviewed to incorporate the new VoIP implementation, as COBIT 5 process practices are also found in the table. A procedural policy will need to be drafted to ensure the confidentiality of voice communications. If Bob follows and adheres to all recommendations in the table, he may be able to mitigate the most common risks posed by VoIP to a level acceptable to his organization before the VoIP implementation goes live. This would ensure that the more common security risks introduced through the implementation of VoIP are mitigated.
If VoIP is implemented without taking the contents of the VoIP Risk Table, or similar recommendations, into consideration, it could lead to a lack of sustainability with regard to the VoIP implementation and the organization itself, should breaches occur. By taking the Risks and Threats into consideration and ensuring the applicable COBIT 5 process and related process practices are followed, management would be practising good corporate and information security governance. In addition, the King III philosophies of leadership, sustainability and corporate citizenship would be adhered to, as all three deal with economic and organizational sustainability.

Conclusion
VoIP is a rapidly growing technology and could be introduced into organizations to reduce cost, amongst other benefits. However, the implementation of this technology introduces new information security risks and threats, or alters existing risk portfolios, which may inadvertently be overlooked. If the highlighted security issues are overlooked, information security governance is not being adhered to and a lack of due care and due diligence may be exhibited. This lack of governance may introduce risks which need to be mitigated. In order for an organization to adhere to the aforementioned philosophies of leadership, sustainability and corporate citizenship, the organization will need to thoroughly consider the risks of implementing VoIP. The VoIP Risk Table introduced in this paper could be used by organizations to assist with information security governance, as it highlights the risks, threats and recommended mitigation techniques, together with the relevant COBIT 5 process practices that should be followed.