When looking at a network’s vulnerabilities, the voice-over-IP system usually isn’t on the list of most IT administrators.
But an Ottawa company says it should be, because like anything on the network it’s a possible source of an intrusion.
It hopes to change that with two software products that make it easier for security auditors to ensure VoIP systems meet international standards like ISO, PCI and NIST.
“When you talk to a CIO about VoIP security, he kind of doesn’t necessarily resonate. When you talk about PCI compliance, it resonates,” says Rob Gowans, CEO of VoIPShield Systems. “So it’s very much about reframing the conversation for what it is he cares about.”
The company has recently released version 3.1 of VoIPAudit, a vulnerability assessment tool which detects and reports on compliance against several security standards. It will be updated shortly to support the latest versions of ISO and other standards.
It supports Cisco Systems Inc.’s CallManager 8 and 9, and will shortly add support for Avaya Inc. and SIP systems.
VoIPAudit includes asset, configuration and administrative management, comprehensive reporting and recommendations for remediation of identified issues.
While vendors regularly issue updates and patches to their VoIP-related software, IT staff may make configuration changes that make the systems insecure, Gowans said. That’s why, he says, VoIPAudit can be used by both internal and external auditors.
The company’s other product is VoIPGuard, which performs real-time packet header inspection to look for malicious activity. It is being overhauled and will be relaunched later in the year.
The company was actually started in 2006, but had early teething troubles. Gowans said it was too early to market, before organizations seriously turned to VoIP.
Toronto-based Terracap Ventures, a division of the Terracap Group, was an early investor, then took control of the company two years ago with the idea of letting it simmer for a while until the market caught up, Gowans said.
Gowans, who has held telecom-related jobs since 1985 and been involved in a number of startups (at one time he was vice-president of Intel Corp.’s service provider group), was an advisor to Terracap. Six months ago he became VoIPShield’s CEO after a change of management.
After Terracap led two rounds of investment in 2013 to help rebuild the company, Gowans wants to make it more visible. VoIPAudit still doesn’t have a customer, he said.
The rebuilding also included reconstructing a partnership with Ukraine’s University of Chernitvtsky, where VoIPShield has a research lab for discovering vulnerabilities. Product development is done in Ottawa.
“Finding vulnerabilities in VoIP is not like finding them in Windows or Linux,” Gowans says, because most systems are from major companies like Cisco that make a hardened operating system.
Still, the company has a database of more than 1,000 virus signatures aimed at generic SIP or platform-specific systems.
VoIPAudit is mapped against ISO 27001, 27002, PCI and NIST800. It is in the process of being upgraded from PCI2 to PCI3.
Gowans plans to sell VoIPAudit and VoIPGuard through security system integrators.