The Ecosystem: Unified Communications (UC) integrates voice, video and data to provide for true presence, collaboration and transparency of location, time and method of interaction. The IP ecosystem includes the obvious IP based equipment (phones, PBXs, routers, etc.) but the ecosystem also includes applications that we use every day (e-mail, search tools, document creation, database access, etc.). The transition from TDM to IP exposes voice and video applications to the same security challenges that data has always faced.

Insecure Endpoints: Hackers cruise the Internet looking for open/insecure access points into a network. IP Phones, routers, IP PBXs all require increased vigilance. Just as the smartphone is integrating the functions of a computer and wireless phone, IP Phones have security issues. IT management needs to apply similar methods and procedures for insecure endpoints as they always have for access to business IT networks and applications. IT must formalize efforts to control and strengthen passwords, usage, certified devices, patch management, etc.

Eavesdropping/Modification: As always, the easiest place to listen in on conversations or alter information is within the enterprise or business. These man-in-the-middle style attacks are both the most difficult to prevent, occur the most often and result in the greatest loss of money/value. Certain activities such as instant messaging and social networking traffic increase this risk.

Control Channel: This vulnerability leads to toll/international calling fraud, fuzzing, and spam. Denial-of-service attacks may also be a consequence of a hacker gaining access to the control channel.

SIP Trunking and PSTN Interconnection: Authentication of traffic that crosses from legacy to IP networks and vice versa is important, although, the act of authentication effort lies mostly with the service provider. Dynamic registration improves the mobility of the user but increases the exposure to hackers.

Identity/Spoofing: It is possible to spoof/change Caller ID information on IP connections resulting in phone phishing misleading recipients into providing potentially confidential information.  Interestingly, certain businesses actually request DID spoofing in order to hide their identity (credit collections is an example) and they do so without concern to the ethical issues. Both types of spoofing require changes in approval processes and access.

The “end of geography”: Perhaps no such much the end of geographical limits but the expansion of potential victimization. A business can implement a very secure environment and then have it all exposed due to a connection to a partner that is not secure. Dan Yorks thoughts relate to the sheer proliferation of endpoints, in both number and type”