When a hot new technology comes along businesses flock to adopt it and implement it and benefit from all of the features and flash the new technology has to offer. They buy the 'sizzle' and want to dive right in and start using it. Security is often an afterthought. The irony is that securing a technology is much simpler and less expensive generally if it is done from the ground up. Tacking it on after the fact is typically more complex and cumbersome. But, I digress.

VoIP (Voice over IP) is one of those hot new technologies that has been widely adopted but with little or no thought to security. Traditional voice networks have had an advantage in that the communications were managed by separate hardware on an entirely separate network. There were still security issues to consider like toll fraud, but not nearly the threats that potentially exist on a IP network. With voice now sharing the same infrastructure as the rest of the network it is also subject to many of the same types of threats, in addition to the traditional voice threats.

One of the things that has offered some measure of pseudo-protection to VoIP implementations is that many VoIP hardware vendors have developed proprietary protocols for their communications. That provides some 'security by obscurity' in that attackers are more familiar with common protocols and have to dedicate themselves to exploring and finding the weaknesses of a specific protocol if they want to exploit proprietary hardware platforms. However, VoIP is popular and that paints a target on its back. And, because it is on the IP network, and VoIP security is often overlooked, the VoIP infrastructure offers attackers a weak link in the network security armor.

One practice that will help protect the voice communications as well as preventing the VoIP systems from providing an exploitable weakness for the network is to make sure the VoIP hardware and software are patched. Enterprises and small businesses alike should make sure that their VoIP hardware and software are a part of their patch process. Stay informed by joining vendor mailing lists or frequently visiting the vendor web site to make sure you are aware of any vulnerabilities. Apply the patches if they are available and it is feasible on your network. If there is no patch or you can't apply the patch, at least understand the vulnerabilities so that you can implement alternative controls to mitigate the threat and so you can keep your eyes open to make sure your systems are not compromised.