Evangelyze Community Site
Predictions for 2009

Everyone loves to start the year making predictions. It is a fun exercise to try and guess what will happen in the coming year, and then reflect back at the beginning of next year to see if you were right or wrong. I suppose if you develop a record of making reasonably reliable predictions then you can cement your place as a visionary in the industry. Mark Collier, CTO of SecureLogix and co-author of Hacking Exposed - VoIP, has posted his predictions for 2009 on his VoIP Security Blog (he also has his review and recap of his 2008 predictions if you are interested).

I respect Collier. I read his book. I like what SecureLogix has to offer. I follow his blog. I have a relative degree of confidence that he knows what he is talking about and that his predictions will be fairly accurate. That said, I have two concerns. First, organizations are reluctant to invest in VoIP security because they are waiting for the big attack to justify the expense. This is a reactive posture. I understand that it is difficult to make a business case for an event that hasn't happened and that may not ever happen, but in the meantime the vulnerabilities still exist and the potential for exploit still exists. The lack of any major attack is more a matter of attackers working out the business model for how to monetize the attack for profit than a matter of inherent security of VoIP. Once a dedicated attacker with a motive chooses to strike, most organizations will find themselves unprepared.

Second, I think that successful VoIP attacks are likely to be more precise. Everyone is waiting for a massive attack to make front page news to justify why VoIP security is important. However, executing some sort of mass denial-of-service attack that takes out a VoIP provider or knocks out the phone system for a company will generate headlines, but not revenue. Gone are the days when attackers executed attacks just because they could or to build 'street cred' in the hacker underground. Most attacks today are financially motivated. Most VoIP attacks are easier to accomplish from inside the network, where employees may have both financial and political motives. Bottom line: the best or most successful VoIP attacks will be surgical attacks against specific targets. The damage may be done and the impact felt without the target ever realizing there was an attack and certainly without the sort of newspaper headlines that companies seem to be waiting for before they'll open the purse strings and commit to VoIP security.


Posted 29 Jan 2009 7:02 by tony