Electronic-Commerce Security: Voice Over Internet Protocol - Essay Example

?E-commerce: VOIP Security Introduction VoIP refers to the abbreviation of voice Over Internet Protocol. This terminology refers to the communicationtechnology used for transimitting sound signals via the internet. The voice in this case becomes converted into binary form in order to be relayed digitally through the internet. Due to the security implication of transmitting data via the internet, the data (binary) can be encoded on transmission and decoded on retrieval. The use of cryptography in this case tries to prevent eavesdropping by unwelcome parties.Even with the use of cryptography to protect calls; hijacking of calls also proves to be a major threat. This can be done by diverting the direction of the call. A person with the information of the ongoing call can tap into it and redirect the call to another place. Having done that, the person can then wait to decode the call after acquiring the cryptography key. More companies now prefer using the technology to communicate internally and with other businesses. This has raised the concern of how safe the technology can be in relaying sensitive information. Recently, big organisations have fallen victim of security attacks via the internet. Some organisations have lost billions of dollars to hackers and other E-Criminals. These criminals range from old experienced tech savvy people to Elementary School kids. With the cyber world having so many criminals, transmitting sensitive information through the internet has raised questions about the security implications of the system. Literature Review about the use of VoIP Some companies have employed the use of VoIP in theirbusiness transactions.In this case scenario, we will investigate the use of VoIP.VoIP has overriden the use of POTS (Plain Old Telephone System) in several businesses. Different variations of VoIP exist namely: 1. Self Provided –this becomes used by individuals who use applications such as skype which allows video conferencing from personal computer to personal computer.This can also be done through phones that have webcams such as the iPhone. 2. IP Telephony: a. Independent IP Telephony –this does not depend on the serivces of an internet Service Provider. Users of different personal computers connect directly and communicate with each other. b. Dependent IP Telephony –there has to be internet for this kind of VoIP to communicate. Mostly done over long distances via internet connection. 3. Business LAN (Local Area Network) or WAN (Wide Area Network)–here the POTS become replaced by a network. A research conducted in South Africa showed that self provided VoIP has proven to be the most successful of all kinds of Voice over Internet Protocol (Uys 2005). The popularity of self provided VoIP comes as a result of it being common and more secure than other forms of VoIP. Its popularity lingers in home use. The sale of mobile handsets has reduced significantly in some parts of the world due to the availabiltity of the VoIP services. The only factor that makes the sale of mobile handsets constant relies on the mobility of the devices and the availability of the VoIP service in the some of the handsets.With laptops now being able to integrate the processing power of desktops and communication capabilities of cell phones, mobile handsets face tough competition. The only advantage that hand held gadgets have over laptops lies in their smaller sizes and being easier to carry. Several major companies and organisations in the world have adopted the use of VoIP in their services (Mathiyalakan 2006). These include: 1. Bank of America which has over180000 VoIP phones in all of its branches. 2. Boeing plans to equip 150000 of its workers with VoIP. 3. Ford got into a deal with SBC to have over 50000 VoIP phones installed. 4. Vonage gets new subscribers at the rate of 15000 per week with over 600000 cutomers already in place. 5. The main telecommunications player in UK; BT installed VoIP as of 2009. Three types of gadgets exist that help enable users to make VoIP calls. These devices consist of: I. IP phone - this device consists of an IP host host. It becomes used to make calls by directing the call to the IP address of the phone. Traditionally IP phones were complicated and had difficult to understand menus. Nowadays, the IP phone can hardly be distinguished from the ordinary cellular phone. In fact, IP phones and cellular phones have a combined use. This makes their prices quite expensive when compared to other types of phones. With regular phones having their own IP address for connectivity to the internet, the IP phone only adds the functionality of VoIP and video conferencing. II. Traditional phone connected to a VoIP adapter –traditional phones and a digital adapter have many uses together. The adapter sometimes can be used as the IP address whereas the cable of the traditional phones becomes used as the means of relaying information. The combination hence makes a proper way of connecting to the internet. In this case the phone becomes the means of communicating for the VoIP whereas the adapter becomes the IP address. The adapter also changes the signal to digital form so that it can be transmitted via the internet. This combination of the adapter and the traditional telephone can be very efficient for the elderly who have a familiarity with them. III. Computer equipped with a speaker and microphone –this has the biggest popularity among all types of VoIP calling gadgets. Laptops also offer this kind of VoIP calling device with preinstalled speakers and microphones. The method used by VoIP users to call each other goes by the name of signalling Protocol.The protocol allows users to set up connections with each other and different kinds of signalling takes place. Some of these signalling modes include session initiation and termination, device registration, capability recognition and alteration (Darwis 2008). The most commonly used protocols for VoIP include: i. Session initiation protocol ii. Media gateway protocol With the establishment of a connection, the audio becomes converted to digital form whereby it becomes relayed in form of data packets. These packets, known as Real time Transport Packets can transport audio, video and timed text.A Real Time Packet (RTP) consists of a time stamp and sequence number. Usually, when data packets become transported via the internet, they become divided into sections and each section given a sequence number. This sequence number shows the order in which the data packets will combine to form a complete signal. These packets use different mediums and channels to get to the destination. These channels usually consist of the shortest route possible to the destination. When they get to the destination, they become re arranged according to their sequence numbers. These packets when re arranged form a complete signal. Another component required for the completion of the VoIP communication goes by the name of the CODEC. This abbreviation refers to Encoder-Decoder. The device converts analog signals to digital and back to analog. The signal when captured becomes converted to digital form in order to be relayed via the internet. At the end of the terminal the signal becomes converted back to analog form in order to be received by the recipient.During the conversion of the signal to digital form, the converter has to compress the packets in order to reduce the bandwidth used. Advantages and disadvantages of VoIP over small businesses The use of VoIP by small businesses presents both advantages and disadvantages as discussed below (Uys, 2005). Advantages of VoIP in small businesses a. Saving costs on telephone calls–given that VoIP integrates internet with calling, the phone calls’ billcan be reduced massively. As a business, the idea lies behind reducing operational costs and increasing profits. The use of VoIPmeans that the calls will be made via the internet hence cutting the costs of using POTS. With VoIP, as long as a connection exists, the calling will be done efficiently. Additionally, the VoIP service does not necessarily need the presence of an internet connection. A simple LAN or WAN can facilitate the establishment of a VoIP. This can further reduce the costs incurred for the business operations since internet does not necessarily need to be used. b. Utilisation of network–the implementation of VoIP makes the network utilisation efficient since it happens through networks.With some of the companies subscribing to network facilities that they may not adequately exploit, the use of VoIP makes sure that the network becomes fully exploited. c. Additional features of VoIP–the use of VoIP comes along with other features such as conferencing, caller identification, video calling and messaging.VoIP allows transfer of files such as videos, music, documents and other types of files. d. Can be used in any location – given that POTS mostly need a person to be located in an area with network of the service provider or connection, VoIP proves to be more flexible. As long as the user has a connection to the internet, the VoIP can be used in any location chosen. Portable equipment such as laptops allows people to work from home as long as they have the internet connection. This further reduces travelling costs for the employees. e. Integration with other applications–with the use of VoIP, some information can be acquired such as weather reports and flight schedules. This can help a great deal depending on the type of company being in operation. For example an airport can use the above mentioned information on their VoIP services to relay important information to their customers using VoIP. f. Call history - VoIP allows users to save the call history of their accounts. This provides important track record of calls made in and out of the company. Additionally, the call history can be easily retrieved by copy pasting this to the computer. g. Speech recognition abilities –VoIP makes the calling secure by allowing only identified users use the VoIP accounts to call. This in addition to user identification allows the integrity/validity of the calls to be identified. Anonymity of the users has security concerns since people can prank or have other malicious intentions. VoIP reduces these risks by a huge margin. Disadvantages of VoIP in small businesses a. Risk of intrusion–as discussed in the introduction, the major problem facing VoIP lies in the security. A user’s account can be hacked, tapped into and eavesdropped or worse the calls can be diverted. This can cause untold damage to a business since the diversion of calls can have unsuspecting customers make business transactions without knowledge. The continuation of business transactions after hacking without the customer’s knowledge can lead great losses and legal risks.Intrusion can also lead to the inclusion of spam in the coded message. This further wastes production time since after the intrusion employees have to sample the transmitted data to differentiate between junk and valid data. b. Environmental risks–with the use of VoIP being legal in only some countries, inter country communication can be a little bit tricky. The calls can incur extra costs or can be resticted to only a select few. This can also mean that the business may be forced to use traditional methods such as POTS which were perhaps not planned for. c. Develpomental risks –given that VoIP relies on computers, the installtion of VoIP enabled devices might face several challenges. These challenges include lack of compatibility of the VoIPs software with the computers in place. Another problem that could arise includes the lack of compatibility of the VoIP application with the system software. d. Operational issues–some operational issues that come along with VoIP. These issues include delays, packet losses. With the VoIP service involving data packets being transmitted in different pathways, some of the data packets may fail to assemble in the original format. Internet has its shortcomings such as low reception which may lead to delays or even loss of contact when communicating.This type of incidence can cost a business a lot of revenue since it can be termed as unreliable due to the shortcomings of the communication channels. Implementation of VoIP by small businesses Methodologies for implementing VoIP include the in-house installation of IP servers (Gareiss, 2008). Most organisations opt for this method whereby the current infrastructure becomes replaced by pure IP. As long as a strong networkexists, the installation of the VoIP will be of the required standards.This mode of doing things makes installation of VoIP the first step in the major progress of a business. The business can opt to extend the services of the VoIP to desktop, web and room video conferencing, presence, audioconfereincing, contact center integration and instant messaging. The installation of these other features mainly comes after 6 months of properly working VoIP. When voice and real time applications become combined with business applications, customer facing portals and web serivces, the result becomes a very complex network. With all these applications and technology equipment running on the same networks and machines, a lot of pressure fall on the equipment and network. This makes the work network engineers and other technicians very demanding. The pressure results from the fact that the system has to work efficiently and continously. Whenever glitches arise, the technicians should solve the problems within the shortest time possible. The solution should be such that no one notices the existence of the problem anyway. With the installation of VoIP and its affiliate programs, more workers do their work from home. This trend has seen an 800% increase of the people who work from home. The increase of home based workers comes with both advantages and disadvantages. The business cost for employees working from home reduces significantly. On the other hand, people who work from home have no supervision hence a tendency for laxity. Collaborative tools have come in hand to help in the suprvision of people working away from the office. Business drivers for theimplementation of VoIP The adoption of VoIP puts a lot of strain into a network (Gareiss, 2008). More businesses, however, continue to adopt the use of VoIP in their services. The main reason for the increase in the use of VoIP falls under 3 categories: 1. Saving on costs–using VoIP can reduce the international toll rates by upto 20% to 40%. The reduction of the toll rates depends heavily on the country. Other cost reductions such as local loops vary from 25% to 65%. Moving audio conferencing and video conferecncing to IP networks also oversees a great reduction in costs. For example, a company can pay a carrier upto $317,000 for conferencing services but when the company buys IP equipment, the costs can go as low as $17,000 per year. 2. Improvement on production - production in terms of time saving can increase significantly.With the introduction of new VoIP equipment; a worker can save upto 20 minutes per day. The use of unfied communication in tasks such as reading one’s voice mail and being able to track down customers has led to a significant simplification of work. The downside to this becomes the question of how the extra time becomes spent by these workers. Whetherthe time becomes spent on business activities or personal activities.Automated services such as transferring calls between cities using VoIP does not incur charges unlike using POTS. This has a positive impact on the business. The receptionists can be reassigned to other work places and replace them with only one. 3. Having a competitive advantage –with VoIP enabling a business to have its employees work from elsewhere, the company can gain a lot of competitive advantage. In order to close a deal, most customers need presence in order to be well convinced of buying the product or service being offered. The use of collaborative equipment makes the company able to monitor its workers and at the same time allow them to be on the field. The presence of the seller makes the customer to beeasily convinced. The products/services on sale hence go faster than they would without a person/seller on the field. All this becomes enabled due to the virtual presence of the worker in the office and physical presence on the field. How to handle the challenges facing the implementation of VoIP Several challenges come along with the implementation of VoIP (Barnes 2005). Chief among them includes the technical challenges, product assessment and business. Some of the ways to avoid or go around these hurdles involves doing some of the following practises: a. Spending time with the workers and all units of the business in order to determine the aim of establishing a VoIP. Some of these drivers as discussed above include saving costs, gaining a competitive advantage or increasing production. After establishing the driver for having a VoIP, there should be cost models establsihed around the business drivers of establishing a VoIP. b. With the cost models assessed, the business should then evaluate the current costs against the benefits that come along with the establishment of VoIP.The productivityenhancementsshould then be tied to saving of capital and generation of more income. Wherever the production will increase due to time saving, thereshould be checks into what more can be done by the worker(s) to take advantage on the time saved. This should be done in order to prevent the time saved from being used in a non beneficial way to the company by the workers. Lazing around should be discouraged and more tasks should given. c. Network optimisation should be considered whereby some of the methods used to establish the network will incur more costs than others. The use of cables to establish the network will be more expensive than the use of broadband. Additionally, cableshave disadvantages such as a higher possibility of tapping, eavesdropping and other forms of attack towards the VoIPcommunication. d. With the development of the cost model, tests to the network perfomance should be conducted.This test seeks to establish how the implementation of the VoIP will affect the costs, user satisfaction, application, network and production. With the availability of this data, it will be easier to receive budget and support for the expansion. Before installing the VoIP, the business should have a target for performance so that there will be a comparison after the installation. The main reason for setting standards results from the necessity to have customers comfortable with the new services after their implementation. When end users complain about a certain problem then, the company can use the technicians to solve the problem which can incur additional unnecessary costs. With the achievement of the targets, there will be confidence in future IT projects to be carried out and hence it will be easire to get funds for them. Third parties should also be involved in the analysis of the new project installed. This should be done in order to avoid any bias in the analysis towards the project by either the owners or the technicians. Enhancing banks’ security when using VoIP With VoIP primarily being conducted through the internet many forms of cyber attacks can jeopardise the efficiency of the service (Gregory, 2006). The most basic concern of cyber criminals revolves around monetary gains or pleasure of doing so. For banks, cyber attacks will target monetary gains. Basic security measures shall be compared to basic cyber criminal tactics. Cyber criminals attack the weakest point of entry in a network. The best way to counter this would be securing every point of entry. Cyber criminals attack at any time of their choice. A security system should be vigilant at all times of the night and day. Throughout the year. Cyber criminals usually exploit all types of vulnerabilities. It will be advisable fro a security system to close all the vulnerabilities. Cyber criminals search for new vulnerabilities. The security system should close all known vulnerabilities. Having a converged network will be easier in managing hence avoiding attacks from cyber criminals. Different networks serving the same purpose or in the same organisation provide greater chances for cyber criminals to attack. Furthermore, the converged network will make the internal networking easier and more manageable. Divergent networks on the other hand provide more vulnerabilities and weaknesses which when accessed by cyber criminals can endanger the whole company. As much as converging the network will be beneficial, throwing away old telephone hardware will not be necessary. These materials can be used newly in the network. The attachment of this hardware to the outside such as cabling will have to be cut in order to establish a single network. As discussed earlier, the use of externally connected cables only increases the security risks of a company. Some of the attacks that may occur on a VoIP include: Eavesdropping – a person can listen to conversations on the VoIP. Accessing sensitive information –infromation being transferred in the network such as banks accounts, financial records can be accessed. This happens when a cyber criminal successfully hacks into a server, gateway or even firewall. Vandalism – the attacker can jeopardise a company’s operation in different ways depending on his/her imagination. The company can take from a day to years before it realises the damage done. Quality of service – an attacker can target the services being offered in order make them less efficient. For example, an attacker can send a worm which congeststhe network andmakes it slower. The attacker can also reduce the call/voice quality and even prematurely end calls made. These attacks can occur to anyone and the best way to handle them involves following the principle of least need and least privilege. Least need refers to providing only the needed functionalities to a computer. For example, a computer being handled by a receptionist should only be installed with the software needed by the receptionist. If the receptionist makes calls and schedules appointments, the computer he/she uses should only have the related software installed in the computer. Other additional softwares may increase the vulnerabilities of the computer to attacks. Least privilege refers to giving limited access to fulfilling the task at hand. For example, the internet becomes used for VoIP. The internet has many other functions but if a worker’s job only involves making calls, the internet access should be limited to only making calls. This mode of using least needed/ least privilege should also be used on higher levels such as servers and gateways. Gateways in particular should be sspecific to their jobs without any other functionality. Increasing functionality for them only increases the vulnerability. When a gateway becomes vulnerable, the whole network becomes at risk too since the gateway connects the whole internal network to the external network (internet). When a VoIP becomes installed in a company that already has a data network, several adjustments may need to be done. These adjustments include the upgrade of the Virtual Private Network. The upgrade results from the projected increase in flow of traffic in the Internet Protocol. A Virtual Private Network that does not add latency to the quality of calls and voice also needs to be considered. Audio performance remains to be a high consideration in the installation of VoIP.Thequality of voice/calls cannot be sacrificed since end user satisfaction remains as the biggest target. Methods of securing the VoIP network The converging of the VoIP and data networks combines two different aspects of the network. Several considerations need to be made in order to make sure that these two aspects of network do not collide. Network management – a network management system needs to be established in order to make sure that the VoIP and data can work in the same environment. The establishment of a stronger Virtual Private Network makes the work of network management easier. Only major problems will be dealt with since the problem of clogging and slow transmission will be eliminated by the Virtual Private Network. Virtual Private Network technology –this makes the workers located in other places to be virtually present in the office.The Virtual Private Network technology also implements the use of firewalls to enhance its security. In order to ensure a robust security plan an outline of things to do need to be listed. The basic steps for building a strong security plan entails: A. Having an effective plan for multi layered security in order to meet regulatory and business requirements. B. Security policies should be implemented, communicated and enforced. C. A strong security architecture and and the best solution should be implemented. D. Operating systems should be hardened and encrypted where possible. E. Operational security practises should be implemented and maintained. F. Security should be maintained through monitoring, remediation, event management and following up. VoIP face quite a number of threats and vulnerabilities as listed below: Threats - spam, viruses, hackers, Trojan horses, phishing scams, worms, spywareand malware. Vulnerabilities – refers to weaknesses in the system. When these weaknesses become unattended, they increase therisks of an attack or failureof the system. VoIP become attacked by hackers who exploit their vulnerability. Two types of threats shall be examined. These threats fall under the category of human based and technology based threats. Technology based threats. i. Attacks on infrastructure - VoIP consist of data networks that transport voice and video packets. These networks consist of traditional networking devices such as routers, servers, gateways and switches. These devices come to pass through mass production which means that they all have a similar build and context. Hackers know how to exploit the weaknesses in this equipment hence making them a big threat for any network using them. ii. Attacks using applications – several malicious programs can be created in order to access the networks internally. These programs could be viruses in the form of trojans which appear to be doing something constructive but give out information through the network in the background. iii. Call interception –calls can be accessed on their way to and from their destination. These packets can be reassembled even before they get to their destination by someone awareof the source or destination of the packets. iv. Denial of service attacks (DoS) –as with the use of worms to clog a network, a DoS involves literring a network connection with so much garbage such that communication through the network becomes impossible. v. Impersonation/session hijacking – a person can pretend to be the legitimate user of the VoIP service. This happens when a hacker intercepts a call and redirects it to him/herself. This can be very dangerous since the hijacker can access sensitive information and use it to his/her advantage hence jeopardising a person’s business. Human based threats. i. Hackers – this refers to people ranging from children to organised criminals who intentioally attack a system’s weakness. These kinds of people usually spend a lot of time trying to penetrate systems and acquire vital information. Some of them do it for fun while others try to gain from it. ii. Insiders - this refers to people working within the organisation who have a lot of information about the organisation. These people can exchange this information for a token or can go sell it. iii. Former employees –these people can go on a vengeance spree and pose a great threat to an organsiation. Since they have knowledge of the internal operations of the organisation they can use their knowledge to gain from or attack the organisation. Technical vulnerabilities i. Software bugs - any type of software from the operating system to the applications can pose a risk. Errors in them can be manipulated to gain access to the system. ii. Incorrect configurations - networks have all their devices configured to certain settings or protocols. Whenever devices have incorrect configuration. Problems will most likely occur hence making the system very vulnerable to attacks. Human based vulnerabilities i. Inexperienced workers –having ambitious workers with little or no experience has proved to be disastrous when these ambitions go too far. These employees most often lead to massive losses by companies when they try too hard to get a promotion. ii. Distractions – with the policy of maximising on profits and minimising on expenses, people tend to be overworked and sometimes distractions will most likely occur. Whenever this happens sensitive information can be left lying open (Barnes, 2005). With all these threats and vulnerabilities, it will be important to enhance several security measures. Some of these measures include: a) Having physical security in place. b) Work management should be unified. c) Confirming user identity and ensuring security upto the user level. d) Encrypting all the data. e) Ensuring logical segregation. Conclusion Using VoIP can be both tricky and beneficial. Exploiting all options should be the main agenda in order to install the VoIP. There exist major risks that can bring a company down to its knees but also opportunities that can elevate it to the highest levels. VOIP’s major benefits include massive reduction in costs. It also allows business people to transact with people living in other parts of the world. It also allows other services not available in normal calling services such as video and audio conferencing. Sharing of data can also not be done with the POTS service. Installing the service will require extra vigilance since it has major security threats. The internet has lots of people with programs searching for weaknesses in all systems. Without the proper security in place, the VoIP service can be a nightmare since the losses can be immeasurable. Additionally, recovering from the losses can be the second nightmare since the systems may need to be replaced depending on the kind of attack they get. Vandalism may require new systems to be bought. Worms may need the replacement of the networking system. Spyware may need installation of new system software. Viruses in the system can lead to buying of new anti viruses. In conclusion, the use of VoIP has benefits equal to its disadvantages. Before installing the service the pros and cons should be weighed out. The organisation should identify the main aim of installing the service and should equip itself with methods of countering problems bound to be brought by the system. References Barnes, Z. (2005). Is Implemetation Of Voice Over Internet Protocol (Voip) More Economical For Businesses With Large Call Centers. Maryland: Bowie State University. Darwis, D. (2008). Implementation and Analysis of VoIP CPE Management System using TR- 069. (Student paper). KTH. Gareiss, R. (2008) VoIP: Challenges, Drivers, Hurdles and Recommendations. Network World. Gregory, H. (2006). VoIP Security for Dummies. New Delhi: Wiley Publishing. Mathiyalakan, S. (2006). VoIP Adoption: Issues & Concerns. IIMA , 6 (2): 62. Uys, L. (2005). “Voice over internet protocol (VoIP) as a communications tool in South African business”. Prod. Academic Journals, 3 (3): 089-094. Read More