Consider Security When Implementing Voice Over IP At Your Institution

If your institution is considering a move to “Voice over Internet Protocol” (VoIP) phone systems, you’ve already been doing some research on the subject. VoIP is on its way to becoming the default technology choice for many financial institutions’ voice services, maintaining call quality and ensuring security still present many challenges. While other businesses can easily move their phone systems over to this cost-saving technology, financial institutions must realize there’s a great deal of work that must be done before implementing VoIP.

Maintaining a balance of service and security is important, said Juan Deaton, Cellular Systems Engineer at the Idaho National Lab's Next Generation Wireless Test Bed. “The emphasis for financial institutions needs to be on security, then quality of service, because VoIP introduces a great many new vulnerabilities to your network.” Deaton added the increased vulnerabilities opens the institutions to possible “man-in-the-middle attacks” where hackers would be able to eavesdrop on

customer calls, and capture account information.

Both the National Institute of Standards and Technology and the FDIC have issued information regarding VoIP technology and the security implications that should be considered prior to implementation. Institutions need to research the regulations regarding VoIP and any record retention rules. Keep in mind these may be different from regular phone systems.

Financial institutions contemplating the use of VoIP technology should consider the following best practices:

Ensure that the institution has examined and can acceptably manage and mitigate the risks to information, systems operations and continuity of essential operations when implementing VoIP systems.

Assess the level of concern about security and privacy. If warranted and practical, do not use “softphone” systems, which implement VoIP using an ordinary PC with a headset and special software.

Carefully review statutory requirements for privacy and record retention with competent legal advisors.

Develop appropriate network architecture.

Use VoIP-ready firewalls and other appropriate protection mechanisms. Financial institutions should enable, use and routinely test security features included in VoIP systems.

Properly implement physical controls in a VoIP environment.

Evaluate costs for additional backup systems that may be required to ensure continued operation during power outages.

Consider the need to integrate mobile telephone units with the VoIP system. If the need exists, consider using products implementing WiFi Protected Access (WPA), rather than Wired Equivalent Privacy (WEP).

Give special consideration to emergency service communications. Automatic location services are not always as available with VoIP as they are with phone calls made through the PSTN. (from “Guidance on the Security Risk of VoIP” issued by FDIC.

Nine best practices cited by NIST were included in the same FDIC document. NIST noted that “the integration of voice and data in a single network, establishing a secure VoIP and data network is a complex process that requires greater effort than that required for data-only networks.” Click here to read NIST'sNine Best Practices

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.