How VoIP Providers Can Improve Their Security
Security From Both Ends
VoIP security is fast becoming a hot topic because of VoIP's rapid rate of adoption. With all forecast models pointing to an increase in VoIP usage over the next few years, it's a fair bet that these concerns are only set to increase. For now, though, customers and VoIP providers are only just beginning to pay real attention to VoIP security. Few ITSPs (Internet telephony service providers) currently advertise their protection against various attacks, including the prevention of eavesdropping.
But security requires effort from both ends: the providers themselves can only do so much to ensure that the underlying technology and architecture are secure. Customers also need to be educated about the threats, and organizations can enforce certain policies that will dramatically reduce the chances of someone misusing their communications infrastructure.
In some instances, the ITSPs can enforce these policies, but customers aren't very tolerant of such measures, and this might lead to some dissatisfaction. However, a proper explanation of the risks involved will probably get them on board. Let's take a look at some of the measures an ITSP can take regarding VoIP security and whether or not full encryption is needed to ensure complete protection.
Without a doubt, the single most important security measure a VoIP user can take is to have a strong password that is changed regularly. If a SIP proxy server can be 100% sure that a user connecting to it is actually who they're supposed to be, then we can cut down on almost all VoIP hacking that relies on breaking into the VoIP server itself. Unfortunately, many people don't even bother changing the default passwords, and even if they do, they choose passwords that are open to dictionary attacks or can be easily guessed.
Even if a VoIP line is unencrypted, we can easily hash the password and send the hash instead, so a man-in-the-middle attack gains nothing by intercepting the hash code. These are usually one-way hashes, so you can't recreate the hash without knowing the original passcode. But at the ITSP's end, without proper encryption of both the signalling and the media, it can be possible for a person to listen in on VoIP conversations without actually attempting to hack anything.
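As an added illustration (not from the original article), the sketch below shows the hashed-password exchange in the form SIP normally uses, HTTP digest authentication (RFC 2617, as adopted by RFC 3261), where the hash is bound to a server-issued nonce so an intercepted response cannot be replayed. It goes slightly beyond the text by including the nonce; the `Registrar` class, realm, user name and passphrase are constructed for the example.

```python
import hashlib
import hmac
import secrets

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class Registrar:
    """Hypothetical SIP registrar that issues single-use nonces."""
    def __init__(self, realm: str):
        self.realm = realm
        self.ha1_by_user = {}      # HA1 is stored, never the cleartext password
        self.outstanding = set()   # nonces issued but not yet used

    def add_user(self, username: str, password: str) -> None:
        self.ha1_by_user[username] = md5_hex(f"{username}:{self.realm}:{password}")

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response) -> bool:
        if nonce not in self.outstanding:
            return False           # unknown or already used nonce: replay rejected
        self.outstanding.discard(nonce)
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None:
            return False
        expected = digest_response(ha1, method, uri, nonce)
        return hmac.compare_digest(expected, response)  # constant-time comparison

def demo():
    realm, uri = "voip.example.test", "sip:voip.example.test"  # constructed values
    reg = Registrar(realm)
    reg.add_user("alice", "constructed-sample-passphrase")
    nonce = reg.challenge()
    client_ha1 = md5_hex(f"alice:{realm}:constructed-sample-passphrase")
    captured = digest_response(client_ha1, "REGISTER", uri, nonce)  # what crosses the wire
    accepted = reg.verify("alice", "REGISTER", uri, nonce, captured)
    replay_old = reg.verify("alice", "REGISTER", uri, nonce, captured)
    replay_new = reg.verify("alice", "REGISTER", uri, reg.challenge(), captured)
    return accepted, replay_old, replay_new
```

`demo()` returns `(True, False, False)`: the legitimate registration succeeds and both replays of the captured hash fail. The digest only stops replay; its strength still rests on the password, and it does nothing for the confidentiality of signalling or media.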
So encryption and password management are key on the ITSP's side and the customer's end respectively. A company providing scalable hosted VoIP servers has the technical expertise to encrypt traffic to and from the customer, for whom the switch to hosted PBX should be more secure than the regular PSTN line.