Safety in numbers

By Bob Francis

A basic tenet of computer security should be, "Be proactive." It's the computer equivalent of putting your wallet in a safe place before going out on the town.

That's true on an individual level, and it's also true on a group level. So it's probably a good thing that a group has formed to come up with security priorities for VOIP.

The newly formed VOIP Security Alliance (VOIPSA) includes industry heavyweights such as Nortel Networks Corp., VeriSign Inc., and Verizon Communications Inc., along with security companies such as Tipping Point, a 3Com Corp. company that provides IPSes. Not every company involved with VOIP is a member. For instance, Cisco is not a member.

The group has a couple of priorities, including classifying different threats to VOIP and establishing best practices for VOIP vendors. According to David Endler, VOIPSA chairman and director of security research at Tipping Point, the group hopes to be a resource for VOIP users and the industry.

"I think we've seen plenty of security issues come to the fore anytime a new technology starts to take off. Our purpose is not to be a standards organization but to offer some guidelines to the industry to head off problems," Endler said.

Endler added that VOIP networks and computer networks face some of the same problems such as DoS attacks. "That could devastate an organization if a DoS attack hit a company's servers," Endler said.

Of course, the group's members are interested in selling more VOIP equipment and services, but Endler says in this case the needs of the vendors and of the users dovetail nicely. "Companies are not going to deploy VOIP throughout their organization if they are not convinced it is a secure solution," he said.

He's probably right. Certainly it is better to take action early in the growth of a technology rather than waiting until the technology has already been deployed. That would be the "closing the barn door after the horse has left" approach.

But that is sort of the approach taken by the Fingerprint Sharing Alliance (FSA), which plans to share information on individuals responsible for online attacks. The FSA, which includes network heavyweights such as British Telecom PLC, Cisco Systems Inc., EarthLink Inc., MCI Inc., and NTT Corp., plans to automate the sharing of information about individuals and groups that attack networks.

In a typical network attack, an individual or group will attempt to find a vulnerability in one network. If they are blocked, they move on to another network, and so on. If the alliance automates the process of sharing information on attacks, the individual or group doing the malicious handiwork may be quickly blocked from other networks, leaving them high and dry.

I think these two alliances demonstrate at least one thing: Computer security is impacting IT operations at both vendor companies and their customers. It is also further demonstration of something that several security experts have been saying for some time: Most new computer security threats are coming from organized-crime groups looking to do more than just get a grin from knocking out a large company's network.

Just because these various companies have formed alliances does not mean they can stop security threats, but it should give them a little more leverage. At least they know they have put their wallet in a safe place.