Group seeks to bolster VoIP security

By Bill Brenner, News Writer 25 Oct 2005 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Security experts have long lamented that enterprise Voice over Internet protocol (VoIP) rollouts are outpacing efforts to harden the technology against thieves, hackers and fraudsters. There has also been little consensus on how to define VoIP-specific threats and develop best practices to fight them.

But one industry group hopes to at least solve the latter problem with a new 36-page .pdf document outlining a threat taxonomy users, vendors, carriers, law enforcement agencies and legislators can use to make the technology more secure.

The document was released Monday by the Voice over IP Security Alliance (VOIPSA). The global organization was formed in February to "find and mitigate VoIP security risks through testing, research and education so that VoIP technology can thrive and propagate," according to its Web site.

Jonathan Zar, senior director of Sunnyvale, Calif.-based SonicWall Inc. and secretary of VOIPSA, said the document is important because it provides a foundation for all future discussions on VoIP security that are both technically and socially informed.

"This gives enterprises, designers and carriers a clear and common understanding of what the problems are, how they might be measured and how they can be dealt with," Zar said. "The idea is also to bring law enforcement, legislators and technologists together on the same page and get them to speak the same language."

Specifically, Zar said, the taxonomy document offers:

• Core definitions that give specific meaning to privacy and security;
• A framework to connects public policy and technology issues;
• Recognition that the human element in threats is distinct from their technical means;
• Specific sets of issues for consideration by legislative bodies and by law enforcement; and
• A detailed structure for technical vulnerabilities across the value chain.

VOIPSA also announced Monday that its membership now exceeds 100 companies and institutions around the world "that represent the entire value chain for VoIP." Zar said members include major carriers, software companies, equipment vendors, large users and system integrators. New members include Juniper Networks Inc., Nokia Corp., Deloitte & Touche USA LLP. and BearingPoint Inc. The group has also unveiled a new Web site with expanded membership services.

Examples of VOIPSA's threat taxonomy
Here are some of the definitions VOIPSA uses to describe the threats users face:

Call-pattern tracking is the unauthorized analysis of traffic to or from any node or collection of nodes on the network. This technique enables unauthorized conduct such as theft, extortion and deceptive practices like phishing.

Traffic capture is the unauthorized recording of traffic by any means and includes packet recording, packet logging and packet snooping. Traffic capture is a basic method for recording a communication without the consent of all the parties.

Number harvesting is an unauthorized means of capturing identity and enabling subsequent unauthorized communication, theft of information and other deceptive practices.

Conversation reconstruction is a technique for collecting, duplicating or extracting information on the audio content of a conversation without the consent of all parties to the communication.

Voicemail reconstruction is any unauthorized monitoring, recording, storage, reconstruction, recognition, interpretation, translation, and/or feature extraction of any portion of any voice mail message.

Call black holing is any unauthorized method of dropping, absorbing or refusing to pass IP or other essential elements in any VoIP transmission. This can be used to prevent or terminate a communication. Call black holing is defined to include any VoIP protocol for any form of communication, whether voice only or converged with other media, including video, text and images.

Call rerouting or call sinkholing is any unauthorized method used to redirect an IP signal or other essential element of any VoIP transmission to divert communication. When authorized, call rerouting may also be used as a defensive technique against attack or an enabler for other services.

Fax alteration is any unauthorized modification of any of the information in a facsimile or other document image, including header, cover sheet, status and/or confirmation data.

Conversation alteration is any unauthorized modification of information in the audio, video and/or text portion of any communication, including identity, status or presence information.

Conversation impersonation and hijacking is the injection, deletion, addition, removal, substitution, replacement or other modification of any portion of any communication with information that alters any of its content and/or the identity, presence or status of any of its parties.

False caller identification is the signaling of an untrue identity or presence.

This article originally appeared on SearchSecurity.com, a sister site of SearchSMB.com.

Tags: Risk management for the midmarket,  Security tools for the midmarket,  VoIP and unified messaging for the midmarket,  Information security management for the midmarket,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Risk management for the midmarket Information security program revamp adds outsourcer oversight and more From data breaches to risk management frameworks: Test your knowledge Adopting a beta tool: Risks vs. rewards for a midsized enterprise The challenge of managing risk when IT budgets tighten Why cybersecurity awareness is everyone's responsibility How to decide if changing technology vendors is worth the time, risk A guide to managing the risk assessment process Free risk management tools and resources for the enterprise CIOs taking risk of cutting vendor maintenance contracts to save money 10 must-have steps for an effective SMB information security program Security tools for the midmarket Why CIOs need to get real about identity and access management in 2010 Free risk management tools and resources for the enterprise IT security spending a bright spot in '09, with more growth predicted Security and risk management in the midmarket Identity and access management planning guide for the midmarket A CIO's advice for implementing single sign-on solutions Options for outsourcing security grow, offer IT budget savings Network access control: Pointers for getting the knack of NAC Unified communications: Securing access to OCS Unified communications security: How safe is it? VoIP and unified messaging for the midmarket Midmarket data center management guides: Tips and best practices FAQ: What is unified communications, and why would I want it? Mobile unified communications options for the midmarket Fixed-mobile convergence saves firms costly mobile phone charges Unified communications plans should tap CIO CIOs grapple with tying Wi-Fi, VoIP into unified communications plan Unified communications: Savvy business move or security meltdown? Unified communications: Securing access to OCS Unified communications security: How safe is it? CIO Joseph Edward: In-house app ties parishes together

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary