| QUESTION & ANSWER |
Avoiding a VoIP security 'judgment day' |
 |
By Eric B. Parizo, News Editor
01 Mar 2005 | SearchEnterpriseVoice.com |
|
|
Some might argue that a VoIP security "judgment day" is unavoidable -- that only a large-scale, well-publicized information theft or network outage will raise awareness of just how dangerous it is to take voice network security lightly.
But David Endler, the first chairman of the newly created VoIP Security Alliance and director of security research for 3Com Corp. subsidiary TippingPoint Technologies Inc., doesn't buy it. SearchEnterpriseVoice.com spoke with Endler this week about his group's mission, what it takes to keep voice networks safe and why organized crime might soon be interested in VoIP attacks. What is the mission of the VoIP Security Alliance?
David Endler: Our mission is to become the central authority on VoIP security, and provide a repository of resources to raise awareness and educate the industry.
|
|
|
|
|
As soon as it becomes lucrative to launch those kinds of [VoIP] attacks, then you can expect to see a huge surge, similar to what happened in the realm of spyware.
David Endler
|
|
|
|
|
|
|
|
|
|
A year ago, when many of [TippingPoint's] customers were considering rolling out VoIP, we came to the conclusion that there wasn't a central place where someone could go and answer fundamental questions about VoIP security, specifically regarding best practices for secure deployment, configuration and network design.
Including vendors and other organizations, the group already has nearly 50 members. What's at the top of your agenda?
Endler: In the near term, we want to educate people on fundamental security strategies to apply on their voice networks, and apply best practices on a vendor-neutral basis. In the next year or two, we're going to see an explosion in VoIP deployments, and as the accessibility and popularity of any particular technology grows, the potential threats increase. It was the same with Wi-Fi. You'll have attackers who have a bigger sandbox for playing with this technology. We'll see a rise from the elite few who know what they're doing to massive groups of "script kitties."
With so many VoIP vendors and so many kinds of implementations, is it possible to foster industry-wise security best practices among vendors?
Endler: I think so. In fact, I think you'll find that, because so many of the vendors are involved with this project, it'll be vendor neutral. I think there are some general recommendations that people can apply regardless of their specific architecture. Things like a threat taxonomy that identifies what the real threats are, testing tools and methodologies, and configuration checklists for network design.
Is it possible to raise VoIP security awareness, or must a successful high-profile VoIP attack happen first?
Endler: It's only a matter of time before tools are released to exploit certain VoIP networks, and there are already a variety of vulnerabilities that affect the infrastructure components that VoIP systems use, like servers and routers. We want to raise the bar when it comes to those best practices so that the necessary security requirements are met.
|
|
|
|
|
When you get a call on your Caller ID, it may look like a call from your bank when it's really someone trying to get your personal information.
David Endler
|
|
|
|
|
|
|
|
|
|
Are there specific kinds of VoIP network attacks that will become more common over time?
Endler: Quite frankly, the most prevalent threats to VoIP are the same threats that endanger the data network, but in some cases those threats can take on an increased impact. For instance, if your data network is under a DoS attack, your systems can have a slower-than-normal response. If a call center is under attack, it may mean that a 911 call is hard to hear because of latency, or might not go through at all. But over time you'll see attacks specific to VoIP applications, like caller spoofing, toll fraud, call hijacking and call redirection.
When will that be?
Endler: As soon as it becomes lucrative to launch those kinds of attacks, then you can expect to see a huge surge, similar to what happened in the realm of spyware. It's become a hugely lucrative enterprise for organized crime, and there are tools and templates for rolling out new threats and convincing people to load malicious apps on the desktop. Eventually, you'll see auto-generated toolkits that let people make free phone calls.
Or, in terms of social engineering, you see a sort of phishing but in a voice manner. When you get a call on your Caller ID, it may look like a call from your bank when it's really someone trying to get your personal information. Or if someone calls you and asks you for your password and the call looks like it's from your IT group, you're more likely to give out that information. The infrastructure for these kinds of exploits is just starting to get rolled out.
Most of the major VoIP vendors have already signed on, although one notable exception is Cisco Systems. Has Cisco been approached about joining?
Endler: Absolutely, and it's considering how it wants to be involved. There are a lot of groups that have been invited and are shopping it around for approval within their organizations. Typically, we'll get the technical point of contact excited, but he needs to wait around for the final authority from the mothership.
((Content component not found.)) Can any particular protocol -- like Session Initiation Protocol or H.323 -- make an enterprise more vulnerable?
Endler: Part of the problem in that question is that the state of security research around VoIP is very young. It's at the tip of the iceberg. There's been some research done that's uncovered vulnerabilities in SIP and H.323 that were publicized two or three years ago, but surely there will be many more things to come. But it all depends on how vendors implement those protocols. It's not the protocols that are vulnerable, it's how vendors choose to implement them.
Finally, what will the organization focus on during the next few months?
Endler: This week we're electing committee chairs for various groups such as research, best practices and community outreach, and within another week we'll issue a general call for participation in our near-term projects. We'll know exactly what those are after the elections.
This interview originally appeared on SearchEnterpriseVoice.com.
|
|
|
|
