MSIT 458 Information Security and Assurance - PowerPoint PPT Presentation

Slides: 24
Provided by: csNorth

Transcript and Presenter's Notes



1
MSIT 458 Information Security and Assurance
VoIP Xeon Group
Rohit Bhat, Ryan Hannan, Alan Mui, Irfan Siddiqui
2
VOIP
  • What is VoIP?
  • Business Security Concerns
  • Security Threats
  • Security Measures
  • Cost/Risk Analysis
  • Legal Consequences

3
What is VOIP?
  • Protocol optimized for the transmission of voice
    through the Internet or other packet switched
    networks
  • Also referred to as IP telephony, Internet
    telephony, voice over broadband, broadband
    telephony, and broadband phone.

4
How fast is VoIP growing?
  • Per a study conducted by IBISWorld
  • The industry is forecast to experience the largest
    revenue growth in the telecommunications sector
    over the next five years, at an annual growth
    rate of 25%.
  • Business subscriptions will grow by 44%, compared
    with consumer subscription growth of 21%.

5
How fast is VoIP growing?
  • Per a study conducted by IBISWorld
  • U.S. will have 25 million paying VoIP customers
    by 2012.
  • Total industry revenues in 2008 are forecast at
    3.2 billion, reaching 5 billion by 2012.

6
Business Concerns
  • Integrity: Voice quality should be excellent
  • Availability: User needs dial-tone 365/24/7
  • Confidentiality: All communication should remain
    confidential
  • Authenticity: Valid service subscribers should
    be able to access the service provider's network
  • Federal and State regulatory compliance

7
Security Threats
Configuration weaknesses in VoIP devices and
underlying operating systems can enable denial of
service attacks, eavesdropping, voice alteration
(hijacking) and toll fraud (theft of service),
all of which can result in the loss of privacy
and integrity. Unscrupulous telemarketers could
use VoIP (via soft PC based phones) to access
customer credit and privacy details.
8
Security Threats
Today, the biggest VoIP-related security threats
are inside a company's firewall, such as changing
a configuration setting to make the CEO's phone
ring at a disgruntled employee's desk.
Eavesdropping is another potential problem.
9
Security Threats
  • Launch a Denial of Service attack by placing a
    large number of calls, either as an authorized or
    unauthorized user, to flood the network.
  • SPIT (spam over Internet telephony or VOIP):
    advertising that appears in a VoIP voice mailbox.

10
Security Threats
Vishing, the process of persuading users to
divulge personal information such as Social
Security and credit card numbers. Attackers can
"spoof" the caller ID that users see to make the
call appear to come from a legitimate
organization.
11
Security Measures
  • Bolster encryption by encoding and decoding
    information securely, both the conversation and
    the call numbers.
  • Encrypt VoIP communications at the router or
    other gateway, not at the individual endpoints.
    Since some VoIP telephones are not powerful
    enough to perform encryption, placing this burden
    at a central point ensures all VoIP traffic
    emanating from the enterprise network will be
    encrypted.

12
Security Measures
  • IP Phone must register to make phone calls.
  • When a phone tries to register, the registrar
    sends a challenge.
  • Phone correctly encrypts the challenge, digital
    certificate from phone manufacturer, and Media
    Access Control (MAC) address.
  • Manufacturer certificate cannot be forged because
    it is burnt into the phone's non-volatile RAM and
    cannot be retrieved.
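
The registration exchange on this slide, as an added example that is not part of the original slides. It assumes an HMAC over a per-device secret as a stand-in for the manufacturer certificate so that it runs on the standard library alone; the class, function and key names are hypothetical.

```python
import hashlib
import hmac
import secrets

class Registrar:
    """Challenges a phone and checks its keyed response before registering it."""

    def __init__(self, provisioned):
        self.provisioned = provisioned   # MAC address -> device secret (stand-in for the certificate key)
        self.pending = {}                # MAC address -> outstanding challenge

    def challenge(self, mac):
        nonce = secrets.token_bytes(16)  # fresh, unpredictable challenge
        self.pending[mac] = nonce
        return nonce

    def register(self, mac, response):
        nonce = self.pending.pop(mac, None)   # each challenge is usable once
        key = self.provisioned.get(mac)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce + mac.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def phone_response(device_key, mac, nonce):
    """Phone side: bind the challenge to this device's MAC address."""
    return hmac.new(device_key, nonce + mac.encode(), hashlib.sha256).digest()

def demo():
    # Constructed MAC address and secret, for illustration only.
    mac, key = "00:11:22:33:44:55", b"constructed-device-secret"
    reg = Registrar({mac: key})
    good = phone_response(key, mac, reg.challenge(mac))
    first = reg.register(mac, good)          # genuine phone registers
    replayed = reg.register(mac, good)       # captured response, challenge already used
    nonce2 = reg.challenge(mac)
    forged = reg.register(mac, phone_response(b"wrong-secret", mac, nonce2))
    return first, replayed, forged

if __name__ == "__main__":
    print(demo())
```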

13
Security Measures
  • Separate VoIP network from data network by
    logically segregating the voice and data networks
    using vLAN-capable switches.
  • Don't allow interaction between
    Internet-connected PCs and VoIP components.

14
Security Measures
  • Install an Intrusion Prevention System (IPS) at
    the network's perimeter to scan for known
    signatures while blocking or allowing traffic
    based on application content rather than IP
    addresses or ports. An IPS can dynamically
    modify firewall rules or terminate a network
    session when necessary.

15
Security Measures
Session Border Controllers (SBC) prevent someone
(most likely a computer program) from generating
an abnormal number of calls from a legitimate VoIP
account within a threshold period. A violation
of the threshold policy rule suspends additional
call placement from an account for a specified
period of time. A session key is maintained for
the whole of the conversation for security and
encryption purposes.
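
The threshold policy described on this slide, as an added example that is not part of the original slides or any SBC product's code. The limits (3 calls per 10 seconds, 60 second suspension), the account names and the call times are constructed.

```python
from collections import defaultdict, deque

class CallRateLimiter:
    """Per-account call threshold with suspension, as an SBC policy might apply it."""

    def __init__(self, max_calls, window_s, suspend_s):
        self.max_calls = max_calls      # calls allowed per threshold period
        self.window_s = window_s        # length of the threshold period (seconds)
        self.suspend_s = suspend_s      # how long a violating account is suspended
        self.recent = defaultdict(deque)    # account -> times of admitted calls
        self.suspended_until = {}           # account -> time the suspension ends

    def admit(self, account, now):
        """Return 'allow', 'suspend' (threshold just violated) or 'blocked'."""
        if now < self.suspended_until.get(account, 0):
            return "blocked"
        calls = self.recent[account]
        while calls and now - calls[0] >= self.window_s:
            calls.popleft()             # forget calls outside the window
        if len(calls) >= self.max_calls:
            self.suspended_until[account] = now + self.suspend_s
            calls.clear()
            return "suspend"
        calls.append(now)
        return "allow"

# Constructed call attempts: (time in seconds, account). Not real traffic.
SAMPLE_CALLS = [(0, "alice"), (1, "alice"), (2, "alice"), (3, "alice"),
                (4, "alice"), (5, "bob"), (30, "alice"), (50, "bob"), (64, "alice")]

def replay(calls, max_calls=3, window_s=10, suspend_s=60):
    limiter = CallRateLimiter(max_calls, window_s, suspend_s)
    return [limiter.admit(account, t) for t, account in calls]

if __name__ == "__main__":
    for (t, account), decision in zip(SAMPLE_CALLS, replay(SAMPLE_CALLS)):
        print(f"t={t:>3}s {account:<6} {decision}")
```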
16
Security Measures
  • Implement a voice-aware (VoIP-ready) firewall,
    which is optimized for voice, allowing the opening
    of ports only when a connection must be
    established. Stateful packet inspection can be
    used to drop attack packets because they are not
    part of an authenticated connection.
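
How a voice-aware firewall opens media ports only for the life of a call, as an added example that is not part of the original slides. It is a simplified model: signalling is assumed to be authenticated before it reaches this code, only the destination address and port are matched, and the class name, Call-ID and SDP body are constructed.

```python
import re

class VoiceAwareFirewall:
    """Tracks media pinholes opened by call signalling (simplified model)."""

    def __init__(self):
        self.pinholes = {}   # Call-ID -> set of (ip, port) allowed to receive media

    def on_signalling(self, call_id, method, sdp=""):
        """Process signalling that has already been authenticated upstream."""
        if method == "BYE":
            self.pinholes.pop(call_id, None)     # call over: close its ports
            return
        # Read the negotiated media endpoint from the SDP body.
        addr = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
        port = re.search(r"^m=audio (\d+) ", sdp, re.M)
        if addr and port:
            endpoint = (addr.group(1), int(port.group(1)))
            self.pinholes.setdefault(call_id, set()).add(endpoint)

    def allow_media(self, dst_ip, dst_port):
        """Admit a media packet only if it targets an open pinhole."""
        return any((dst_ip, dst_port) in ends for ends in self.pinholes.values())

# Constructed SDP body offered by an internal phone (documentation address range).
SAMPLE_SDP = "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n"

def demo():
    fw = VoiceAwareFirewall()
    results = [fw.allow_media("192.0.2.10", 49170)]        # before any call: drop
    fw.on_signalling("call-1", "INVITE", SAMPLE_SDP)
    results.append(fw.allow_media("192.0.2.10", 49170))    # negotiated port: pass
    results.append(fw.allow_media("192.0.2.10", 49172))    # other port: drop
    fw.on_signalling("call-1", "BYE")
    results.append(fw.allow_media("192.0.2.10", 49170))    # after hang-up: drop
    return results

if __name__ == "__main__":
    print(demo())
```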

17
Security Measures
  • In order to mitigate the latency issues caused by
    security measures, add QoS to all devices
    processing the calls, i.e. turn on this feature
    on the service provider's data switch and the
    data router, as opposed to a phone switch located
    within the subscriber's LAN where the call
    terminates.

18
A look at the VoIP infrastructure
19
Security Threat to Come
  • A lot of the security measures taken today are
    based on experience with restricting access to
    data networks.
  • To date, no virus has been reported that
    specifically infects VoIP packets. However,
    one will come without a doubt.

20
Cost/Risk Analysis
Cost/risk analyses vary from industry to industry
and business to business. The best judgment of
risk exposure is a collective assessment of both
immediate and future monetary losses to an
organization. Organizations today can utilize
research-based calculators for estimating the
potential cost of a data security breach for any
number of 'at risk' records. The same concept can
be applied to VoIP.
21
Cost/Risk Analysis
A sample identity theft or data breach cost
calculator can be found at
www.IdentityTheftAmerica.com/databreachcalculator.asp
22
Legal Consequences
Businesses need to be aware that the laws and
rulings governing interception or monitoring of
VoIP lines, and retention of call records, may
differ from those of conventional telephone
systems. These issues should be reviewed with
legal advisers. Virus attacks delivered through
use of VoIP services, such as Skype, may not be
held accountable.
23
VoIP Security
Questions?