The State of VoIP Security, a.k.a. “Does Anyone Really Give A _____ About VoIP Security?”

Does anyone really care about VoIP security? Why should they? What are the main issues? At the 2011 Real-Time Communications Conference sponsored by the Illinois Institute of Technology (IIT), Dan York spoke about all these questions and gave a view of the overall state of the industry.

A video recording of the Oct 5, 2011, session will be available at http://www.voipsa.org/blog/ when it is ready.


  1. The State Of VoIP Security, a.k.a. “Does Anyone Really Give A _____ About VoIP Security?” Dan York, CISSP, Chair, VoIP Security Alliance, October 5, 2011
  2. © 2011 VOIPSA http://www.flickr.com/photos/willpate/46488553/
  3. Does Anyone Really Give A _____ About VoIP Security?
  4. Does Anyone Really Give A _____ About VoIP Unified Communications Security?
  5. Technical Solutions
  6. Widely Deployed
  7. TLS-Encrypted SIP
  8. Secure RTP (SRTP)
  9. MORE Secure Than PSTN
  10. http://www.flickr.com/photos/mattblaze/2275723713/
  11. MORE Secure Than Ever Before
  12. Almost All Vendors Have Support
  13. Almost All Customers Don’t Turn It On
  14. Why Not?
  15. Complexity
  16. Fingerpointing, a.k.a. “One Throat To Choke” (diagram labels: PSTN PBX Gateways Physical Voicemail Wiring)
  17. Fingerpointing - 2011 (diagram labels: Mobile Devices IM Application Internet Servers Networks Operating Systems PSTN IP-PBX Gateways VoIP Web IP Social Firewalls Servers Network Networks Physical Directory Voicemail Wiring Servers Desktop Email PCs Database Servers CRM Servers Systems Session Border Controllers)
  18. “UC”
  19. Debugging
  20. Turn It Back On?
  21. SIP Is So Simple, Right?
  22. Riiiiiigggghhhttt… (Fingerpointing Redux)
  23. Evolution
  24. The Old Boys’ Club (diagram labels: PSTN, Carrier ×7)
  25. The Wild West… (diagram labels: PSTN, ITSP repeated many times) © 2010 VOIPSA and Owners as Marked
  26. Evolution of Attacks
  27. DoS
  28. DDoS
  29. Fraud
  30. If 1 Is Good, Why Not 3?
  31. Geography
  32. Internet LAN
  33. (diagram labels: PC UC System Firewall Internet Home Firewall IP Corp HQ Phone Home)
  34. (diagram labels: Laptop UC client WiFi UC System Firewall Internet Café Router Corp HQ Mobile Data Network Mobile UC client)
  35. (diagram labels: Corporate Internet Network IVR Voicemail IM IM IM Presence Presence Presence Call Call Call Control Control Control Conferencing Corp HQ Office A Office B PSTN)
  36. (no slide text)
  37. Benefits (for us… and for attackers)
  38. DDoS (the old-fashioned kind) (Asterisk & Amazon EC2, anyone?)
  39. SPIT (“SPam for Internet Telephony”) SPAM
  40. Complexity
  41. Fingerpointing - 2011 (diagram repeated from slide 17)
  42. The Device Formerly Known As A “Phone”
  43. Mobility
  44. RTCWEB / WebRTC
  45. Complexity
  46. Fingerpointing - 2011 (diagram repeated from slide 17)
  47. Interoperability
  48. “The Hitchhiker’s Guide To SIP”
  49. Forgotten Simple Things
  50. Biggest Financial Threat?
  51. Toll Fraud
  52. IT Security 101
  53. PIN = “1234”
  54. Password = “password”
  55. Default password list
  56. VoIP = bits
  57. IT Security 101
  58. Does Anyone Really Give A _____ About VoIP Security?
  59. WHEN Will They Care?
  60. EVENT
  61. Identity Theft
  62. Celebrity
  63. Trusted Leader
  64. “VoIP Is Insecure!!!”
  65. “Stupidly deployed VoIP Is Insecure!!!”
  66. “VoIP Is Insecure!!!”
  67. Cover Your ____
  68. SOLUTIONS?
  69. IT Security 101
  70. Audit, Audit, Audit
  71. Enable What You Have
  72. Interoperability
  73. www.sipit.net
  74. Identity
  75. Simplicity
  76. Fabric
  77. Air
  78. (no slide text)
  79. Secure By Default
  80. Education
  81. What is the Industry Doing to Help? Security Vendors: “The Sky Is Falling!” (Buy our products!) VoIP Vendors: “Don’t Worry, Trust Us!” (Buy our products!)
  82. www.voipsa.org/Resources/tools.php
  83. Security Links
      • VoIP Security Alliance - http://www.voipsa.org/
        – Threat Taxonomy - http://www.voipsa.org/Activities/taxonomy.php
        – VOIPSEC email list - http://www.voipsa.org/VOIPSEC/
        – Weblog - http://www.voipsa.org/blog/
        – Security Tools list - http://www.voipsa.org/Resources/tools.php
        – Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com
      • NIST SP800-58, “Security Considerations for VoIP Systems”
        – http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
      • Network Security Tools
        – http://sectools.org/
      • Hacking Exposed VoIP site and tools
        – http://www.hackingvoip.com/
      • Seven Deadliest Unified Communications Attacks
        – http://www.7ducattacks.com/
  84. Thank You For Giving A _____
  85. Thank you! Q & eh? www.voipsa.org 7ducattacks.com Dan York - dan.york@voipsa.org +1-802-735-1624 DisruptiveTelephony.com danyork.com blueboxpodcast.com twitter.com/danyork
