
The State of VoIP Security, a.k.a. “Does Anyone Really Give A _____ About VoIP Security?”


Does anyone really care about VoIP security? Why should they? What are the main issues? At the 2011 Real-Time Communications Conference sponsored by the Illinois Institute of Technology (IIT), Dan York spoke about all these questions and gave a view of the overall state of the industry.

A video recording of the Oct 5, 2011, session will be available at http://www.voipsa.org/blog/ when it is ready.


  1. The State Of VoIP Security, a.k.a. “Does Anyone Really Give A _____ About VoIP Security?” Dan York, CISSP, Chair, VoIP Security Alliance, October 5, 2011
  2. © 2011 VOIPSA http://www.flickr.com/photos/willpate/46488553/
  3. Does Anyone Really Give A _____ About VoIP Security?
  4. Does Anyone Really Give A _____ About VoIP Unified Communications Security?
  5. Technical Solutions
  6. Widely Deployed
  7. TLS-Encrypted SIP
  8. Secure RTP (SRTP)
  9. MORE Secure Than PSTN
  10. http://www.flickr.com/photos/mattblaze/2275723713/
  11. MORE Secure Than Ever Before
  12. Almost All Vendors Have Support
  13. Almost All Customers Don’t Turn It On
  14. Why Not?
  15. Complexity
  16. Fingerpointing, a.k.a. “One Throat To Choke” PSTN PBX Gateways Physical Voicemail Wiring
  17. Fingerpointing - 2011 Mobile Devices IM Application Internet Servers Networks Operating Systems PSTN IP-PBX Gateways VoIP Web IP Social Firewalls Servers Network Networks Physical Directory Voicemail Wiring Servers Desktop Email PCs Database Servers CRM Servers Systems Session Border Controllers
  18. “UC”
  19. Debugging
  20. Turn It Back On?
  21. SIP Is So Simple, Right?
  22. Riiiiiigggghhhttt… (Fingerpointing Redux)
  23. Evolution
  24. The Old Boys’ Club [diagram labels: Carrier (repeated), PSTN]
  25. The Wild West… [diagram labels: ITSP (repeated), PSTN] © 2010 VOIPSA and Owners as Marked
  26. Evolution of Attacks
  27. DoS
  28. DDoS
  29. Fraud
  30. If 1 Is Good, Why Not 3?
  31. Geography
  32. Internet LAN
  33. PC UC System Firewall Internet Home Firewall IP Corp HQ Phone Home
  34. Laptop UC client WiFi UC System Firewall Internet Café Router Corp HQ Mobile Data Network Mobile UC client
  35. Corporate Internet Network IVR Voicemail IM IM IM Presence Presence Presence Call Call Call Control Control Control Conferencing Corp HQ Office A Office B PSTN
  36. © 2011 VOIPSA
  37. Benefits (for us… and for attackers)
  38. DDoS (the old-fashioned kind) (Asterisk & Amazon EC2, anyone?)
  39. SPIT (“SPam for Internet Telephony”) SPAM
  40. Complexity
  41. Fingerpointing - 2011 Mobile Devices IM Application Internet Servers Networks Operating Systems PSTN IP-PBX Gateways VoIP Web IP Social Firewalls Servers Network Networks Physical Directory Voicemail Wiring Servers Desktop Email PCs Database Servers CRM Servers Systems Session Border Controllers
  42. The Device Formerly Known As A “Phone”
  43. Mobility
  44. RTCWEB / WebRTC
  45. Complexity
  46. Fingerpointing - 2011 Mobile Devices IM Application Internet Servers Networks Operating Systems PSTN IP-PBX Gateways VoIP Web IP Social Firewalls Servers Network Networks Physical Directory Voicemail Wiring Servers Desktop Email PCs Database Servers CRM Servers Systems Session Border Controllers
  47. Interoperability
  48. “The Hitchhiker’s Guide To SIP”
  49. Forgotten Simple Things
  50. Biggest Financial Threat?
  51. Toll Fraud
  52. IT Security 101
  53. PIN = “1234”
  54. Password = “password”
  55. Default password list
  56. VoIP = bits
  57. IT Security 101
  58. Does Anyone Really Give A _____ About VoIP Security?
  59. WHEN Will They Care?
  60. EVENT
  61. Identity Theft
  62. Celebrity
  63. Trusted Leader
  64. “VoIP Is Insecure!!!”
  65. “Stupidly deployed VoIP Is Insecure!!!”
  66. “VoIP Is Insecure!!!”
  67. Cover Your ____
  68. SOLUTIONS?
  69. IT Security 101
  70. Audit, Audit, Audit
  71. Enable What You Have
  72. Interoperability
  73. www.sipit.net
  74. Identity
  75. Simplicity
  76. Fabric
  77. Air
  78. © 2011 VOIPSA
  79. Secure By Default
  80. Education
  81. What is the Industry Doing to Help?
      • Security Vendors: “The Sky Is Falling!” (Buy our products!)
      • VoIP Vendors: “Don’t Worry, Trust Us!” (Buy our products!)
  82. www.voipsa.org/Resources/tools.php
  83. Security Links
      • VoIP Security Alliance - http://www.voipsa.org/
        – Threat Taxonomy - http://www.voipsa.org/Activities/taxonomy.php
        – VOIPSEC email list - http://www.voipsa.org/VOIPSEC/
        – Weblog - http://www.voipsa.org/blog/
        – Security Tools list - http://www.voipsa.org/Resources/tools.php
        – Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com
      • NIST SP800-58, “Security Considerations for VoIP Systems”
        – http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
      • Network Security Tools
        – http://sectools.org/
      • Hacking Exposed VoIP site and tools
        – http://www.hackingvoip.com/
      • Seven Deadliest Unified Communications Attacks
        – http://www.7ducattacks.com/
  84. Thank You For Giving A _____
  85. Thank you! Q & eh? www.voipsa.org 7ducattacks.com Dan York - dan.york@voipsa.org +1-802-735-1624 DisruptiveTelephony.com danyork.com blueboxpodcast.com twitter.com/danyork
