Security VoIP Assessment
Carousel leverages the expertise of SecureState, a management consulting firm specializing in information security.

WE BELIEVE in a business-oriented approach to information security and strive to make the world more secure. We have a passion to be the best, measured by our commitment to do the right thing and help others achieve their goals.

We have persistently driven for continuous improvement, empowering employees with increasing efficiency, and eliminating waste in their jobs.
Contact us to learn more 
800.401.0760 
www.carouselindustries.com 
IT SECURITY 
VoIP Attack and Penetration Testing 
Do you know if your VoIP phones and servers are segmented from the 
rest of your network? Even if they are, segmentation alone may not 
protect your voice assets. This program includes controlled tests in which 
SecureState will attempt to assess several vulnerabilities in VoIP systems 
and networks. 
Our methodology includes performing validation and testing to ensure 
that only “valid” vulnerabilities are reported while: 
• Hijacking phone calls
• Recording and replaying voice calls
• Voicemail tampering
• Phone registration hijacking
• Access to phone administrative capabilities
• Attacking systems within the voice VLANs to gain access to the internal network
• Attacking VoIP client phones
• A VoIP Penetration Test is focused on vulnerabilities on VoIP systems and networks
• SecureState focuses our attacks on vulnerabilities specific to VoIP systems and networks
• Reduction of the cost, confusion, and complexity of PCI DSS compliance 
Process 
Following SecureState’s proven process, which was developed through years of consulting experience, we can take you from your CurrentState to your DesiredState of security and ultimately build a program that helps you manage your security at the SecureState. SecureState has developed, SecureState will provide tactical and strategic recommendations for your organization to improve the security posture of your VoIP Network or validate that your network is secure.
Copyright ©2014, Carousel Industries® www.carouselindustries.com 
SEC-VoIP-ASSESSMENT-1014
Methodology 
The SecureState Profiling Team is well known and highly regarded as experts in Penetration
Testing. Our approach follows industry-accepted testing methodologies such as PTES,
NIST 800-115, and OSSTMM. By following these methodologies, our clients can accurately 
replicate the testing SecureState has performed in their own environment to accurately 
mitigate identified vulnerabilities. The Profiling Team also helps identify strategic “root 
cause” issues through our Penetration Tests. SecureState’s Risk Management Team is 
uniquely positioned to work closely with the Profiling Team in order to assist clients with 
mitigating these strategic “root cause” issues. 
Phase I – Pre-engagement Interaction - In this phase, SecureState works with the client to 
establish the rules of engagement as well as the scope and exchange contact information 
for both parties. SecureState provides a detailed Project Charter which contains information 
on scope and everything that will be required to conduct the testing. The Project Charter is 
discussed during the kickoff call prior to the beginning of the engagement. 
Phase II – Intelligence Gathering - VoIP Attack and Penetration Tests need to be conducted 
with care, due diligence, and a high level of industry knowledge. SecureState performs 
specific non-intrusion probing of the VoIP network, using SNMP sweeps and other low-level
scans to first map the VoIP network and systems. 
Phase III – Vulnerability Analysis - SecureState generates specifically crafted packets in 
order to identify specific patch levels, perform banner grabbing, and use various other 
techniques in order to identify potential exposures in the client’s VoIP network without 
being detected. Specialty tools such as SiVuS, sipsak and SIPSCAN are used to enumerate 
specific VoIP devices. 
In addition, SecureState will attempt to pull VoIP specific data off the network to see how it 
could potentially be manipulated. During this phase, we will attempt to hijack and record
phone calls, as well as attempt to insert sounds and conduct other manipulation of VoIP
data streams, including eavesdropping on VoIP administrative systems. In addition, VLAN
hopping attacks are conducted to ensure segmentation is working properly. 
Phase IV – Exploitation - During the course of the engagement, all identified VoIP 
vulnerabilities will be assessed as to the likelihood of exploitation. Communication will be 
conducted with the client’s Project Lead prior to any type of intrusive activity that could 
potentially impact network performance or system stability. Any high or critical risk exploit
will also be communicated to the client upon discovery so that the client can initiate
corrective actions.
Proven Security Expertise 