Nortel Voice Security

Brian Wilson from my team is back with part 2 of his series on risk management…Lawrence

Risk Management in Voice Solutions: Baseline VoIP Security - Part 2:
Methodology for Selecting Security Controls

The objective of this series of blog posts is to take the reader through the process of designing a baseline security architecture for voice solutions based on a generic implementation. Part 1 of this series focused on how and where security requirements fit in to the Risk Management process. Part 2 focuses on mapping controls to security requirements and ensuring the controls selected are aligned with security standards and industry best practices.

Voice Risk Management Framework
Within the voice security environment, identifying …

Read the rest of this entry »

Brian Wilson, a Senior Security Architect with my team, specializes in the area of Risk Management and Compliance. With this post he begins a series of articles related to identifying and documenting a baseline security architecture for voice systems using a risk management approach. Lawrence

Part 1 – Establishing Security Requirements
The objective of this series of blog posts is to take the reader through the process of designing a baseline security architecture for voice solutions base on a generic Implementation. Part 1 of this series will focus on how and where security requirements fit in to the Risk Management process.

The process of risk management (RM) is continuous and is based on defining and establishing an acceptable level of risk. Once …

Read the rest of this entry »

Jeff Lewis from my team joins us with an interesting post on the Woahphone. Lawrence

The idea of open source software running on a phone certainly is not new. Windows Mobile Smart Phones have had this capability since inception. Anyone can write software to run on them, the software development kit is free, and there is plenty of source code around to draw upon. But the operating system (OS) code itself remains closed source. So what would happen if you opened it up and let everyone see under the hood? Well, if Google Android, OpenMoko, Qtopia and other such Linux based projects are successful, we are going to find out. These projects, and others like them, …

Read the rest of this entry »

Tom DeSot from Digital Defense joins us again….Lawrence

The Argument Begins

In my last post I talked primarily about how many organizations are looking to utilize vulnerability assessments to learn what issues are being introduced into their enterprise by newer IP based voice systems. Before I went any further in the discussion, I wanted to cover off on a topic many organizations neglect to consider before assessing their networks, whether voice or data. The topic is risk evaluation and system prioritization.

While I do not think any reader would dispute the need to conduct vulnerability assessments and subsequently patch any systems where issues are discovered, many would debate what systems take priority in the grand scheme of things. …

Read the rest of this entry »

Jeff Lewis is back with a post on TDM Voice Systems — Lawrence

A colleague of mine, just tipped me off on a fantastic article written by Vassilis Prevelakis and Diomidis Spinellis over at the IEEE Spectrum Online. It is an absolutely enthralling read about a real life example of voice systems espionage, and I highly recommend it.

Voice security is increasingly being associated with VoIP and Unified Communications. What is being called the “Greek Watergate” shows us quite clearly that legacy TDM systems are just as much at risk, and always have been. But it also shows us that there are individuals that are capable of attacks at level of sophistication we may find surprising, alarming and downright …

Read the rest of this entry »

I am becoming very amazed at the number of people (Analysis: Hacking VoIP, As Easy As 1-2-3) that are equating the presence of vulnerabilities in voice systems to the voice system being compromised (AKA hacked). It is true that a vulnerability increases the possibility of a system being compromised but it does not equate to it. This is a very important distinction.

Let’s look at what has to happen before a vulnerability can be successfully exploited. I am reminded of the consecutive steps in the Three-mile Island Accident of 1978 that all had to happen for the accident to occur – breaking any of the steps would have mitigated the accident. Despite diligent efforts to discover and …

Read the rest of this entry »

Today’s post is from Jeff Lewis. Jeff is a Security Architect on my team, and has more than 10 years experience in voice communications technology, including technical support of global voice networks, product verification, software integration, and most predominantly, carrier grade voice application software development. He was involved in some of the very first ground breaking voice over IP calls performed in Nortel’s laboratories in Germany. Lawrence

The discussion over the usefulness and applicability of taking a Risk Management (RM) based approach to voice security is an interesting one to say the least. Welcome to the front line.

Let’s begin by considering why a company might decide that RM is the wrong way to go. Perhaps the process is seen …

Read the rest of this entry »

The Nortel Voice Security Blog will regularly feature posts by members of Nortel’s Voice Security Ecosystem. Today Tom DeSot, the Chief Compliance Officer for Digital Defense, Inc., will be our featured blogger. Digital Defense is a network security firm based in San Antonio, Texas, that specializes in working with organizations to meet their compliance and security goals through the use of a multitude of Software as a Service (SaaS) delivered services.

Why Vulnerability Assessments Matter…

While the use of ongoing and recurring vulnerability assessments to uncover issues on data networks has been in place for quite some time now, these activities are still somewhat new, to some, in respect to their use within voice networks.

In times past, voice and data …

Read the rest of this entry »

In the last post we looked at 3 of the most common techniques for disclosure of security vulnerabilities. Today, we will examine which is best suited for the Voice Security industry, as well what some other firms are doing. We will also touch on some additional important considerations regarding disclosure:

Is there need to have independent 2nd party verification?
What does claiming that a vulnerability exists without details accomplish?
What is disclosure for gain?

Again, the terminology you will find within this post is meant to be consistent with terms used by the Organization for Internet Safety.

To answer the question of which disclosure method is best for Voice Security, we must look first at the sensitivities of such a system. What is …

Read the rest of this entry »

I posted a quick entry last Friday (28 June 2008) on the current issues that have yet again arisen regarding Security Vulnerability Disclosure. In today’s post, the first of two parts, I’ll examine three disclosure options, and look at them from a Voice Security perspective. In part two, I’ll delve into what some other firms are doing and conclude with an introduction to Nortel’s preferred method. Jeff Lewis, a Security Architect from my team, contributed a fair bit to these posts so I am sharing the by-line with him.

The terminology you will find within this post is meant to be consistent with terms used by the Organization for Internet Safety.

It seems that Security Vulnerability Disclosure is always a …

Read the rest of this entry »