By Lawrence Dobranski
2 September 2008
7:01 am EDT
Tom DeSot from Digital Defense joins us again….Lawrence
The Argument Begins
In my last post I talked primarily about how many organizations are looking to utilize vulnerability assessments to learn what issues are being introduced into their enterprise by newer IP based voice systems. Before I went any further in the discussion, I wanted to cover off on a topic many organizations neglect to consider before assessing their networks, whether voice or data. The topic is risk evaluation and system prioritization.
While I do not think any reader would dispute the need to conduct vulnerability assessments and subsequently patch any systems where issues are discovered, many would debate what systems take priority in the grand scheme of things. …
Read the rest of this entry »
By Lawrence Dobranski
27 August 2008
5:10 pm EDT
Like many other professions, security has its demons. One of which is how do we ensure that the products that we use are trustworthy, or have “assurance.” An emerging method of validating the assurance that is present in a solution made up of many different products is the concept of In Situ Security Testing. This testing is periodically done on the running solution without interrupting the normal state of operation. This approach is ideally suited to the high availability, real-time environment of VoIP and Multimedia solutions, specifically solutions made up of many individual products and components.
The National Institute of Standards and Technology (NIST) is overseeing the Information Security Automation Program and The …
Read the rest of this entry »
By Lawrence Dobranski
17 August 2008
9:41 am EDT
Jeff Lewis is back with a post on TDM Voice Systems — Lawrence
A colleague of mine, just tipped me off on a fantastic article written by Vassilis Prevelakis and Diomidis Spinellis over at the IEEE Spectrum Online. It is an absolutely enthralling read about a real life example of voice systems espionage, and I highly recommend it.
Voice security is increasingly being associated with VoIP and Unified Communications. What is being called the “Greek Watergate” shows us quite clearly that legacy TDM systems are just as much at risk, and always have been. But it also shows us that there are individuals that are capable of attacks at level of sophistication we may find surprising, alarming and downright …
Read the rest of this entry »
By Lawrence Dobranski
4 August 2008
10:56 am EDT
I am becoming very amazed at the number of people (Analysis: Hacking VoIP, As Easy As 1-2-3) that are equating the presence of vulnerabilities in voice systems to the voice system being compromised (AKA hacked). It is true that a vulnerability increases the possibility of a system being compromised but it does not equate to it. This is a very important distinction.
Let’s look at what has to happen before a vulnerability can be successfully exploited. I am reminded of the consecutive steps in the Three-mile Island Accident of 1978 that all had to happen for the accident to occur – breaking any of the steps would have mitigated the accident. Despite diligent efforts to discover and …
Read the rest of this entry »
By Lawrence Dobranski
21 July 2008
6:25 pm EDT
Besides posters from Nortel’s Voice Security Eco System, I will be having members of Nortel’s technical community post as well. Today, Stephan Varty of my Advanced Security Solutions R&D Team joins us. Stephan has been at Nortel for more than 10 years in various security related roles. He holds the CISSP certification. Lawrence
Many people assume a certain level of confidentiality is assured when they use their phone. Concerns have been raised about the increased risk of someone eavesdropping on a VoIP call compared to a traditional PSTN call. Although the concern applies similarly to other VoIP protocols such as UNIStim, H.323, or SCCP as well, what follows is an opinion on the …
Read the rest of this entry »
By Lawrence Dobranski
15 July 2008
4:31 pm EDT
The Nortel Voice Security Blog will regularly feature posts by members of Nortel’s Voice Security Ecosystem. Today Tom DeSot, the Chief Compliance Officer for Digital Defense, Inc., will be our featured blogger. Digital Defense is a network security firm based in San Antonio, Texas, that specializes in working with organizations to meet their compliance and security goals through the use of a multitude of Software as a Service (SaaS) delivered services.
Why Vulnerability Assessments Matter…
While the use of ongoing and recurring vulnerability assessments to uncover issues on data networks has been in place for quite some time now, these activities are still somewhat new, to some, in respect to their use within voice networks.
In times past, voice and data …
Read the rest of this entry »
By Lawrence Dobranski
9 July 2008
12:00 pm EDT
In the last post we looked at 3 of the most common techniques for disclosure of security vulnerabilities. Today, we will examine which is best suited for the Voice Security industry, as well what some other firms are doing. We will also touch on some additional important considerations regarding disclosure:
Is there need to have independent 2nd party verification?
What does claiming that a vulnerability exists without details accomplish?
What is disclosure for gain?
Again, the terminology you will find within this post is meant to be consistent with terms used by the Organization for Internet Safety.
To answer the question of which disclosure method is best for Voice Security, we must look first at the sensitivities of such a system. What is …
Read the rest of this entry »
By Lawrence Dobranski
7 July 2008
5:41 pm EDT
I posted a quick entry last Friday (28 June 2008) on the current issues that have yet again arisen regarding Security Vulnerability Disclosure. In today’s post, the first of two parts, I’ll examine three disclosure options, and look at them from a Voice Security perspective. In part two, I’ll delve into what some other firms are doing and conclude with an introduction to Nortel’s preferred method. Jeff Lewis, a Security Architect from my team, contributed a fair bit to these posts so I am sharing the by-line with him.
The terminology you will find within this post is meant to be consistent with terms used by the Organization for Internet Safety.
It seems that Security Vulnerability Disclosure is always a …
Read the rest of this entry »
By Lawrence Dobranski
27 June 2008
12:31 pm EDT
You may have seen that some Nortel products, as well as others, have recently been identified with a few voice system vulnerabilities. This is timely because one of next week’s Voice Security Blog postings will be about responsible disclosure for Voice Security….but let’s start the discussion about the proper process for vulnerability reporting now.
The reporting process followed by some commercial firms involved in this type of research is raising some concerns. Most firms involved with vulnerability reporting will agree that the accepted protocols for disclosure have been well established – and they have been worked out to the satisfaction of vulnerability researchers, manufactures, and users. However the debate over full disclosure versus non-disclosure versus responsible …
Read the rest of this entry »
By Lawrence Dobranski
16 June 2008
7:30 am EDT
Recently a great deal of attention is being paid to vulnerabilities being found in various vendors VoIP systems. Some of the pundits are claiming that these represent major risks and that hackers will exploit them and run a muck with the systems. Are these fears justified or is it a bit of “The sky is falling” issue? For the average CISO, CITSO or CIO struggling to keep their systems patched and up to date this represents a very important question. How do you determine if these vulnerabilities represent real threats? And do they represent a threat that the other CxOs, board members, share holders and customers will care about? How do we answer these …
Read the rest of this entry »
