Security experts have long lamented that enterprise Voice over Internet protocol (VoIP) rollouts are outpacing efforts to harden the technology against thieves, hackers and fraudsters. There has also been little consensus on how to define VoIP-specific threats and develop best practices to fight them.
But one industry group hopes to at least solve the latter problem with a new 36-page .pdf document outlining a threat taxonomy users, vendors, carriers, law enforcement agencies and legislators can use to make the technology more secure.
The document was released Monday by the Voice over IP Security Alliance (VOIPSA). The global organization was formed in February to "find and mitigate VoIP security risks through testing, research and education so that VoIP technology can thrive and propagate," according to its Web site.
Jonathan Zar, senior director of Sunnyvale, Calif.-based SonicWall Inc. and secretary of VOIPSA, said the document is important because it provides a foundation for all future discussions on VoIP security that are both technically and socially informed.
"This gives enterprises, designers and carriers a clear and common understanding of what the problems are, how they might be measured and how they can be dealt with," Zar said. "The idea is also to bring law enforcement, legislators and technologists together on the same page and get them to speak the same language."
Specifically, Zar said, the taxonomy document offers:
- Core definitions that give specific meaning to privacy and security;
- A framework to connects public policy and technology issues;
- Recognition that the human element in threats is distinct from their technical means;
- Specific sets of issues for consideration by legislative bodies and by law enforcement; and
- A detailed structure for technical vulnerabilities across the value chain.
VOIPSA also announced Monday that its membership now exceeds 100 companies and institutions around the world "that represent the entire value chain for VoIP." Zar said members include major carriers, software companies, equipment vendors, large users and system integrators. New members include Juniper Networks Inc., Nokia Corp., Deloitte & Touche USA LLP. and BearingPoint Inc. The group has also unveiled a new Web site with expanded membership services.
Examples of VOIPSA's threat taxonomy
Here are some of the definitions VOIPSA uses to describe the threats users face:
Call-pattern tracking is the unauthorized analysis of traffic to or from any node or collection of nodes on the network. This technique enables unauthorized conduct such as theft, extortion and deceptive practices like phishing.
Traffic capture is the unauthorized recording of traffic by any means and includes packet recording, packet logging and packet snooping. Traffic capture is a basic method for recording a communication without the consent of all the parties.
Number harvesting is an unauthorized means of capturing identity and enabling subsequent unauthorized communication, theft of information and other deceptive practices.
Conversation reconstruction is a technique for collecting, duplicating or extracting information on the audio content of a conversation without the consent of all parties to the communication.
Call black holing is any unauthorized method of dropping, absorbing or refusing to pass IP or other essential elements in any VoIP transmission. This can be used to prevent or terminate a communication. Call black holing is defined to include any VoIP protocol for any form of communication, whether voice only or converged with other media, including video, text and images.
Call rerouting or call sinkholing is any unauthorized method used to redirect an IP signal or other essential element of any VoIP transmission to divert communication. When authorized, call rerouting may also be used as a defensive technique against attack or an enabler for other services.
Fax alteration is any unauthorized modification of any of the information in a facsimile or other document image, including header, cover sheet, status and/or confirmation data.
Conversation alteration is any unauthorized modification of information in the audio, video and/or text portion of any communication, including identity, status or presence information.
Conversation impersonation and hijacking is the injection, deletion, addition, removal, substitution, replacement or other modification of any portion of any communication with information that alters any of its content and/or the identity, presence or status of any of its parties.
False caller identification is the signaling of an untrue identity or presence.