Better VoIP training needed, SANS director says

As director of training and certification for the Bethesda, Md.-based SANS Institute, Stephen Northcutt is always looking for better ways to prepare IT professionals for the threats of cyberspace. This year's SANS Top 20 Attack Targets list has given him more to consider. Product vulnerabilities continue to top the institute's list of threats, but human error also made the list, given users' susceptibility to phishing scams. VoIP insecurity, zero-day flaws and Web application vulnerabilities also topped the list. In this Q&A, Northcutt discusses how the institute's training programs address these problems, and where there's room for improvement.

This year's SANS Top 20 list included human error, particularly users' tendency to fall for phishing scams. What's the takeaway for IT administrators?
This is a great opportunity for awareness. Every time a systems administrator gets a Wells Fargo email when they don't have a Wells Fargo account, they should copy a screen shot and send it out to the entire organization and warn people that this is the latest phishing scam. Show people what the threat looks like. Once a month, you can send these out and make people aware. And tell your mother.

A new item on this year's list is the VoIP threat. What is the SANS Institute doing to bolster awareness in this area?
This is my single greatest failure. We don't have the kind of intensive "here's what the packets look like" training that's needed. The problem is just massive. A technology like this never should have been rolled out without more thought to security. If I had my way, I would have the creators of VoIP stop everything and redesign this with security in mind from the get-go.

What could the institute do in the short term to improve the VoIP security training?
I have got to hook up with a leading expert who can teach this at the protocol level. Don't get me wrong. We're not ignoring the issue and we do teach the Band-Aid steps. But the knowledge needs to go deeper.

What are the Band-Aid steps you're teaching now?
We teach the importance of having a VoIP firewall. You want a barrier between the Internet and your phone system. You should also use hardware encryption between your building in the U.S. and your building in France. The benefit is that the VoIP data is encrypted in a tunnel and the bad guy can't intercept your voice sessions. It gives you a little more protection. And if you're going to do VoIP, do it as much as possible out of band from the rest of the network. Run VoIP as a separate cable, where you'd have one cable for data and another for voice. That way, if someone hits you with a denial of service (DOS), you still have voice and the ability to keep functioning. Or, if VoIP is hit, you still have the rest of the network. VoIP is very susceptible to DOS, so you need to make sure that if one goes down you have the rest.

Are people receptive to that argument?
Some people think the idea is economically stupid. The advocates of VoIP always say the beauty is that you can run your phone with everything else. I say yeah, but you can also kill everything together.

The increase of zero-day threats made the list as well. Do you think IT professionals are adequately keeping up? If not, what could they be doing better?
This is one of those unhappy examples of progress. Two years ago we were talking theoretically on zero-day threats. The only thing you can do is isolate and minimize your footprint. IT professionals have to get really serious about the software they allow on their system. System lockdowns are unpopular, but it's important to only allow the 10 business functions users need to do their jobs and nothing more. Smart users know to use an alternative browser like Firefox.

Talk about some of the key skills IT pros need to keep up with today's threats. In a previous interview, you mentioned the need for them to be better report writers.
Communication is definitely an overlooked skill. As a manager, I need to be able to give the board the information they need packaged in a way that helps them understand the needs. I also need management skills so people underneath know what to expect from me. Those are some important aspects of the training.

It's been said that IT people don't always have the best management or people skills. Is that something you try to address?
That's actually a politically incorrect part of my course. I talk about how you can stereotype technical people. Your Cisco router jocks tend to be a certain sex, age and disposition. They never do well in management because they can't write. They're great at the tech stuff but they talk funny. We talk about these stereotypes and how those who do end up in management must be able to communicate to the people above and below them.
