1 SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference
2 Presentation Overview 1. The Business Challenge 2. Securing Voice over IP Networks 3. The ISA VoIP Security Project 4. Next Steps With SCAP 5. Summary Slide 2.
3 The Business Challenge Cyber Security Operations: Expensive Prone to Failure 96% of Breaches Avoidable through Simple or Intermediate Controls Verizon 2010 Data Breach Report Cyber Security Industry is Caught in Too Busy to Get Better Trap I have additional risk to manage. I have capital budget. There are great new solutions. I don t have more people to manage them. Paraphrase of leading CISOs Slide 3.
4 VoIP Enterprise Risk Network convergence and channel consolidation potentially increase vulnerabilities and the consequences of failure in security. Dennis Blair, Former Director of National Intelligence, Feb (paraphrase) Impact of Convergence Silo Approaches to Security Understood Cross-Silo Vulnerabilities and Attacks Ignored VLANs have vulnerabilities Impact of Channel Consolidation Voice Used as an Out-Of-Band Channel Voice Can be Used to Carry Data Slide 4.
5 Guidance NSA Security Guidance for IPT DISA VVoIP NIST SP Best Practices from Vendors Security Devices SBC Firewall IPS/IDS VoIP Security Today Assessments & Controls Pen testing Monitoring New Vulnerabilities New Devices New Controls New Assessments Configuration Management Change Control Who has time? Slide 5.
6 FISMA and FDCC FISMA VoIP Coverage FIPS 199 and 200 Point to NIST SP-800 Series Implementation of SP Controls Required for Compliance SP Defines VoIP Controls FDCC does not Address VoIP SP Recommends No Soft Phones Only covers Vista and XP OSs Slide 6.
7 ISA VoIP Charter ISA Mission ISA seeks to integrate advanced technology with business economics and effective public policy to create a sustainable system of cyber security. ISA VoIP Project Objective Increase cyber security posture and reduce operational expense through automated VoIP security configuration and compliance. Slide 7.
8 ISA VoIP Security Project Focus on automation of configuration management and compliance 2011 Objective IP PBX Call Manager Final Objective IP Phone Soft Phone IP PBX Call Manager Session Border Controller And more 2010 Objective IP Phone Soft Phone NIST SP , , , , NCP Slide 8.
9 Reference VoIP Network Slide 9.
10 Need To Automate IP Phone Configuration Compliance Widely Distributed New Access Vector Perimeter Security Not Sufficient Default Configuration Weak Will Drift from Baseline Changes to phone settings undetected Manual assessment not practical Convergence with Data Network At Least One Phone Will Be Altered! Slide 10.
11 Telnet / SSH HTTP / HTTPS SNMP Console Element Manager LLDP/CDP Typical Automation For Configuration Compliance Access Methods Vendor specific Inconsistency across data formats and mechanism Lack of open standards Incomplete retrieval of running configuration information / state May conflict with security best practices (i.e., disable protocol) Slide 11. Issues
12 SCAP For VoIP: Today SCAP Component Description Keyword VoIP Search Keyword Phone Search Common Vulnerability Enumeration (CVE) Standard nomenclature and dictionary of security related software flaws 96 matches 336 matches, out of which 102 (Apple iphone), 27 (Cisco), 7(Avaya), 6 (Nortel), 5 (Microsoft), 5 (Snom) Common Configuration Enumeration (CCE) Standard nomenclature and dictionary of software misconfigurations 0 (under development) 0 (under development) Common Platform Enumeration (CPE) Standard nomenclature and dictionary of product naming 22 matches (nortel and cisco) 146 matches Common Vulnerability Scoring System (CVSS) Standard for measuring the impact of vulnerabilities 0 0 extensible Checklist Configuration Description Format (XCCDF) Open Vulnerability and Assessment Language (OVAL) Standard XML for specifying checklists and for reporting results of checklist evaluation 0 0 Standard XML for test procedures 5 matches cisco (V) 16 matches - 13 (V), 3 (I) Slide 12.
13 SCAP For VoIP: Today Several CPE IDs available for IP phones Focus on software flaws / vulnerabilities (CVE) A few systems identify firmware version and do very basic penetration / vulnerability test No CCE IDs No Checklists for VoIP in NCP All configuration settings not accessible for SCAP Few OVAL test definitions available for VoIP No OVAL definitions for configuration compliance Much work remains to SCAP-enable VoIP Slide 13.
14 Status on the VoIP Security Project at ISA Focus: Configuration Compliance & Validation IP Phone is First to be Evaluated Baseline Security Configuration Checklist Done NIST controls mapped to IP phone XCCDF document available In process to submit checklist to National Checklist Program for review Vendor Specific IP Phone Checklists Under Development Slide 14.
15 Assure Baseline Security Signaling Protocol: SIP Media Protocol: RTP/RTCP Configuration Controls For 7 Security Principles 3 Traffic Planes Automated and Manual Rules Expressed using XCCDF One size does not fit all IP Phone Baseline Security Checklist Slide 15.
16 Challenges With SCAP Enabling The IP Phone Perpetual Configuration Drift IP Phone Uses an Embedded OS Today s authenticated configuration scanners focus on Windows and Unix/Linux Retrieval of Entire Running State Not Available Use of remote access protocols varies between vendors No OVAL definition schema available for IP phone configuration compliance Slide 16.
17 Host Based Configuration Scanner Host based agent installed on the phone OVAL definition file to be downloaded to agent Gather, analyze configuration locally Generate and report results Pros Direct access to configuration Standard reporting format available with OVAL Cons Regular updates for IP phones across enterprise Resource consumption could impact call quality Slide 17.
18 Network Based Configuration Scanner Centralized platform probes IP phones for configurations No agent on phone Gather configuration from phone Analyze and generate report on centralized scanner Pros Eliminate need to update agent on all phones Cons Visibility of entire configuration questionable Lack of common data structure & remote access method Slide 18.
19 Hybrid Based Configuration Scanner Lightweight, host based agent installed on each phone Configuration gathered within each phone Centralized assessment platform to analyze/report results Pros Small memory (resource) footprint required for agent Eliminate need to update agent on all phones Direct access to configuration Extensive analysis and reporting available No significant impact to functionality and performance Cons None Slide 19.
20 Next Steps Automation Using OVAL Preliminary XCCDF content completed OVAL definitions for IP phone Apply OVAL compliance check to static phone configuration file stored on IPT server Ability to query entire configuration running state Apply OVAL compliance check to running state configuration on IP phone Report the results of the assessment Slide 20.
21 Industry Adoption Using SCAP to automate configuration compliance of IP phone is possible Vendor support is needed to make this a reality Develop specific product checklists based on an industry developed IP phone baseline checklist (i.e., ISA VoIP checklist). Develop an industry standard interface to query the entire running state of the phone configuration. Possibility of a standard data format structure for IP phone configuration Slide 21.
22 Summary Challenge today is VoIP configuration compliance rely on manual processes with limited operational resources Numerous VoIP security guidelines but no master list of all security requirements (i.e., IP phone checklist) focus on automation Adoption of standard based approach using SCAP is right tool to address VoIP configuration compliance challenge Configuration compliance must be a fundamental capability of an IP phone, not an optional nice-to-have feature NIST review & National Checklist Program VoIP vendor involvement is critical Slide 22.
23 Contact Information Co-chair of ISA VoIP Project and Technical Director at VeriSign Thomas Grill (703) Co-chair of ISA VoIP Project and CEO of Salare Security Paul Sand (312) Slide 23.
1 1 1 1 1 Applicability of the Security Control Automation Protocol (SCAP) to Voice over Internet Protocol (VoIP) Systems Version 0. 1 Page 1 of 1 1 1 1 1 1 1 1 0 1 This publication is for informational
Checklist to Assess Security in IT Contracts Federal Agencies that outsource or contract IT services or solutions must determine if security is adequate in existing and new contracts. Executive Summary
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
Towards security management in the cloud utilizing SECaaS JAN MÉSZÁROS University of Economics, Prague Department of Information Technologies W. Churchill Sq. 4, 130 67 Prague 3 CZECH REPUBLIC email@example.com
Virtual Patching: Lower Security Risks and Costs A Trend Micro White Paper, 2012 Trend Micro Deep Security Trend Micro, Incorporated» Hundreds of software vulnerabilities are exposed each month, and timely
PHYSICAL SECURITY OVER INFORMATION TECHNOLOGY GUIDANCE DOCUMENT March 2014 This guidance document has been produced by CPNI in conjunction with MWR InfoSecurity. Disclaimer Reference to any specific commercial
Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies October 2009 DISCLAIMER This report was prepared as an account of work sponsored by an agency of
Report Number: I332-016R-2005 Security Guidance for Deploying IP Telephony Systems Systems and Network Attack Center (SNAC) Released: 14 February 2006 Version 1.01 SNAC.Guides@nsa.gov ii This Page Intentionally
A COALFIRE WHITE PAPER Using s Cloud & Data Center Security Solution to meet PCI DSS 3.0 Compliance Implementing s Deep Security Platform in a Payment Card Environment April 2015 Page 1 Executive Summary...
ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS Shirley Radack, Editor Computer Security Division Information
An Enterprise Continuous Monitoring Technical Reference Architecture 12/14/2010 Presenter: Peter Mell Senior Computer Scientist National Institute of Standards and Technology http://twitter.com/petermmell
Operational Guidelines for Industrial Security Proposals and recommendations for technical and organizational measures for secure operation of plant and machinery Version 2.0 Operational Guidelines for
Standard: Version: 2.0 Date: June 2011 Author: PCI Data Security Standard (PCI DSS) Virtualization Special Interest Group PCI Security Standards Council Information Supplement: PCI DSS Virtualization Guidelines
BlackBerry Enterprise Solution for Microsoft Exchange Security Analysis Fraunhofer SIT Certification Report 06-104302 Copyright Notice The content of this document is owned by Fraunhofer Gesellschaft e.
INL/EXT-05-00477 Attack Methodology Analysis: Emerging Trends in Computer- Based Attack Methodologies and Their Applicability to Control System Networks Bri Rolston June 2005 The INL is a U.S. Department
Firewall Strategies June 2003 (Updated May 2009) 1 Table of Content Executive Summary...4 Brief survey of firewall concepts...4 What is the problem?...4 What is a firewall?...4 What skills are necessary
Special Publication 800-95 (Draft) Guide to Secure Web Services Recommendations of the National Institute of Standards and Technology Anoop Singhal Theodore Winograd Karen Scarfone NIST Special Publication
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
Payment Card Industry (PCI) Data Security Standard Approved Scanning Vendors Program Guide Version 2.0 May 2013 Document Changes Date Version Description February 11, 2010 1.0 May 2013 2.0 Approved Scanning
Federal Communications Commission Information Technology Strategic Plan Implementing technology today to meet FCC business needs tomorrow Office of the Managing Director Information Technology Center July
Unified Security Monitoring Best Practices June 8, 2011 (Revision 1) Copyright 2011. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of
Mobile Device Security Information for IT Managers July 2012 Disclaimer: This paper is intended as a general guide only. To the extent permitted by law, the Australian Government makes no representations
Best Practices for Mitigating Risks in Virtualized Environments April 2015 2015 Cloud Security Alliance All Rights Reserved All rights reserved. You may download, store, display on your computer, view,
Securing Enterprise Applications Version 1.1 Updated: November 20, 2014 Securosis, L.L.C. 515 E. Carefree Highway Suite #766 Phoenix, AZ 85085 T 602-412-3051 firstname.lastname@example.org www.securosis.com Author
IT@Intel White Paper Intel IT IT Best Practices Cloud Computing and Information Security January 2012 Virtualizing High-Security Servers in a Private Cloud Executive Overview Our HTZ architecture and design
DRAFT, Version 0.9, March 2013 ii About ENISA The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its member states, the private