[VOIPSA Best Practices] Call for Volunteers - Section Leaders needed... your chance for fame, glory, and... well... helping the security community out
dan_york at Mitel.com
dan_york at Mitel.com
Fri Jan 19 14:21:42 CST 2007
Best Practices team,
----
WARNING -> Long msg ahead. Probably not terribly fun to read on a
Blackberry or other similar device.
----
Okay, so with a document structure in hand, we are looking for a few good
section leaders! Currently, three people have stepped forward: Eric
Chen, Jerry Mangiarelli and Peter Kuebler. Eric called #2, "Call Control"
and Jerry said he'll do either #5, "servers/o/s" or #7, "TCP/IP network".
Peter has not yet indicated his choice.
1. Securing Voice and Media stream
- not yet assigned
2. Securing Call Control
- Eric Chen
3. Securing Management Interfaces and APIs
- not yet assigned
4. Securing PSTN Interfaces and Traditional Telephony Issues (i.e.
don't forget toll fraud)
- not yet assigned
5. Securing Servers and Operating Systems
- Jerry Mangiarelli is open to this or #7
6. Securing IP Endpoints (ex. sets, softphones, etc.)
- not yet assigned
7. Securing the TCP/IP network (ex. VLANs, 802.1X, wireless, etc.)
- Jerry Mangiarelli is open to this or #5
8. Physical Security, including backups, power, etc.
- not yet assigned
So we're now looking for 5 more people to step up and volunteer as Section
Leaders. Note that some sections may have only a few best practices and
others may have a lot.
So what does it mean to be a "Section Leader"?
On
http://wiki.voipsa.org/tiki-index.php?page=Volunteer+Opportunities%2FTeam+Structure
I wrote this:
----
If we can identify one volunteer who agrees to be responsible for each
section, then we basically have a "core team" that can lead the effort. I
would NOT expect a "section leader" to write the text, but rather to help
find people to write pieces and ensure that the section is being completed
- and then perhaps most importantly dealing with comments that reviewers
may leave. These folks also being able to say to everyone else when help
is needed or when there's a conflict that has to be sorted out.
To be a section leader, I don't think you necessarily have to be a subject
matter expert on that particular section, although it may certainly be
helpful. It is probably more important to be a good communicator and not
tell people they are flaming idiots and scare any volunteers away. (No
worries, any such project leaders will be ejected! :-)
----
One other aspect - the section leaders should either be okay with working
in a wiki website or be willing to learn. (It's not difficult.)
Here's how I see it working. Let's take the section on voice encryption.
There's going to be some basic best practices statements like:
1. All voice and media streams should be encrypted.
2. Voice encryption should be performed with Secure RTP (SRTP) using at
least 128-bit AES encryption.
3. Secure traversal of a firewall should be accomplished via an
application-layer gateway.
The section leader's first task is to come up with some statements like
that through things like:
- Putting some basic statements up on their section wiki page (either
that they know or have gleaned from other best practices documents)
- Asking for input from this mailing list.
- Reading comments left on the wiki pages
This last point is important. Section leaders, editors and other
volunteers will be given the ability to edit the wiki and make changes to
the actual pages. Everyone else, including random people reading the
pages, will have the ability to *comment* on the page through the comments
tab. The section leader will be responsible for monitoring those
comments, incorporating changes/suggestions/etc.
The second task of the section leader is to forge agreement around whether
those statements are complete. Should they be merged? Should they be
separated? Are there other points? Again, through this mailing list
and/or comments to the wiki and potentially through private dialog as
well.
For instance, in my example, should the first two bullets be merged into
"All voice and media streams should be encrypted with Secure RTP (SRTP)
using at least 128-bit AES encryption"? Maybe, maybe not. That's for the
section leader to help sort out.
In my example, is the third statement true? (I can already feel a couple
of firewall vendors I know getting elevated blood pressure. :-) Maybe the
statement holds. Maybe it needs to be modified. Maybe it needs to be
dropped. Those are the type of conversations the section leader needs to
engage in.
The section leader also needs to escalate an issue to the larger list if
we should have any practice that gets mired in conflict. (ex. "Best
Practices members, we're in a bit of deadlock in the wiki comments about
whether this statement on application-layer gateways should even be in
here. Can any of you who have an opinion please weigh in? Thanks,
<Section 1 leader>")
The final task of the section leader will be to facilitate the creation of
the documentation around the individual best practice statements once the
general statements have been agreed upon. Up on
http://wiki.voipsa.org/tiki-index.php?page=Development+Process I suggested
that we needed to have this information for each best practice:
Title
One-line summary (if title is not descriptive enough.)
Brief description of best practice. Is it a process? a technology? how is
it commonly implemented?
Cross-reference to Threat Taxonomy - which treats in the TT are
eliminated, mitigated or reduced by this best practice? (ex. encryption
x-ref'd to eavesdropping)
Which common security test/attack tools would this best practice protect
against? or reduce the effectiveness of? (ex. encryption protects against
Wireshark RTP re-assembly)
List of references - what "neutral" sources of information are available
about this practice? (ex. Wikipedia articles, government reports, etc.)
The "brief description" might be only a few sentences or it might be
several paragraphs (or more). I'm sure it will vary. We need to gather
it. Whether the section leader writes it or finds the links themselves,
or whether he/she finds other people to help... the key is that they are
taking responsibility for those areas.
I'm sure there will be comments on the text, suggestions for other
tools/sources/etc. and those comments/suggestions need to be addressed and
incorporated where appropriate.
That's how I see it working. Depending up the section, it may or may not
be a large amount of work... some sections may only have a few best
practice statements and they will all be non-controversial. Others may
have many and/or may have controversial statements.
So what do you get in return for volunteering as a section leader? Well,
this large computer manufacturer will be sending you a new laptop equipped
with the latest.... er... no. VOIPSA will write you a large check in the
sum of... well... what do we get if divide the VOIPSA budget for the Best
Practices project among all section leaders? Since that budget is
effectively $0... I guess that's out.
In truth, you'll get the satisfaction of knowing you will be helping a
whole lot of people out there make their systems more secure. You will
also be mentioned prominently in the credits of the document which may
lead to more recognition in your industry or in the security industry in
general. (see pages 5 and 6 of the Threat Taxonomy for an example -
http://www.voipsa.org/Activities/VOIPSA_Threat_Taxonomy_0.1.pdf ) This
may or may not be helpful for career advancement.
I think you'll probably learn a good bit (even if only how to edit in
TikiWiki!) and we should have some fun along the way.
So... who's in? Looking for 5 more folks willing to put in some time
over the next couple of months. Please let me know if you are interested
(and if so, in which of the unassigned sections).
Thanks - and have a great weekend,
Dan
--
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel Corp. http://www.mitel.com
dan_york at mitel.com +1-613-592-2122
PGP key (F7E3C3B4) available for
secure communication
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://voipsa.org/pipermail/bestpractices_voipsa.org/attachments/20070119/596b9bed/attachment.htm>
More information about the bestpractices
mailing list