[VOIPSEC] [SearchSecurity.com] Better VoIP training needed, SANS director says
craig at reswob.net
Fri Dec 8 20:35:47 GMT 2006
Below is the comment I put at the end of that article...
While I respect Stephen Northcutt a LOT, his view of VoIP in this
interview seems limited. I've been doing VoIP security for the past year
(which doesn't make me an expert, just knowledgeable) and I have read a
lot regarding what is going in the industry. I am glad that SANS is
going to add a focus on VoIP security (a GIAC cert would be nice, hint,
hint), but the concept of separating VoIP onto a separate cable makes no
sense, when the whole POINT of VoIP was to consolidate cables and thus
save money. Instead (as he says elsewhere) we must go and integrate
security into VoIP NOW, while the industry is still young (relatively)
so that Voice and Data (and eventually video as well) can coexist
securely and efficiently on the same wire. VOIPSA was formed to acheive
that purpose (www.voipsa.org) and Stephen Northcutt (or SANS) should
leverage the considerable knowledge gathered there, join in the Best
Practices effort being organized by Dan York (a VOIPSA member) and help
promote what VOIPSA is doing in VoIP. Craig CISSP SANS GSEC
Craig L. Bowser
SANS GSEC (Gold)
SRA International, Inc.
craig.bowser1 at us dot army dot mil
Every wall has a gate through which people can walk; conventional hacking involves breaking this gate down. Social engineering is getting the gate keepers to wave you past with a smile on their faces.
Shawn Merdinger wrote:
> Wow, Stephen Northcutt kinda throws down here...
> TechTarget: A new item on this year's list is the VoIP threat. What
> is the SANS Institute doing to bolster awareness in this area?
> Northcutt: This is my single-greatest failure. We don't have the kind
> of intensive "here's what the packets look like" training that's
> needed. The problem is just massive. A technology like this never
> should have been rolled out without more thought to security. If I had
> my way, I would have the creators of VoIP stop everything and redesign
> this with security in mind from the get-go.
> ...Run VoIP as a separate cable, where you'd have one cable for data
> and another for voice...
> Voipsec mailing list
> Voipsec at voipsa.org
More information about the Voipsec