The Internet Security Alliance, in conjunction with the Department of Homeland Security and the National Institute for Standards and Technology, will launch a yearlong program designed to create greater assurance and security in the Voice over Internet Protocol (VoIP) platform, it was announced today.
“VoIP and other converged & multimedia networks are being deployed in critical infrastructure and governmental networks at all levels,” said ISAlliance President Larry Clinton, “and while these technologies have numerous cost and functionality benefits, there are also substantial security issues that need to be addressed quickly as a matter of corporate competitiveness and national security. There is a potentially exhaustive list of VoIP and converged network vulnerabilities which can be accessed by organized crime and others to steal confidential data from companies, governments and even the police,” Clinton said. “A collaborative effort to secure this popular platform is needed now.”
To address these issues, ISAlliance will kick off a yearlong project at the 4th Annual Security Automation Conference and Workshop, being held at the NIST campus in Gaithersburg, Maryland, September 22-25. The program will commence with a panel discussion on September 23 and a full-day workshop on the 25th. Project Leader Lawrence Dobranski of Nortel will chair both sessions.
Dobranski outlined the goals and methods the project would pursue as follows. “Our goal is to build a secure and cost-effective solution which will enable government and corporate users to deploy VoIP and other converged networks with greater confidence. The method we will use is to apply the Security Compliance Automation Protocol (SCAP) and the Information Security Automation Program (ISAP) to these networks. We hope to build a checklist of vulnerabilities which will form a baseline of minimum security that can then be augmented by more product-specific and industry-specific standards and practices,” Dobranski said.
Dobranski noted that the Office of Management and Budget has already mandated to federal CIOs that “information technology providers must use SCAP validated tools as they become available,” so this methodology is clearly the best path forward. Dobranski also said that the SCAP checklist would be based on existing industry standards, with the goal that any newly discovered vulnerabilities would be entered into the National Vulnerability Database and that vendors would then work cooperatively to develop mitigation devices to address the vulnerabilities. When the mitigation devices are subsequently certified, they would be offered free of charge under the ISAP program.