2009 06 08 barry foer isa and lawrence dobranski nortel isas voip security program update at nist...

Upload: isalliance

Post on 05-Apr-2018


  • 7/31/2019 2009 06 08 Barry Foer ISA and Lawrence Dobranski Nortel ISAs VoIP Security Program Update at NIST Conference


    BUSINESS MADE SIMPLE


    ISAlliance SCAP VoIP Project Update

    12 June 2009
    Lawrence G Dobranski, CISSP-ISSAP, CISM, CSSLP
    Leader, Security Architecture & Compliance
    Carrier VoIP and Applications Solutions
    Nortel

    [email protected]
    (613) 763-6866


    Agenda

    • ISA VoIP Proposal & Status Snapshot
    • Schedule, Deliverables & Status
    • Scope & Objective Statement
    • Resources
    • Next Steps
    • Program Meeting Schedule
    • Technical Working Groups Meeting

    Backup
    • VoIP Security Standards
    • Participants from Industry
    • Participants from Government


    ISAlliance VoIP Proposal & Status Snapshot

    To lead and influence the development of industry based SCAP checklists for Voice and VoIP Security for Government, Critical Infrastructure and Enterprises (approved Feb 2008 ISAlliance BoD Meeting)

    VoIP Security Implementation and Assurance Workshop held @ NIST (complete, Sept 22nd-23rd, 2008)

    SCAP Voice and VoIP Checklists:

    • Phase I reports due Security Automation Conference Oct 200
        • Applicability of SCAP to VoIP
        • Baseline Standards
    • Phase II - proposed
        • Based on current industry standards for Voice and VoIP Security
        • Developed by joint Government/Industry working groups


    Scope, Objective & Deliverables

    Objective: The development of industry based Baseline SCAP checklists for Voice and VoIP Security for Government, Critical Infrastructure and Enterprises

    Scope: SCAP Voice and VoIP Checklists
    • Based on current industry standards for Voice and VoIP Security
    • Developed by a joint Government/Industry working group

    Deliverables:
    • Policy Checklists for VoIP Security (XCCDF based)
        • XML format standardized checklist representing VoIP Security Policy:
            • CPE Platform: reference platform configuration based on source VoIP Security standards
            • CCE Misconfiguration: reference configuration for VoIP systems
            • CVSS Impact: reference framework for characteristics and impacts for vulnerabilities in VoIP Systems
    • Schema for VoIP Systems (OVAL based)
        • XML format specifying vulnerability and configuration tests or changes
        • A collection of XML schema for representing VoIP Solution system information, expressing specific machine states, and reporting the results of an assessment
        • Reference implementation for VoIP Systems
    • API Reference Implementation
        • Reference implementation API for VoIP System Vendors, utilizing management, signaling and media plane model.

    VoIP Solution vendors will implement specific interpretations of the ISAlliance deliverables for their solutions.


    Schedule, Deliverables & Status

    Event / Plan / Status

    Event: Kick-off meeting with NIST to present ISA Proposal & initial participants
    Plan: July 2008
    Status: Complete

    Event: Jointly host with NIST a VoIP Security Implementation and Assurance Workshop to discuss the applicability of SCAP to VoIP and to establish the need for a SCAP checklist for VoIP developed by industry.
    Plan:
    • Proposed agenda end of July 2008
    • Key participants IDed mid August 2008
    • Event Oct 2008
    Status:
    • At NIST's 4th Annual Information Security Automation Conference (Sept 22nd-23rd)
    • ISAlliance presented at the conference
    • ISAlliance hosted a day long workshop on the applicability of SCAP to VoIP

    Event: ISA lead working groups formed to: 1) assess applicability of SCAP to VoIP, 2) to determine appropriate reference standards
    Plan: Bi-weekly virtual meetings
    Status:
    • Reports complete end August 2009
    • Reports to be presented at 5th Annual Information Security Automation Conference (Sept 2009)


    SCAP Baseline Working Group

    Status: Yellow

    Accomplishments To Date:
    • SCAP 101 and 102 presented

    Near Term Work Plan (Due 7/4):
    • Strawman work plan developed

    Longer Term Work Plan:
    • Draft Whitepaper (Due 8/10)
    • Produce Presentation (Due 8/31)

    Virtual Meetings:
    • Meets every 2nd Thursday @ 1:00 PM Eastern for 1 hour

    Leadership
    • Co chair (1): Scott Armstrong, VP at Gideon Technologies
    • Co chair (2): TBD


    Detailed Schedule

    Technical Working Group Meetings:
    • 1 hour duration
    • Applicability Working Group meets every 2nd Tuesday @ 1:00 PM Eastern
    • Baseline Working Group meets every 2nd Thursday @ 1:00 PM Eastern
    • Applicability & Baseline Working Groups meet in the same week


    Participants

    Agilent Technologies, Inc.
    American Century Investments
    Assuria Ltd.
    AT&T
    Boeing
    Center For Internet Security
    City of Seattle
    CNA Insurance
    Compliance Collaborators, Inc.
    Damac Holding
    Department of Commerce
    Department of Veterans Affairs
    DHS
    Direct Computer Resources
    Disney
    DoD
    eTrade Financial
    EWA-Canada
    Expedia
    FDA
    Gideon Technologies
    Global UniDocs Company
    HSBC North America
    IBM
    ICSA Labs, an Independent Division of Verizon Business
    Information Security and Forensics Management Team
    Institute for Defense Analyses
    Invensys Process Systems
    Joint Task Force-Global Network Operations
    Jones Day
    Lone Star College System
    ManTech
    McAfee
    Microsoft
    NASA
    National Security Agency
    Nortel Networks
    Northrop Grumman
    Oklahoma Office of State Finance
    Palindrome Technologies
    Pearl Technology
    Raytheon
    RedSeal
    Rolls Royce
    Salare Security
    Science Applications International Corporation (SAIC)
    Secure Acuity Networks, LLC
    Time Warner Cable
    US Department of Transportation
    US-CERT
    Vanguard
    VeriSign
    VoIPshield Systems Inc.
    Waters Edge Consulting


    Backup


    Communications Tools -- collaboration site

    To join contact Barry Foer: [email protected]
