Security VoIP Assessment
1 like165 views
SecureState is a management consulting firm specializing in information security that offers VoIP assessment services to test for vulnerabilities in clients' VoIP systems and networks. The assessment includes penetration testing to attempt hijacking phone calls, recording calls, tampering with voicemail, and other attacks. SecureState follows standard methodologies and works closely with clients to establish rules of engagement and scope before performing non-intrusive information gathering, vulnerability analysis, and controlled exploitation tests to identify security issues.
Security VoIP Assessment
- 1. Security VoIP Assessment Carousel leverages the expertise of SecureState, a management consulting firm, specializing in information security. WE BELIEVE in a business- oriented approach to information security and strive to make the world more secure. We have a passion to be the best, measured by our commitment to do the right thing and help others achieve their goals. We have persistently driven for continuous improvement, empowering employees with increasing efficiency, and eliminating waste in their jobs. Contact us to learn more 800.401.0760 www.carouselindustries.com IT SECURITY VoIP Attack and Penetration Testing Do you know if your VoIP phones and servers are segmented from the rest of your network? Even if they are, segmentation alone may not protect your voice assets. This program includes controlled tests in which SecureState will attempt to assess several vulnerabilities in VoIP systems and networks. Our methodology includes performing validation and testing to ensure that only “valid” vulnerabilities are reported while: • Hi-jacking phone calls • Recording and replaying voice calls • Voicemail tampering • Phone registration hi-jacking • Access to phone administrative capabilities • Attacking systems within the voice VLANS to gain access to the internal network • Attacking VoIP client phones • A VoIP Penetration Test is focused on vulnerabilities on VoIP systems and networks • SecureState focuses our attacks on vulnerabilities specific to VoIP systems and networks • Reduction of the cost, confusion, and complexity of PCI DSS compliance Process Following SecureState’s proven process which was developed through years of consulting experience, we can take you from your CurrentState to your DesiredState of security and ultimately build a program that helps you manage your security at the SecureState. SecureState has developed, SecureState will provide tactical and strategic recommendations for your organization to improve the security posture of your VoIP Network or validate that your network is secure. Copyright ©2014, Carousel Industries® www.carouselindustries.com SEC-VoIP-ASSESSMENT-1014
- 2. IT SECURITY Methodology The SecureState Profiling Team is well-known and highly regarded as experts in Penetration Testing. Our approach follows industry accepted testing methodologies such as PTES, NIST 800-115, and OSSTMM. By following these methodologies, our clients can accurately replicate the testing SecureState has performed in their own environment to accurately mitigate identified vulnerabilities. The Profiling Team also helps identify strategic “root cause” issues through our Penetration Tests. SecureState’s Risk Management Team is uniquely positioned to work closely with the Profiling Team in order to assist clients with mitigating these strategic “root cause” issues. Phase I – Pre-engagement Interaction - In this phase, SecureState works with the client to establish the rules of engagement as well as the scope and exchange contact information for both parties. SecureState provides a detailed Project Charter which contains information on scope and everything that will be required to conduct the testing. The Project Charter is discussed during the kickoff call prior to the beginning of the engagement. Phase II – Intelligence Gathering - VoIP Attack and Penetration Tests need to be conducted with care, due diligence, and a high level of industry knowledge. SecureState performs specific non-intrusion probing of the VoIP network, using SNMP sweeps and other low level scans to first map the VoIP network and systems. Phase III – Vulnerability Analysis - SecureState generates specifically crafted packets in order to identify specific patch levels, perform banner grabbing, and use various other techniques in order to identify potential exposures in the client’s VoIP network without being detected. Specialty tools such as SiVuS, sipsak and SIPSCAN are used to enumerate specific VoIP devices. In addition, SecureState will attempt to pull VoIP specific data off the network to see how it could potentially be manipulated. During this phase, we will attempt to hi- jack and record phone calls, as well as attempt to insert sounds and conduct other manipulation of VoIP data streams; including, eavesdropping on VoIP administrative systems. In addition, VLAN hopping attacks are conducted to ensure segmentation is working properly. Phase IV – Exploitation - During the course of the engagement, all identified VoIP vulnerabilities will be assessed as to the likelihood of exploitation. Communication will be conducted with the client’s Project Lead prior to any type of intrusive activity that could potentially impact network performance or system stability. Any high or critical risk exploit also will be communicated to the client upon discovery; so that the client can initiate corrective actions. Copyright ©2014, Carousel Industries® www.carouselindustries.com SEC-VoIP-ASSESSMENT-1014 Proven Security Expertise Contact us to learn more 800.401.0760 www.carouselindustries.com