[VOIPSEC] Question on VoIP security requirements in financial sector
Zmolek, Andrew (Andy)
zmolek at avaya.com
Tue Jun 19 16:53:47 CDT 2007
As the author of the regulatory compliance chapter that Eoin linked below (which you can read via Google's caching/html conversion if the Syngress web server is still down as it is at the moment), I can talk to the legal obligations involved. And since I also meet regularly with every one of our large financial customers I can also talk to the typical financial-industry security policies and practices around encrypted signaling and media. You might be surprised by the state of both the financial and telecom industries in this regard.
First, you're not going to find TLS, SRTP, or any other form of encryption specifically mentioned in any regulation. Moreover, no privacy or security regulations are so strictly interpreted as to force all voice conversations interacting with the PSTN to leverage encryption (which in most cases won't be available to the end-user anyway). And if a strict legal requirement did exist, you would quickly discover that even with the right enterprise-side equipment, compliance would be problematic since there isn't a single PTT or independent carrier prepared to directly supply you trunks using SIP-TLS or SRTP today (though I've heard a few of them will offer at extra cost a session border controller (SBC) under their control that can terminate an IPSEC tunnel or convert unencrypted sessions to SIP-TLS and SRTP on the hop between your network and theirs).
That being said, many of my largest financial customers are looking at large-scale encrypted VoIP deployments within the enterprise (be it H.323 or SIP-based communications). A few of them are considering policies that would force encryption for all users but in most cases their policies allow room for selective deployment. Nevertheless, I can't think of a single customer that today is actively operating more than 1,000 VoIP endpoints from any vendor's call server with both signaling and media encryption enabled on all of them (i.e. large-scale real operational deployments that have been running for 6 months or more, not just planned or early-phase deployments or selective use of encryption--there are plenty of those around).
None of this should be surprising given the slow rate of VoIP adoption in the financial industry overall, plus the push many of our financial customers are making to SIP-based protocols coupled with the reality of today's unfortunate SIP interoperability vs. security dynamic (I was surprised to see last month that Avaya was the only major vendor willing to show up to the Interop iLabs SRTP event this year and discovered in the process that many of the small vendors who did participate weren't following SIP standards on the usage of the sips: URI or had no way to manage trust relationships with TLS certificates). Plus most financial customers still have far more traditional digital sets deployed than VoIP phones, particularly in call centers. I even have a few financial customers that see no added value in encryption since their VoIP deployments take place completely within the confines of their already hardened internal networks and they use both logical and physical separation to keep the voice traffic separate.
That said, the security questionnaires on the RFPs we see from our financial customers continue to expand in scope and--apart from media and signaling encryption--I'm aware of dozens of other regulatory-driven security requirements that our financial customers do implement consistently (such as password complexity and expiration requirements). In general, these requirements have little to do with VoIP itself and are driven by IT-wide security standards for servers, databases, and the like. So it's not like there aren't a lot of regulatory-driven conversations going on at financial organizations around VoIP, it's just that SIP-TLS and SRTP are rarely at the top of their compliance priority list (and that's no less true for the banking regulators themselves who ultimately drive those priorities).
/\\//\Y/\ Andy Zmolek | zmolek at avaya.com | 303-538-6040
Senior Manager, Security Planning & Strategy
GCS Security Technology Development | Avaya, Inc.
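As an added illustration of the signaling-versus-media distinction Andy draws above (this is not code from the thread or from Avaya), the following Python check inspects constructed sample SIP INVITEs and reports whether the request honours the sips: scheme with TLS on every Via hop and whether its SDP offers SRTP; the message contents and the key placeholder are made up for the example.

```python
import re

# Constructed sample messages (not captured traffic): the first follows the
# sips:/TLS/SRTP pattern, the second advertises sips: but does not honour it.
GOOD_INVITE = (
    "INVITE sips:bob@bank.example SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.0.0.5:5061;branch=z9hG4bK776asdhds\r\n"
    "From: <sips:alice@bank.example>;tag=1928301774\r\n"
    "To: <sips:bob@bank.example>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_MATERIAL\r\n"
)
BAD_INVITE = GOOD_INVITE.replace("SIP/2.0/TLS", "SIP/2.0/UDP").replace("RTP/SAVP", "RTP/AVP")


def check_encryption_posture(msg: str) -> dict:
    """Report whether a SIP request's signaling and offered media are encrypted."""
    head, _, body = msg.partition("\r\n\r\n")
    method, request_uri, _version = head.split("\r\n")[0].split(" ", 2)
    scheme = request_uri.split(":", 1)[0].lower()
    # A sips: request must travel over TLS on every hop (RFC 3261 section 19.1),
    # so each Via header should carry the TLS transport.
    transports = [t.upper() for t in re.findall(r"^Via:\s*SIP/2\.0/(\w+)", head, re.I | re.M)]
    all_tls = bool(transports) and all(t == "TLS" for t in transports)
    # SRTP is signalled by the RTP/SAVP (or RTP/SAVPF) profile on each m= line.
    profiles = re.findall(r"^m=\w+\s+\d+\s+(\S+)", body, re.M)
    media_encrypted = bool(profiles) and all(p.startswith("RTP/SAVP") for p in profiles)
    findings = []
    if scheme == "sips" and not all_tls:
        findings.append("sips: URI but non-TLS Via hop: " + ",".join(transports))
    if scheme == "sip":
        findings.append("plain sip: URI (no end-to-end TLS guarantee)")
    if not media_encrypted:
        findings.append("SDP offers unencrypted media profile(s): " + ",".join(profiles))
    return {
        "method": method,
        "scheme": scheme,
        "signaling_encrypted": scheme == "sips" and all_tls,
        "media_encrypted": media_encrypted,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, msg in (("good", GOOD_INVITE), ("bad", BAD_INVITE)):
        print(label, check_encryption_posture(msg))
```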
-----Original Message-----
From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On Behalf Of Fleming, Eoin (DSCP)
Sent: Monday, June 18, 2007 5:26 AM
To: voipsec at voipsa.org
Subject: Re: [VOIPSEC] Question on VoIP security requirements in financial sector
I am not aware of any regulations concerning VOIP specifically (the regulations will probably never refer to VOIP anyway but to telephony/telecommunications networks normally...). Encryption is not mentioned in connection with VOIP certainly, but if you are dealing with personal financial information or personally identifiable information then encryption would be considered a mandatory requirement under the banner of exercising due care in the protection of financial records (but this is by inference only...). The only area that I am sure affects VOIP is call recording requirements for certain dealing and call centre operations.
This link might shed some light http://www.syngress.com/book_catalog/372_PRAC_VoIP/sample.pdf
But like most things in the regulatory world it's all open to some degree of interpretation, i.e. even if you implement encryption so it's available for the use of your customers you have no guarantee that the other end of the conversation will use it; similarly, in the PSTN you have no control over the possibility that your carrier might route some of your calls over VOIP... so the only thing you can really do is risk assess and encourage the use of encryption.
Cheers,
Eoin D. Fleming
-----Original Message-----
From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On Behalf Of Roland Auckenthaler
Sent: 18 June 2007 10:35
To: voipsec at voipsa.org
Subject: [VOIPSEC] Question on VoIP security requirements in financial sector
Hello,
I'm trying to find some information regarding security policies or legal obligations with regards to the use of VoIP in the financial sector. Does anybody know if the use of SRTP and/or TLS is a mandatory requirement for some financial transactions (i.e. phone banking)? I'm especially looking for information that relates to Europe, but if you have something from other regions that would be helpful too.
Best regards
Roland Auckenthaler
Sales Engineer CEEME, NMS Communications
Address: Richard Strauss Strasse 71, D-81679 Munich, Germany
Phone: +49 89 945484-78, Fax: +49 89 945484-70
MSN-IM: rauckenthaler at hotmail.com
Amtsgericht Muenchen: HRB 132404, Managing Director: Herb Shumway
From: voipsec-request at voipsa.org
Sent by: voipsec-bounces at voipsa.org
Date: 19.01.2007 13:00
Please respond to: voipsec at voipsa.org
To: voipsec at voipsa.org
Subject: Voipsec Digest, Vol 25, Issue 4
Message: 1
Date: Thu, 18 Jan 2007 16:07:22 -0800
From: Dragos Ruiu <dr at kyx.net>
Subject: [VOIPSEC] EUSecWest 2007 Papers
To: Voipsec at voipsa.org
Message-ID: <200701181607.22142.dr at kyx.net>
Content-Type: text/plain; charset="us-ascii"
(Nico already beat me to telling you folks, but there is some other info in this message that may interest some folks here --dr:)
Hi,
For those who asked, we are still processing the submissions for CanSecWest and the call closed, please stand by. The paper selections are back from the reviewers for EUSecWest, in London on March 1-2.
In absolutely random order:
Threats against and protection of Microsoft's internal network - Greg Galford, Microsoft
Linux Kernel == Security Nightmare - Marcel Holtmann, Red Hat
/GS and ASLR in Windows Vista - Ollie Whitehouse, Symantec
Fuzzing: history, perspectives and limits - Christian Wieser, Oulu university
The new OWASP Web Application Penetration Testing Methodology - Matteo Meucci & Alberto Revelli, OWASP-Italy
Reverse Engineering Malicious Javascript - Jose Nazario, Ph.D., Arbor
Bypassing NAC Systems - Ofir Arkin, Insightix
RFID - Adam Laurie, trifinite
Protecting Next-Gen Networks @ Nx10G link sizes - Jim Deleskie, Teleglobe
Video Conferencing Security - Navid Jam, Sandia National Laboratories
Software Virtualization Based Rootkits - Sun Bing
VoIP Attacks! - Dustin D. Trammell, TippingPoint
Windows Vista Exploitation Countermeasures - Richard Johnston, Microsoft
OSX Security - Daniel Cuthbert, Corsaire
Distributed drone-based malware propagation and deployment automation - Emmanuel H
We have added a new RFID dojo in London with Adam, and Nico has a new VoIP Security dojo amongst the new dojos to be announced for CanSecWest along with the paper selections. Dojos for London have final schedules now.
cheers,
--dr
--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. Mar 1-2 - 2007 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org