Socio-technical Security Assessment of a VoIP System

In this paper, we introduce a method and a tool for systematically assessing the security of complex systems. We gather data from interviews, network documentation as well as active and passive network measurements and combine them in a semantic model with our tool, Graphingwiki. We tested our methodology on an active large-scale VoIP system. The multifaceted data gathering and analysis method was fast and extensive and proved to be effective in finding the weaknesses of the system. The method provided a repeatable method of measuring and ensuring the security of the system. The largest benefit of the method is in quick and efficient data collection from several, differing, data sources and the resulting analyses of the combined data.

[1]  Thomas J. Walsh,et al.  Security Considerations for Voice Over IP Systems , 2005 .

[2]  J.V.H. Sanderson IEEE Recommended Practice for Protection and Co-ordination of Industrial and Commercial Power Systems , 1989 .

[3]  C. B. Cooper,et al.  IEEE Recommended Practice for Electric Power Distribution for Industrial Plants , 1987 .

[4]  Milos Manic,et al.  CIMS: A Framework for Infrastructure Interdependency Modeling and Analysis , 2006, Proceedings of the 2006 Winter Simulation Conference.

[5]  Robert A. Martin Managing Vulnerabilities in Networked Systems , 2001, Computer.

[6]  Timo Ojala,et al.  Clarified Recorder and Analyzer for Visual Drill Down Network Analysis , 2009, PAM.

[7]  Miles A Redfern,et al.  Protection against loss of utility grid supply for a dispersed storage and generation unit , 1993 .

[8]  Benoit Claise,et al.  Cisco Systems NetFlow Services Export Version 9 , 2004, RFC.

[9]  Anita Raja,et al.  Critical Infrastructure Integration Modeling and Simulation , 2004, ISI.

[10]  Jay Liebowitz,et al.  Linking social network analysis with the analytic hierarchy process for knowledge mapping in organizations , 2005, J. Knowl. Manag..

[11]  C. J. Mozina,et al.  Interconnection protection of IPP generators at commercial/industrial facilities , 2000, Conference Record of the 2000 IEEE Industry Applications Conference. Thirty-Fifth IAS Annual Meeting and World Conference on Industrial Applications of Electrical Energy (Cat. No.00CH37129).

[12]  Catherine M. Mattison Protective relaying for the cogeneration intertie revisited , 1995, IAS '95. Conference Record of the 1995 IEEE Industry Applications Conference Thirtieth IAS Annual Meeting.

[13]  M. Laakso,et al.  A case for protocol dependency , 2005, First IEEE International Workshop on Critical Infrastructure Protection (IWCIP'05).

[14]  Juha Röning,et al.  Software Vulnerability vs. Critical Infrastructure - a Case Study of Antivirus Software , 2009 .

[15]  W. E. Feero,et al.  Intertie protection of consumer-owned sources of generation, 3 MVA or less: summary report of an IEEE working group report , 1990 .

[16]  Juha Röning,et al.  Graphingwiki - a Semantic Wiki extension for visualising and inferring protocol dependency , 2006, SemWiki.