Employing penetration testing as an audit methodology for the security review of VoIP: Tests and examples

Internet Research

Volumn 17, Issue 1, 2007, Pages 61-87

  Tryfonas, Theodore ^a   Sutherland, Iain ^a   Pompogiatzis, Ioannis ^b  

^a UNIVERSITY OF GLAMORGAN   (United Kingdom)

^b COSMOTE SA ^*  (Greece)

Author keywords

Auditing; Communication technologies; Internet; Tests and testing

Indexed keywords

EID: 33846706416     PISSN: 10662243     EISSN: None     Source Type: Journal    
DOI: 10.1108/10662240710730506     Document Type: Article

References (20)

1. Abbasi, A. (2003), Voice over IP A Discussion of Business and IT Challenges: Voice over IP and IP Telephony Trends available at: http://searchnetworking.techtarget.com/whitepaperPage/0,293857,sid7gci94502,00. html (accessed 6 June 2005).
2. Arora, R. (2004), Voice over IP: Protocol and Standards: RTP and RTCP available at: www.cse.wustl.edu/ ∼ jain/cis788-99/ftp/voipprotocols/index. html (accessed 3 June 2005).
3. Barrett, N. (2003), "Penetration testing and social engineering hacking", Information Security Technical Report, Vol. 8 No. 4, p. 57, Elsevier Ltd, Barking.
4. Cisco Systems (2004), Cisco SS7 Interconnect for Voice Gateways: Core Components - Call Controller, available at: www.cisco.com/univercd/cc/td/doc/ product/access/sc/rel7/soln/voip13/ (accessed 30 May 2005).
5. Deloitte Research (2004), Getting of the Ground: VoIP Goes Mainstream, available at: www.deloitte.com/dtt/research/0,1015, sid%253D1012%2526cid%253D64018,00.html (accessed 6 June 2005)253D64018,00.html (accessed 6 June 2005).
6. Endler, D. and Collier, M. (2006), Hacking VoIP Exposed, Black Hat Briefing, available at: www.hackingexposedvoip.com/index.php (accessed 29 August 2006).
7. Herzog, P. (2003), Open-Source Security Testing Methodology: The Rules of Engagement available at: www.isecom.org (accessed 23 June 2005).
8. (The) Institute for Security and Open Methodologies (ISECOM) (n.d.) available at: www.isecom.org.
9. Krutz, R. and Vines, R. (2001), The CISSP Prep Guide: Mastering the Ten Domains of Computer Security: Law Investigation and Ethics, Wiley, New York, NY.
10. McElroy, C. (2003), Principles of Speech Coding, available at: www.jaynta.com/technology/principlesofspeechcoding.pdf (accessed 2 June 2005).
11. Ransome, J. and Rittinghouse, J. (2005), VoIP Security: VoIP Security Best Practices, Elsevier Digital Press, Burlington, MA.
12. US National Infrastructure Advisory Council (2004), Common Vulnerability Scoring System, available at: www.dhs.gov/interweb/assetlibrary/ NIACCVSSFinalRpt12-2-04.pdf (accessed 11 July 2005).
13. US National Security Agency (NSA) Security Configuration Guides (n.d.), available at: www.nsa.gov/snac/.
14. US National Vulnerability Database (2005), (online), available at: http://nvd.nist.gov/ (accessed between 23 August and 9 September 2005).
15. Voice over Packet Security Forum (2005), SiVus - The VoIP Vulnerability Scanner, available at: www.vopsecurity.org/html/tools.html (accessed 22 July 2005).
16. eEye Digital Security (2005), Retina Network Security Scanner, available at: www.eeye.com/html/products/Retina/.
17. Baskin, B., Chaffin, L., Cross, M., Kancliz, J., Rosela, A., Shim, C. and Zmolek, A. (2006), Practical VoIP Security, Syngress Publishers, New York, NY.
18. Cisco Systems (2003), Safe Blueprint: IP Telephony Security in Depth, available at: www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safipwp.pdf.
19. European Parliament and the Council (1995), "Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data", Journal of the European Communities, Vol. L No. 281, p. 31.
20. Great Britain Parliament (1988), The Data Protection Act 1988, (online), available at: www.opsi.gov.uk/acts/acts1998/19980029.htm.