Development of Indicators for Information Security Level Assessment of VoIP Service Providers
KSII Transactions on Internet and Information Systems (TIIS). 2014. Feb, 8(2): 634-645
Copyright © 2014, Korean Society For Internet Information
  • Published : February 28, 2014
About the Authors
Seokung Yoon
Korea Internet Security Center, Korea Internet & Security Agency IT Venture Tower, Jungdaero 135, Songpa, Seoul, Korea, 138-950
Haeryong Park
Korea Internet Security Center, Korea Internet & Security Agency IT Venture Tower, Jungdaero 135, Songpa, Seoul, Korea, 138-950
Hyeong Seon Yoo
Computer and Information Engineering, Inha University 100 Inharo, Namgu, Incheon, Korea, 402-751

Abstract
VoIP (Voice over Internet Protocol) is a technology of transmitting and receiving voice and data over the Internet network. As the telecommunication industry is moving toward All-IP environment with growth of broadband Internet, the technology is becoming more important. Although the early VoIP services failed to gain popularity because of problems such as low QoS (Quality of Service) and inability to receive calls as the phone number could not be assigned, they are currently established as the alternative service to the conventional wired telephone due to low costs and active marketing by carriers. However, VoIP is vulnerable to eavesdropping and DDoS (Distributed Denial of Service) attack due to its nature of using the Internet. To counter the VoIP security threats efficiently, it is necessary to develop the criterion or the model for estimating the information security level of VoIP service providers. In this study, we developed reasonable security indicators through questionnaire study and statistical approach. To achieve this, we made use of 50 items from VoIP security checklists and verified the suitability and validity of the assessed items through Multiple Regression Analysis (MRA) using SPSS 18.0. As a result, we drew 23 indicators and calculate the weight of each indicators using Analytic Hierarchy Process (AHP). The proposed indicators in this study will provide feasible and reliable data to the individual and enterprise VoIP users as well as the reference data for VoIP service providers to establish the information security policy.
Keywords
VoIP, MRA, AHP
1. Introduction
The VoIP service is an Internet telephony service that carries voice as IP packets. It is growing as the communications industry continues to move toward an All-IP environment with the growth of broadband Internet networks. Despite its low fee, the VoIP service initially failed to gain popularity because of low QoS, the inability to receive calls as no phone number could be assigned, and inadequate accessibility. However, it has become a leading convergence technology in the broadcasting/communications market because of increasing subscribers and an expanding market as service-based operators entered it, cost savings on long-distance and international calls, and improved network efficiency as voice and data are carried over a single network (the IP network) [1]. A report forecast that the total market size of corporate VoIP equipment was KRW 240 billion in 2012 and predicted it would reach KRW 285 billion in 2016 [2].
Although interest on VoIP service is increasing in Korea, more security threats against VoIP and security incidents have also been reported. Therefore, it is important to prepare and carry out the security policy to create the safe usage environment of VoIP. However, there were no indicators that required VoIP service providers to measure their information security level. Consequently, they are having difficulty establishing their security policy and they are potentially exposed to numerous security threats.
In this study, we developed reasonable security indicators through a questionnaire study and a statistical approach. To achieve this, we made use of 50 items from the VoIP security checklists. Then, we verified the suitability and validity of the assessed items through Multiple Regression Analysis (MRA) using SPSS 18.0. As a result, we drew 23 indicators and calculated the weight of each indicator using the Analytic Hierarchy Process (AHP). The proposed indicators will provide feasible and reliable data to individual and corporate VoIP users, as well as reference data for VoIP service providers establishing their information security policy.
We present in Section 2 some related work. Section 3 looks into the research method and Section 4 describes result of the analysis. Lastly, Section 5 discusses the study result, implication and future study direction.
2. Related Work
2.1 Security Issues in VoIP
Since VoIP technology delivers its service over an IP network, it is vulnerable to the attacks associated with IP. According to the VoIP security guideline [3], the attacks can be classified into four types.
The first is the DoS attack. DoS is an attack that monopolizes system resources so that the system can no longer perform its original function; it can disrupt the VoIP service or shut it down entirely. Leading examples are the flooding attack, which sends a large volume of messages in a short period to bring down the VoIP service or degrade call quality, and the BYE or CANCEL message attack, in which forged SIP BYE or CANCEL requests terminate active calls.
The second is session interception, a method of stealing a user's privileges or using them illegally. By redirecting the voice path of an active call, the attacker can wiretap all messages of the participating hosts and intercept the session data, so users' registration data can also be leaked.
The third is eavesdropping, the act of listening to another user's call illegally and without consent. In the VoIP service environment, calls between users can be wiretapped by exploiting a vulnerability of the system or the terminal. The easiest way is to collect packets through an ARP poisoning attack on the same LAN. The collected packets contain the call setup (signalling) packets, the voice RTP packets, the user authentication packets, and so on, and the RTP stream can be decoded to reconstruct the call.
The fourth is VoIP spam. VoIP spam takes advantage of the relatively low cost of Internet calls and uses automated spam generation tools to place calls to a large number of users. As VoIP spam increases, it violates users' privacy and degrades the reliability of the VoIP service.
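The DoS patterns described above, a SIP INVITE flood from one source and forged BYE or CANCEL requests that tear down calls the sender never took part in, can both be spotted from the signalling alone. The following is an added example, not code from the paper or from the referenced guideline: a small detector that walks a constructed SIP signalling trace (time, source address, SIP method or final response code, Call-ID; the format, the sample traffic and the flood threshold are assumptions) and reports INVITE floods per source within a sliding window, and BYE/CANCEL messages whose Call-ID is unknown or whose sender was never a party to the dialog.

```python
"""Detecting SIP INVITE flooding and forged BYE/CANCEL teardown in a
signalling trace.

Added example, not code from the paper. The trace format (time, source IP,
SIP method or response code, Call-ID), the sample traffic and the thresholds
are assumptions made for illustration."""
from collections import defaultdict, deque

FLOOD_WINDOW_S = 1.0   # sliding window per source address
FLOOD_THRESHOLD = 50   # INVITEs per source within the window; tune to the platform's normal rate

# Constructed sample trace (not captured data): (time_s, src_ip, method, call_id)
SAMPLE_TRACE = [
    (0.0, "10.0.0.5", "INVITE", "call-1"),
    (0.1, "10.0.0.8", "200", "call-1"),      # callee answers call-1
    (0.2, "10.0.0.9", "INVITE", "call-2"),
    (0.3, "10.0.0.20", "200", "call-2"),     # callee answers call-2
    (1.0, "10.0.0.8", "BYE", "call-1"),      # legitimate teardown by a participant
    (1.5, "10.0.0.7", "BYE", "call-2"),      # BYE from a host that is not in call-2
    (2.0, "10.0.0.7", "CANCEL", "call-9"),   # CANCEL for a dialog nobody set up
]
# 120 INVITEs from one host within 1.2 s, each with a fresh Call-ID
SAMPLE_TRACE += [(3.0 + i * 0.01, "192.0.2.66", "INVITE", f"flood-{i}") for i in range(120)]


def analyse(trace, window=FLOOD_WINDOW_S, threshold=FLOOD_THRESHOLD):
    """Walk the trace in time order and return a list of (time, src_ip, alert) tuples."""
    alerts = []
    recent_invites = defaultdict(deque)   # src_ip -> timestamps of INVITEs inside the window
    flagged_sources = set()               # report each flooding source only once
    dialogs = {}                          # call_id -> set of addresses that took part
    for t, src, method, call_id in trace:
        if method == "INVITE":
            q = recent_invites[src]
            q.append(t)
            while q and t - q[0] > window:
                q.popleft()               # drop INVITEs that fell out of the window
            if len(q) > threshold and src not in flagged_sources:
                flagged_sources.add(src)
                alerts.append((t, src, f"INVITE flood: {len(q)} INVITEs within {window}s"))
            dialogs.setdefault(call_id, set()).add(src)
        elif method == "200":
            # a final response ties the answering party to the dialog
            dialogs.setdefault(call_id, set()).add(src)
        elif method in ("BYE", "CANCEL"):
            participants = dialogs.get(call_id)
            if participants is None:
                alerts.append((t, src, f"{method} for unknown Call-ID {call_id}"))
            elif src not in participants:
                alerts.append((t, src, f"{method} for {call_id} from non-participant"))
            else:
                dialogs.pop(call_id)      # normal teardown, forget the dialog
    return alerts


if __name__ == "__main__":
    for t, src, msg in analyse(SAMPLE_TRACE):
        print(f"{t:6.2f}s  {src:<12}  {msg}")
```

On the constructed trace the detector raises three alerts: the BYE for call-2 from 10.0.0.7, the CANCEL for the unknown Call-ID call-9, and the INVITE flood from 192.0.2.66 once the 51st INVITE arrives inside the one-second window. In a real deployment the participant set should be learned from the proxy's view of the dialog (Via/Contact headers) rather than from raw source addresses, since NAT and SBCs rewrite them.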
2.2 VoIP Security Checklists
continuously. To achieve this, there is an urgent need for an institutional standard for assessing the information security level of VoIP service providers. It is also important to check their service periodically against the standard and to remove the security threats found as a result. The Korea Communications Commission (KCC) and the Korea Internet & Security Agency (KISA) enacted the VoIP security guideline together with security experts from government, research laboratories, academia and industry. It contains VoIP security checklists divided into three categories, technical, managerial and physical, as shown in Table 1. To arrive at the 50 items, we carried out a literature review and three rounds of Delphi surveys targeting thirty VoIP security experts and professors. The Delphi survey is an effective method when decisions cannot be made on the basis of objective and accurate information alone: it gathers the opinions of experts and reaches a decision through their consensus [4]. Yoon et al. analyzed the factors of the VoIP security checklists using AHP [5].
Table 1. VoIP security checklists (50 items) (table image not reproduced on this page)
2.3 AHP
AHP, developed by Saaty in the 1970s, supports effective decision making by simplifying the procedure [13]. AHP also provides a comprehensive method that considers quantitative and qualitative factors simultaneously, based on the evaluators' consistent judgements expressed through pairwise comparison [14]. AHP can measure the reliability of questionnaire responses through the consistency ratio (CR): the data and the weight of each factor are considered meaningful when CR is less than 0.1 [13, 15]. With these characteristics, AHP is widely used to decide the importance of security indicators. In this paper, AHP is used to decide the weight of each indicator.
3. Research Method
This study verifies the suitability and validity of the assessed items through a hierarchical and objective survey of VoIP service providers and security experts.
First, this study selected 50 items from the VoIP security checklists. Before the regression analysis, we performed Delphi surveys to consider the independence of the indicators under the VoIP service environment.
Second, we organized the 50 items into a hierarchy and conducted a first survey of 100 VoIP service providers and security experts. Then, internal consistency analysis and stepwise multiple regression (SMR) were performed to reduce the assessed items from 50 to 23.
Third, the Analytic Hierarchy Process (AHP) was applied to calculate the weight factor of each assessed item.
4. Analysis Result
4.1 MRA Result
To verify reliability, the composite scale reliability index (CSRI), which is similar to Cronbach's alpha, was calculated. If the CSRI value is 0.7 or higher, the variable measurement is considered internally consistent [16]. Since the CSRI values of all variables are 0.7 or higher, the measured indicators of this study are considered reliable. The reliability and validity of the measured indicators were verified by analysis of the measurement model. Using the model, a significance test of each indicator in the multiple regression analysis was performed to verify the hypothesis. The VoIP service provider inspection indicators adopted as information security indicators through the multiple regression analysis were 10 technical protective measures, 10 managerial protective measures, and 3 physical protective measures, as shown in Table 2. The 27 dropped indicators are shown in Table 3.
Table 2. Adopted items after SMR (23 items) (table image not reproduced on this page)
Table 3. Dropped items after SMR (27 items) (table image not reproduced on this page)
4.2 AHP result
Based on the hierarchy tree shown in Fig. 1, we calculated the weight of each indicator through a questionnaire survey. The survey targeted 15 security experts over one month (September to October 2012). The 15 experts consisted of 10 staff from VoIP service carriers and 5 security consultants. They not only have strong academic and business backgrounds but are also in a position to influence decision making for VoIP services.
Fig. 1. A hierarchy tree for Information Security Level Assessment for VoIP service providers (figure image not reproduced on this page)
After the questionnaire survey, we collected 15 answer sheets and selected 13 of them after calculating the CR value of each sheet. We then calculated the weights of the indicators from the 13 sheets using the geometric mean. We analyzed the CR value of the merged data using Expert Choice 2000, in particular its group decision analysis function. The CR value was 0.02, so we verified that the responses were within the acceptable level of consistency [17]. When we synthesized all elements using Expert Choice, we obtained the relative importance shown in Fig. 2. Across the technical, managerial and physical aspects, 'locking system for access control' and 'integrated management system of VoIP security equipment' are relatively important among the indicators. This suggests that, in the view of information security specialists, these are key factors for constructing a secure VoIP environment.
Fig. 2. Synthesis for the problem of Information Security Level Assessment of VoIP Service Providers (figure image not reproduced on this page)
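The AHP steps used in Section 2.3 and in this section, deriving weights from a pairwise comparison matrix, rejecting answer sheets whose consistency ratio is 0.1 or above, merging the surviving sheets by geometric mean and synthesizing local weights into global priorities, can be reproduced without Expert Choice. The following is an added example written for this page, not code from the paper or from Expert Choice. The three judgement matrices, the category and indicator names and the local weights are constructed for illustration; the random index table is Saaty's.

```python
"""AHP weight derivation, consistency ratio (CR) screening of answer sheets,
geometric-mean aggregation of the surviving sheets, and synthesis of local
weights into global priorities.

Added example, not code from the paper or from Expert Choice. The judgement
matrices and the category/indicator names below are constructed."""

# Saaty's random consistency index RI by matrix order, used for CR = CI / RI
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def principal_eigenvector(matrix, iterations=1000, tol=1e-12):
    """Weights (normalised principal eigenvector) and lambda_max of a positive
    reciprocal pairwise comparison matrix, found by power iteration."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        new_w = [x / total for x in aw]
        converged = max(abs(a - b) for a, b in zip(new_w, w)) < tol
        w = new_w
        if converged:
            break
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    return w, lambda_max


def consistency_ratio(matrix):
    """CI = (lambda_max - n) / (n - 1) and CR = CI / RI; a sheet is accepted when CR < 0.1."""
    n = len(matrix)
    if n <= 2:
        return 0.0                     # 1x1 and 2x2 reciprocal matrices are always consistent
    _, lambda_max = principal_eigenvector(matrix)
    return (lambda_max - n) / (n - 1) / RANDOM_INDEX[n]


def geometric_mean_matrix(matrices):
    """Element-wise geometric mean of several judges' matrices (keeps reciprocity)."""
    k, n = len(matrices), len(matrices[0])
    merged = [[1.0] * n for _ in range(n)]
    for m in matrices:
        for i in range(n):
            for j in range(n):
                merged[i][j] *= m[i][j]
    return [[merged[i][j] ** (1.0 / k) for j in range(n)] for i in range(n)]


def group_weights(answer_sheets, cr_limit=0.1):
    """Screen sheets by CR, merge the survivors, return (weights, group CR, sheets kept)."""
    kept = [m for m in answer_sheets if consistency_ratio(m) < cr_limit]
    if not kept:
        raise ValueError("no answer sheet passed the consistency screen")
    merged = geometric_mean_matrix(kept)
    weights, _ = principal_eigenvector(merged)
    return weights, consistency_ratio(merged), len(kept)


def synthesize(category_weights, local_weights):
    """Global priority of each leaf indicator = its category weight x its local weight."""
    return {ind: category_weights[cat] * w
            for cat, inds in local_weights.items() for ind, w in inds.items()}


# Constructed judgements on Saaty's 1-9 scale over (technical, managerial, physical)
JUDGE_A = [[1, 3, 5], [1 / 3, 1, 3], [1 / 5, 1 / 3, 1]]      # mildly inconsistent, CR about 0.03
JUDGE_B = [[1, 2, 4], [1 / 2, 1, 2], [1 / 4, 1 / 2, 1]]      # perfectly consistent, CR = 0
JUDGE_C = [[1, 9, 1 / 9], [1 / 9, 1, 9], [9, 1 / 9, 1]]      # circular judgements, CR far above 0.1

if __name__ == "__main__":
    weights, cr, kept = group_weights([JUDGE_A, JUDGE_B, JUDGE_C])
    print(f"kept {kept} of 3 sheets, group CR = {cr:.3f}")
    categories = dict(zip(("technical", "managerial", "physical"), weights))
    # Illustrative (constructed) local weights of two leaf indicators per category
    local = {"technical": {"integrated management system": 0.6, "network security": 0.4},
             "managerial": {"CISO assigned": 0.7, "security planning": 0.3},
             "physical": {"locking system": 0.8, "facility operation": 0.2}}
    for name, g in sorted(synthesize(categories, local).items(), key=lambda kv: -kv[1]):
        print(f"  {name:<30} {g:.3f}")
```

Running the block keeps two of the three constructed sheets (JUDGE_C is rejected because its circular judgements give a CR well above 0.1), reports a group CR below 0.1 for the merged matrix, and lists the global priorities in descending order. Screening each sheet before merging matters: the geometric mean of a consistent sheet and a wildly inconsistent one can itself pass the CR test, which would hide the bad sheet.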
Table 4 shows the priority order of the indicators according to the opinions of the VoIP security experts. In terms of the weight factor of each indicator, Network Security, Terminal Security, and User Information Protection ranked highest, in that order, among the technical inspection indicators.
Table 4. The analysis result of priority order between indicators (table image not reproduced on this page)
Security Organization Setup and Operation, Security Planning Establishment and Management, Manpower Security, and IT Asset Management ranked highest, in that order, among the managerial protective measures. Entry/Exit and Access Control and Accessory Equipment and Facility Operation ranked highest, in that order, among the physical protective measures.
Among the technical inspection indicators, the indicator "Is an integrated management system of VoIP security equipment in place?" ranked highest. This means that operating an integrated management system such as an ESM is important for preventing incidents targeting VoIP. Among the managerial inspection indicators, the indicator "Is a Chief Information Security Officer (CISO) assigned?" ranked highest. This means that the commitment of top management is important for establishing and operating the security policy. Among the physical inspection indicators, the indicator "Is a locking system installed so that unauthorized people cannot enter?" ranked highest. This means that detecting and blocking unauthorized persons is important for protecting VoIP facilities. This indicator also ranked highest among all indicators.
5. Conclusions
This study selected 50 items, organized them into a hierarchy, and verified the suitability and validity of the evaluated items using an objective survey of service providers and security experts. We then drew 23 indicators and calculated the weight of each indicator using the Analytic Hierarchy Process (AHP).
To summarize the result, it is important for VoIP security to operate an integrated management system, to assign a Chief Information Security Officer (CISO), and to install a locking system that keeps unauthorized people out.
Since the VoIP service uses the existing IP environment, it is exposed to the various security problems of that environment. Leakage of confidential information through eavesdropping on calls is one of the most critical security issues and requires special protection; to achieve it, applying a VoIP security protocol is essential. The number of VoIP service users is expected to increase rapidly because of its low cost and the proliferation of devices supporting VoIP. For these users, not only must countermeasures for the existing vulnerabilities of VoIP services be developed, but also security technologies to cope with newly appearing attacks.
In future work, the validity of the study result should be improved by conducting face-to-face interviews or exploratory research such as observation in parallel, and then comparing the results.
BIO
Seokung Yoon received his Bachelor's degree in Industrial Automation Engineering in 1998 from Inha University and his Master's degree in Computer Science and Engineering from Inha University in 2003. Since August 2006, Mr. Yoon has been a researcher at KISA (Korea Internet & Security Agency). His current research interests include the security of IT convergence services and applications.
Haeryong Park received his BS degree in Mathematics from Chonnam National University, Korea, in 1999. In 2001, he received his MS degree in Mathematics from Seoul National University, Korea. In 2006, he received his PhD degree in Information Security from Chonnam National University, Korea. He is a manager of the Information Security Technology Team at the Korea Internet & Security Agency (KISA). His current research interests include the design and analysis of cryptographic algorithms and the security of IT convergence services.
Hyeong Seon Yoo received his Bachelor's degree in Mechanical Engineering in 1974 from Inha University and his Ph.D. from Ghent University, Belgium, in 1983. Dr. Yoo is a professor in the School of Computer Science and Information Technology at Inha University. His research interests include computer security, applied cryptography and scientific computation.
References
[1] Kim D., "Analysis of Game Theoretical Effect of Internet Telephone (VoIP) Quality Assurance Policy and Number Transfer Policy," Business Research, vol. 38, no. 1, pp. 35-49, 2009.
[2] IDC Korea.
[3] Korea Communications Commission and Korea Internet & Security Agency, "VoIP Security Guideline," 2007.
[4] Turoff M., "The Policy Delphi," in The Delphi Method: Techniques and Applications, 2002.
[5] Yoon S., Park H., Yoo H., "Factor Analysis of VoIP Security Checklists using AHP," Journal of the Korea Institute of Information Security & Cryptology, vol. 22, no. 5, pp. 1115-1122, 2012.
[6] Samarati P., Vimercati S., "Access Control: Policies, Models, Mechanisms," Lecture Notes in Computer Science, vol. 2171, p. 137, 2001.
[7] Gordon L.A., Loeb M.P., "The Economics of Information Security Investment," ACM Transactions on Information and System Security, vol. 5, no. 4, pp. 438-457, 2002. DOI: 10.1145/581271.581274
[8] Kuhn D.R., Walsh T.J., Fries S., "Security Considerations for Voice Over IP Systems," NIST Special Publication 800-58, National Institute of Standards and Technology, 2005.
[9] Bodin L.D., Gordon L.A., Loeb M.P., "Evaluating Information Security Investments Using the Analytic Hierarchy Process," Communications of the ACM, vol. 48, pp. 79-83, 2005. DOI: 10.1145/1042091.1042094
[10] Korea Communications Commission and Korea Internet & Security Agency, "Information Security Check Service Manual," 2012.
[11] Falk R., Fries S., "Security Governance for Enterprise VoIP Communication," in Emerging Security Information, Systems and Technologies (SECURWARE), pp. 279-286, 2008.
[12] Cisco IP Telephony Security Framework, Cisco Press, 2012.
[13] Saaty T.L., The Analytic Hierarchy Process, McGraw-Hill, New York, 1980.
[14] Jung H., "A Study on Importance of Evaluation Index of Personal Information Security using AHP," Journal of the Korean Data Analysis Society, vol. 12, no. 3(B), pp. 1499-1510, 2010.
[15] Saaty T.L., Vargas L.G., "Diagnosis with Dependent Symptoms: Bayes Theorem and the Analytic Hierarchy Process," Operations Research, vol. 46, no. 4, pp. 491-502, 1998. DOI: 10.1287/opre.46.4.491
[16] Fornell C., Larcker D.F., "Evaluating Structural Equation Models with Unobservable Variables and Measurement Error," Journal of Marketing Research, vol. 18, no. 1, pp. 39-50, 1981. DOI: 10.2307/3151312
[17] Kong H., Kim T., Kim J., "An Analysis on Effects of Information Security Investments: A BSC Perspective," Journal of Intelligent Manufacturing, vol. 23, no. 4, pp. 941-953, 2010. DOI: 10.1007/s10845-010-0402-7