Sun 10 May 2009 04:00 AM

Weakest link

Operators must take a comprehensive look at their networks to ensure maximum security as they migrate towards IP architecture.


While telecom professionals are familiar with the many benefits brought by advances in technology, from 3G to IP networks and LTE, less attention is paid to the huge security challenge that accompanies this progress.

But those involved in helping prevent harm to telecom networks from threats including malware and internal fraud are convinced that the changing nature of telecommunications demands a shift in mindset from operators.

Part of the challenge is that while the traditional legacy TDM networks faced mainly localised threats, modern telecom operations face threats from multiple sources around the world.

The shift towards IP architecture means that telecom operations are exposed to all types of malware across the entire network, while the proliferation of mobile devices such as the BlackBerry and iPhone means that valuable data can easily fall into the wrong hands if a device is lost, stolen or hacked.

One person familiar with the complex nature of the security challenge facing operators is Stephen Sargood, solution architect, carrier networks, for Nortel in the EMEA region.

In terms of the actual network, Sargood says that one of the main challenges operators face is that as they migrate towards IP architecture, the entire network is potentially more vulnerable to attack, as multiple services are essentially on the same platform.

"When we get into a VoIP world, from the security point of view, you have got all of your ONM (optical network management), signaling and media all into one pipe," Sargood says. "That is the first thing to think about when moving to VoIP."

One of the main threats that IP operators tend to focus on is denial of service attacks, according to Sargood. This type of attack, in which an individual or group of people tries to force a network into an overload situation in order to prevent legitimate traffic from using the network, is a particular concern because it has a direct and immediate effect on revenues and network quality.

"Typically most operators are concerned about denial of service, because it affects their revenue streams. So if their network is being attacked by someone who has totally taken over the network with illegitimate traffic, the real traffic that they make their money from can't come through."

To counteract this type of attack, Sargood says operators should work to a programme of "security in depth" whereby the entire breadth of the network is scrutinised and potential threats of all types are filtered as early as possible.

"There are different places where you put protection in place. You start at the edge of the network. For denial of service attacks, one of the things you want to do is get rid of the illegitimate traffic as close to the edge of the network as you can. If the denial of service makes it to the call server you have carried all of that illegitimate traffic through your entire network, so you need to intercept it at the edge of the network," he says.

Sargood, whose team works with operators including STC, Du and Telecom Egypt, says that one of the basic premises a service provider has to make is that anybody connecting to the network from the outside world is an untrustworthy connection.

"You have to put the user through various authentication methods depending on what protocol method you are using, by putting out session border controls or other devices at the edge of the network," he says.

Operators can also limit points of entry for attacks by turning on only those services and ports that are actually required. "On our platform we don't need to run any mail applications, so there is no point having a mail server running. On the actual platform, you should close the applications you don't need," he adds.

Operators should also know who exactly has access to switches, so that they know who has access to the network. "We have to make sure that when someone connects to a switch to make a change, we know who they are. Also we encrypt all that information going between that person's PC and the network."

Operators can also work toward centralising access to the network, so that all input from technicians goes through a central point, Sargood adds. "We establish one central point where all of the users enter.

"Then we fan out from there as opposed to the users going to all the network elements directly. They go through a central point. The whole point is to keep the switch up and running and generating revenue," he adds.

Tareque Choudhury, head of business continuity and security practice, BT Group, Middle East and Africa, adds that "a huge influx" of malware continues to be a headache for operators. He says that while operators are aware of the problem, they could benefit from focusing more attention on the threat.

"As these telecom operators are building their next generation networks, they are becoming more exposed to the malicious hackers who are creating this malware, viruses and spam."

Operator’s perspective: Turk Telekom and Zain Group

Turk Telekom is one operator that has risen to the challenge of ensuring its network is well protected. Security became more challenging for the Turkish incumbent as it progressed to using a combination of different technologies such as wired and wireless, as well as moving further into IP with the introduction of IPv6.

The company is handling security threats with a security program incorporating risk analysis, security policy and procedures compatible with ISO/IEC 27001. It has implemented technologies such as firewall, intrusion prevention systems, network security scanning and monitoring.

"Firstly, we determine some prevention methods for the threats we detect in the risk analysis. Then, we initiate the appropriate process for handling threats and risks," says Cengiz Dogan of Turk Telekom.

"To prevent network attacks, we make the necessary security configuration on network devices that are distributed in the field according to security standards. For central systems, we use firewall and IPS. 20 people work on our network protection strategy."

He added that the most critical attacks for operators are denial of service attacks, worms such as SQL slammer, spam, phishing, viruses and vendor-specific bugs.

Zain Group, meanwhile, has a group-wide information security policy aligned with industry best practices (ISO 27001, BS 25999 and BS 25777) to ensure that proper measures and controls are being implemented to secure its networks in the Middle East and Africa, according to Abdul-Ghaffar Setareh, group risk director, Zain Group.

"On an operational level, every one of our 23 operations has a risk function owning and implementing controls and measures specific to that operation, depending on size, services, topology and complexity," he says.

"We perform regular audits and reviews, internal and external penetration testing, as part of the business continuity management strategy, ISO certification and internal audit requirements. This enables us to detect any deficiencies in our defenses."

Choudhury adds that operators in the GCC countries are generally handling security threats well, by hiring the right people and installing the right technology.

But in other less developed countries in the Middle East and Africa, operators are failing to pay enough attention to the issue.

"We are trying to educate them that as their network grows into next generation, that security is a base line for that, and as they build it, they have to build the security processes along with it," he adds.

Acquired threats

This has particular relevance for acquisitive operators in the region, which need to consider security as they merge new acquisitions into their operation. "There are a few operators locally based in the Middle East that have acquired operators in Sub Saharan Africa and it is very difficult. First there is a cultural barrier, but also trying to implement the business processes is a challenge," Choudhury says.

"The first thing some of the operators tried to do when they acquired Sub Saharan African operators was implement ISO 270001, which is best practices for security because when you have got that in place then the technology comes naturally," he adds.

This is a challenge that Kuwait-based operator Zain has first-hand experience of. "As our footprint and visibility grow, our exposure increases to different types of threats, ranging from electronic attacks to loss of resources and vandalism," says Abdul-Ghaffar Setareh, group risk director, Zain Group.

The company, which has acquired numerous operations across the MEA region in the past few years, keeps a "risk register" to identify threats it faces at a local and group-wide level. These registers are updated at least twice a year or in response to a specific threat or major change in technology.

The company also assesses security threats before making acquisitions. "As part of our due diligence performed before an acquisition or a green field entry, a risk assessment is performed and a gap analysis maps that acquisition against our group standards," Setareh adds.

"As for the green fields, the group policies and guidelines are implemented from the beginning, for example, geo-redundancies for critical systems and Network elements including HLRs, INs, MSCs."

Banking on trust

But it is not just a push into new geographical markets that exposes operators to more risks. They also face fresh challenges as they enter new market segments, such as mobile banking. It is a situation that Christopher Young, senior vice president, products, at RSA, the security division of EMC, is familiar with.

"Mobile companies are becoming more like banks, which comes with a whole set of responsibilities around protecting networks from threats, protecting sensitive information, identity assurance and the like," he says.

This is also an important area where some operators may lag behind in terms of security. While Young stresses that there is plenty of protection in place to protect services such as mobile banking, there remain some vulnerabilities. The difficult part for operators, he says, is managing threats that may emerge in the future, as well as existing threats.

"The challenge is not necessarily to focus on whether something is secure today but whether we are thinking about the right model that is going to protect it against future attacks," Young adds.

Educating customers

But one simple way in which operators could improve overall security is by helping to educate the consumer, according to BT Group's Choudhury. "Sometimes they offer them products such as firewalls, and they need to offer them education as well, in the form of newsletters to their customers. We don't see that happening in the Middle East like in the UK, US and Canada," he says.

He points to the Conficker worm as a prime example. Despite this malware being a huge problem, most operators in the region failed to alert their customers. Furthermore, the problem of malware is likely to increase in the region as its economies grow. Choudhury points out that while most malware comes from the US, China, and then Eastern Europe, a growing amount also comes from Saudi Arabia.

Saudi Arabia was once far back in a list of top 100 countries detailing where malware comes from. "In the past year, it appeared in the top 10. This region is booming economically but it is also where a lot of attacks will happen," Choudhury adds.

Information overload

Another less obvious security challenge for operators is how to deal with an ever-growing mass of digital information. Christopher Young, senior vice president, products, at RSA, the security division of EMC, sees this as a key challenge, and one that should be treated with the same conviction as threats such as malware.

"We call it information sprawl," he says. "Information is everywhere. It gets created, it gets destroyed, it gets moved, and it touches all parts of the IT networks, the infrastructure. It is replicated in databases, it is stored, it gets moved off site for back up purposes. Copies get created when you email it around. It is everywhere. It even exists on the end points on users' computers.

"The challenge, as information becomes more valuable and more sensitive, is how do you protect that value?" He adds that operators need to develop information governance policies to handle this challenge.
