Telcos: Security Is Not In Your DNA
Although I've done business in the US and worked with Americans for 30 years -- and even married one of them -- I've never been motivated to invoke the veritable icon of American culture that is the Twelve Step Recovery Program.
Until now, that is. Those who know it will recognize that Step 1 is the hardest. It requires confronting your own inner demons of denial that have you pinned down in destructive behaviors and beliefs, and escaping them to admit you have a problem.
Telcos have a problem they need to confront and from which they need to escape. Other than among their own security professionals -- most of whom know better -- telco professionals all too easily allow themselves to believe the mantra "security is in our DNA."
Per the title of this blog, telcos please repeat after me: "Security is not in our DNA."
OK, maybe there are some exceptions. When it comes to assuring the availability of the telecom network infrastructure, and assuring the confidentiality of data in transit across that telecom infrastructure, telcos do indeed do a pretty good job against traditional telco security benchmarks.
Of course, they don't all do this flawlessly all of the time: Even the best telcos suffer DDoS outages, for example. And despite solutions having been available for years, many still haven't fixed signalling vulnerabilities that have started to be exploited to expose customer data. But those failings are still black marks at the margins of an otherwise very good track record.
Here's a test, though. The next time a telco executive tells you that security is in his or her company's DNA, ask them the following:
1) Which level of the Security Capability Maturity Model is your company at currently? What are the primary actions needed to elevate the company to the next level? And in what timeframe are these actions going to be implemented?
If you get blank looks, try this second question:
2) Can you even tell me what the Security Capability Maturity Model is?
That may sound unfair, unkind or even sarcastic but, honestly, it's only sarcastic. To have any chance of carrying off a claim that your telco employer has security in its DNA convincingly, being able to answer both questions is a bare minimum requirement.
There's worse to come, I'm afraid. (Relax, Step 1 is always like this -- it gets worse before it gets better). Take a look at the Security Capability Maturity Model below. It's HardenStance's abbreviated version of a very common industry model relating to the five different stages of security maturity.
I would submit -- and I don't think it's very controversial -- that most telcos rank as a level two or level three today. Think of it this way: In martial arts, a red belt is red, not black, right? So, if you're a level two or three at something on a scale that goes up to five, can you really think of that something being in your DNA? See how insidious this whole denial thing can be?
Keep in mind that the Security Capability Maturity Model takes account of the totality of an organization's assets and infrastructure. For a telco, that doesn't just mean the telecom infrastructure: It also includes the IT that supports the telecom infrastructure -- the enterprise IT domain, as well as the customer-facing web IT domain.
Across those other domains, telcos face the exact same myriad of threats that other organizations face, of which the following is just a subset:
Telcos have featured among the victims of all the above attacks and breaches -- and many more -- in recent years, often as a result of very poor basic security hygiene that wouldn't arise in an organization with security truly in its DNA.
Adversaries also attack telcos across multiple domains. Four years ago, an attack by Iranian threat actors on North African and Middle Eastern telcos started in the enterprise IT domain. It began with a social engineering attack via LinkedIn that lured operations personnel into a trusted relationship. Next came the sharing of malware-infected documents with the aim of gaining access to the telco's operations environment. This provided a bridge into manipulating the telecom network itself. This porousness or ability to move laterally within and between domains is exacerbated by telcos as they undergo digital transformation.
I hate to say it, but it gets worse still. Even in the domain of telecom infrastructure security, in which telcos have historically been able to take a lot of pride, the goal posts are shifting now. The proliferation of attacks, endpoints, software-driven everything and edge use cases is ramping up: Now look at what telcos hope to achieve with 5G vertical use cases from a security perspective.
As well as getting better at applying basic security controls, telcos have to adapt security to the way their business is changing. Telco security doesn't just need to protect the availability of the network and the confidentiality of data in transit anymore. The security model needs to protect the confidentiality, integrity and availability of data at rest throughout the various domains of a telco's business, as well as in transit.
None of this should be alarming. As with other providers of critical infrastructure, telcos just have a big job to do to adjust to changes in the threat landscape and the new vulnerabilities that open up at the same time as new opportunities. With the right leadership and investment, they can certainly get there. It's no more complex or alarming than that. The critical starting point is to recognize that by today's standards, security is just not in a telco's DNA. The only thing that should cause alarm is a failure to recognize that.
— Patrick Donegan, Principal Analyst, HardenStance