Telcos: Security Is Not In Your DNA

Patrick Donegan
6/25/2019

Although I've done business in the US and worked with Americans for 30 years -- and even married one of them -- I've never been motivated to invoke the veritable icon of American culture that is the Twelve Step Recovery Program.

Until now, that is. Those who know it will recognize that Step 1 is the hardest. It requires confronting your own inner demons of denial that have you pinned down in destructive behaviors and beliefs, and escaping them to admit you have a problem.

Telcos have a problem they need to confront and from which they need to escape. Other than among their own security professionals -- most of whom know better -- telco professionals all too easily allow themselves to believe the mantra "security is in our DNA."

Per the title of this blog, telcos please repeat after me: "Security is not in our DNA."

OK, maybe there are some exceptions. When it comes to assuring the availability of the telecom network infrastructure, and assuring the confidentiality of data in transit across that telecom infrastructure, telcos do indeed do a pretty good job against traditional telco security benchmarks.

Of course, they don't all do this flawlessly all of the time: Even the best telcos suffer DDoS outages, for example. And despite solutions having been available for years, many still haven't fixed signalling vulnerabilities that have started to be exploited to expose customer data. But those failings are still black marks at the margins of an otherwise very good track record.

Here's a test, though. The next time a telco executive tells you that security is in his or her company's DNA, ask them the following:

1) Which level of the Security Capability Maturity Model is your company at currently? What are the primary actions needed to elevate the company to the next level? And in what timeframe are these actions going to be implemented?

If you get blank looks, try this second question:

2) Can you even tell me what the Security Capability Maturity Model is?

That may sound unfair, unkind or even sarcastic but, honestly, it's only sarcastic. To have any chance of carrying off a claim that your telco employer has security in its DNA convincingly, being able to answer both questions is a bare minimum requirement.

There's worse to come, I'm afraid. (Relax, Step 1 is always like this -- it gets worse before it gets better). Take a look at the Security Capability Maturity Model below. It's HardenStance's abbreviated version of a very common industry model relating to the five different stages of security maturity.

I would submit -- and I don't think it's very controversial -- that most telcos rank as a level two or level three today. Think of it this way: In martial arts, a red belt is red, not black, right? So, if you're a level two or three at something on a scale that goes up to five, can you really think of that something being in your DNA? See how insidious this whole denial thing can be?

Keep in mind that the Security Capability Maturity Model takes account of the totality of an organization's assets and infrastructure. For a telco, that doesn't just mean the telecom infrastructure: It also includes the IT that supports the telecom infrastructure -- the enterprise IT domain, as well as the customer-facing web IT domain.

Across those other domains, telcos face the exact same myriad of threats that other organizations face, of which the following is just a subset:

  • Spear or whale phishing attacks hitting the inboxes of regular employees and C-level execs

  • Leaky APIs disclosing customer information from company websites (which can then be leveraged to carry out SIM fraud in the case of a mobile operator)

  • Insider theft of customer data

Telcos have featured among the victims of all the above attacks and breaches -- and many more -- in recent years, often as a result of very poor basic security hygiene that wouldn't arise in an organization with security truly in its DNA.

Adversaries also attack telcos across multiple domains. Four years ago, an attack by Iranian threat actors on North African and Middle Eastern telcos started in the enterprise IT domain. It began with a social engineering attack via LinkedIn that lured operations personnel into a trusted relationship. Next came the sharing of malware-infected documents with the aim of gaining access to the telco's operations environment. This provided a bridge into manipulating the telecom network itself. This porousness, or ability to move laterally within and between domains, is exacerbated by telcos as they undergo digital transformation.

I hate to say it, but it gets worse still. Even in the domain of telecom infrastructure security, in which telcos have historically been able to take a lot of pride, the goal posts are shifting now. The proliferation of attacks, endpoints, software-driven everything and edge use cases is ramping up: Now look at what telcos hope to achieve with 5G vertical use cases from a security perspective.

As well as getting better at applying basic security controls, telcos have to adapt security to the way their business is changing. Telco security doesn't just need to protect the availability of the network and the confidentiality of data in transit anymore. The security model needs to protect the confidentiality, integrity and availability of data at rest throughout the various domains of a telco's business, as well as in transit.

None of this should be alarming. As with other providers of critical infrastructure, telcos just have a big job to do to adjust to changes in the threat landscape and the new vulnerabilities that open up at the same time as new opportunities. With the right leadership and investment, they can certainly get there. It's no more complex or alarming than that. The critical starting point is to recognize that by today's standards, security is just not in a telco's DNA. The only thing that should cause alarm is a failure to recognize that.

— Patrick Donegan, Principal Analyst, HardenStance
