Telcos are in denial if they think they are security experts, says outspoken industry analyst Patrick Donegan.

Patrick Donegan, Founder and Principal Analyst, HardenStance

June 25, 2019

Telcos: Security Is Not In Your DNA

Although I've done business in the US and worked with Americans for 30 years -- and even married one of them -- I've never been motivated to invoke the veritable icon of American culture that is the Twelve Step Recovery Program.

Until now, that is. Those who know it will recognize that Step 1 is the hardest. It requires confronting your own inner demons of denial that have you pinned down in destructive behaviors and beliefs, and escaping them to admit you have a problem.

Telcos have a problem they need to confront and from which they need to escape. Other than among their own security professionals -- most of whom know better -- telco professionals all too easily allow themselves to believe the mantra "security is in our DNA."

Per the title of this blog, telcos please repeat after me: "Security is not in our DNA."

OK, maybe there are some exceptions. When it comes to assuring the availability of the telecom network infrastructure, and assuring the confidentiality of data in transit across that telecom infrastructure, telcos do indeed do a pretty good job against traditional telco security benchmarks.

Of course, they don't all do this flawlessly all of the time: Even the best telcos suffer DDoS outages, for example. And despite solutions having been available for years, many still haven't fixed signalling vulnerabilities that have started to be exploited to expose customer data. But those failings are still black marks at the margins of an otherwise very good track record.

Here's a test, though. The next time a telco executive tells you that security is in his or her company's DNA, ask them the following:

1) Which level of the Security Capability Maturity Model is your company at currently? What are the primary actions needed to elevate the company to the next level? And in what timeframe are these actions going to be implemented?

If you get blank looks, try this second question:

2) Can you even tell me what the Security Capability Maturity Model is?

That may sound unfair, unkind or even sarcastic but, honestly, it's only sarcastic. To have any chance of carrying off a claim that your telco employer has security in its DNA convincingly, being able to answer both questions is a bare minimum requirement.

There's worse to come, I'm afraid. (Relax, Step 1 is always like this -- it gets worse before it gets better). Take a look at the Security Capability Maturity Model below. It's HardenStance's abbreviated version of a very common industry model relating to the five different stages of security maturity.

Figure 1: HardenStance's abbreviated Security Capability Maturity Model (five stages of security maturity; image not reproduced here).

I would submit -- and I don't think it's very controversial -- that most telcos rank as a level two or level three today. Think of it this way: In martial arts, a red belt is red, not black, right? So, if you're a level two or three at something on a scale that goes up to five, can you really think of that something being in your DNA? See how insidious this whole denial thing can be?

Keep in mind that the Security Capability Maturity Model takes account of the totality of an organization's assets and infrastructure. For a telco, that doesn't just mean the telecom infrastructure: It also includes the IT that supports the telecom infrastructure -- the enterprise IT domain, as well as the customer-facing web IT domain.

Across those other domains, telcos face the exact same myriad of threats that other organizations face, of which the following is just a subset:

• Spear or whale phishing attacks hitting the inboxes of regular employees and C-level execs

• Leaky APIs disclosing customer information from company websites (which can then be leveraged to carry out SIM fraud in the case of a mobile operator)

• Insider theft of customer data

Telcos have featured among the victims of all the above attacks and breaches -- and many more -- in recent years, often as a result of very poor basic security hygiene that wouldn't arise in an organization with security truly in its DNA.

Adversaries also attack telcos across multiple domains. Four years ago, an attack by Iranian threat actors on North African and Middle Eastern telcos started in the enterprise IT domain. It began with a social engineering attack via LinkedIn that lured operations personnel into a trusted relationship. Next came the sharing of malware-infected documents with the aim of gaining access to the telco's operations environment. This provided a bridge into manipulating the telecom network itself. This porousness, or ability to move laterally within and between domains, is exacerbated by telcos as they undergo digital transformation.

I hate to say it, but it gets worse still. Even in the domain of telecom infrastructure security, in which telcos have historically been able to take a lot of pride, the goal posts are shifting now. The proliferation of attacks, endpoints, software-driven everything and edge use cases is ramping up: Now look at what telcos hope to achieve with 5G vertical use cases from a security perspective.

As well as getting better at applying basic security controls, telcos have to adapt security to the way their business is changing. Telco security doesn't just need to protect the availability of the network and the confidentiality of data in transit anymore. The security model needs to protect the confidentiality, integrity and availability of data at rest throughout the various domains of a telco's business, as well as in transit.

None of this should be alarming. As with other providers of critical infrastructure, telcos just have a big job to do to adjust to changes in the threat landscape and the new vulnerabilities that open up at the same time as new opportunities. With the right leadership and investment, they can certainly get there. It's no more complex or alarming than that. The critical starting point is to recognize that by today's standards, security is just not in a telco's DNA. The only thing that should cause alarm is a failure to recognize that.

— Patrick Donegan, Principal Analyst, HardenStance

About the Author(s)

Patrick Donegan

Founder and Principal Analyst, HardenStance

Patrick is the Founder and Principal Analyst of HardenStance Ltd, a leading analyst firm providing best-in-class research, analysis and insight in telecom and IT security. A lot of Patrick's research is focused on best practice for telecom operators in securing their own networks and providing security services to end customers. In recent years his research has focused increasingly on the security opportunities and threats presented by the telecom sector's efforts to evolve to more software-controlled networking, including the evolution in network security requirements from 4G to 5G. Patrick has worked in the telecom sector for over 25 years, including in strategic planning roles for Motorola as well as for Nortel's mobile infrastructure business. Prior to forming HardenStance Ltd in January 2017, he worked for eleven years at Heavy Reading, the last three as Heavy Reading's Chief Analyst.
