& cplSiteName &

Telcos: Security Is Not In Your DNA

Patrick Donegan

Although I've done business in the US and worked with Americans for 30 years -- and even married one of them -- I've never been motivated to invoke the veritable icon of American culture that is the Twelve Step Recovery Program.

Until now, that is. Those who know it will recognize that Step 1 is the hardest. It requires confronting your own inner demons of denial that have you pinned down in destructive behaviors and beliefs, and escaping them to admit you have a problem.

Telcos have a problem they need to confront and from which they need to escape. Other than among their own security professionals -- most of whom know better -- telco professionals all too easily allow themselves to believe the mantra "security is in our DNA."

Per the title of this blog, telcos please repeat after me: "Security is not in our DNA."

OK, maybe there are some exceptions. When it comes to assuring the availability of the telecom network infrastructure, and assuring the confidentiality of data in transit across that telecom infrastructure, telcos do indeed do a pretty good job against traditional telco security benchmarks.

Of course, they don't all do this flawlessly all of the time: Even the best telcos suffer DDoS outages, for example. And despite solutions having been available for years, many still haven't fixed signalling vulnerabilities that have started to be exploited to expose customer data. But those failings are still black marks at the margins of an otherwise very good track record.

Here's a test, though. The next time a telco executive tells you that security is in his or her company's DNA, ask them the following:

1) Which level of the Security Capability Maturity Model is your company at currently? What are the primary actions needed to elevate the company to the next level? And in what timeframe are these actions going to be implemented?

If you get blank looks, try this second question:

2) Can you even tell me what the Security Capability Maturity Model is?

That may sound unfair, unkind or even sarcastic but, honestly, it's only sarcastic. To have any chance of carrying off a claim that your telco employer has security in its DNA convincingly, being able to answer both questions is a bare minimum requirement.

There's worse to come, I'm afraid. (Relax, Step 1 is always like this -- it gets worse before it gets better). Take a look at the Security Capability Maturity Model below. It's HardenStance's abbreviated version of a very common industry model relating to the five different stages of security maturity.

I would submit -- and I don't think it's very controversial -- that most telcos rank as a level two or level three today. Think of it this way: In martial arts, a red belt is red, not black, right? So, if you're a level two or three at something on a scale that goes up to five, can you really think of that something being in your DNA? See how insidious this whole denial thing can be?

Keep in mind that the Security Capability Maturity Model takes account of the totality of an organization's assets and infrastructure. For a telco, that doesn't just mean the telecom infrastructure: It also includes the IT that supports the telecom infrastructure -- the enterprise IT domain, as well as the customer-facing web IT domain.

Across those other domains, telcos face the exact same myriad of threats that other organizations face, of which the following is just a subset:

  • Spear or whale phishing attacks hitting the inboxes of regular employees and C-level execs

  • Leaky APIs disclosing customer information from company websites (which can then be leveraged to carry out SIM fraud in the case of a mobile operator)

  • Insider theft of customer data

    Telcos have featured among the victims of all the above attacks and breaches -- and many more -- in recent years, often as a result of very poor basic security hygiene that wouldn't arise in an organization with security truly in its DNA.

    Adversaries also attack telcos across multiple domains. Four years ago, an attack by Iranian threat actors on North African and Middle Eastern telcos started in the enterprise IT domain. It began with a social engineering attack via LinkedIn that lured operations personnel into a trusted relationship. Next came the sharing of malware-infected documents with the aim of gaining access to the telco's operations environment. This provided a bridge into manipulating the telecom network itself. This porousness or ability to move laterally within and between domains is exacerbated by telcos as they undergo digital transformation.

    I hate to say it, but it gets worse still. Even in the domain of telecom infrastructure security, in which telcos have historically been able to take a lot of pride, the goal posts are shifting now. The proliferation of attacks, endpoints, software-driven everything and edge use cases is ramping up: Now look at what telcos hope to achieve with 5G vertical use cases from a security perspective.

    As well as getting better at applying basic security controls, telcos have to adapt security to the way their business is changing. Telco security doesn't just need to protect the availability of the network and the confidentiality of data in transit anymore. The security model needs to protect the confidentiality, integrity and availability of data at rest throughout the various domains of a telco's business, as well as in transit.

    None of this should be alarming. As with other providers of critical infrastructure, telcos just have a big job to do to adjust to changes in the threat landscape and the new vulnerabilities that open up at the same time as new opportunities. With the right leadership and investment, they can certainly get there. It's no more complex or alarming than that. The critical starting point is to recognize that by today's standards, security is just not in a telco's DNA. The only thing that should cause alarm is a failure to recognize that.

    — Patrick Donegan, Principal Analyst, HardenStance

    (0)  | 
    Comment  | 
    Print  | 
  • Related Stories
    Newest First  |  Oldest First  |  Threaded View        ADD A COMMENT
    More Blogs from Column
    The MEF 70 service attribute standard for the SD-WAN industry is good… but is it enough?
    It's like Mad Max in the optical networking space, with every group of participants – optical transceiver vendors, chip manufacturers, systems OEMs and even end customers – all fighting their own war.
    An analyst firm is at odds with industry execs on how quickly the market for LiDAR applications will take off. Several companies that supply the telco industry are making bets that LiDAR will pay off soon.
    A new study from BearingPoint shows that CSPs have a lot of work ahead of them if they are to appeal to enterprise customers.
    The optical networking industry has seen its fair share of customers show up to the party and then leave without warning. One analyst ponders what's going to be different in the next 12 months.
    Featured Video
    Upcoming Live Events
    December 3-5, 2019, Vienna, Austria
    December 3, 2019, New York, New York
    March 16-18, 2020, Embassy Suites, Denver, Colorado
    May 18-20, 2020, Irving Convention Center, Dallas, TX
    All Upcoming Live Events
    Partner Perspectives - content from our sponsors
    How China's 5G Launch Will Gear Up the Global 5G Industry
    By Daisy Zhu, Head of Marketing Operations, Huawei Wireless Network
    5G Business Case Revisited
    By Hayim Porat, CTO, ECI
    All Partner Perspectives