x
Heavy Reading Research

Telenor's Executives Rue Cyber-Attack

No matter how often you are nagged about the steps you need to repeat over and over again to protect your interests – floss and brush your teeth twice a day (don't forget the mouthwash), get your boiler serviced regularly, make sure you spend time with your kids – there really is nothing like feeling the full force of the error of your neglect than having the consequences descend upon you, personally, up close and personal. "I'm afraid you have gum disease" from your dentist; "Honey, the boiler's packed up and they can't get anyone to us until Wednesday" from your spouse; or a cold fixed stare and a "You mean nothing to me" from your surly teenager, all have a unique way of making the echoes of those warnings from yesteryear double you up with discomfort in the here and now. Senior executives at Norway's incumbent telco, Telenor, are probably experiencing feelings a little like these right now, after the Norwegian newspaper Aftenposten reported on Sunday that they have recently been the victims of a highly successful cyber-attack resulting in a lot of their private data and correspondence being stolen from their own PCs. (See Euronews: Telenor Suffers Hack Attack.) The technique? According to an English-language translation of the story on the website "Views and News from Norway," the attack consisted of a relatively common attack vector, using an email with rogue ZIP file attachments that, "when opened, installed hidden trojans on their machines with malicious coding that emptied information and sent it out." Too many telcos still tend to think of themselves as unwitting conduits for cyber-attacks – they think of their pipes being maliciously used by third parties to deliver DDoS attacks or malware to their own or other carriers' enterprise customers or individual consumers. Too often, the assumption is still that while the carrier itself may suffer a little from damage to its brand reputation or zero-revenue consumption of network resources, it's the end customer that is easily the hardest hit. And too often, the assumption within the executive layer is that in an imperfect world, some of these risks fall within acceptable levels of tolerance. But when the telco executive layer itself is hit like this, that perspective becomes quite a lot harder to sustain. Norway isn't the U.S.; nor is it China. So Telenor may not have needed to be a Verizon or a China Telecom from a security standpoint. But by Norwegian standards, and by the standards of most network operators around the world, Telenor's security stance relative to cyber-attacks was likely not just on a par with others, but probably above average. When you look at the security of the mobile network, for example, the gap in security practices between fixed and mobile incumbents such as Telenor and pure-play mobile operators is often quite large due to the depth of security smarts that reside in the incumbent's wireline arm. So if these attackers were able to penetrate the PCs of Telenor's senior executives, picking off their opposite numbers in less security-savvy challenger mobile operators is likely to be a bit of a walk in the park. Telco executives that are at the very cutting edge of the mobile broadband revolution recognize that significant security vulnerabilities in any part of the mobile ecosystem – including their own security practices and processes – materially undermine their prospects of monetizing the next big opportunities in highly security-sensitive areas such as mCommerce and mHealth. In May 2012, for example, AT&T Chairman, CEO and President Randall Stephenson told an audience at The Milken Institute that "the long pole in the tent" when it comes to capturing these new mobile broadband opportunities "is going to be getting the ecosystem to be robust in protecting data and making sure you control who sees the data, how it's shared and how it's transmitted. Until you get it right, there is going to be inherent apprehension and concern by all of us about this." A couple of years ago, shortly after I first started to research mobile network security in earnest, I found myself carrying out a custom assignment for a client on the subject of threat detection and mitigation solutions. It became clear early in the research that a lot of mobile operators are procuring the two separately – they're typically buying the detection capability first and the mitigation capability subsequently. "Why is that?" I wondered. In turns out that in so many cases, the mobile operator has little or no idea just how much malicious traffic there actually is in its network. It has little or no idea what a rich diversity of maliciousness there is within that traffic. And it has little or no idea of the sophistication with which attackers are able to disguise attacks and bypass the operator's legacy security defenses. Hence the operators so often need to invest in seeing it and believing it – detecting it – first. Only then will they think about investing in mitigation to doing something about it. Most mobile operators still have an incomplete, often wholly inadequate, perspective as regards the detection side of the equation as their network evolves to all-IP. They are even further behind when it comes to efficiently mitigating these threats at the level of the network, the cloud, the end-user device and the end user himself. The bottom line is that if an operator can't protect its own executives, then consumers, enterprises and third-party partners will fear that it can't fully protect them, either. And who can blame them? And while we're on quasi-rhetorical questions: Who's prepared to bet against a security reorg of some kind at Telenor in the next six months? And who's prepared to bet against a significant spike in the budget allocated to security? One way or another, I reckon Telenor's security guys can be assured of getting a lot more executive management attention going forward. The question that remains is how will the security guys fare now in other operators? – Patrick Donegan, Senior Analyst, Heavy Reading
Be the first to post a comment regarding this story.
HOME
Sign In
SEARCH
CLOSE
MORE
CLOSE