SIP Trunk Plus CEO Jonathan Rodwell in Part two of his posts on Telecoms and IT Security
Fraud week sponsored by Netaxis continues with part two of Jonathan Rodwell’s post on Telecoms and IT Security. In part one Jonathan discussed “Telecoms and IT security in the UK” together with “Technical best practice”.
The second post concludes with “the human wild card” and says “we need a new way of thinking”
The weak link?
The elephant in the room is the weak link in all telecoms/network scenarios. Us human beings. The bigger question being that if the ‘human’ wildcard element cannot be controlled, can any network (Telecoms or otherwise) ever be truly secure?
I suspect that even some of the most technically astute individuals cut corners. We just can’t help ourselves sometimes. Using similar passwords on email accounts perhaps? Not bothering with voicemail passwords? User log on credentials that are not sufficiently robust? No matter how robust a technical architecture is when people cut corners they expose their business to another’s malicious intent.
Larger organisations certainly have more tools at their disposal to exercise greater control over protecting their services, or offering training and technical solutions to manage passwords and so forth. But even they face challenges, particularly when staff bring their own devices onto the network. Larger organisations often present a more attractive target to groups of individuals intent on hacking. It is generally accepted that if a group of skilled individuals with sufficient resources wants to penetrate your security, they will undoubtedly find a way. TalkTalk can tell you all about it.
As Telecoms providers, we know that as our service is predominantly IP Based, our clients and our businesses are exposed to potentially massive costs.
Both The Federation of Communication Services (FCS) and the Internet Telephony Service Providers Association (ITSPA) understands these challenges and is working with industry experts, the police and stakeholders across the board to try and help mitigate the potential risks. The FCS have a Fraud panel dedicated to working with industry professionals to help deliver best practice. ITSPA work closely with the likes of Action Fraud and the Metropolitan Police.
FCS’s experience is instructive: less than two years ago, fraud was a taboo subject at FCS meetings. No business CP liked to talk about it, for fear of admitting weakness to their competitors. Today it’s the industry’s number one pain-point.
These trade associations provide a single voice for their members to Ofcom and to policy-makers. This protects members from the risk of individual damage to their brands.
What can we do?
This all seems somewhat daunting, particularly for the small business owner – remember, the challenges for a multi-national are immense, too. So where do we start? A good place is the set of recommendations from GCHQ: The Cyber Essentials Scheme. Essentially, this focuses on protecting against Internet-Originated attacks against IT/IP Comms services. Cyber Essentials focuses on five key controls:
- Boundary Firewalls and Internet Gateways – devices designed to prevent unauthorised access, and setting them up effectively.
- Secure Configuration – of systems relative to the needs of the organisation.
- Access Control – Ensuring appropriate permissions within systems, with sensible passwords.
- Malware Protection – Ensuring it is installed and correctly maintained.
- Patch Management – Ensuring they are applied and utilised this is particularly pertinent for users of all PBXs. They need to be patched as much as any other network device.
This is all perfectly sensible and a good starting point, especially if your staff are office-based, but many businesses in 2014 support flexible working environments, such as staff who work from home and so forth. Indeed, some businesses do not have offices at all; so consider item 3: how do you control access when a home internet service is provided by BT or Sky and they have direct access to the router? If your IT support is provided by a third party, what happens if their own security is penetrated; are you vulnerable too?
BYOD (Bring Your Own Device) adds a further layer of complexity when employee or visitor devices are allowed access to the network. Companies must balance the benefits versus the risks and what mitigation can be implemented (realistically) on a technical basis.
Suppliers must emphasise and help implement best practice when it comes to the protection of PBX and handset architecture. Granted, some end clients are more willing than others to be proactive on this front, but suppliers have an obligation to emphasise the security protocols that can best protect the PBX and handsets (essentially network devices). Suppliers should also take some expert advice when it comes to their client contracts, with terms and conditions requiring specific attention paid to liabilities in case clients simply do not implement best practice.
Carriers and Telecommunications providers are in an interesting and powerful position in the equation. The carrier position is interesting because they can in theory, actually benefit from Telecoms Security breaches – a £20,000 phone bill still has to be paid after all, be it by the resale partner or by the client. Moral issues aside, the dilemma arise when fraudulent activity places the client’s business in jeopardy: if a business folds, then recovering the money becomes a much harder proposition. This is not to suggest that carriers encourage fraud, rather that history has shown that the responsibility of managing security and cost has always been pushed down the supply chain. Most carriers, at best, offer simple credit limiting or algorithmic analysis of traffic patterns.
The industry has a responsibility to do more, not just from an ethical point of view, but by offering enhanced protection at the Carrier level. Doing so means changing the whole dynamic between resellers and end clients. If we can empower both the end client, and the reseller to control in real time the volume of minutes to every possible global destination (or group of destination), we can ensure end clients will always know what their maximum liability would be. This is minute limiting for the global business environment that is both dynamic and at the control of both key stakeholders – the business and supplier chain.
Consider now the dynamic of the supplier / client relationship if ‘cost of fraud’ wasn’t an issue. How would your approach to IT and Telecoms security change if a business-crippling financial penalty wasn’t threatening to be the end result of a security breach?
If the acceptance of ‘risk’ becomes easier to tolerate because there is a layer of protection and mitigation delivered through the telecoms supply chain by partners who are proactive, rather than reactive, then choices made by end clients become simpler, and could actually be different.
This can be taken a step further, so much so that if we accept that there is no perfect system and there is always a risk, then we can decide which method of working, or what telephony connectivity represents an acceptable level of ‘risk’. Clients can then assess the practicality of a heavily locked down infrastructure versus the ability to be dynamic and innovative in working practice.
We are not advocating businesses becomes an open door to hacks, rather that the whole supply chain can be chosen to facilitate a sensible approach to IT and Telecoms security that is simple to manage and doesn’t become a rod to the back of a business.
Thought leaders for the future
So what do we do about it? Well first of all, there is no perfect solution. If you admit to yourself and accept that people by nature will always be the weak link when it comes to telecoms security, then how you deal with peoples’ nature will be the defining aspect of IT and Telecoms security for your business, either globally or domestically.
Accept the view that once a file is emailed, voicemail sent out, or words have left your mouth, you have ultimately lost control over them. From that point on they can be copied, re-purposed and distributed without your permission on an exponential scale. Within Telecoms security however, you can at least limit the financial damage to an almost negligible level.
We are therefore in a more fortunate position than our friends in the IT and Data security industry where personal information, intellectual property and company data stores are also at risk.
It is time for the telecommunications industry to regain the initiative, the ‘old way’ of doing things, and the old business paradigms the industry that apply brakes to progress. Instead of playing catch-up and adopting a siege mentality, we have to change the way with think about security. Acceptance of risk, balanced with technical mitigation solutions should be weighed against the potential cost of a security penetration.
Suppliers and clients must be both pragmatic in the implementation of security protocols, and both parties must understand their responsibilities and the corresponding risks of waiving them. This is certainly an matter of education, and business owners have a responsibility to take the time to understand what those risks are, as there are currently no formal benchmarks in the industry currently that relate to telecoms security to guide selection.
A crucial step to understanding your risks and developing a strategy that suits your business is obviously working with the right supply chain: Partners can be trusted advisors to business owners and IT specialists, that offer the right solutions, even if those solutions don’t necessarily come from an established brand that has been around for decades. Telecommunications has become a managed service.
We are now, more than ever, part of a corporate ecosystem of applications. The more you lock it down, the more you dampen the dynamism and creativity within a business. So think carefully about how you deliver services to your clients. Deliver value and don’t be afraid of breaking from tradition. Learn from the past, but don’t be shackled by it.
This is telecom fraud week on trefor.net, edited by Manuel Basilavecchia of Netaxis. Read our other fraud posts this week:
Colin Duffy on “is encryption the answer to data loss”
Manuel Basilaveccia on Missing Trader VAT Fraud
Dave Dadds – “telecom fraud is industry’s problem not the customer’s“
Manuel Basilavecchia on “A mobile operator fraud case study”
Jonathan Rodwell on “Telecoms and IT Security”
This second post is an adaptation of an article first published by Jonathan Rodwell last year in the Journal of the Institute of Telecoms Professionals but is only available to members behind a firewall.