Categories
Business scams

Jonathan Rodwell on Telecoms and IT Security part two

SIP Trunk Plus CEO Jonathan Rodwell in Part two of his posts on Telecoms and IT Security

Fraud week sponsored by Netaxis continues with part two of Jonathan Rodwell’s post on Telecoms and IT Security. In part one Jonathan discussed “Telecoms and IT security in the UK” together with “Technical best practice”.

The second post concludes with “the human wild card” and argues that “we need a new way of thinking”.

The weak link?

The elephant in the room, the weak link in every telecoms or network scenario, is us: human beings. The bigger question is this: if the ‘human’ wild card cannot be controlled, can any network (telecoms or otherwise) ever be truly secure?

I suspect that even some of the most technically astute individuals cut corners. We just can’t help ourselves sometimes. Using similar passwords on email accounts, perhaps? Not bothering with voicemail passwords? User log-on credentials that are not sufficiently robust? No matter how robust a technical architecture is, when people cut corners they expose their business to another’s malicious intent.

Larger organisations certainly have more tools at their disposal to protect their services, such as training and technical solutions to manage passwords. But even they face challenges, particularly when staff bring their own devices onto the network, and larger organisations often present a more attractive target to groups intent on hacking. It is generally accepted that if a group of skilled individuals with sufficient resources wants to penetrate your security, they will find a way. TalkTalk can tell you all about it.

As telecoms providers, we know that because our service is predominantly IP based, our clients and our businesses are exposed to potentially massive costs.

Both the Federation of Communication Services (FCS) and the Internet Telephony Service Providers Association (ITSPA) understand these challenges and are working with industry experts, the police and stakeholders across the board to help mitigate the risks. The FCS has a fraud panel dedicated to working with industry professionals to deliver best practice. ITSPA works closely with the likes of Action Fraud and the Metropolitan Police.

FCS’s experience is instructive: less than two years ago, fraud was a taboo subject at FCS meetings. No communications provider (CP) liked to talk about it, for fear of admitting weakness to competitors. Today it is the industry’s number one pain point.

These trade associations provide a single voice for their members to Ofcom and to policy-makers. This protects members from the risk of individual damage to their brands. 

What can we do?

This all seems somewhat daunting, particularly for the small business owner (remember, the challenges for a multinational are immense too). So where do we start? A good place is the UK government’s Cyber Essentials scheme, developed with CESG, the information security arm of GCHQ. It focuses on protecting against internet-originated attacks on IT and IP communications services through five key controls:

  1. Boundary Firewalls and Internet Gateways – devices designed to prevent unauthorised access, and setting them up effectively.
  2. Secure Configuration – of systems, relative to the needs of the organisation.
  3. Access Control – ensuring appropriate permissions within systems, with sensible passwords.
  4. Malware Protection – ensuring it is installed and correctly maintained.
  5. Patch Management – ensuring patches are applied promptly. This is particularly pertinent for users of all PBXs: they need to be patched as much as any other network device.

This is all perfectly sensible and a good starting point, especially if your staff are office-based, but many businesses in 2014 support flexible working, such as staff who work from home. Indeed, some businesses do not have offices at all. So consider item 3: how do you control access when a home internet service is provided by BT or Sky and they have direct access to the router? And if your IT support is provided by a third party, what happens if their own security is penetrated; are you vulnerable too?

BYOD (Bring Your Own Device) adds a further layer of complexity when employee or visitor devices are allowed access to the network. Companies must balance the benefits versus the risks and what mitigation can be implemented (realistically) on a technical basis.

Suppliers must emphasise, and help implement, best practice for protecting the PBX and handset architecture. Granted, some end clients are more willing than others to be proactive on this front, but suppliers have an obligation to explain the security controls that best protect the PBX and handsets (which are, essentially, network devices). Suppliers should also take expert advice on their client contracts, with terms and conditions that pay specific attention to liability where clients simply do not implement best practice.

Carriers and telecommunications providers are in an interesting and powerful position in the equation. The carrier position is interesting because they can, in theory, actually benefit from telecoms security breaches: a £20,000 phone bill still has to be paid, after all, whether by the resale partner or by the client. Moral issues aside, the dilemma arises when fraudulent activity places the client’s business in jeopardy: if a business folds, recovering the money becomes a much harder proposition. This is not to suggest that carriers encourage fraud, rather that history has shown that the responsibility for managing security and cost has always been pushed down the supply chain. Most carriers, at best, offer simple credit limiting or algorithmic analysis of traffic patterns.

The industry has a responsibility to do more, not just from an ethical point of view but by offering enhanced protection at the carrier level. Doing so means changing the whole dynamic between resellers and end clients. If we can empower both the end client and the reseller to control, in real time, the volume of minutes to every possible global destination (or group of destinations), end clients will always know their maximum liability. This is minute limiting for the global business environment: dynamic, and under the control of both key stakeholders, the business and the supply chain.

Consider now the dynamic of the supplier / client relationship if ‘cost of fraud’ wasn’t an issue. How would your approach to IT and Telecoms security change if a business-crippling financial penalty wasn’t threatening to be the end result of a security breach?

If the acceptance of ‘risk’ becomes easier to tolerate because there is a layer of protection and mitigation delivered through the telecoms supply chain by partners who are proactive, rather than reactive, then choices made by end clients become simpler, and could actually be different.

This can be taken a step further, so much so that if we accept that there is no perfect system and there is always a risk, then we can decide which method of working, or what telephony connectivity represents an acceptable level of ‘risk’. Clients can then assess the practicality of a heavily locked down infrastructure versus the ability to be dynamic and innovative in working practice.

We are not advocating that businesses become an open door to hacks, rather that the whole supply chain can be chosen to facilitate a sensible approach to IT and telecoms security that is simple to manage and doesn’t become a rod for the business’s own back.

Thought leaders for the future

So what do we do about it? Well, first of all, there is no perfect solution. If you admit to yourself and accept that people by nature will always be the weak link when it comes to telecoms security, then how you deal with people’s nature will be the defining aspect of IT and telecoms security for your business, either globally or domestically.

Accept the view that once a file is emailed, voicemail sent out, or words have left your mouth, you have ultimately lost control over them. From that point on they can be copied, re-purposed and distributed without your permission on an exponential scale. Within Telecoms security however, you can at least limit the financial damage to an almost negligible level.

We are therefore in a more fortunate position than our friends in the IT and Data security industry where personal information, intellectual property and company data stores are also at risk.

It is time for the telecommunications industry to regain the initiative; the ‘old way’ of doing things and the industry’s old business paradigms apply the brakes to progress. Instead of playing catch-up and adopting a siege mentality, we have to change the way we think about security. Acceptance of risk, balanced with technical mitigation, should be weighed against the potential cost of a security penetration.

Suppliers and clients must both be pragmatic in implementing security controls, and both parties must understand their responsibilities and the corresponding risks of waiving them. This is certainly a matter of education, and business owners have a responsibility to take the time to understand what those risks are, as there are currently no formal benchmarks in the industry relating to telecoms security to guide selection.

A crucial step to understanding your risks and developing a strategy that suits your business is obviously working with the right supply chain: Partners can be trusted advisors to business owners and IT specialists, that offer the right solutions, even if those solutions don’t necessarily come from an established brand that has been around for decades. Telecommunications has become a managed service.

We are now, more than ever, part of a corporate ecosystem of applications. The more you lock it down, the more you dampen the dynamism and creativity within a business. So think carefully about how you deliver services to your clients.  Deliver value and don’t be afraid of breaking from tradition.  Learn from the past, but don’t be shackled by it.

This is telecom fraud week on trefor.net, edited by Manuel Basilavecchia of Netaxis. Read our other fraud posts this week:

Colin Duffy on “Is encryption the answer to data loss?”
Manuel Basilavecchia on “Missing Trader VAT Fraud”
Dave Dadds on “Telecom fraud is industry’s problem not the customer’s”
Manuel Basilavecchia on “A mobile operator fraud case study”
Jonathan Rodwell on “Telecoms and IT Security”

This second post is an adaptation of an article first published by Jonathan Rodwell last year in the Journal of the Institute of Telecoms Professionals but is only available to members behind a firewall.


Jonathan Rodwell on Telecoms and IT Security

Telecoms and IT security in the UK and Technical best practice

In an excellent and wide ranging two part series, SIP Trunk Plus CEO Jonathan Rodwell dives into the world of telecom fraud. In this first post he looks at Telecoms and IT security in the UK and Technical best practice.

Executive Summary

Telecoms and IT security is a massive industry in 2015, but the lack of security and its consequences are talked about much more quietly. Service providers and technology delivery partners prefer to speak of uptime and resilience, so it is hardly surprising that we don’t hear who suffers from fraud. Big consumer data breaches hit the headlines frequently, though only those at vast corporations like Target, TalkTalk and Sony really reach the business community. Target’s breach came via a third-party supplier, but the snowball effect hits the entire business community.

Fraud is perpetrated every day. We fear being the victim, but the reality is that often we are the problem as much as we are the solution. The IT and telecommunications industry’s challenge is to effectively address the “elephant in the room”. Talking about fraud with clients is interesting because service providers don’t want to sell on ‘fear’. Yet, at the same time, when they provide only one aspect of client infrastructure (e.g. telecoms), they may have no direct control over the infrastructure, the end user’s business or its employees. When fraud is perpetrated, the initial and historical reaction is ‘fire fighting’: identifying the cause and implementing a solution. Finally, they determine who gets the blame. One thing is certain: regardless of ‘fault’, the provider’s brand is damaged simply by association.

This first post is an examination of:

  1. Telecoms and IT security in the UK
  2. Technical best practice

The second post addresses:

  1. The human wild card
  2. We need a new way of thinking

Perfect solutions may not be available, but by removing the most painful and immediate result of a telecoms security breach, the financial cost, companies can change the way they approach security. Removing the risk of an expensive pay-out, which a service provider does not want to request nor a client receive, massively changes the dynamic of the whole security equation.

By removing the risk, core stakeholders can (in theory at least) work together cooperatively and constructively: firstly, to ensure that a process of best practice is implemented; and secondly, to ensure that the cause of most hacks, human error, is met with justification and positive reinforcement rather than scapegoating and blame, strengthening the client’s focus on improving information and network security across the board. Happy clients mean happy service providers and protection for the industry’s reputation.

Telecoms and IT security in the UK – where are we today?

In 2015, telecoms and IT security are one and the same. A legacy or IP PBX, or IP handsets, are simply network devices that can provide huge business benefit and are crucial to most business operations. They are, however, devices that must be managed as carefully as every other network device so that they are not open to misuse. Like the local network, infrastructure services such as ISDN and SIP trunks must also be managed, and some legacy services such as ISDN carry more inherent risk. PBX security does not happen ‘out of the box’; it requires careful planning and control of both the network and the connectivity.

Worldwide spending on information security increased 7.9 percent on 2013 and was predicted to reach $71.1 billion in 2014 and to grow a further 8.2 percent in 2015, with roughly 10% of security capabilities delivered through cloud services [1]. Malware and processing power are available on an industrial scale at relatively low cost, and businesses must prepare themselves to avoid becoming targets.

An enormous telephony bill at the end of the month, for some, could be the only indication that they are the victim of Telecommunications fraud. A frightening situation for anyone – be it the business owner or the IT Manager responsible for making sure that such a situation doesn’t happen. What is the initial reaction? Apportion blame? Deny liability for the costs? Fire a supplier or an employee? Contact the police or seek remedy in court? Two things are certain, a business will not be happy to pay such costs; and the resulting fallout can destroy even the longest standing business relationships.

The first question is how we define fraud. Is it simply exploitation of third-party resources for financial gain? Or does it also extend to company employees costing their employer more by extending their use of company-provided services for personal benefit? We work on the basis of the full definition: any expenditure on a company’s telecommunication systems that the company would not have authorised is fraud.

Experience to date shows that the costs of fraud often never see the light of day; reports to the police via Action Fraud are just the tip of the iceberg. The telecoms industry has been forced into a position where liability falls on end clients, who must simply protect their own businesses, which in turn stimulated the development of the entire information security industry.

European Commissioner Neelie Kroes, Vice President for the Digital Agenda, was typically direct in her views of the telecommunications industry: ‘Sometimes I think the telecoms sector is its own worst enemy.’ She went on to ask whether we will be leading the industry or whether we will be dragged ‘kicking and screaming’ [2]. This may seem negative, but the telecommunications industry has been around for over a hundred years, and like many mature industries, change can come very slowly. While consumer telecoms, driven by the likes of Apple and Samsung, has commoditised the industry and radically adjusted consumer perception, the more traditional business-to-business market moves much more slowly.

The business and technical challenges

The fact is that we, as providers of telecommunications services, provide business-critical services whose security we don’t necessarily control. This seems counterintuitive, doesn’t it? The challenge does not end there: exposure to fraudulent activity varies significantly depending on a number of factors, not least the size of the organisation.

For example, a company with 5 employees may have no IT expertise in house; it could rely on outsourced network support (or none at all) and leave itself exposed on a variety of levels. A FTSE 100 company, on the other hand, may have an IT department of dozens (or even hundreds) of staff with a multimillion-pound budget, but the sheer volume of devices that access its network, and the complexity of the network itself, offer no certain protection. Consider the recent cases of Home Depot and Target in the US, which were penetrated at the point of sale at a cost to their brands and their bottom lines.

So what are the key considerations when it comes to telecoms security?

An onsite PBX is inherently vulnerable.

Physically – unless equipment is in a secure environment with biometric or other prescribed access control procedures, the PBX can be accessed and its call routing tables amended. Organisations such as the NICC publish a plethora of best-practice documentation for such installations; however, how many companies are in a position to adopt it?

Unauthorised access can be gained by anyone, from a systems administrator to a cleaner.

Remotely – many PBXs are connected to the internet to enable remote access by their providers and to interface with cloud services such as Jabber for IM and contact centre technologies.

The first challenge is securing the local network, for example by blocking inbound access to port 5060 (SIP signalling) from anywhere other than the provider’s addresses; however, who controls the network? Is it the IT support company (in-house or contracted) or the communications provider? More often than not it is both: two brains potentially acting separately. This creates grey areas of responsibility, as demonstrated by a recent High Court case in which £35K of fraud was held against the communications provider.
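A practical way to find out whether your own PBX answers on port 5060 from the internet is to send it a single SIP OPTIONS request from outside the office network. The script below is an added example for this post, not code from the author or from any PBX vendor; the probe address (192.0.2.10), the PBX hostname (pbx.example.com) and the sample reply are constructed, and it must only be run against systems you are authorised to test. Any reply at all means the signalling port is exposed, and a Server or User-Agent header tells an attacker which software (and often which version) to look up, which is why the patch management control matters for PBXs as much as for servers.

```python
"""Probe whether a PBX answers SIP OPTIONS on port 5060 (RFC 3261).

Added example for this post, not the author's or any vendor's code. Run it
from OUTSIDE the office network against your own PBX's public address, with
authorisation. Any reply means the signalling port is reachable from the
internet; a Server/User-Agent header also leaks what software to attack.
"""
import secrets
import socket
from typing import Dict, Optional

PROBE_HOST = "192.0.2.10"   # assumed address you are probing from (documentation range)
PROBE_PORT = 5060


def build_options(target: str, target_port: int = 5060,
                  via_host: str = PROBE_HOST, via_port: int = PROBE_PORT) -> bytes:
    """Build a minimal, valid SIP OPTIONS request."""
    branch = "z9hG4bK" + secrets.token_hex(8)   # magic cookie required by RFC 3261
    lines = [
        f"OPTIONS sip:{target}:{target_port} SIP/2.0",
        f"Via: SIP/2.0/UDP {via_host}:{via_port};branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{via_host}>;tag={secrets.token_hex(4)}",
        f"To: <sip:{target}:{target_port}>",
        f"Call-ID: {secrets.token_hex(8)}@{via_host}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:probe@{via_host}:{via_port}>",
        "Accept: application/sdp",
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_sip_response(raw: bytes) -> Optional[dict]:
    """Parse a SIP response into status, reason and lower-cased headers; None if not one."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", errors="replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return None   # requests, garbage and non-SIP replies all land here
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]),
            "reason": parts[2] if len(parts) > 2 else "",
            "headers": headers}


def exposure_summary(resp: Optional[dict]) -> str:
    """The finding a tester would record: reachable or not, and any leaked banner."""
    if resp is None:
        return "no SIP reply (port filtered, or not SIP)"
    # 401/403/404 replies still prove the port is reachable from here.
    finding = f"SIP reachable: {resp['status']} {resp['reason']}".rstrip()
    banner = resp["headers"].get("server") or resp["headers"].get("user-agent")
    if banner:
        finding += f"; software banner leaked: {banner}"
    return finding


def probe(target: str, target_port: int = 5060, timeout: float = 2.0) -> Optional[dict]:
    """Send one OPTIONS over UDP and parse whatever comes back (None on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_options(target, target_port), (target, target_port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_sip_response(data)


# Constructed sample reply (not captured from a real PBX) so the parser runs offline.
SAMPLE_RESPONSE = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKdeadbeef;rport=5060\r\n"
    b"From: <sip:probe@192.0.2.10>;tag=1a2b\r\n"
    b"To: <sip:pbx.example.com:5060>;tag=9f8e\r\n"
    b"Call-ID: cafe0123@192.0.2.10\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Server: ExamplePBX/4.2\r\n"
    b"Allow: INVITE, ACK, CANCEL, OPTIONS, BYE\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(exposure_summary(parse_sip_response(SAMPLE_RESPONSE)))
    # Live check, needs network access and authorisation (hostname is assumed):
    # print(exposure_summary(probe("pbx.example.com")))
```

A 401, 403 or 404 reply is still a finding: the PBX answered, so the perimeter rule that was supposed to restrict port 5060 to the provider is not doing its job. The check is worth repeating whenever the IT support company or the communications provider changes the firewall, since, as the paragraph above says, either of them may have done so without telling the other.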

There are two principal methods by which fraud is perpetrated:

  1. Hacks over the internet – compromising the PBX or its SIP credentials remotely.
  2. Dial-through fraud – gaining access via a weak or default voicemail PIN and dialling out through the PBX.

Both methods aim to drive traffic to premium rate numbers (usually international), from which the fraudsters take a share of the revenue those numbers generate.

What about at a national and global level?

Typical Methods of Prevention

The Telecoms supply chain can be very complex.  A carrier provides minutes to a sub-carrier and in turn to a reseller and in turn to, say, a SIP trunk provider and then again to the end client, or indeed another reseller. There are many combinations and permutations in the supply network.

What about at a Carrier Level?

Responsible carriers will offer protection using two principal methods:

  1. Referring to a fraudulent number repository – and blocking calls to such destinations.
  2. Algorithmic – detecting unusual traffic patterns and blocking calls accordingly.

At Sub-Carrier Level

  1. Credit Limits – imposing global credit limits on resellers.

The only real way to protect against fraud is intelligent, real-time monitoring of call traffic via Call Detail Records (CDRs), or the logging of minutes. The challenge for the reseller community is that it relies on carrier-provided monthly CDRs, which only deliver the information after an incident has taken place, and over a period of time. A very large cost can be accumulated in the space of an hour, let alone a month.

There is a major consideration for the reseller community too: they will have a company credit or supply limit with their SIP trunk carrier, applied globally. If the reseller hits that limit, an automatic block on their services is imposed; that could mean a block on all of their clients’ trunk services, a total service outage in effect. It is absolutely crucial that the telecoms channel be able to manage its client base at a granular level and in real time.
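The per-client, per-destination minute limiting described above, together with the two carrier-level controls listed earlier (a fraudulent-number repository and algorithmic detection of unusual traffic), can be implemented as a small in-memory authoriser that sits on the call set-up path and accounts CDRs as calls complete. The code below is an added example written for this post, not a carrier’s or reseller’s product; the destination groups, the fraud prefixes, the per-client caps and the CDR lines are all constructed. Its point is the one made in the last paragraph: when the client “acme” exhausts its RestOfWorld allowance, only acme’s calls to that group are blocked, while its UK calls and the other client’s calls continue, instead of the whole reseller tripping its carrier credit limit.

```python
"""Real-time CDR authoriser with per-client, per-destination minute limits.

Added example for this post, not a carrier's or reseller's code. It applies
the controls the text describes per client and per destination group, so a
single compromised PBX is cut off on its own instead of exhausting the
reseller's carrier-wide credit limit. Prefixes, limits and CDRs are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

DEST_GROUPS = {"44": "UK", "1": "NorthAmerica"}   # E.164 prefix -> group (assumed)
DEFAULT_GROUP = "RestOfWorld"                     # anything not listed above
FRAUD_PREFIXES = ("8821234", "99900")             # constructed "fraud repository"

Bucket = Deque[Tuple[float, float]]   # (epoch seconds, minutes)


def dest_group(called: str) -> str:
    """Longest-prefix match of a dialled E.164 number to a destination group."""
    digits = called.lstrip("+")
    for n in range(len(digits), 0, -1):
        if digits[:n] in DEST_GROUPS:
            return DEST_GROUPS[digits[:n]]
    return DEFAULT_GROUP


@dataclass
class ClientPolicy:
    minute_caps: Dict[str, float]   # group -> minutes per window; unlisted group = 0 (deny)
    window_s: int = 3600            # rolling window for the minute caps
    burst_calls: int = 3            # more attempts than this per burst_window_s is a burst
    burst_window_s: int = 60


@dataclass
class Monitor:
    policies: Dict[str, ClientPolicy]
    usage: Dict[Tuple[str, str], Bucket] = field(default_factory=lambda: defaultdict(deque))
    attempts: Dict[Tuple[str, str], Bucket] = field(default_factory=lambda: defaultdict(deque))

    @staticmethod
    def _prune(bucket: Bucket, now: float, window: float) -> None:
        while bucket and bucket[0][0] < now - window:
            bucket.popleft()

    def authorise(self, now: float, client: str, called: str) -> Tuple[bool, str]:
        """Decide at call set-up; in-memory counters only, so it can sit inline."""
        if called.lstrip("+").startswith(FRAUD_PREFIXES):
            return False, "blocklisted destination"          # control 1: repository
        policy, group = self.policies[client], dest_group(called)
        key = (client, group)
        att = self.attempts[key]
        self._prune(att, now, policy.burst_window_s)
        att.append((now, 0.0))                               # blocked attempts count too
        if len(att) > policy.burst_calls:                    # control 2: unusual pattern
            return False, f"burst: {len(att)} attempts to {group} in {policy.burst_window_s}s"
        use = self.usage[key]
        self._prune(use, now, policy.window_s)
        used = sum(minutes for _, minutes in use)
        cap = policy.minute_caps.get(group, 0.0)
        if used >= cap:                                      # control 3: minute limit
            return False, f"cap: {used:.0f}/{cap:.0f} min to {group} in window"
        return True, f"ok: {used:.0f}/{cap:.0f} min to {group}"

    def account(self, start: float, client: str, called: str, duration_s: float) -> None:
        """Record a completed call's minutes against its client/group bucket."""
        self.usage[(client, dest_group(called))].append((start, duration_s / 60.0))


def process_cdrs(monitor: Monitor, cdr_text: str) -> List[Tuple[str, str, bool, str]]:
    """Replay CDR lines 'start_epoch,client,called,duration_s' in time order."""
    results = []
    for line in cdr_text.splitlines():
        if not line or line.startswith("#"):
            continue
        start, client, called, duration = line.split(",")
        allowed, reason = monitor.authorise(float(start), client, called)
        if allowed:
            monitor.account(float(start), client, called, float(duration))
        results.append((client, called, allowed, reason))
    return results


POLICIES = {   # constructed: acme allows 30 min/hour to RestOfWorld, globex 60
    "acme": ClientPolicy(minute_caps={"UK": 600, "RestOfWorld": 30}),
    "globex": ClientPolicy(minute_caps={"UK": 600, "RestOfWorld": 60}),
}

SAMPLE_CDRS = """\
# constructed: start_epoch,client,called,duration_s
1700000000,acme,+442071234567,300
1700000100,acme,+9991234567,600
1700000200,acme,+9991234568,900
1700000300,acme,+9991234569,900
1700000400,globex,+9991234570,120
1700000500,acme,+9991234571,300
1700000600,acme,+442079876543,60
1700000700,acme,+8821234000001,60
1700001000,globex,+9991234572,10
1700001001,globex,+9991234573,10
1700001002,globex,+9991234574,10
1700001003,globex,+9991234575,10
"""

if __name__ == "__main__":
    for client, called, allowed, reason in process_cdrs(Monitor(POLICIES), SAMPLE_CDRS):
        print(f"{'ALLOW' if allowed else 'BLOCK'} {client:6} {called:15} {reason}")
```

Two design choices are deliberate. A destination group with no cap in the client’s policy gets zero minutes, so a client who never calls North America cannot be used to pump traffic there (deny by default, the same least-privilege idea as Cyber Essentials’ access control item). And blocked attempts still count towards the burst rule, because a fraudster who keeps retrying after the first block is exactly the pattern that should keep the block in place.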

This is telecom fraud week on trefor.net, edited by Manuel Basilavecchia of Netaxis. Read our other fraud posts this week:

Colin Duffy on “Is encryption the answer to data loss?”
Manuel Basilavecchia on “Missing Trader VAT Fraud”
Dave Dadds on “Telecom fraud is industry’s problem not the customer’s”
Manuel Basilavecchia on “A mobile operator fraud case study”

This post is an adaptation of an article first published by Jonathan Rodwell last year in the Journal of the Institute of Telecoms Professionals but is only available to members behind a firewall.

In his second post, to be published tomorrow at 1pm, Jonathan concludes by looking at:

  1. The human wild card
  2. We need a new way of thinking

[1] Gartner press release, Sydney, Australia, 22 August 2014.
[2] Neelie Kroes, “Adapt or die: What I would do if I ran a telecom company”, FT-ETNO Summit 2014, Brussels, 1 October 2014.