Cyber security: an opportunity to plug leaks without waiting for a ‘digital Pearl Harbor’
October 25, 2010
By Kris Szaniawski
Cyber security is receiving more than its fair share of attention at the moment. A major national security review by the UK government attracted attention this week by naming cyber attacks as a major security threat. This follows in the footsteps of the US where the National Security Agency and Department of Defense have also been focusing on the issue for some time now.
The heatedness of the debate hinges to a large extent on definitions and the attempt to broaden the concept of cyber security to also encompass more routine security issues associated with IT, telecoms and utility networks. Leaving aside the contentious issue of whether there is a real and immediate threat of someone bringing down a national electricity grid or not, there is clearly an increasing need to protect IT and telecoms networks especially with the shift from circuit-switched to IP networks. And there is already plenty of valuable if often low-key work being done to address the increasing variety of security threats faced by telecoms operators.
The increasingly influential TeleManagement Forum (TMF) for example has been attempting to make this topic area its own over the last few years by expanding its focus from IT support systems into broader security issues whether from the telecoms industry or governmental perspective. The TMF has done so both in its working groups and in its major conferences. So much so that next month’s Management World Americas conference being held in Orlando, Florida will have a major cyber security focus, with IT and defense companies as well as government representatives discussing long-standing issues around network security and standardization as well as newer concerns such as those surrounding cloud and policy-based management.
One telecoms IT vendor that has been active in the security area for some time now is New Jersey-based Telcordia, so it is not surprising that at an industry analyst event last week it made a point of highlighting its activities in the security area as well as encouraging a lively discussion around some of the key security issues.
Admittedly at one or two points during the event there was the mention of the potential for a “digital Pearl Harbor” attack that might seriously impact smart grids or other sorts of networks. But overall the security discussion was mercifully free of the “cyber Armageddon” and “cyber attack” vocabulary that seems to have infected political discourse. The focus was more on immediate solutions to identifiable IT and telecoms security issues.
Telcordia has been active in standards bodies as it sees standardization and the need to simplify architectures as one of the key building blocks to addressing security issues. In addition to the work the TMF has been doing on security management there are multiple groups active in the area, in fact so many that the number of players active in this space as well as lack of sufficient coordination is one of the problems. John Kimmins, security services and solutions fellow at Telcordia, points out that agencies addressing security standards issues include the 3GPP, the Alliance for Telecommunications Industry Solutions (ATIS), the Internet Engineering Task Force (IETF), the ITU, as well as numerous government agencies.
In addition to the standardization issues there are also legal ones. According to James Payne, senior vice president and general manager of Telcordia’s national security and cyber infrastructure group, there are lessons to be learned from what was done to address potential Y2K software issues, where legislation was introduced to protect companies that admitted vulnerabilities. As things stand if you have a vulnerability then you have a liability and so can be potentially sued, which is hardly conducive to honest discussion of security issues with customers.
Overall, it could be argued that because the industry has been going through such an intense development phase, policy and standards have simply not kept pace with technology developments.
At last week’s event Telcordia chose to also highlight some specific areas where it sees the most immediate problems and where obviously it feels the company can contribute most with its research and consulting activities. Of the four groups that make up Telcordia, it is the Advanced Technology Solutions (ATS) group that focuses most on security issues, and the three areas that ATS is currently most active in are: detection of malware, configuration management and security for wireless.
Of these three areas malware has probably received the most public attention, which is not surprising given that industry opinion and surveys suggest that not only is the problem growing but also it may be the case that 50 per cent of malware is not being detected in the first place. Telcordia activity in this area includes vulnerability assessment, seeking ways to detect malicious code, identifying defenses against malware, intrusions and denial-of-service attacks, and finding ways to protect software integrity. Other solutions discussed at the event included increased testing of software products before they are released on the market – rather than relying on customers to iron out the flaws – and more speed and discipline in developing and deploying patches to address vulnerabilities.
Configuration management has received less public attention. Problems with configuration management may have a less sexy ring to them than viruses, worms and nefarious bot masters but they are every bit as significant. According to Petros Mouchtaris, executive director in Telcordia’s information assurance and security group, over 50 per cent of the downtime on IP networks is to do with misconfiguration of servers. This is often due to human error and various sources quote operator error as the root cause of as many as half of network and computer system failures. This is not surprising given that configuring a network is complex and can involve configuring hundreds of routers. The results of a survey carried out by Tufin Technologies at the DEF CON 18 conference only a few months ago make sobering reading – according to this survey 73 per cent of IT security professionals said that they came across a misconfigured network on a regular basis and 76 per cent of the same sample saw a misconfigured network as the easiest IT resource to exploit.
Clearly poor configuration management has financial and performance implications but it also has security ones as these sorts of errors can compromise networks. Telcordia is promoting a more disciplined approach to configuration management testing and addressing configuration mistakes before they can be exploited. The issue can also be addressed by automating configuration and security management. But clearly something needs to be done as in this context the best-effort model is simply not good enough.
Thirdly, in the wireless security area Telcordia is currently focusing a lot on smartphones. The structure of smartphones makes them easier to hack into, and a shift away from closed architectures towards more open ones will make it even easier. The same threats that plague computer operating systems can also impact smartphones via email, pictures, social media sites, etc. Location-based services are another specific source of concern. According to Telcordia one of the specific issues with smartphones is the drain on battery power that comes part and parcel with security measures, so one way to address this might be to move some of the security into the cloud.
Finally a lot of billing and security issues are interrelated if only because billing to a large extent is so closely associated with customer identity, and so this is also something that potentially favors telecoms IT vendors like Telcordia when it comes to positioning themselves as security solutions-providers.
Telcordia has just appointed a new head of its ATS group, Brent Greene, whose previous experience includes not just Bell Labs and Northrop Grumman Information Systems but also the Department of Homeland Security, and a career in the US Navy that included commanding a nuclear submarine. Other telecoms IT vendors are unlikely to join a rush to appoint former nuclear submarine commanders to head up their key divisions but they will do well to treat security as seriously as Telcordia and to recognize that security has the potential to be not just a cost center but also an enabler and differentiator.