First, the good news. The telecoms sector is in the top three when benchmarked against other industries for security, according to a former hacker turned telco vendor.
The bad news is they still have a long way to go to put their own houses in order, let alone be some sort of global standard.
Security was one of the key topics at this week’s TM Forum Live! event. Any pretence operators might have to being leaders in the field – and, to be fair to those present, they made none – was shattered by some of the examples shared.
KPN’s Chief Privacy Officer Rence Damming revealed that the Dutch incumbent had been hacked by “a 17-year-old kid” who got “quite deep” into the operator’s systems before anyone realised.
Damming, who did not reveal when the attack happened, said it was thwarted before the hacker got his hands on any personal data.
Some security breaches are less headline grabbing, but equally disastrous. A printer at KPN HQ that was churning out bills got stuck, meaning bills were put into the wrong envelopes and delivered to the wrong people. Around 10,000 customers were affected, Damming said.
“Data leakage can happen anywhere – awareness is key so we have spent time and effort on educating staff,” he warned.
A key recent change to Dutch law has concentrated thinking at KPN. Authorities and customers must be informed of any data leakage with “undue delay”, the legal amendment instructed, and KPN had to implement this amendment in just six months.
This required an overhaul of security protocols at the operator, which led to some surprising discoveries. Damming said a definition of data leakage was missing from its security incident processes.
The role of a customer communications expert must not be underestimated either, according to Damming. Security people “are not very good” at explaining data breaches, he admitted.
Chris Stock, Director of Security Management Programmes at TM Forum, believes all this indicates one thing – a change in culture is still required at operators.
“Chief Security Officers need to be talking on an equal level with the rest of the C-suite. How you sell security to the board is a key challenge that needs to be addressed,” he tells European Communications.
“Security needs to be included as you design new processes… and the first step is education.”
Paul Nguyen, President of Global Security Solutions at CSG Invotas, is in full agreement.
“Security is moving up the agenda as the C-suite is being held more accountable and concern around the protection of consumer data grows,” he explains.
The former hacker said the worst case he has come across in the last few months was an operator losing subscriber data that wasn’t detected until after the attack had happened.
The root cause was related to poor coding practices. “Developers are not educated in security,” he warns.
So what should operators do? Nguyen says they require better detection and response capability. “We talk about improving the ‘mean time to detect/respond’,” he says.
“Detection requires improving both software – including machine-automated capability – and processes as operators don’t have the workforce to keep up with the volume of attacks.”
While KPN is addressing the latter, Telenor has found a way of leveraging big data software to improve security.
Henrik Strom, Telenor Norway’s Head of IT Security, outlined in a presentation how it has used an analytics platform from Splunk to detect and respond to threats.
In common with rivals, Strom said Telenor was in possession of “many different systems, so it’s not an easy environment to manage from a security point of view”.
Using the big data platform, it can collect and analyse data from a range of sources including data centres, applications, and the IP and mobile networks.
Security “alarms” go off when an abnormal situation happens, while “hunting” techniques are used to search the data for signs that someone is already inside.
However, he warned that the alarms only work when his team knows what to look for.
Strom cited an incident of people abusing the operator’s service of sending SMS from a webmail account. Thanks to the big data platform, Strom was able to work out which accounts were being abused and for how long “in just 30 minutes” while at home on a Sunday afternoon.
From now on, all new systems and services must deliver data to Telenor’s big data platform, while all security monitoring technologies are integrated into it for correlation and cross-tool analysis.
Nguyen warns that operators need to be wary of false positives – scenarios that look like attacks but are not.
Prioritising what can and can’t be done from a security point of view should also be taken into account, he says.
“You can’t do everything… but you should integrate security into the DNA of everything that you do. It must be second nature.”