Security is a challenge for the industry, we all know that, but the speed in which security threats are evolving is creating new headaches every single day for the telcos.
Speaking to Travis Russell, Oracle’s Director for Cybersecurity, at Mobile World Congress, the issue for the telcos is a relatively simple one to identify, but heartachingly difficult to address.
“Risk management and tolerance is the Achilles Heel for telcos,” said Russell. “The telcos are always looking for a smoking gun before changing risk tolerance.”
This has been the issue in recent years, though it is only today the real damage is being dealt. In by-gone years, telcos have been unwilling to address the problem of security until it has become a direct threat to the business. Due to finite resources and increasing pressure on the spreadsheets, telco have had to focus on immediate problems instead of getting ahead of greater threats.
“IP was an enabler to vulnerabilities,” said Russell. “It took a while for the hackers to catch-up, but now they have.”
As Russell points out, prior to IP being introduced to the world of telcos, risks were much smaller. TDM technologies were incredibly secure, but as networks evolved, new problems emerged. These challenges are persistent today, but the main issue is few people understand the community which is the most dangerous threat.
A lazy stereotype of a hacker would be a 17-year computer whizz, sitting in his pants at his laptop with red bull scattered throughout the room, causing chaos on the digital highways in search of kudos on the dark web. This might have been true one-upon-a-time, but the threat has evolved.
Hackers nowadays can herald from the worlds of organized crime. These are not thugs who extort the local corner shop anymore, but nefarious organizations which use the virtual world as a means to make money illegally. Few people think of organized crime mobs or terrorists groups as containing PHD computer genius’, but this is increasingly becoming the new norm as undesirables poke and prod networks for illicit gains.
However, as Russell mentioned before, the challenge has not been adequately addressed because the smoking gun has not been found. Few people consider a data breach as major news anymore, but that is because there have not been enough reported instances of identity fraud as a result of personal information hitting the dark corners of the web. Another example of a new threat is Metro Bank’s recent incident in the UK.
Here, Metro Bank was the victim of SS7 attacks, which allowed anyone with access to reroute text messages and calls. Considering banks use SMS during the two-stage authentication process, this presents a massive risk for many companies in the future. They are becoming much more common.
Elsewhere, the risks are becoming much more sophisticated as well, with open source communities coming under threat. Russell notes that while ecosystems like Linux might be safe, there are plenty of eye balls on code to ensure its legitimacy, lesser known or more niche ecosystems could be at risk. In these cases, vulnerabilities could be placed into the source code before being used elsewhere. It is a risk few consider and demonstrates the sophistication and intelligence of those who are aiming to do harm.
While this might sound like scaremongering, it is a perfectly legitimate point to make. Due to the fact companies have been brushing aside security concerns for years, there is a lot of catching up to do. Governments need to force security ownership on all segments of the community, as well as do more do educate the consumer on the risk of digital society.
The fact of the matter is, each element of the supply chain has to take ownership for security, even if there are elements which are slightly outside of their control. As it stands, each layer, whether they be connectivity providers, operating systems, hardware manufacturers, software providers or the consumer, has to take a more pragmatic approach to security. The security conundrum can only be solved if each element takes a more serious approach, to create an end-to-end landscape of protection. Gone are the days responsibilities can be passed elsewhere.
The hackers have got a head-start, but with new fines enforceable on incidents and substandard security protocols, security might be taken seriously before too long.