Mobile Network Operators face some particularly unique challenges. They have all the normal concerns of a business dependent on IT, plus the added requirement that they must secure the network while making it widely available to their customers and the customers of other operators without compromising the infrastructure, their peers, or the end users and their personal data.
These challenges are set in an environment of changing technology, business models, and industry structure. Couple this with the fact that of outages cost big money, and mobile communications are often highly personal, the stakes are very high for MNOs.
To assist fellow security professionals working in the Mobile sector, 360is have come up with our list of the most common mistakes made by MNOs.
Mistake 1. Over Integration / Under Segregation
One of the tenets of good information security is the separation of networks of differing levels of trust. Unfortunately this practice is easily eroded or rendered ineffective by over-integration of different functions onto a single hardware platform or software infrastructure. Over integration amplifies the effects of any individual security failing .
One sure sign of over integration is that you have difficulty in drawing up truly separate network diagrams for subscriber, management, and telemetry functions. Conversely, if you can easily move data and conduct interactive sessions between those 3 networks without a defined intermediate gateway or bastion stage in the process, this is also a bad sign.
Mistake 2. Misplaced Faith In Encryption
The second mistake and the first are often found together. Software and Hardware vendors have tended to treat encryption as a sort of magical security whitewash, to be sprayed liberally over everything, disguising unsightly flaws or cracks in the architecture. Encryption (implemented properly) is a great way to ensure confidentiality of communications on a shared network but historically it has suffered from poor implementation; weak random number generation, flawed protocols, and endpoint vulnerability.
In practice attackers rarely focus on the encrypted tunnel itself when there are far easier pickings to be had among the authentication system, the tunnel endpoints, and intermediate proxies.
Mistake 3. Not Considering Atypical Behavior
Once handsets were dumb. They had no user-settings, no expansion, and no ability to run code other than their Firmware. Users could make voice calls and send SMS, life was simple for the MNO. Today a "handset" can be a phone, a smart phone, a laptop, even a server. Services extend to voice, SMS, Internet, Corporate VPN, i-mode style portals, and hosted applications like BlackBerry.
MNO's expend huge amounts of time and money testing all these handsets with all these services to ensure a positive experience for their subscribers, but somehow in the testing... security gets ignored. Just because handsets are normally allocated addresses by DHCP and browsers are configured to use your proxy, doesn't mean an attacker with a laptop will follow "regular user behavior". Does your security testing take this into account? Claiming "You can't do that with our (handset/registration process/portal)" is not a very effective defense for your network.
Mistake 4. Incorrect Trust Models
Crashing these mistakes into one-another is becoming a theme. Following on from atypical behavior we come to the problem of trust among network elements, users, and their traffic. The reason why behavior is such a problem is that mobile networks often have their trust models wrong.
A trust model that relies on the handset to behave itself is as bad as those that rely on the user to behave himself. MNO security staff should be very wary of trusting source addresses, the interface traffic appears on, or any credentials passed by systems they do not exclusively control. If somebody says "It's a walled garden, we don't need to worry" you are probably already making mistake 4.
Mistake 5. No consideration of Modes Of Failure
Not planning for the inevitable failure of one or more parts of your security architecture is foolish. Sooner or later a configuration slip-up, a careless/malicious insider, or a new bug in your systems will cause one of your security mechanisms not to work. Does it fail-safe? Are you pro-active in checking all the careful steps you took to avoid mistakes 1-4? What is the extent of your exposure if any one of these mishaps occurs? Vendors hate to answer the question "what about when it doesn't work?" but you as security architects for your MNO must accept such eventualities as inevitable and plan for the worst.
Conclusions
The challenges faced by MNOs are similar to those faced by SCADA users a few years ago. They stem from the increasing pervasiveness of IP, the evolution of handsets from "dumb" single purpose devices to more flexible, complex systems, and the increased variety of services offered to subscribers. In an industry where "air gaps" are a myth, we have found many MNOs making the same mistakes as their cousins in the utility sector.
Equipment vendors must shoulder part of the blame for vulnerability in mobile networks, many of their systems are based on unhardened main-stream Operating Systems. However, MNOs themselves do not escape criticism.
It is common for entire networks to be sourced from a single vendor, radio-side and fixed-side, but this is no excuse for abdicating responsibility for operational security. That burden rests squarely with the operator.
http://www.securitypark.co.uk/security_article261518.html
 Custom Search |
Mobile Network Operators face unique security challenges
CCNA -- Cisco Certified Network Associate Study Guide: Exam 640-802
Cisco networking authority Todd Lammle has completely updated this new edition to cover all of the exam objectives for the latest version of the CCNA exam.
ISO OSI reference model
A comprehensive tutorial is available at tutorialsweb on ISO OSI model. OSI model is the basic building block of CCNA certification preparation, and it is highly required that a CCNA aspirant has a solid understanding of different layers of OSI model. The contents of the tutorial are given below:
The OSI (Open Systems Interconnection) Model
Information Exchange Process
Relationship between the OSI Model and Networking Devices
Repeaters, Bridges, Routers, Gateways and other network components
Glossary of Networking Terms
Read complete tutorial on ISO OSI model for CCNA preparation.
CCNA ICND2 Practice Tests
SimulationExams.com, recently released CCNA ICND2 (Interconnecting Cisco Network Devices 2) practice tests. ICND2 exam counts toward CCNA certification awarded by Cisco Systems®. CCNA ICND2 isintended for candidates who have experience in configuration and troubleshootingof Cisco networking devices.. The practice tests offered by SimulationExamsprovide a simulated test environment for candidates before appearing for thecertification exam.
The advantages of a simulated exam are:
Ability to gauge one's preparedness to take actual certification exam
To strengthen weak areas
To familiarize oneself with actual exam environment (such as timed test, lab practice, relevant practice questions, etc.)
CCNA ICND2 is one of the two qualifying exams available to candidates pursuing a two-exam option for Cisco Certified Network Associate Certification. To achieve CCNA, one need to pass both CCENT (also known as CCNA ICND1), and the CCNA ICND2 exams. Alternatively, one can obtain CCNA certification by passing a single exam, 640-802.
|
Custom Search |