WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

Transcription

1 WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012

2 Table of Contents 1. Introduction Need for securing Telecom Networks Security Assessment Techniques Security Testing methodologies in Telecom Networks Telecom Equipment Testing Telecom Network Vulnerability Assessment Fuzz Testing Penetration Testing Remedial actions... 9 GLOSSARY REFERENCES

3 Security Testing in Telecom Network 1. Introduction Circuit-switched PSTN networks, traditionally controlled by the telecom operators are less prone to risks as compared to a packet-switched network based on an open protocol like the IP. However, due to the growing demand for data and video services and the limitations of the circuit-switched technology, telecom operators find it economically prohibitive to expand their circuit-switched networks to meet demand. This has led to a gradual move towards the adoption of packet-based switching technology. Newer 2G and 3G mobile phone systems like GPRS, EDGE and HSPA that are designed for data transmissions are also based on packet-based switching technology. Fig. 1 Transition to NGN Packet-based switching technology used in Next Generation Networks is usually implemented through the use of the IP suite. IP was based on open standards and not originally designed for security implementations. The weaknesses in the IP 2

4 have been exploited since long and therefore risks are involved in adopting an IPbased network. Both the traditional circuit-switched networks and the packet-based next generation networks are exposed to different threats and attacks both from external and internal sources that target the various parts of the telecommunications network. These attacks may be targeted at any part of the telecom network, including the radio path of the access network. Attacks on one telecom operator s network could also spread to multiple networks over the interconnection interfaces. 2. Need for securing Telecom Networks Telecommunication networks are playing a critical role in the economic growth of a country. It has led to government regulations in the telecom industry, which include requirements for ensuring the security of the telecom equipment and networks. The import of telecom equipment from other countries that are antagonistic to a state s strategic interests may lead to security threats by means of embedded logic bombs and malware. The interconnection of the PSTN networks of fixed and mobile phone systems and the next generation network has increased the attack surface of the telecom networks. The wide range of end-user devices that can now connect to the telecom networks has added to the complexity of the networks, thereby increasing the risks and vulnerabilities as well. Hence, the consequences of not implementing adequate security measures to deal with the security threats and challenges to the telecom network could be heavy. Several international standard development organisations like ITU, ISO/IEC, 3GPP, 3GPP2 and ETSI have prescribed standards that are applicable to telecom networks. Also, many countries have legislations and regulations that the telecom operators must comply with, which may require the adoption of specific security standards. 3

5 Telecom operators should adopt a robust, managed security programme to ensure that their networks are protected against malicious attacks, both external and internal, while also ensuring compliance to the local regulatory environment. This requires a holistic approach to implement security measures, based on globally accepted security standards and best practices. 3. Security Assessment Techniques There are various security testing and examination techniques that can be used to assess the security posture of systems and networks. The most commonly used techniques can be grouped into the following three categories: 3.1 Review Techniques : These are examination techniques used to evaluate systems, applications, networks, policies, and procedures to discover vulnerabilities, and are generally conducted manually. They include documentation, log, ruleset, and system configuration review; network sniffing; and file integrity checking. 3.2 Target Identification and Analysis Techniques : These testing techniques can identify systems, ports, services, and potential vulnerabilities, and may be performed manually but are generally performed using automated tools. They include network discovery, network port and service identification, vulnerability scanning, wireless scanning, and application security examination. 3.3 Target Vulnerability Validation Techniques : These testing techniques confirm the existence of vulnerabilities, and may be performed manually or by using automatic tools, depending on the specific technique used and the skill of the test team. Target vulnerability validation techniques include password cracking, penetration testing, social engineering, and application security testing. Since no single technique can provide a complete picture of the security of a system or network, organizations should combine appropriate techniques to ensure robust security assessments. For example, penetration testing usually relies on performing 4

6 both network port/service identification and vulnerability scanning to identify hosts and services that may be targets for future penetration. 4. Security Testing methodologies in Telecom Networks Maintaining a consistent security posture across an organisation s network in the face of the ever changing nature of IT security is a complex and time consuming task. Periodic security testing plays a vital role in assessing and enhancing the security of networks. Some of the Security testing techniques which are more relevant with respect to the telecom networks are discussed below: 4.1 Telecom Equipment Testing Telecommunication networks are likely to have a heterogeneous mix of equipment from various suppliers. A highly credible, trusted third party certification programme must be in place to conduct an assessment to identify and evaluate security weaknesses and vulnerabilities contained in equipment software, firmware and hardware implementations. Certification of the supplier products against the Common Criteria Specifications (ISO 15408) ensures this at the component level. 4.2 Telecom Network Vulnerability Assessment With a large number of vulnerabilities and an increasing number of attacks exploiting them being reported across technology platforms, it is becoming difficult to ensure that the critical elements of a telecommunications network are not vulnerable to these attacks. Vulnerability scanners provide system and network administrators with proactive tools that can be used to: Identify vulnerabilities associated with operating systems and applications Report and assess the vulnerability and its overall consequences Recommend remediation strategies To test compliance with organisational security policies by auditing system configurations Vulnerability scanners can be of two types: network-based scanners and hostbased scanners. Network-based scanners are used primarily for mapping an 5

7 organization's network and identifying open ports and related vulnerabilities. In most cases, these scanners are not limited by the operating system of targeted systems. The scanners can be installed on a single system on the network and can quickly locate and test numerous hosts. Host-based scanners have to be installed on each host to be tested and are used primarily to identify specific host operating system and application misconfigurations and vulnerabilities. Fig. 2 Network based vulnerability scanner Because host-based scanners are able to detect vulnerabilities at a higher degree of detail than network-based scanners, they usually require not only host (local) access but also a root or administrative account. Some host-based scanners offer the capability of repairing misconfigurations. It is very important to organize, express, and measure security-related information in standardized ways. Recommendation ITU-T X.1520 defines the the use of the common vulnerabilities and exposures (CVE), which provides a common nomenclature for publicly known problems in the commercial or open source software used in communications networks, end-user devices,etc. CVE does not contain information such as risk, impact, fix information, or detailed 6

8 technical information. CVE only contains the standard identifier number with status indicator, a brief description, and references to related vulnerability reports and advisories. The repository of CVE Identifiers is available at [cve.mitre.org]. Recommendation ITU-T X.1524 defines the use of the common weakness enumeration (CWE), which provides a common nomenclature to exchange information regarding weaknesses in source code and operating systems. CWE also offers supportive context information about possible risks, impacts, fix information, and detailed technical information about what the software weaknesses could mean to a software system. A comprehensive CWE dictionary is available at [cwe.mitre.org]. Recommendation ITU-T X.1521 provides common vulnerabilities scoring system (CVSS) as a standardized approach for communicating the characteristics and impacts of ICT vulnerabilities. It uses base, temporal and environmental metrics that apply contextual information to more accurately reflect the risk to each user's unique environment. Many organizations are using CVSS internally to make informed vulnerability management decisions. They use scanners or monitoring technologies to first locate host and application vulnerabilities. They combine this data with CVSS base, temporal and environmental scores to obtain more contextual risk information and remediate those vulnerabilities that pose the greatest risk to their systems. 4.3 Fuzz Testing While vulnerability assessments can help identify and mitigate known vulnerabilities, it cannot be used to protect against exploitation of unknown vulnerabilities that are likely in complex networks like telecom networks. A methodology that is now being used to address these unknown vulnerabilities is Fuzz Testing. It is a form of attack simulation where abnormal inputs are used to trigger vulnerabilities. One approach is model-based fuzzing, which uses protocol specifications to target tests at protocol areas most susceptible to vulnerabilities. 7

9 Another approach, traffic capture fuzzing, uses traffic captures to create the fuzzers used for testing. 4.4 Penetration Testing The purpose of penetration testing is to identify methods of gaining access to a system by using common tools and techniques used by attackers. It supplements the vulnerability assessment activities by taking the last step and actually exploiting these vulnerabilities to compromise and gain access to the target systems. A penetration test can be designed to simulate an inside and/or an outside attack. Security testing specialists attempt to infiltrate the client s network, systems and applications using not only common technologies and techniques, but also specialised tools and some unexpected methods, such as combined techniques ( multi-vector attacks). The result is a detailed report identifying key vulnerabilities and suggested protection tactics an action plan to improve the organisation s security posture. There are two types of penetration testing commonly referred to as Blue Teaming and Red Teaming. Blue Teaming involves performing a penetration test with the knowledge and consent of the organization's IT staff. Red Teaming involves performing a penetration test without the knowledge of the organization's IT staff but with full knowledge and permission of the upper management. This type of test is useful for testing not only network security, but also the IT staff's response to perceived security incidents and their knowledge and implementation of the organization's security policy. The Red Teaming may be conducted with or without warning. Penetration testing is important for determining how vulnerable an organization's network is and the level of damage that can occur if the network is compromised. Because of the high cost and potential impact, annual penetration testing may be sufficient. The results of penetration testing should be taken very seriously and discovered vulnerabilities should be mitigated. As soon as they are available, the results should be presented to the organization s managers. Corrective measures can include closing discovered and exploited vulnerabilities, modifying an organization's security policies, creating procedures to improve 8

10 security practices, and conducting security awareness training for personnel to ensure that they understand the implications of poor system configurations and poor security practices. 5. Remedial actions While identifying and categorizing vulnerabilities is important, a security test is much more valuable if it also results in a mitigation strategy being developed and implemented. This requires translating the findings of the testing into remedial actions. A suitable approach required to achieve this may be as follows. Based on the analysis of the findings mitigation recommendations should be developed. These recommendations should be presented as a report to the appropriate authorities and finally, the mitigation activities should be carried out. 5.1 Mitigation Recommendations After completion of all the testing activities final conclusion and mitigation recommendations are developed. There may be both technical recommendations (e.g., applying a particular patch) and nontechnical recommendations that address the organization s processes. Examples of mitigation actions include policy, process, and procedure modifications; security architecture changes; deployment of new security technologies; and deployment of OS and application patches. 5.2 Reporting Upon completion of analysis, a report should be generated that identifies system, network, and organizational vulnerabilities and their recommended mitigation actions. This report should be documented and made available to the appropriate staff, which may include the CIO, CISO, and ISSO as well as appropriate program managers or system owners. Because a report may have multiple audiences, multiple report formats may be required to ensure that all are appropriately addressed. 5.3 Remediation / Mitigation While implementing the remediation, Organizations should follow at least the four steps outlined below. 9

11 i. Before implementing technical modifications to a production asset, testing should be done on test systems in an environment that replicates the network in which the mitigation action would be implemented. For example, before implementing patches on an operational system it should be installed on a similar system in a test environment just to check whether there are any negative implications. Such testing significantly reduces, but does not eliminate, the risk of a system reacting adversely to a technical modification. ii. Changes and their impact to the existing systems, networks, policy, or processes should be communicated to the appropriate authorities before executing any remedial actions. At a minimum, the program manager or system owner should be contacted before executing any remedial actions and should provide approval of the planned mitigation actions before they are implemented. iii. Implementation of mitigation strategies should be verified by conducting an audit of the system. A system audit can be conducted by onsite security personnel or an external security test team. iv. It is important to continuously identify and update mitigation activities that have been accomplished, partially accomplished, or are pending action by another individual or system. 10

12 GLOSSARY IP PSTN GPRS EDGE HSPA ITU ISO IEC 3GPP ETSI CIO CISO Internet protocol Public switched telephone network General Packet Radio Service Enhanced data rates for GSM evolution High Speed Packet Access International telecommunications union International organization for standardisation International electrotechnical commission Third generation partnership project European Telecommunications Standards Institute Chief Information Officer Chief Information Security Officer REFERENCES i. NIST Special Publication ii. NIST Special Publication iii. NIST Special Publication iv. Security in Telecommunications and Information Technology, An overview of issues and the deployment of existing ITU-T recommendations for secure telecommunications, ITUT, June 2006 v. Unknown Vulnerability Management for Telecommunications, Anna-Maija Juuso and Ari Takanen,Codenomicon, February 2011 vi. White paper on Cyber security for virtual and cloud environments by Spirent. 11

13 12