The view from the other side of the fence

IV. SS7 SECURITY ISSUES

Dave Henderson (SEVIS Systems) gave a presentation entitled, "Public
Switched Network is Now Really Public (Attachment 4)." Dave noted he has
spent a number of years working in information warfare and protection. He
noted that his work addresses issues on network security and open network
connection.

Points Noted

10. Dave noted there are concerns with reliability of equipment. He
noted that while the PSTN was formerly relatively closed, it is now wide
open.

11. Dave noted in the past, the internet was relatively safe; however
recent events have opened security issues while teaching vulnerability
lessons. He noted that with an increase in network users, there is also
an increase in vulnerabilities identified by users and decreased ability
to control the network.

12. Dave reviewed the emerging threats to the PSTN. He noted the cost
resulting from fraud is presently $12 billion and growing. With the rapid
development of technology, there is less time for adequate testing. He
noted that the quality of intruder tools is improving and they are
becoming more available. He further noted hacker magazines are writing
SS7 articles.

13. Dave reviewed some of the major threats to individual networks.
Among these he noted theft of SS7 service (calling card numbers, wireless
fraud and rerouting of call traffic) and denial of service.

14. Dave noted the solutions that are presently available for
addressing security issues are inadequate. He noted the present gateway
screening capabilities are unreliable, there is no standard security
guideline for interconnection, there is a progressive skills gap, and
there are currently no mechanisms to control or authenticate traffic on the
network.

15. Dave noted the networks are very fragile with a tremendous number
of vulnerabilities.

16. Dan noted if the network was compromised by a problem caused by a
new piece of equipment, this could be devastating to a company's
reputation.

17. Dave noted in order for convergence to take place interoperation
with different transport and signaling technologies is imperative.

18. Dave noted the industry needs to be more proactive in addressing
the security issues in order to avoid having the government impose
mandates and to ensure the US is protected from information warfare
attacks that could result in the draining of bank reserves and the cutting
off of power sources.

19. Dan noted that like interoperability testing, security testing
discoveries provide insurance against issues that arise. Unfortunately,
until problems arise, people are not quick to act.

This was the industry view 2 years ago. In light of the technological
advances that have been made in the last 2 years regarding the
proliferation of packet-switched voice traffic I'm interested to see what
the community thinks.

Let's face it, as the industry moves towards a more converged state, we
haven't even really begun to consider the security implications that
present themselves in this new environment.

-Scott

With convergence, do you think we will get the best security practices
from both worlds, or the worst?

:With convergence, do you think we will get the best security practices
:from both worlds, or the worst?

Most organizations' security policies have grown organically, or by
precedent, as opposed to being 'architected'.

When convergence occurs, the company with the most existing security
infrastructure 'wins'. By this I mean their practices are adopted
by the less organized one.

Also, I have seen some very elaborate, enterprise-wide free software security
solutions that were technically elegant, and very robust, but they were
swept aside because the owners of these systems could not adequately
communicate their business value.

It has been my observation that convergence doesn't relate so much to the
integration of technologies to provide new services, as it does the
rationalization of differing business models into new ones.

From a big picture security perspective, the security challenges of
a convergence between a telco and a satellite tv company aren't as much
about integrating the various networking technologies and exposing
ground station computers to the Internet, as they would be about
DRM, fraud mitigation, subscriber privacy and infrastructure protection.

The reason I'm mentioning this is because I have heard some security people
talking about the problems with IP gateways to the PSTN, which is
legitimately frightening to many, but the issue isn't about what will
happen when some PBX manufacturer puts an IP stack and an ethernet card
in their product without doing security QA testing.

It is about whether the traditional telecom security models that look a lot
like corporate IT, where network people don't touch servers, and vice versa,
will work when the line blurs between the network and the application.

In corporate IT, I am one of those "Internet guys" that thinks he
can manage systems _and_ networks, which is like saying to me that I
play both kinds of music, country _and_ western.

Worst case scenario, we get Kafkaesque bureaucracy with no standards or
procedures. Best case, we get a hybrid of strong, auditable and enforceable
policy, with an understanding of the systems and networks as a single
service as presented to the customer.

So, as for whether we will see better or worse security policy,
I can guarantee we will see the most cost effective solutions,
meeting the minimum legal requirements, which serve customers' needs,
and improve overall ROI for stakeholders.

In other words, not much will change by virtue of convergence alone.
It will take education, possibly regulation, and market incentives to
create better security policy, and I think these things are independent
of the features of new technologies.

Cheers,