Welcome to our August blog. This month, we discuss activity underway to boost the security of Border Gateway Protocol (BGP), and share some thoughts on the recent AT&T data breach, including security considerations when using third-party managed service suppliers and the need to secure Bring Your Own Device (BYOD) arrangements.
The Federal Communications Commission (FCC) has released a proposal aimed at bolstering the security of US networks against cyberattacks by improving internet routing security. The new initiative mandates that internet service providers produce confidential reports detailing their efforts and plans to address vulnerabilities in BGP. BGP is the protocol that routers at the borders of internet Autonomous Systems (AS) use to learn how to reach each other. BGP itself has no built-in way to verify that an AS is authorised to announce a prefix; many deployments simply trust that a neighbouring AS is telling ‘the truth’ about connectivity. Anyone is therefore able to advertise a better route, whether maliciously or accidentally.

In last month’s blog post, I mentioned that I had been fortunate to hear some great talks at the recent 2024 Telecom & Digital Infrastructure Security Forum. One of those talks was from the RIPE Network Coordination Centre, which addressed a contribution towards strengthening BGP. Resource Public Key Infrastructure (RPKI) is a security layer for BGP routing that uses X.509 certificates as the cryptographic root of trust for address ownership, where each owner has a publicly available identifier. RPKI can be used to verify the origin of BGP routing announcements. RPKI provides part of the strengthening of BGP, but wider adoption is needed and, in time, full BGP path validation.
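To make the origin check concrete, here is an added example (not code from the original post or from RIPE NCC) of the route origin validation that RPKI enables, following the Valid / Invalid / NotFound states defined in RFC 6811. The ROA table is constructed from documentation prefixes and private AS numbers; a real validator would fetch signed Route Origin Authorisations from the RIR repositories instead.

```python
from ipaddress import ip_network

# Constructed ROA set (documentation prefixes, private ASNs), not real registry
# data. Each entry: (authorised prefix, maximum prefix length, origin ASN).
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
    ("2001:db8::/32", 48, 64498),
]


def rov_state(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for an announcement.

    This is origin validation only: it checks who originated the prefix,
    not the AS path the announcement travelled, so it does not stop
    path manipulation on its own.
    """
    net = ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ip_network(roa_prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        # At least one ROA covers this prefix, so an unmatched announcement
        # is a contradiction of the registry, not merely unregistered space.
        covered = True
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def filter_announcements(announcements, roas=ROAS):
    """Apply the usual operator policy: drop 'invalid', keep the rest.

    'not-found' is accepted because most address space still has no ROA;
    rejecting it would black-hole legitimate, merely unregistered, routes.
    """
    return [(p, asn) for p, asn in announcements
            if rov_state(p, asn, roas) != "invalid"]


if __name__ == "__main__":
    # Constructed announcements: a legitimate route, a wrong-origin route
    # (hijack or fat-fingered config), and an over-specific leak.
    seen = [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64500),
            ("198.51.100.0/25", 64497), ("203.0.113.0/24", 64499)]
    for p, asn in seen:
        print(p, asn, rov_state(p, asn))
    print("accepted:", filter_announcements(seen))
```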
AT&T recently reported a major security breach. On April 19, 2024, AT&T Inc. (“AT&T”) learned that a threat actor claimed to have unlawfully accessed and copied AT&T call logs. AT&T immediately activated its incident response process to investigate and retained external cybersecurity experts to assist. Based on its investigation, AT&T believes that threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023. This attack on a supply chain service provider highlights the ongoing need to focus on the full range of third-party suppliers.
One of the most concise recent documents is the joint cybersecurity advisory from CISA, the NSA, the FBI and international cyber authorities on protecting managed service providers and their customers. Its recommended actions include:
- Prevent initial compromise
- Enable/improve monitoring and logging processes
- Enforce multifactor authentication (MFA)
- Manage internal architecture risks and segregate internal networks
- Apply the principle of least privilege
- Deprecate obsolete accounts and infrastructure
- Apply updates
- Backup systems and data
- Develop and exercise incident response and recovery plans
- Understand and proactively manage supply chain risk
- Promote transparency
- Manage account authentication and authorisation.
The Australian Signals Directorate (ASD) has released a guide, How to Manage Your Security When Engaging a Managed Service Provider. It contains a number of suggested mitigation strategies, including:
- Make sure your own network is secure
- Get security in the contract
- Ensure your contract requires your MSP to maintain a good internal security culture
- Control MSP access to your network
- Mitigate the impact of stolen or abused credentials
- Ensure visibility of MSP actions on your network
- Plan for a cyber security incident.
Also available, from the Canadian Centre for Cyber Security, is the report Cyber Security Considerations For Consumers of Managed Services. The report covers a range of topics, including:
- Data security
- Legal compliance
- Service provider assessments
- Access control
- Encryption
- Incident response
- Business continuity and disaster recovery
- Supply chain integrity
- Exit strategies
- Data destruction.
BYOD allows employees and contractors to use personal devices for work. Compromised credentials have been found to be the initial access vector in many breaches. These credentials are gathered in a variety of ways, one of which is abusing a company’s BYOD policy. There are ways of securely implementing BYOD policies, for example with virtual environments, least privilege, multi-factor authentication, and managing data and permissions on employee exit. However, it is all too common for this to be overlooked. In the case of Snowflake, contractors used insecure personal devices to connect to customer databases. The contractors, who had used their laptops for other purposes (e.g. watching pirated content), exposed their devices to infostealer malware. Such malware hands login credentials to threat actors, who can then use them to access database instances – often with the contractor’s administrator/IT privileges.
If you’d like to discuss these themes or to get more closely involved, please email [email protected].