Mobile operators are organizations that provide telecommunication services over a cellular interface.1 The mobile industry initially consisted of infrastructures that provided voice and very limited data services through mobile phones. Modern mobile operators provide a wide range of multimedia data services, including video-on-demand and mobile Internet access. This transformation created new demands in service provision, requiring enhanced versions of supporting services such as charging, billing, roaming, interworking and addressing, along with the necessary security services for protecting information confidentiality, integrity and availability. As a result, the infrastructure of modern mobile operators consists of a number of heterogeneous systems that host critical information in many forms and are usually handled by complex information technology (IT) governance systems.
This article presents existing problems in the security management systems of mobile operators, as captured by extensive security assessments conducted at a number of major operators. It describes the difficulties of implementing international IT governance and security management standards in this environment, shares experiences and proposes solutions to the security issues found, following the fundamental principle that security in practice is based on the knowledge we have of the vulnerabilities present in a specific environment.2, 3
The Mobile Operator’s Environment
The multitude and magnitude of systems that process or store critical or legal sensitive data in combination with the fast infrastructure upgrades define an environment with important challenges for managing security. Figure 1 presents a simplified overview of a mobile operator’s infrastructure.
A typical third-generation (3G) mobile operator’s infrastructure, based on the Universal Mobile Telecommunications System (UMTS), consists of three main components: the UMTS Terrestrial Radio Access Network (UTRAN), the core network and the corporate network. The UTRAN is the collection of systems (the antennae and their controllers, among others) that gives subscribers access through their mobile phones. The mobile core network performs traffic switching and signaling for voice and data connections, linking the UTRAN with other voice and data networks, including the Internet. It hosts a number of critical systems, including the gateways for voice and data service provision and the databases that hold subscriber data; all of them contain sensitive corporate or subscriber information. The corporate network typically hosts the billing system (which collects call detail records (CDRs) from the core network components, usually through a billing gateway), the enterprise resource planning (ERP) system, the fraud detection system, the data warehouse, the subscriber management and customer relationship systems, and other systems supporting the business functions of the mobile operator. Most of these systems handle critical information, including call details, personal subscriber data and sensitive corporate information.
Information types include user-related technical data and corporate information. User-related technical data include user traffic, charging data, billing data, location data, addressing data, identity data, security management data, access control management data and service profile data.4 Corporate information includes customers’ personal and financial data, contract data, employee information, organizational and corporate financials, sales and marketing data, and roaming data.
The Importance of Security
Mobile operators are organizations with very strict, nonnegotiable security and privacy requirements.5 These requirements derive from the need to protect the shareholders’ interests and are essential to assure and maintain business continuity, profitability, growth, reputation, competitive edge and legal compliance. Unfortunately, the vast amount of critical information handled by mobile operators, combined with the complexity of their infrastructures, makes these requirements difficult to address. At the same time, the European Union directive on privacy and electronic communications6 treats the privacy of communications and of subscribers’ personal data as a fundamental element of society, while the continuously increasing demand to confront terrorism and organized crime has led governments to legislate for the lawful interception of communications.7
A security incident may have a significant business impact on a mobile operator. A breach of confidentiality can result in severe embarrassment, financial loss and even litigation. Serious disclosures include secret commercial information, strategic directions, customers’ personal data, subscribers’ call data and information disclosed to legal representatives. A breach of integrity can be particularly devastating: in the case of billing data the impact may be direct monetary loss, and legal problems may follow, since subscribers’ call data may be evidence in a legal case or subject to lawful interception. As far as availability is concerned, the loss of records or data can be particularly disruptive. Because most of a mobile operator’s applications and services are time-sensitive, a breach of availability may cause direct monetary loss, increased costs through additional working hours and considerable embarrassment when information is unexpectedly unavailable; legal problems may also result if the organization cannot meet its service level agreements. Security management provides the framework on which the technical countermeasures that implement confidentiality, integrity and availability rely.8 A weak security framework may lead to a disorganized implementation of technical controls that are not in line with the business needs of the mobile operator and may open the path to successful attacks.9, 10
Implementing International Standards
Security management systems should be based on international standards. Processing the results of several security assessments of major mobile operators revealed four common areas of security management that, because of the specific nature of mobile operators, were not successfully addressed. These areas were analyzed according to the guidelines of three international standards:
- Control Objectives for Information and related Technology (COBIT), which is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.11
- ISO/IEC 27001 “Information Security Management Systems—Requirements,” which aims to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system (ISMS).12
- ISO/IEC 17799:2005 “Information Technology—Code of Practice for Information Security Management,” which provides a list of controls for implementing security management.13
These standards contribute to the establishment of security by providing guidance from the same perspective, a security management architecture customized to the organization, but at different layers.
ISO 27001 is a set of steps that have to be followed to build an ISMS, much as ISO 9001 sets out the steps for building a quality management system in an organization. ISO 27001 is based on BS 7799 Part 2.
ISO 17799, which is based on BS 7799 Part 1 and is the predecessor of the forthcoming ISO/IEC 27002, provides a set of controls supporting the implementation of security that may then be managed by an ISMS. The controls described are general and have to be customized, and possibly extended, to support security in a specific organization.
COBIT is a complete system with a wider scope—the design, establishment and support of IT systems that are aligned with the business goals of an enterprise. Figure 2 presents the four vulnerable areas of security management, in relation to the relevant part of each standard.
Figure 2— Guidelines Provided by Standards

| Vulnerable Area Code | Vulnerable Area Title | COBIT | ISO/IEC 17799:2005 | ISO/IEC 27001 |
|---|---|---|---|---|
| A1 | Information ownership | PO2.3 Data classification scheme; PO4.9 Data and system ownership | Chapter 7, Asset Management: Ownership of Assets | Chapter 4, Information Security Management System |
| A2 | Information security responsibilities | PO4.8 Responsibility for risk, security and compliance; PO4.9 Data and system ownership; PO6 Communicate management aims and direction | Chapter 6, Organization of Information Security: Allocation of Information Security Responsibilities | Chapter 5, Management Responsibility |
| A3 | Access control to critical information assets | AI2.3 Application control and auditability; AI2.4 Application security and availability; DS5.3 Identity management; DS5.4 User account management | Chapter 11, Access Control | |
| A4 | Logging of actions to critical information | DS5.5 Security testing, surveillance and monitoring | Chapter 10, Communications and Operations Management: Monitoring | |
The first two vulnerable areas (A1 and A2) concern determining the owner of each information type and how responsibilities are defined. According to ISO 27001, the term “owner” identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets. One of the fundamental requirements of ISO 27001 toward the creation of an ISMS is the assignment of information ownership. Management responsibility for establishing information security roles and responsibilities is also a priority for ISO 27001. According to COBIT, information ownership is fundamental to the integration of applications into a business process and is generally one of the first steps when building controls for IT governance. The identification of system and data ownership is also a control objective for the definition of IT processes, and determining information ownership is generally a prerequisite for the subsequent steps of the COBIT framework. Furthermore, COBIT provides controls to embed ownership of, and responsibility for, IT-related risks within the business at an appropriate management level, and to establish risk and security management responsibility at an organizationwide level. ISO 17799:2005 clearly states the importance of defining information ownership and provides directions toward that target; the allocation of information security responsibilities according to the information ownership schema is also described in the standard.
Despite the guidelines provided by the standards, mobile operators face serious problems in creating an effective information ownership and responsibility schema, mainly because of the complexity of their environment. CDRs, for example, exist in many forms from the time of their generation by the core network elements to their storage and processing by the corporate billing system. The problem grows when one considers that this critical information type horizontally crosses many corporate departments, creating disputes over ownership and responsibility among the management of each department.
The other two vulnerable areas (A3 and A4), as shown in Figure 2, concern access to critical information and the logging of actions on that information. Access control appears in several parts of COBIT, since it is considered a primary control for IT governance and security, while guidelines for logging form part of COBIT’s wider monitoring guidelines. ISO 17799 provides guidelines for access control in a chapter of the same name, and logging guidelines as part of the monitoring guidelines within communications and operations management. ISO 27001 does not define specific controls, since its scope is to set requirements and to reference ISO 17799:2005 for implementing security. Both COBIT and ISO 17799 describe guidelines for access and logging policies that ensure information is accessed only by the appropriate personnel, that confidentiality, integrity and availability are maintained and that the necessary user actions are logged. The standards state that access to information, including logs, should be in line with business requirements, respond to identified risks and follow the data classification. They also highlight the importance of uniquely identifying users and their activity on IT systems, of protecting critical information at all stages and in all forms, of authentication and transaction integrity, and of the capability for automatic information recovery. Finally, they underline that a logging and monitoring function enables the early detection of unusual or abnormal activities that may need to be addressed.
Due to the mobile operator’s environment, especially the multitude of forms that critical information may have and the multitude of systems and departments that have access to those systems, the implementation of access control and logging becomes a challenge. The main vulnerabilities identified by the security assessments are:
- Users’ roles are not described in enough detail to define the exact access rights to each information type that a work task requires. Without such descriptions, access rights cannot be refined or redefined, so surplus rights are never identified and removed.
- User management is implemented for each specific system and/or application. There is no central management of the users and no central mechanism for auditing the access rights of the users and imposing central access policies.
- The same types of critical information are being accessed in different systems by the same users. Although access to these systems may be necessary for gaining complementary parts of information, this operation makes information access very complex and might influence an investigation procedure in the case of an incident.
- Shared accounts are in use, justified by the need for many technical staff members to access raw data records in systems quickly and jointly. Shared accounts undermine the ability to trace responsibility for security incidents.
- Logging capabilities vary from system to system, even when these systems contain critical information of the same level. There exist systems for which the activated logging capabilities are inadequate for the criticality and impact of the data they contain. For example, view logging is of primary importance for call details, and this facility is not provided by a number of legacy systems.
Tailored Solutions for Mobile Operators
Mobile operators need solutions for areas A1 to A4 that are customized to the particular form each vulnerability takes in the mobile operator’s environment. For A1 and A2, the first step is to combine an automated asset registry mechanism with strict procedures defined by the corporate security policy and with security awareness. The operator’s personnel should understand the importance of keeping the registry up to date and should follow a well-defined change management procedure, since failing to do so could permit attacks (e.g., eavesdropping when a component of the mobile core network is altered) with major business impact, including legal implications. Once the registry mechanism is in place, information ownership and responsibility should be defined. The most appropriate information owners are the individuals who best understand the information’s value and the threats to it, and who have the authority to balance risk against cost.14 On that principle, the author proposes the following dual-level information ownership schema for mobile operators, consisting of two information owners who also interact with the owners of the systems that host the information. The schema requires interdepartmental cooperation:
- A first-level (L1) information owner should be a business user, holding a position in the upper levels of the hierarchy, whose responsibilities are most relevant to and most dependent on this specific information. This information owner should have the supervision of the specific information handling and should provide guidance to the second-level information owner. The L1 information owner should be responsible for any decision taken regarding the information.
- The second-level (L2) information owner should be a business user at lower levels of the hierarchy, whose business duties are most relevant to the information. This information owner should be responsible for the everyday handling of information and should notify the L1 information owner if a decision has to be made, as far as the information is concerned.
Figure 3 presents an example of the proposed information ownership schema. The example addresses a common and very important problem regarding information ownership and responsibility for CDRs. This example will also elaborate practical situations that mobile operators have to address in their everyday operation.
CDRs exist in many forms and are considered critical information, since they contain sensitive information regarding specific subscribers. In the example in Figure 3, a CDR is generated by an element of the mobile core network. This CDR may be accessed by personnel of the mobile systems department who are responsible for maintaining the mobile network. The mobile network element also belongs as a system to the mobile systems department. The CDR travels from the mobile network component to the billing system for processing. The billing system belongs to the corporate information systems department. Personnel from the customer care department have to access this information through the billing system to implement business processes related to the subscribers, such as addressing call dispute issues. The CDR is also accessed in the same system by the marketing department. The marketing department usually utilizes a specialized data warehouse system, which provides aggregate information. However, employees from marketing have to collect specific information for a number of high spenders to enhance policies for these specific clients.
Since CDRs contain legally sensitive information, the L1 information owner should be the head of the division most closely related to this information type. In the example, this could be the head of the commercial division, which hosts the customer care department. L2 information owners should be defined for each department that has access to this information type; in this scenario, the mobile systems, customer care and marketing departments. The L2 owners are supervised by the L1 owner, who has overall responsibility for the information type, and are responsible for their departments’ actions regarding it. Any change to a CDR requires the L1 owner’s authorization; for example, if the mobile systems department needs to update the CDR format for technical reasons, the commercial director must authorize it. This information ownership schema has been tested in practice and was successful with the support of upper management.
Regarding A3 and A4, a unified user management system should perform user-provisioning tasks from a central point in the network. It should make it easy to generate a user’s profile according to his or her department: based on a predetermined set of business rules, the system should set up user profiles automatically and grant users the minimum access privileges they need to perform their business functions, registering them on every application, database, middleware and operating system they require. The system should allow self-service management of each user account (e.g., resetting passwords, changing personal information), should be extensible to support different types of access control on different systems according to the sensitivity of the data or a documented policy, and, when a user’s status in the organization changes, should fully revoke the granted access rights or assign a new profile. It should also provide tailored reporting (e.g., per department or per system) according to management needs. To implement strong access control on the new system, a clean separation of user duties and roles is required. Wherever possible, a mechanism for on-demand authorization to view selected sensitive data should be developed: a separate, designated user dynamically assigns privileges to users who need to perform a business function on the selected data, following the request-approve-resolve principle, so that no user grants such access to himself or herself.
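As an added illustration of the central provisioning and request-approve-resolve mechanism described above (example code written for this edit, not a system from the assessments or from the author), the following Python engine derives standing rights from department rules, grants additional rights only on approval by a designated separate authorizer and only for a limited time, and replaces rather than accumulates rights when a user moves or leaves. The department rules, system names, information types, user names, approver name and ticket format are all assumptions made for the example.

```python
"""Added example, not from the article: a minimal central provisioning and
authorization engine. The department rules, system names, information types,
user names, approver name and ticket format are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

Permission = Tuple[str, str, str]  # (system, information type, action)

# Business rules (constructed): each department gets only what its tasks require.
ROLE_RULES: Dict[str, Set[Permission]] = {
    "customer_care": {("billing", "cdr", "view"), ("crm", "subscriber_profile", "view"),
                      ("crm", "subscriber_profile", "update")},
    "mobile_systems": {("core_element", "cdr", "view"), ("core_element", "config", "update")},
    "marketing": {("data_warehouse", "cdr_aggregate", "view")},
}

@dataclass
class Grant:
    permission: Permission
    approved_by: str
    expires: datetime
    ticket: str

@dataclass
class User:
    name: str
    department: Optional[str]  # None once the user has left the organization
    standing: Set[Permission] = field(default_factory=set)
    temporary: List[Grant] = field(default_factory=list)

class Provisioner:
    """Central user management: role-based standing rights plus request-approve-resolve grants."""
    def __init__(self, rules: Dict[str, Set[Permission]], approvers: Set[str]):
        self.rules = rules
        self.approvers = approvers  # designated authorizers for on-demand access
        self.users: Dict[str, User] = {}
        self.pending: Dict[str, Tuple[str, Permission, str]] = {}  # ticket -> request

    def onboard(self, name: str, department: str) -> None:
        self.users[name] = User(name, department, standing=set(self.rules[department]))

    def change_department(self, name: str, department: str) -> None:
        user = self.users[name]
        user.department = department
        user.standing = set(self.rules[department])  # replace, never add: no privilege accumulation
        user.temporary.clear()  # on-demand grants do not follow the user into a new role

    def offboard(self, name: str) -> None:
        user = self.users[name]
        user.department, user.standing, user.temporary = None, set(), []

    def request(self, name: str, permission: Permission, justification: str) -> str:
        ticket = f"REQ-{len(self.pending) + 1:04d}"
        self.pending[ticket] = (name, permission, justification)
        return ticket

    def approve(self, ticket: str, approver: str, ttl_hours: int, now: datetime) -> Grant:
        name, permission, _ = self.pending[ticket]
        if approver not in self.approvers or approver == name:
            raise PermissionError("approval must come from a designated, separate authorizer")
        del self.pending[ticket]
        grant = Grant(permission, approver, now + timedelta(hours=ttl_hours), ticket)
        self.users[name].temporary.append(grant)
        return grant

    def resolve(self, name: str, permission: Permission, now: datetime) -> Tuple[bool, str]:
        """Authorization decision: a standing role right, else an unexpired approved grant."""
        user = self.users.get(name)
        if user is None or user.department is None:
            return False, "no active user"
        if permission in user.standing:
            return True, "role"
        for g in user.temporary:
            if g.permission == permission and now < g.expires:
                return True, f"{g.ticket} approved by {g.approved_by}"
        return False, "denied"

NOW = datetime(2024, 3, 4, 9, 0)  # fixed clock so the walk-through is reproducible

def demo() -> Dict[str, object]:
    """Walks one constructed user through onboarding, an on-demand grant, expiry, a move and departure."""
    p = Provisioner(ROLE_RULES, approvers={"cdr_l2_owner"})
    p.onboard("jsmith", "customer_care")
    raw_cdr = ("core_element", "cdr", "view")
    out: Dict[str, object] = {"role_view": p.resolve("jsmith", ("billing", "cdr", "view"), NOW),
                              "no_role_raw": p.resolve("jsmith", raw_cdr, NOW)}
    ticket = p.request("jsmith", raw_cdr, "call dispute, case 4711")
    try:
        p.approve(ticket, "jsmith", ttl_hours=4, now=NOW)  # requester trying to approve own request
        out["self_approval_blocked"] = False
    except PermissionError:
        out["self_approval_blocked"] = True
    p.approve(ticket, "cdr_l2_owner", ttl_hours=4, now=NOW)
    out["granted"] = p.resolve("jsmith", raw_cdr, NOW + timedelta(hours=1))
    out["expired"] = p.resolve("jsmith", raw_cdr, NOW + timedelta(hours=5))
    p.change_department("jsmith", "marketing")
    out["after_move"] = p.resolve("jsmith", ("billing", "cdr", "view"), NOW)
    p.offboard("jsmith")
    out["after_leave"] = p.resolve("jsmith", ("data_warehouse", "cdr_aggregate", "view"), NOW)
    return out
```

The two design choices worth carrying into a real deployment are that `change_department` replaces the standing right set instead of adding to it (the usual way surplus rights accumulate over a career) and that every on-demand grant carries its ticket and approver, so an audit of who could see raw CDRs at a given moment can be answered from the grant records alone.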
The ability to monitor and audit user activity is fundamental to security. Specific provisions are needed so that security officers can identify abnormal user behavior and trace a security incident, such as a leak of sensitive information, to specific user accounts in a non-repudiable manner. Therefore, applications should be extended or updated to generate detailed audit logs that record user activity (including the viewing of critical information) at both the system and application levels, and the logs should be collected by a centralized mechanism for further analysis and correlation.
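The following Python script is an added example, not part of the original article, of the centralized collection and correlation just described. It normalizes audit lines from three differently formatted systems into one event stream and then flags accounts viewing CDRs of unusually many subscribers, accounts used from more than one host within a short window (the shared-account problem noted among the assessment findings), and systems whose logs never record a view (the logging coverage gap noted there). All log formats, lines, system and host names, accounts and thresholds are constructed for the example.

```python
"""Added example, not from the article: normalize audit logs from three differently
formatted systems into one event stream and run three checks over it. Every log
format, line, host, account name and threshold below is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

@dataclass
class Event:
    ts: datetime
    system: str   # which system wrote the record
    account: str  # which account acted
    host: str     # where the account connected from
    action: str   # normalized to lower case: view, update, ...
    target: str   # subscriber number, file or table touched

# Constructed formats: key=value application log, syslog-style core element line, pipe-delimited warehouse log.
BILLING = re.compile(r"^(?P<ts>\S+) billing user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<act>\S+) obj=cdr msisdn=(?P<msisdn>\d+)$")
CORE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>[\d:]+) (?P<sys>\S+) cdrtool\[\d+\]: account=(?P<acct>\S+) host=(?P<src>\S+) op=(?P<op>\S+) file=(?P<file>\S+)$")
DW = re.compile(r"^dw\|(?P<ts>[^|]+)\|(?P<user>[^|]+)\|(?P<act>[^|]+)\|(?P<src>[^|]+)\|(?P<obj>[^|]+)$")

def parse(line: str, year: int = 2024) -> Optional[Event]:
    """Map one raw line to an Event; returns None for lines no parser recognizes."""
    m = BILLING.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "billing", m["user"], m["src"], m["act"].lower(), m["msisdn"])
    m = CORE.match(line)
    if m:  # syslog lines carry no year, so one is supplied
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return Event(ts, m["sys"], m["acct"], m["src"], m["op"].lower(), m["file"])
    m = DW.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "dw", m["user"], m["src"], m["act"].lower(), m["obj"])
    return None

def bulk_subscriber_views(events: List[Event], limit: int = 3, window=timedelta(minutes=10)) -> Dict[str, int]:
    """Accounts that viewed CDRs of more than `limit` distinct subscribers inside `window`."""
    per_account: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.system == "billing" and e.action == "view":
            per_account[e.account].append(e)
    flagged: Dict[str, int] = {}
    for acct, evs in per_account.items():
        for i, start in enumerate(evs):
            seen = {x.target for x in evs[i:] if x.ts - start.ts <= window}
            if len(seen) > limit:
                flagged[acct] = max(flagged.get(acct, 0), len(seen))
    return flagged

def shared_account_use(events: List[Event], window=timedelta(minutes=30)) -> Dict[Tuple[str, str], List[str]]:
    """(system, account) pairs used from more than one host inside `window`: credentials being shared."""
    per_account: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        per_account[(e.system, e.account)].append(e)
    flagged: Dict[Tuple[str, str], List[str]] = {}
    for key, evs in per_account.items():
        for i, start in enumerate(evs):
            hosts = {x.host for x in evs[i:] if x.ts - start.ts <= window}
            if len(hosts) > 1:
                flagged[key] = sorted(hosts)
    return flagged

def systems_without_view_logging(events: List[Event]) -> List[str]:
    """Systems that log something but never a view: a logging coverage gap for critical data."""
    actions: Dict[str, set] = defaultdict(set)
    for e in events:
        actions[e.system].add(e.action)
    return sorted(s for s, acts in actions.items() if "view" not in acts)

# Constructed sample: a collected batch from the billing system, one core element and the warehouse.
SAMPLE_LOG = """\
2024-03-04T09:00:01 billing user=jsmith src=10.1.2.3 action=VIEW obj=cdr msisdn=306900000001
2024-03-04T09:00:40 billing user=jsmith src=10.1.2.3 action=VIEW obj=cdr msisdn=306900000002
2024-03-04T09:01:12 billing user=jsmith src=10.1.2.3 action=VIEW obj=cdr msisdn=306900000003
2024-03-04T09:02:05 billing user=jsmith src=10.1.2.3 action=VIEW obj=cdr msisdn=306900000004
2024-03-04T09:30:00 billing user=amaria src=10.1.2.9 action=VIEW obj=cdr msisdn=306900000001
2024-03-04T09:31:00 billing user=amaria src=10.1.2.9 action=VIEW obj=cdr msisdn=306900000001
Mar  4 09:05:10 msc01 cdrtool[412]: account=netops host=10.2.0.7 op=view file=cdr_20240304.dat
Mar  4 09:06:30 msc01 cdrtool[413]: account=netops host=10.2.0.8 op=view file=cdr_20240304.dat
dw|2024-03-04T09:10:00|mkt_user|UPDATE|10.3.0.4|campaign_segments
"""

def run_checks(log_text: str = SAMPLE_LOG) -> Dict[str, object]:
    """Parse the collected lines and return every finding, plus the count of lines nobody could parse."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    parsed = [parse(l) for l in lines]
    events = [e for e in parsed if e is not None]
    return {
        "unparsed": parsed.count(None),
        "bulk_views": bulk_subscriber_views(events),
        "shared_accounts": shared_account_use(events),
        "no_view_logging": systems_without_view_logging(events),
    }
```

On the sample batch, `jsmith` is flagged for viewing four different subscribers’ CDRs in two minutes (a single dispute case rarely needs that), `netops` on `msc01` is flagged because the same account appears from two hosts within a minute, and `dw` is flagged because its log contains updates but no views at all. The `unparsed` count matters in practice: a system whose lines silently fail to parse drops out of every check, which is exactly the uneven logging the assessments found.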
Mobile operators are characterized by a multitude of information types and systems, and by the complexity of implementing their business processes through these systems. Systems that handle critical information, combined with the time pressure of service provision and upgrades, lead to vulnerable security management schemas. Exploitation of these vulnerabilities may have significant business impact, including legal implications. Addressing them requires a deep understanding of the problem that takes into account the particular nature of the mobile operator’s environment. This understanding is a prerequisite for the interpretation and customization of the security controls defined by international security standards. This article analyzed four security management areas that, according to practical security assessments, were addressed inefficiently. The solutions proposed aim for an implementation of international standards optimized for the specific needs of mobile operators.
1 Wisely, D.; P. Eardley; L. Burness; IP for 3G—Networking Technologies for Mobile Communications, John Wiley & Sons, 2002
2 Schneier, B.; “Attack Trees,” Dr. Dobb’s Journal, vol. 24, no. 12, 1999, p. 21-29, www.ddj.com
3 The Honeynet Project, Know Your Enemy series, Learning About Security Threats, 2nd Edition, Addison-Wesley, 2004
4 3rd Generation Partnership Project, TS 21.133—3G Security, Security Threats and Requirements, 2004
5 Niemi, V.; K. Nyberg; UMTS Security, John Wiley & Sons, 2003
6 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (directive on privacy and electronic communications)
7 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot) Act of 2001
8 Whitehouse, O.; G. Murphy; Attacks and Counter Measures in 2.5G and 3G Cellular IP Networks, @stake press, 2004
9 Kotapati, K.; P. Liu; Y. Sun; T.F. LaPorta; “A Taxonomy of Cyber Attacks on 3G Networks,” presentation, IEEE International Conference on Intelligence and Security Informatics, 2005
10 Welch, D.; S. Lathrop; “Wireless Security Threat Taxonomy,” presentation, IEEE Workshop on Information Assurance, 2003
14 Ramachandran, J.; Designing Security Architecture Solutions, John Wiley & Sons, 2002
Christos Dimitriadis, Ph.D., CISA, CISM
is the technical manager of Expertnet SA and a researcher at the University of Piraeus, Greece, participating in European Union and national projects, including the security assessment of major mobile operators, banks and governmental authorities. Dimitriadis specializes in prevention, detection, response and IT security mechanisms. He has 31 publications in the field and is a founding member of the international Mobile-Government Study Group (MGSG). He has been invited by several organizations to provide lectures, including the International Telecommunication Union (ITU) and the National Institute of Standards and Technology (NIST). Other research interests include 3G and 4G security architectures, identity management, honeynets, and security protocol design and testing.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.