Source: tec.gov.in/pdf/Studypaper/white paper on security testing.pdf

WHITE PAPER ON

SECURITY TESTING IN TELECOM NETWORK

DATE OF RELEASE: 27th July 2012


Table of Contents

1. Introduction
2. Need for securing Telecom Networks
3. Security Assessment Techniques
4. Security Testing methodologies in Telecom Networks
   4.1 Telecom Equipment Testing
   4.2 Telecom Network Vulnerability Assessment
   4.3 Fuzz Testing
   4.4 Penetration Testing
5. Remedial actions
GLOSSARY
REFERENCES


Security Testing in Telecom Network

1. Introduction

Circuit-switched PSTN networks, traditionally under the sole control of the telecom operators, are less exposed to risk than packet-switched networks built on an open protocol such as IP. However, the growing demand for data and video services and the limitations of circuit-switched technology make it economically prohibitive for operators to expand their circuit-switched networks to meet that demand. This has led to a gradual move towards packet-based switching. The packet data services of the 2G and 3G mobile systems, namely GPRS, EDGE and HSPA, are likewise built on packet switching.

Fig. 1 Transition to NGN

The packet-based switching used in Next Generation Networks (NGN) is usually implemented with the IP protocol suite. IP was developed as an open standard and was not originally designed with security in mind. Weaknesses in IP and in the protocols layered on it have been exploited for a long time, so adopting an IP-based network brings those risks with it.

Both traditional circuit-switched networks and packet-based next generation networks are exposed to a range of threats and attacks, from external and internal sources alike, that target the various parts of the telecommunications network. An attack may be aimed at any part of the network, including the radio path of the access network, and an attack on one operator's network can spread to other networks over the interconnection interfaces.

2. Need for securing Telecom Networks

Telecommunication networks play a critical role in the economic growth of a country. This has led to government regulation of the telecom industry, including requirements for ensuring the security of telecom equipment and networks. Importing telecom equipment from countries antagonistic to a state's strategic interests may create security threats in the form of embedded logic bombs and malware.

The interconnection of the PSTN networks of fixed and mobile phone systems with the next generation network has increased the attack surface of telecom networks. The wide range of end-user devices that can now connect to these networks adds to their complexity and, with it, to the risks and vulnerabilities.

The consequences of not implementing adequate security measures against these threats can therefore be severe. Several international standards development organisations, including ITU, ISO/IEC, 3GPP, 3GPP2 and ETSI, have published standards applicable to telecom networks. Many countries also have legislation and regulations that telecom operators must comply with, which may require the adoption of specific security standards.

Telecom operators should therefore adopt a robust, managed security programme that protects their networks against malicious attacks, both external and internal, while ensuring compliance with the local regulatory environment. This requires a holistic approach to implementing security measures, based on globally accepted security standards and best practices.

3. Security Assessment Techniques

There are various security testing and examination techniques that can be used to assess the security posture of systems and networks. The most commonly used techniques can be grouped into the following three categories (the grouping used in NIST SP 800-115):

3.1 Review Techniques: These are examination techniques used to evaluate systems, applications, networks, policies and procedures to discover vulnerabilities. They are generally conducted manually and include documentation, log, ruleset and system configuration review; network sniffing; and file integrity checking.

3.2 Target Identification and Analysis Techniques: These testing techniques identify systems, ports, services and potential vulnerabilities. They may be performed manually but are generally performed with automated tools, and include network discovery, network port and service identification, vulnerability scanning, wireless scanning and application security examination.

3.3 Target Vulnerability Validation Techniques: These testing techniques confirm the existence of vulnerabilities. They may be performed manually or with automated tools, depending on the specific technique and the skill of the test team, and include password cracking, penetration testing, social engineering and application security testing.

Since no single technique can provide a complete picture of the security of a system or network, organisations should combine appropriate techniques to obtain a robust assessment. For example, penetration testing usually relies on network port/service identification and vulnerability scanning to identify the hosts and services that are candidate targets for exploitation.

4. Security Testing methodologies in Telecom Networks

Maintaining a consistent security posture across an organisation's network, in the face of the ever-changing nature of IT security, is a complex and time-consuming task. Periodic security testing plays a vital role in assessing and enhancing the security of networks.

Some of the security testing techniques that are most relevant to telecom networks are discussed below.

4.1 Telecom Equipment Testing

Telecommunication networks are likely to contain a heterogeneous mix of equipment from many suppliers. A credible, trusted third-party certification programme must be in place to identify and evaluate security weaknesses and vulnerabilities in the software, firmware and hardware of that equipment. Certification of supplier products against the Common Criteria (ISO/IEC 15408) provides this assurance at the component level, within limits: a certificate attests that the product met the security claims of its Security Target at the evaluated assurance level and in the evaluated configuration, and does not by itself show that the product is free of vulnerabilities outside that scope.

4.2 Telecom Network Vulnerability Assessment

With a large number of vulnerabilities, and a growing number of attacks exploiting them, being reported across technology platforms, it is difficult to ensure that the critical elements of a telecommunications network are not exposed to these attacks. Vulnerability scanners give system and network administrators proactive tools that can be used to:

- identify vulnerabilities in operating systems and applications;
- report and assess each vulnerability and its overall consequences;
- recommend remediation strategies; and
- test compliance with organisational security policies by auditing system configurations.

Vulnerability scanners are of two types: network-based scanners and host-based scanners. Network-based scanners are used primarily to map an organisation's network and to identify open ports and the vulnerabilities associated with the services behind them. In most cases these scanners are not limited by the operating system of the targeted systems; a scanner installed on a single system on the network can quickly locate and test numerous hosts. Host-based scanners have to be installed on each host to be tested and are used primarily to identify misconfigurations and vulnerabilities in that host's operating system and applications.

Fig. 2 Network based vulnerability scanner

Host-based scanners usually require not only local access to the host but also a "root" or administrative account; it is this privileged local view that lets them detect vulnerabilities in greater detail than network-based scanners can. Some host-based scanners can also repair misconfigurations.

It is very important to organise, express and measure security-related information in standardised ways.

Recommendation ITU-T X.1520 defines the use of Common Vulnerabilities and Exposures (CVE), which provides a common nomenclature for publicly known problems in the commercial or open source software used in communications networks, end-user devices and so on. CVE does not contain information such as risk, impact, fix information or detailed technical information. A CVE entry contains only the standard identifier with a status indicator, a brief description, and references to related vulnerability reports and advisories. The repository of CVE Identifiers is available at cve.mitre.org.

Recommendation ITU-T X.1524 defines the use of the Common Weakness Enumeration (CWE), which provides a common nomenclature for exchanging information about weaknesses in software, as found in source code and in deployed systems. Unlike CVE, CWE also offers supporting context about possible risks, impacts and fix information, and detailed technical information about what a software weakness could mean for a software system. The CWE dictionary is available at cwe.mitre.org.

Recommendation ITU-T X.1521 provides the Common Vulnerability Scoring System (CVSS) as a standardised approach for communicating the characteristics and impacts of ICT vulnerabilities. It uses base, temporal and environmental metric groups; the temporal and environmental metrics apply contextual information so that the score more accurately reflects the risk to each user's own environment. Many organisations use CVSS internally to make informed vulnerability management decisions: they first locate host and application vulnerabilities with scanners or monitoring tools, then combine that data with CVSS base, temporal and environmental scores to obtain contextual risk information, and remediate first those vulnerabilities that pose the greatest risk to their systems.

4.3 Fuzz Testing

While vulnerability assessment helps identify and mitigate known vulnerabilities, it cannot protect against the exploitation of unknown vulnerabilities, which are likely in networks as complex as telecom networks. A methodology now being used to address unknown vulnerabilities is fuzz testing: a form of attack simulation in which abnormal or malformed inputs are fed to an implementation to trigger faults such as crashes, hangs or resource exhaustion, which are then investigated as potential vulnerabilities. One approach is model-based fuzzing, which uses the protocol specification to generate test cases targeted at the protocol areas most susceptible to vulnerabilities. Another approach, traffic-capture fuzzing, uses captured traffic as the template from which the fuzzed messages are derived.
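Both approaches, as an added example that is not part of the white paper: a model-based fuzzer that mutates individual fields of a SIP INVITE according to what RFC 3261 says each field should contain, and a capture-based fuzzer that mutates the bytes of a captured message. The target is a toy SIP request parser constructed for this example (it is not code from any real product, and its defects are deliberate illustrations of unchecked assumptions); the "captured" INVITE is built from the RFC 3261 example addresses rather than taken from a real pcap. Anything the parser raises other than its own ParseError counts as a finding, which is the usual crash oracle in a fuzzing harness.

```python
"""Model-based and capture-based fuzzing of a toy SIP request parser.

Added example, not from the TEC white paper. The parser, the message template
and the mutation strategies are constructed for this illustration."""
import random


class ParseError(Exception):
    """Rejection the parser intends; counted as handled input, not as a finding."""


def parse_sip_request(data):
    """Toy SIP request parser used as the fuzz target. Constructed for this
    example: it checks some things explicitly and carries three unchecked
    assumptions of the kind fuzzing is meant to expose."""
    text = data.decode("utf-8", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)      # assumes 3 tokens: ValueError otherwise
    if version != "SIP/2.0":
        raise ParseError("unsupported version")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ParseError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    if "via" not in headers:
        raise ParseError("missing Via header")
    branch = headers["via"].split(";branch=")[1]        # assumes branch present: IndexError otherwise
    length = int(headers.get("content-length", "0"))   # assumes a decimal integer: ValueError otherwise
    if length != len(body):
        raise ParseError("Content-Length does not match body")
    return {"method": method, "uri": uri, "branch": branch, "body_len": length}


# Field model of an INVITE (RFC 3261 example addresses; constructed, not captured).
TEMPLATE = {
    "method": "INVITE",
    "uri": "sip:bob@example.com",
    "via": "SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    "from": "<sip:alice@example.com>;tag=1928301774",
    "to": "<sip:bob@example.com>",
    "call_id": "a84b4c76e66710",
    "cseq": "314159 INVITE",
    "content_length": "0",
}


def build_request(f, body=b""):
    head = (f"{f['method']} {f['uri']} SIP/2.0\r\n"
            f"Via: {f['via']}\r\nFrom: {f['from']}\r\nTo: {f['to']}\r\n"
            f"Call-ID: {f['call_id']}\r\nCSeq: {f['cseq']}\r\n"
            f"Content-Length: {f['content_length']}\r\n\r\n")
    return head.encode() + body


# Model-based mutations: generic ones for every field, plus spec-driven ones
# (RFC 3261 requires a branch parameter on Via; Content-Length must be a number).
FIELD_MUTATIONS = {
    "*": [lambda v: "", lambda v: v * 2000, lambda v: v + "%s%n%x", lambda v: v + "\x00" + v],
    "via": [lambda v: v.split(";branch=")[0]],
    "content_length": [lambda v: "-1", lambda v: "99999999999999999999", lambda v: "abc", lambda v: "1e3"],
}


def model_based_cases():
    """One case per (field, mutation); everything else stays valid so a fault
    can be attributed to the mutated field."""
    for field in TEMPLATE:
        for mutate in FIELD_MUTATIONS["*"] + FIELD_MUTATIONS.get(field, []):
            fields = dict(TEMPLATE)
            fields[field] = mutate(fields[field])
            yield f"model:{field}", build_request(fields)


CAPTURED_INVITE = build_request(TEMPLATE)   # stands in for a message extracted from a pcap


def capture_based_cases(seed=1, count=400):
    """Byte-level mutations of the captured message; the RNG is seeded so that a
    case number alone is enough to reproduce a finding."""
    rng = random.Random(seed)
    for i in range(count):
        buf = bytearray(CAPTURED_INVITE)
        for _ in range(rng.randint(1, 4)):
            pos = rng.randrange(len(buf))
            op = rng.choice(("flip", "insert", "delete", "repeat"))
            if op == "flip":
                buf[pos] = rng.randrange(256)
            elif op == "insert":
                buf.insert(pos, rng.randrange(256))
            elif op == "delete" and len(buf) > 1:
                del buf[pos]
            else:                                       # duplicate a chunk: exercises length handling
                buf[pos:pos] = buf[pos:pos + 32]
        yield f"capture:{i}", bytes(buf)


def fuzz(cases):
    """Run the cases; any exception other than ParseError is a finding.
    Returns {exception type name: (case id, input)} with the first reproducer per type."""
    findings = {}
    for case_id, data in cases:
        try:
            parse_sip_request(data)
        except ParseError:
            continue
        except Exception as exc:                       # crash oracle
            findings.setdefault(type(exc).__name__, (case_id, data))
    return findings


def reproduces(finding_type, data):
    """Replay a saved input and confirm the same fault class recurs."""
    try:
        parse_sip_request(data)
    except ParseError:
        return False
    except Exception as exc:
        return type(exc).__name__ == finding_type
    return False


if __name__ == "__main__":
    for name, gen in (("model-based", model_based_cases()), ("capture-based", capture_based_cases())):
        for fault, (case_id, data) in fuzz(gen).items():
            print(f"{name}: {fault} first triggered by {case_id}: {data[:60]!r}...")
```

The model-based cases are few and deterministic, so every run reports the same reproducers (the empty and branch-less Via trigger the IndexError, the non-numeric Content-Length values the ValueError); the capture-based cases depend only on the seed, so a case number is enough to reproduce a finding. Against a real network element the parser call would be replaced by sending the case over UDP or TCP, with a liveness probe (for example an OPTIONS request with a short timeout) serving as the crash oracle.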

4.4 Penetration Testing

The purpose of penetration testing is to identify ways of gaining access to a system using the tools and techniques that attackers commonly use. It supplements vulnerability assessment by taking "the last step": actually exploiting the identified vulnerabilities to compromise and gain access to the target systems. A penetration test can be designed to simulate an inside and/or an outside attack.

Security testing specialists attempt to infiltrate the client's network, systems and applications using not only common tools and techniques but also specialised tools and unexpected methods, such as combined ("multi-vector") attacks. The result is a detailed report identifying the key vulnerabilities and suggested protective measures: an action plan for improving the organisation's security posture.

Two types of penetration test are commonly referred to as Blue Teaming and Red Teaming (the terminology of NIST SP 800-42; in current usage "blue team" more often denotes the defending staff). Blue Teaming is a penetration test performed with the knowledge and consent of the organisation's IT staff. Red Teaming is a penetration test performed without the knowledge of the IT staff but with the full knowledge and permission of upper management. A Red Team test is useful for testing not only network security but also the IT staff's response to perceived security incidents and their knowledge and implementation of the organisation's security policy. Red Teaming may be conducted with or without warning.

Penetration testing is important for determining how vulnerable an organisation's network is and how much damage could result if the network were compromised. Because of its high cost and potential impact on production systems, annual penetration testing may be sufficient, supplemented by retesting after major changes to the network. The results should be taken very seriously and the discovered vulnerabilities mitigated. As soon as they are available, the results should be presented to the organisation's managers.

Corrective measures can include closing the discovered and exploited vulnerabilities, modifying the organisation's security policies, creating procedures to improve security practices, and conducting security awareness training so that personnel understand the implications of poor system configurations and poor security practices.

5. Remedial actions

While identifying and categorising vulnerabilities is important, a security test is far more valuable if it also results in a mitigation strategy being developed and implemented. This requires translating the test findings into remedial actions. A suitable approach is as follows: mitigation recommendations are developed from the analysis of the findings, these recommendations are presented as a report to the appropriate authorities, and finally the mitigation activities are carried out.

5.1 Mitigation Recommendations

After completion of all the testing activities, the final conclusions and mitigation recommendations are developed. There may be both technical recommendations (e.g. applying a particular patch) and non-technical recommendations that address the organisation's processes. Examples of mitigation actions include policy, process and procedure modifications; security architecture changes; deployment of new security technologies; and deployment of OS and application patches.

5.2 Reporting

Upon completion of the analysis, a report should be generated that identifies system, network and organisational vulnerabilities and their recommended mitigation actions. This report should be documented and made available to the appropriate staff, which may include the CIO, CISO and ISSO as well as the appropriate programme managers or system owners. Because a report may have multiple audiences, multiple report formats may be required to ensure that all of them are appropriately addressed.

5.3 Remediation / Mitigation

When implementing remediation, organisations should follow at least the four steps outlined below.

i. Before implementing technical modifications to a production asset, test them on systems in an environment that replicates the network in which the mitigation would be applied. For example, before installing a patch on an operational system, install it on a similar system in the test environment to check for negative side effects. Such testing significantly reduces, but does not eliminate, the risk of a system reacting adversely to a technical modification.

ii. Changes, and their impact on existing systems, networks, policies or processes, should be communicated to the appropriate authorities before any remedial action is executed. At a minimum, the programme manager or system owner should be contacted beforehand and should approve the planned mitigation actions before they are implemented.

iii. Implementation of the mitigation strategies should be verified by auditing the system. The audit can be conducted by on-site security personnel or by an external security test team.

iv. The status of mitigation activities should be tracked continuously: which have been accomplished, which are partially accomplished, and which are pending action by another individual or system.


GLOSSARY

IP    Internet Protocol
PSTN  Public Switched Telephone Network
GPRS  General Packet Radio Service
EDGE  Enhanced Data rates for GSM Evolution
HSPA  High Speed Packet Access
ITU   International Telecommunication Union
ISO   International Organization for Standardization
IEC   International Electrotechnical Commission
3GPP  Third Generation Partnership Project
ETSI  European Telecommunications Standards Institute
CIO   Chief Information Officer
CISO  Chief Information Security Officer

REFERENCES

i. NIST Special Publication 800-37
ii. NIST Special Publication 800-42
iii. NIST Special Publication 800-115
iv. Security in Telecommunications and Information Technology: An overview of issues and the deployment of existing ITU-T Recommendations for secure telecommunications, ITU-T, June 2006
v. Unknown Vulnerability Management for Telecommunications, Anna-Maija Juuso and Ari Takanen, Codenomicon, February 2011
vi. White paper on "Cyber security for virtual and cloud environments", Spirent
