
"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin

  1. Preventing loss of personal data on a Mobile Network
     23.09.2017 / Oleksii Lukin / Head of Information Security SubDepartment / Public
  2. Introduction
     • Lukin Oleksii – Head of Information Security SubDepartment
     • Scope
       – Presentation focused on technical attacks on a Mobile network and its supporting infrastructure
       – Does not look specifically at employee internal risks or social engineering attacks, both of which constitute significant risks for any organisation
  3. Agenda
     1. Definition of personal data in a mobile network
     2. Mobile Network attacks & controls
     3. BSS & Corporate Network attacks & controls
     4. Key Message
  4. Definition of personal data in a mobile network
     Generated by the Mobile Network & Corporate systems (dynamic / event data):
     • Customer
       – Location data (cell site, country)
       – Usage records created for billing
       – Call, SMS, MMS details (not content)
       – Data usage
     • Corporate
       – Email
       – Web browsing
     Generated by business processes (static data):
     • Customer
       – Account type (e.g. pre- or post-paid, residential or business)
       – Name of customer
       – Billing address
       – Payment details
     • Employee
       – Name
       – Contact details
       – Salary
     Both kinds of data are processed and stored on Network & IT systems.
  5. Mobile Network Attacks – External
     [Diagram: the Mobile Network and its external interfaces]
     • GRX Network (used for roaming data traffic)
     • Internet (used for data traffic)
     • SS7/Diameter (used for roaming & interconnect signalling)
     • Radio Access Network
     • All areas of a Mobile Network are under constant academic study for new vulnerabilities that impact customer privacy
  6. Mobile Network Attacks – External Signalling
     Risks
     • SS7 (2G-3G)
       – Known attacks on the SS7 signalling network
       – Abuse of the MAP signalling protocol
       – Take advantage of external links to roaming partners
       – Used for location tracking and call/SMS interception
       – DoS on an individual customer or on the network
     • Diameter (4G)
       – New protocol replacing SS7 in LTE networks
       – Attacks similar to SS7
       – Difficult to trace origination, as Diameter uses hop-by-hop routing
     • GRX traffic
       – GTP protocol hacking
       – DNS attacks
       – Remote call control
       – DoS
     Controls
     • SS7
       – Signalling firewall blocking all unauthorised MAP signalling traffic
       – GSMA standardised controls
       – Monitoring for abuse (SIEM)
     • Diameter
       – Signalling firewall
       – GSMA standardised controls
       – Implementation of a Diameter Routing Agent / Diameter Edge Agent
       – IPsec on the external connection with the IPX provider
       – Monitoring for abuse (SIEM)
     • GRX (called IPX in 4G)
       – GTP protocol aware border firewall
       – DNS hardening
       – White lists of valid roaming partners
       – Use of a GRX/IPX hub provider
       – Monitoring for abuse (SIEM)
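As an added example (not part of the slide deck), the following Python script shows how two of the signalling controls listed above combine in a simple policy check: a white list of valid roaming partners (SS7 calling Global Title prefixes and Diameter Origin-Realm values) and a signalling-firewall rule that blocks MAP operations which should never arrive over an interconnect. The partner identifiers, the home PLMN prefix, the log line format and the MAP operation classification are all constructed assumptions for illustration; the classification is only loosely in the spirit of the GSMA category approach the slide refers to and is not a GSMA table.

```python
"""Illustrative signalling-firewall policy check (added example, not from the slides).

Applies two slide controls to constructed signalling events:
  * a white list of valid roaming partners, and
  * blocking of MAP operations that must never arrive from an interconnect
    partner, using a simplified, assumed operation classification.
"""
from dataclasses import dataclass

# Constructed allow list of roaming partners (hypothetical identifiers).
# SS7: E.164 Global Title prefixes of partner nodes.
# Diameter: Origin-Realm values of partner networks.
PARTNER_GT_PREFIXES = ("4479", "33612")
PARTNER_REALMS = ("epc.mnc001.mcc234.3gppnetwork.org",
                  "epc.mnc010.mcc208.3gppnetwork.org")

# Simplified MAP operation classes (assumption, for illustration only):
#   "internal_only" - never legitimate from an external interconnect; block outright
#   "home_only"     - only legitimate for our own subscribers roaming on the partner network
#   "plausibility"  - legitimate interconnect traffic that still needs further checks
MAP_POLICY = {
    "anyTimeInterrogation": "internal_only",
    "sendIMSI": "internal_only",
    "provideSubscriberInfo": "internal_only",
    "insertSubscriberData": "home_only",
    "cancelLocation": "home_only",
    "updateLocation": "plausibility",
    "sendRoutingInfoForSM": "plausibility",
}

OUR_IMSI_PREFIX = "23499"   # constructed home PLMN (MCC+MNC) for "own subscriber" checks


@dataclass
class SignallingEvent:
    protocol: str          # "SS7" or "Diameter"
    source: str            # calling GT (SS7) or Origin-Realm (Diameter)
    operation: str         # MAP operation name or Diameter command name
    imsi: str = ""         # target subscriber, if present


def partner_is_known(ev):
    """White list check: is the sending party a configured roaming partner?"""
    if ev.protocol == "SS7":
        return ev.source.startswith(PARTNER_GT_PREFIXES)
    if ev.protocol == "Diameter":
        return ev.source in PARTNER_REALMS
    return False


def decide(ev):
    """Return (verdict, reason); verdict is 'allow', 'block' or 'review'."""
    if not partner_is_known(ev):
        return "block", "source not on roaming partner white list"
    if ev.protocol == "Diameter":
        # A DRA/DEA would apply further Diameter-specific checks here.
        return "allow", "known partner realm"
    policy = MAP_POLICY.get(ev.operation, "plausibility")
    if policy == "internal_only":
        return "block", f"{ev.operation} must not arrive from an interconnect"
    if policy == "home_only" and not ev.imsi.startswith(OUR_IMSI_PREFIX):
        return "block", f"{ev.operation} for a non-home subscriber"
    if policy == "plausibility":
        return "review", f"{ev.operation} requires plausibility check (e.g. velocity)"
    return "allow", "permitted partner operation"


def parse_event(line):
    """Parse one constructed log line of the form 'proto|source|operation|imsi'."""
    proto, source, op, imsi = (line.split("|") + [""])[:4]
    return SignallingEvent(proto, source, op, imsi)


def evaluate(lines):
    """Run the policy over log lines; returns (protocol, operation, verdict, reason) tuples."""
    return [(ev.protocol, ev.operation, *decide(ev)) for ev in map(parse_event, lines)]


# Constructed sample events (not real traffic).
SAMPLE_LOG = [
    "SS7|447900001234|sendRoutingInfoForSM|234990000000001",
    "SS7|447900001234|anyTimeInterrogation|234990000000001",
    "SS7|99100007777|updateLocation|234990000000002",
    "SS7|336120005555|insertSubscriberData|234990000000003",
    "SS7|336120005555|insertSubscriberData|310410000000009",
    "Diameter|epc.mnc001.mcc234.3gppnetwork.org|Update-Location-Request|",
    "Diameter|epc.mnc999.mcc999.3gppnetwork.org|Update-Location-Request|",
]

if __name__ == "__main__":
    for proto, op, verdict, reason in evaluate(SAMPLE_LOG):
        print(f"{verdict:6} {proto:8} {op:24} {reason}")
```

The "review" verdict is where the SIEM monitoring the slide mentions would take over: messages that are legitimate on their face but need correlation (for example, an updateLocation arriving too soon after one from a distant partner) are better handled by monitoring than by a hard block at the firewall.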
  7. Mobile Network Attacks – Radio Access Network
     Risks
     • 2G/2.5G
       – Risks well known
       – Man in the middle (IMSI catcher) for accurate location and call/SMS interception
       – Weaknesses in the GPRS protocol
       – Weakness in over-the-air encryption keys
     • 3G
       – Limited location attacks
     • 4G
       – Standard IP backhaul network open to eavesdropping on customer traffic
     Controls
     • 2G/2.5G
       – Implementation of the latest GSMA encryption algorithms
       – Configuration of authentication and over-the-air encryption parameters
       – Customer applications that can detect MITM attacks
     • 3G
       – Standard has improved encryption and network mutual authentication
       – Configuration of authentication and over-the-air encryption
     • 4G
       – Use of IPsec to protect the backhaul network
       – Standard has improved encryption and over-the-air authentication
  8. Mobile Network Attacks – Internet
     Risks
     • Same standardised Internet access for all radio technologies, e.g. 2.5G/3G/4G
     • DoS
       – Customer
       – Network elements
     • DNS
       – DoS
       – Poisoning
     • Products & Services (web)
       – DoS, hacking & scripting attacks on: Customer Portal; Self service; Products (e.g. child location tracking)
     Controls
     • Border firewall
     • DoS protection
     • NAT
     • Hardened DNS
     • Web services
       – WAF
       – Code review & testing
       – Internal vulnerability scanning
     • External vulnerability scanning
     • Monitoring for abuse (SIEM)
  9. Mobile Network Attacks – Internal
     Risks
     • Network & Service Delivery Elements
       – Unauthorised access to customer information
       – Ability to change customer service profile
     • Note: each network element or service delivery platform has differing risks and may or may not contain meaningful customer information, e.g. GSM uses a temporary identity (T-IMSI) on some network elements to hide the customer's true IMSI
     Controls
     • Internal firewall between domains
     • Strong access control policy
     • Security patch management
     • Security testing
     • Internal vulnerability scanning
     • Monitoring for abuse (SIEM)
  10. Business Support System (BSS) & Corporate Network
     [Diagram: Mobile Network, BSS & Corporate, Internet (email, Corporate Internet) and Remote Vendor Support, with the BSS & Corporate domain in the middle]
     • Mobile network generated event data is stored and processed in the BSS environment
     • There is segmentation between corporate users and BSS platforms
  11. BSS & Corporate Network Attacks – External
     Risks
     • Corporate Email
       – Phishing
       – Malware & virus
       – SPAM
       – DoS
     • Corporate Internet
       – DoS
       – Malware & virus
       – Hacking
       – Fake sites
       – Internal DNS
     • Unprotected vendor access
       – Unauthorised access to Network and IT systems
     Controls
     • Border firewall
       – DoS protection
     • Hardened DNS
     • External vulnerability scanning
     • Anti-virus and malware protection
     • Security patching
     • Data Loss Protection
       – Protects against internal fraud/abuse of customer information
     • VPN, VDI, strong authentication for vendor access
     • Monitoring for abuse (SIEM)
  12. BSS & Corporate Network Attacks – Internal
     Risks
     • Billing & Charging Platforms
       – Loss or corruption of charging event data
       – Unauthorised access to customer information
     • Customer Care
       – Unauthorised access to customer information
       – Unauthorised changes (fraud)
     • Data Warehouse & Reporting Systems
       – Unauthorised access to customer information
     • HR Systems
       – Access to personal employee information
     • Network Support Systems
       – Ability to monitor customer activity
       – Unauthorised changes to a customer's service
     Controls
     • Border firewall
       – DoS protection
     • Hardened DNS
     • External vulnerability scanning
     • Anti-virus and malware protection
     • Security patching
     • Data Loss Protection
       – Protects against internal fraud/abuse of customer & corporate information
     • Strong access control policy
     • VPN, VDI & strong authentication for vendor access
     • Monitoring for abuse (SIEM)
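As an added example (not from the slide deck), the following Python script shows what "monitoring for abuse (SIEM)" can look like for the Customer Care risks listed above: it runs three detections over constructed customer-care access log lines, flagging lookups with no linked care ticket, reads or changes outside what a role is entitled to (the "strong access control policy" control), and bulk lookups of many distinct customers by one user in a short window. The log format, role names, entitlements, thresholds and all sample records are assumptions chosen for illustration.

```python
"""Added example: SIEM-style abuse detection over constructed customer-care access logs.

The log format, roles, entitlements and thresholds below are assumptions, not the
conventions of any real product. Three detections are applied:
  1. access to customer data with no linked care ticket,
  2. access outside the role's entitlement (sensitive field read, or a change by
     a read-only role), and
  3. bulk lookups: many distinct customers by one user inside a sliding window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed role entitlements: fields a role may read, and whether it may change a profile.
ROLE_READ = {
    "care_agent": {"name", "address", "account_type", "usage_summary"},
    "billing": {"name", "address", "account_type", "payment_details", "usage_summary"},
}
ROLE_WRITE = {"care_agent": False, "billing": True}

BULK_THRESHOLD = 5                    # distinct customers looked up by one user ...
BULK_WINDOW = timedelta(minutes=10)   # ... within this sliding window


def parse_line(line):
    """Parse a constructed line: '<iso-timestamp> key=value key=value ...'."""
    ts, *kv = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for item in kv:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def detect(lines):
    """Return a list of (timestamp, user, alert_kind, detail) tuples."""
    alerts = []
    recent = defaultdict(deque)   # user -> (timestamp, customer) of recent lookups
    bulk_fired = set()            # users already alerted for bulk lookups
    for rec in map(parse_line, lines):
        user, role, action = rec["user"], rec["role"], rec["action"]
        field = rec.get("field", "")
        customer = rec["customer"]

        # 1. Every read or change of customer data must reference a care ticket (assumed policy).
        if rec.get("ticket", "") in ("", "-"):
            alerts.append((rec["ts"], user, "no_ticket", customer))

        # 2. Role entitlement: a field outside the role's read set, or a write by a read-only role.
        if action == "read" and field not in ROLE_READ.get(role, set()):
            alerts.append((rec["ts"], user, "field_not_entitled", field))
        if action == "change" and not ROLE_WRITE.get(role, False):
            alerts.append((rec["ts"], user, "write_not_entitled", customer))

        # 3. Bulk lookups: count distinct customers per user inside the sliding window.
        window = recent[user]
        window.append((rec["ts"], customer))
        while window and rec["ts"] - window[0][0] > BULK_WINDOW:
            window.popleft()
        distinct = {c for _, c in window}
        if len(distinct) >= BULK_THRESHOLD and user not in bulk_fired:
            bulk_fired.add(user)
            alerts.append((rec["ts"], user, "bulk_lookup",
                           f"{len(distinct)} customers within {BULK_WINDOW}"))
    return alerts


# Constructed sample log (not real data): agent01 reads a field beyond its role and
# later attempts a change; agent02 walks through five customers with no ticket.
SAMPLE_LOG = [
    "2017-09-23T10:00:00 user=agent01 role=care_agent action=read customer=C1001 field=name ticket=T55",
    "2017-09-23T10:01:00 user=agent01 role=care_agent action=read customer=C1001 field=payment_details ticket=T55",
    "2017-09-23T10:02:00 user=agent02 role=care_agent action=read customer=C2001 field=address ticket=-",
    "2017-09-23T10:03:00 user=agent02 role=care_agent action=read customer=C2002 field=address ticket=-",
    "2017-09-23T10:04:00 user=agent02 role=care_agent action=read customer=C2003 field=address ticket=-",
    "2017-09-23T10:05:00 user=agent02 role=care_agent action=read customer=C2004 field=address ticket=-",
    "2017-09-23T10:06:00 user=agent02 role=care_agent action=read customer=C2005 field=address ticket=-",
    "2017-09-23T10:07:00 user=agent01 role=care_agent action=change customer=C1001 field=account_type ticket=T55",
    "2017-09-23T10:08:00 user=bill01 role=billing action=change customer=C1001 field=account_type ticket=T56",
]

if __name__ == "__main__":
    for ts, user, kind, detail in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user:8} {kind:20} {detail}")
```

The ticket check is the one most worth keeping even where thresholds are tuned away: linking every customer record access to a care interaction turns "unauthorised access to customer information" from a statistical signal into a policy violation that can be reviewed case by case.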
  13. Key Message
     • Personal data is created and stored across the Mobile, BSS and Corporate networks
     • Some areas of risk are harder to manage as they are reliant on
       – Technology standardisation
       – People
     • Security should always be applied in layers with good basic principles
     • Initial security assessment with continual testing and review
     • 24x7 monitoring using a SOC (SIEM)
     • Effective incident response process
     Managing the risks to personal data is a continuous process as technology and the skills of the attacker evolve.
