This document discusses information security risks and implementation on an IP/MPLS network. It outlines the tension between business needs and security risks, and key principles of information security including confidentiality, integrity and availability. It recommends a people-process-technology approach and risk-based information security management system following ISO 27001 and 27002 best practices. Various security threats to telecommunications networks are analyzed and addressed through encryption, firewalls, intrusion detection systems and network hardening. The conclusion emphasizes building a robust security governance structure, adopting a risk-based approach, following good practices, managing both technical and non-technical controls, and promoting security awareness.

1. © 2012 Fluor Corporation. All Rights Reserved.
A Case Study on Information Security and Cyber
Risks Implementation on an IP/MPLS Network
Gabriel Ozique & Peter Crumpton

2. Tension between Business Drivers and Information
Security Risks
Managing Security is a balancing act between providing versatile solutions
to support business objectives while reducing security risks
•DLP-Focused Visual
Outsourced Workers
Insiders Trusted Employees
Third Party Workers
Competitors
Cyber Criminals
Phishers
Cloud Computing
Mass Storage
Online Services
ISO27001 Certification
Confidential
Information
Intellectual Property
Trade Secrets
Source Code
Customer Data
Personal Data
Product Information
ProposalsDesigns
Extended
Business Models
Bring Your Own
Mobile Devices
Advanced
Persistent Threats
(APT)Increase in Web
Based Services
Privacy & Cyber Security Laws
Increase in
Customer
Requirements
Increase in User-
Dependent Risks
Network Storage
Move towards Trust &
Verify Security model
Customer Security Audits
Expanded Contractual Requirements
Business
Demands for
Simplification
Continued Cost
Pressures

3. Key Principles of Information Security
Confidentiality
Integrity
Availability
Ensuring that information is accessible only to
those authorised to have access
Ensuring that authorised users have access to
information and associated assets when
required
Safeguarding the accuracy and completeness of
information and processing methods

4. People-Process-Technology Combined Approach

5. Risk Based Approach for the ISMS
Threats Assets
YIELD
Security Controls
and Policies
None or minimal security
policies/controls allow
vulnerabilities to be exploited
Partial security
controls/policies
have limited effect
Holistic security policies/
controls provide a
robust approach

6. Information Security Framework (ISMS/ CAS-T)
Implementation
Plan
 ISMS is established and scoped
 Risks are analysed – Using HMG IA Standard No. 1 Technical
Risk Assessment (IS1)
 Risk treatment plan developed
 Applicable controls (countermeasures) are identified
 Availability Performance must be analysed and documented
Do
 Gap Analysis – including penetration testing
 Fix programme
Act
 Remedial Programme – Ongoing process of
continual improvement, corrective and preventive
action
Check
IL2 audit
 Preparation – Stage 1 - Check the
completeness of the ISMS
 Implementation – Stage 2 - Further inspect
documentation and undertake interviews
Continuous
Process

7. ISO 27002: 2005 - Code of practice for information
security management
Information security management best practice (12 information security controls and control objectives)
Risk Assessment & Treatment Security Policy
Organisational of Security Policy Asset Management
Human Resource Security Physical & Environmental Security
Communications & Operations Security Access Control
Information systems acquisition, development &
maintenance
Incident Management
Business continuity management Compliance

8. ISO 27001 2013 Update
 New ISO 27001 Structure – additional ‘working clauses’
 Less prescriptive – organisations can implement
requirements to suit
 Top Management Leadership – needs to be more
demonstrable & active
 Objectives, Monitoring/Metrics – greater emphasis
 Terminology Changes – information security policy replaces
ISMS policy
 ISO 27002 133 controls reduced to 114 controls –
merges, deletions/additions & more guidance

9. ITU-T X.805 Security Model
end user security
control/signalling security
management security
INFRASTRUCTURE
SECURITY
SERVICES
SECURITY
APPLICATIONS
SECURITY
THREATS
&
ATTACKS
(Developed by Bell Labs)

10. ITU-T X.800 Threat Model
1. DESTRUCTION
destruction of information and/or network resources
2. CORRUPTION
unauthorized tampering with an asset
3. REMOVAL
theft, removal or loss of information and/or other resources
4. DISCLOSURE
unauthorized access to an asset
5. INTERRUPTION
interruption of services, network becomes unavailable or
unusable
x?
?
x

11. How the Security Dimensions Map to the Security
Threats
SECURITY DIMENSION
DESTRUCTION CORRUPTION REMOVAL DISCLOSURE INTERRUPTION
ACCESS CONTROL ✔ ✔ ✔ ✔
AUTHENTICATION ✔ ✔
NON-REPUDIATION ✔ ✔ ✔ ✔ ✔
DATA
CONFIDENTIALITY
✔ ✔
COMMUNICATION
SECURITY
✔ ✔
DATA INTEGRITY ✔ ✔
AVAILABILITY ✔ ✔
PRIVACY ✔

12. Addressing Security Threats
THREAT RESPONSE ENCRYPTION IDS/ IPS FIREWALL SYSTEM
HARDENING
Network data interception - man-in-the-middle attack ✔ ✔ ✔
Intruder gains control of roadside camera ✔ ✔ ✔
Disgruntled employee or subcontractor with malicious intent ✔ ✔ ✔
Intruder bypasses physical security and gets into transmission station ✔ ✔ ✔ ✔
Gain access to control network through corporate network ✔ ✔ ✔
Malware introduction ✔ ✔ ✔
Access protected data ✔ ✔ ✔
Remote –access-based attacks ✔ ✔ ✔
DDoS attacks from the internet ✔ ✔ ✔

13. Telecoms Network & Attack Vectors
IP/MPLS network
internet
PABX
NOC
SCADA
IP/MPLS
network
management
(5620 SAM)
LAN
CCTV
TPR
telephone
TRANSMISSION CENTRE
database
CCTV
REGIONAL CONTROL CENTRE
router
telephone
TRANSMISSION CENTRE Attack vector

14. Example Security Threats to Telecom Networks
• safety failures
• equipment failures
• carelessness
• misconfigurations
• natural disasters
• Hardware redundancy
• IP/MPLS resiliency
FRR, primary/secondary LSP, multi-chassis
LAG/APS, G.8032…
• traffic management (QoS)
• priority / separation
• …
INADVERTENT THREATS
• disgruntled employees
• industrial espionage
• vandalism/terrorism
• viruses, worms, malware
• theft
• DDoS
DELIBERATE THREATS
• Access Control Lists (ACL)
• router login access control
• firewall
• encryption
• Intrusion Detection Service (IDS)
• …

15. Secured Network
IP/MPLS network
internet PABX
NOC
SCADA
IP/MPLS
network
management
(5620 SAM)
LAN
CCTV
TPR
telephone
TRANSMISSION CENTRE
databaseIDS
firewall
IDS
encryption
NAT
System
Hardening
CCTV
REGIONAL CONTROL CENTRE
TRANSMISSION CENTRE

16. Conclusions
 Build a robust information security governance structure.
 Adopt a risk-based approach to information security - always consider
information security at the start to minimise future rework costs.
Follow good information security practice.
Assure the effective management of technical and non technical security
controls.
Promote security awareness – the human element is the always the most
significant threat!

17. 17
Any Questions?