💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › CHN › chn-0005.txt captured on 2022-06-12 at 10:39:07.
-=-=-=-=-=-=-
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
* (CHN) Connecticut Hacker Newsgroup (CHN) *
= CHN News File #5 =
* an I.I.R.G. affiliate *
= -=>Present<=- =
* Planning of Telecom Security *
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
PLANNING AND IMPLEMENTATION OF TELCOM SECURITY
By Paul A. Berth
(Paul A. Berth is a commercial sales and marketing manager
for AT&T Secure Communications Systems.)
Implementing a telecommunications security plan is a major project for any
corporation. The stakes are significant.
It requires a high degree of cooperation among the security, telecom and
information systems staffs as well as end users.
It involves complex technology, much of it new and unfamiliar, as well as
significant capital investment.
The project also may require management and political skill for more than
interdepartmental coordination. The need for telecommunications security has
limited acceptance in most companies. Even among managers who recognize the
need, it may not receive a high priority, except in case of an emergency.
A lack of cooperation can result in delays in getting information and
resources, extending your project cycle and ultimately raising the cost.
One factor on your side is need. The volume of information communicated over
telephone, fax and low-speed data lines daily is high for virtually any
company. Not everyone in a company typically requires a secure line, but the
need exists wherever you transmit proprietary, confidential or sensitive
information.
The first step is to assemble a team representing all constituencies involved.
Telecommunications typically involves responsibilities shared by the telecom
and IS departments. End-users need to be represented as well. The corporate
security staff must be involved, even if its role in a particular company has
been traditionally oriented toward physical security. The security aspects of
all information systems are increasingly critical; if your security staff
isn't already involved with them, telecom security is an excellent place to
start.
The nature of the issue, cutting across organizational lines, puts a premium
on clearly designating a project leader, preferably one with the clout to
resolve turf issues and other problems and to gain top management's backing for
a solution. Once a firm schedule, responsibilities and a budget have been
determined, phase one of the project is to assess the current telecom
environment.
Surveys of three areas are required to fully Understand your
telecommunications security needs: your infrastructure, sensitive information
and vulnerabilities.
First, look at the equipment you have and the links you use. Identify both
the physical elements of your systems and your procedures.
Realize from the start that an absolutely complete inventory may be impossible;
many companies have experienced an uncontrolled proliferation of fax machines,
local area networks, modems, communications software and other equipment.
If you try to track everything down, you may never finish. One productive
approach may to sectionalize your project, prioritizing the various
departments.
Telephones, cellular fax machmes, modems, LANS, voice mail, E-mail, and a PBX
are typical elements of a corporate telecom environment.
The networks you use may include the public switched telephone network,
a cellular network, tie lines and other leased lines and microwave links.
Next, determine where in your company sensitive information exists and what
applications are involved in communicating that information. Research and
development, finance, marketmg, human resources and legal departments typically
handle proprietary or sensitive information. Concentrations of sensitive
information develop in places specific to particular companies and industries.
For a bank, the hiighest priority may be customers' financial information; for
a pharmaceutical manufacturer, research and development; for a packaged goods
manufacturer, marketing.
Determine with whom the information is being communicated. A defense
contractor might share the most sensitive information with its government
customer, while a bank would need to protect links between offices as well as
links to its competitors for fund transfers.
What offices, conference rooms, laboratories or other locations are used when
communicating confidential information? Your secure communications
requirements may extend beyond your own offices and organization. If your key
executives deal with sensitive information when working at home or on the road,
portable security may be required. If you regularly discuss confidential
information with outsiders, you'll require compatible security systems.
Most companies don't need to secure 100 percent of their telecommunications.
Determine what information requires protection Under law, such as personnel,
financial or medical information. And decide just what sensitive information
has real value to your adversaries and what information could jeopardize your
competitive position.
At this point you're ready for a vulnerability analysis. What is the level of
the threat, and where does it come from? What damage are your adversaries
capable of doing to you? What systems could they attack? What information
would they seek?
There are two types of attacks: passive and active. Passive involves simply
listening, tapping a line and picking up valuable information as it is
discussed, faxed or transmitted in a data file.
Such attacks can be difficult or impossible to detect until their effects
suggest that critical information is leaking out of your organization - a
competitor consistently beating you to market, underbidding you or preempting
your marketing plans, for example.
Active attacks involve actually breaking into a system. The purpose may be
to steal information, in which case the attack may be surreptitious. The
intent could be more obvious: to damage the system, destroy information or
hijack the system, taking it over and using it to make unauthorized
long-distance calls, disrupt voice mail or cause other havoc,
Consider the particular vulnerabilities of your systems. Hackers have
exploited dial-in access to computers and voice mail in very damaging ways.
Cellular phone calls are especially vulnerable to both passive and active
attacks.
Once YOU understand your telecommunications environment, the second phase of
your security project is putting it out to bid and selecting a vendor.
Depending on the scope of your needs, you may need more than a single vendor.
If your concerns include your PBX, voice mail and cellular phones, you might
do well to go to your vendor for each system. PBXs and voice mail system
typically are designed with at least some security functionality. Privacy
services are available for cellular telephones.
Some manufacturers and dealers can provide the full range of solutions for
end-user equipment. Retrofit security products are available for telephones,
fax machines, modems, some cellular phones and computer hardware. Secure
telephones, fax machines and modems are available with security capabilities
built in. Software programs can provide encryption and other security functions
for data transmitted from computers and carried in laptops.
Qualifications for your supplier should include professional personnel and the
ability to do more than simply sell you a box. Whether you go with a
communications security dealer, buy directly from a manufacturer or work with
your existing telecom vendor, your security needs require specialists.
Communications security is as technical and complex a field as any in security.
Make sure your vendor has the expertise (and commitment) to advise you
throughout the project and, afterward, to support you and service your
equipment.
No matter how complex or broad your security requirements are, you should
expect a solution that provides both strong protection and ease of use. Some
systems can operate transparently to the user, but even those that require a
degree of user involvement should be simple to operate, free of complicated
procedures and extensive training requirements. And they should not negatively
impact the performance of your system, whether it's telephone voice quality,
time required for a fax transmission or computer response time on your LANS.
As with any security system, a high priority in protecting your
telecommunications is selling top management on the need for and value of the
investment you're asking them to make. But gaining buy-in from end users is
even more important in telecom security than in many other areas of security.
Unlike access control or surveillance systems, for example, many aspects of
telecom security actually are operated by the end user. Not all solutions can
function automatically, or even need to. A researcher might use the same phone
to discuss product test results with a product manager and to order lunch,
which would require the ability to implement security for one call while
operating in the clear for other calls.
Thus, implementation requires not only acquiescence, but also active
cooperation from users. Depending on the overall security environment of your
company, you may have to actively raise awareness of security issues in
telecommunications, an area widely subject to being taken for granted by end
users. That awareness is required for successfully establishing procedures on
how and when to implement security wherever its operation isn't automatic.
Training may be required in some cases, though most telecom security solutions
are simple to use.
Similarly, installation generally is not a major consideration in securing
systems already in place. Hardware and software solutions alike typically are
compatible with your existing standard systems. A complicated and intricately
planned flash cut isn't usually required; security can be added and activated
as it is installed.
If you already have a mandate from the top to secure your telecommunications,
congratulations. Selling the decision makers on the need for security can be
difficult in a company whose communications aren't known to have been attacked.
Nevertheless, the damage already is occurring. Unprotected telecom systems
are open door to corporate spies of all stripes: competitors, foreign
governments and even opportunistic third parties. (The Japanese phone giant
NTT reportedly monitors international faxes and sells the contents to
interested Japanese companies.)
Many nations are linking their national security to economic security, and
they're turning their intelligence agencies away from military and political
duty to economic espionage. Foreign intelligence agencies are widely reported
to have targeted General Electric, Texas Instruments and Corning. Hughes
Aircraft pulled out of a major European air show after the host country
targeted U.S. aerospace firms for spying at the show.
Such adversaries have many ways of getting information from you.
Vulnerabilities in telecommunications systems, especially those connected to
computer systems, can be especially damaging. The resources you need are
easily available once you know your requirements. With the right mix of
interdepartmental cooperation and commitment, from both end users and senior
management, your corporation can make its communications systems even more
costly and difficult to penetrate than traditional physical points of attack.