Mobile Telecommunications Security Threat Landscape
January 2020
COPYRIGHT © 2020 GSMA
Contents
Executive Summary
Introduction
Threat Landscape Structure
Cloud and Virtualisation
Internet of Things
Securing the 5G Era
Securing Device Applications
Security Skills Shortage
Signalling Threats
Software Threats
Supply Chain Resilience
2020 and Beyond
  5G standalone and scaled security
  Network visibility
  Increased blended attacks
  Supply chain service impact
Final Thoughts
GSMA Member Security Services
About the GSMA
About the GSMA Fraud and Security Team
Executive Summary
Welcome to the GSMA 2nd Annual Threat Landscape Report

As we enter the era of intelligent connectivity we are seeing ever more complex networks, both in the services they offer, in the use cases they will enable, and the range of technology used to build them. Not only will such networks be critical to economic and societal health, they will also be attractive to attackers, and it is important that the industry is motivated to identify and mitigate the threats.

The 'threat surface' is increasing and, with the continued presence of 3G and 4G networks in the ecosystem, traditional threats and vulnerabilities will have to be continually mitigated and managed. Many threats can be anticipated and, with good hygiene, continued action and vigilance, mitigated.

New mitigation opportunities are arising through automation, machine learning and artificial intelligence; however, these must be married to good procedural practices and appropriately skilled security staff, coupled with good strategic risk management practices. Threats must be managed across people, process and technology and across the full lifecycle from definition through deployment, operation and ultimately decommissioning. The supply chain continues to be a critical consideration in the threat landscape.

This guide gives insights into the threat landscape of the mobile telecommunications ecosystem, details key dimensions of consideration, and offers guidance to mitigate and tackle such threats.
Introduction
The mobile telecommunications industry is under daily attack. The industry understands that no threat can be tackled in isolation, and that threat actors will continue to exploit vulnerabilities in deployed technologies to achieve their goal. In the face of this persistent threat it is crucial to develop a broad understanding of evolving threats facing the industry. Our aim is to advise on the current threats and highlight potential future threats affecting the mobile telecommunications industry.
THE GSMA'S DESIRE IS TO ENHANCE AWARENESS AND ENCOURAGE APPROPRIATE RESPONSES TO SECURITY THREATS.
The GSMA believes security threats have been on the rise and will continue rising with the adoption of new technologies and services within an expanding ecosystem. Security must move with the threat and enable technology adoption if it is to outmanoeuvre those working against the industry.
One overarching, ongoing challenge the industry faces is the lifespan of the technology they support. 2G and 3G networks still account for 50% of network traffic. The technologies these networks rely on have been in place since the 1990s and will remain for many years before closure. The protocols and systems in use in these generations were never designed for the world they are being used in today. Compensating controls, and retrospectively building security post initial deployment, is cumbersome and as such the mobile industry has to implement several add-on security technologies and requirements.
However, as the industry evolves, known threats become more defined and progress to defend against them is being made.
Next generation mobile will deliver feature rich intelligent connectivity and we must ensure it remains secure and resilient.
Jon France, Head of Industry Security, GSMA
FIGURE 1: 2019 INDUSTRY THREATS (Supply Chain Threats; Cloud Threats; Device Threats; Software Threats; Internet of Things Threats; Signaling Service Threats; Security Skills Shortage; Securing the 5G Era)
Threat Landscape Structure
This second version of the GSMA Security Threat Landscape report aims to provide understanding of mobile telecommunications threats at a high level. Each chapter in this report represents a single threat domain. All chapters that appeared in the 2019 report have been updated to reflect the current threats facing the industry. As the threat landscape has evolved, several threats seen in the past have been relegated to a lower status and been replaced with new threats (figure 1).
This does not mean that legacy threats have disappeared. They still need to be addressed. As a result this report builds on the 2019 Security Threat Landscape to present an updated view of the evolving threat landscape.1
For each threat the GSMA aims to outline the nature of the threat to the industry, offer insight and propose recommendations and actions the industry could implement. Each chapter is structured as follows:
THE GSMA'S OVERARCHING VIEW OF THE THREAT
FURTHER INSIGHTS INTO THE THREAT
RECOMMENDATIONS PROPOSED BY THE GSMA
1
Cloud and Virtualisation
Cloud services usage is on the rise year on year. This includes IT and telecommunications alike, albeit telecommunications services currently prefer private cloud.2 Any potential economies of scale, offered through virtualisation and cloud services, will only be realised if the security controls remain consistent when implemented.
Virtualisation, and as such cloud threats, are well understood (figure 2). Protecting against these threats requires a combination of traditional IT hygiene controls and recognition of the structural and supply chain changes affecting the network, especially in relation to visibility (data, asset etc.).
Cloud services rely on virtualisation, which can offer granular security controls and policies if designed and implemented correctly. Once designed, the template-driven aspects of virtualisation allow automated deployment of systems that are secure by default, an aspiration of current and future networks. A combination of poor implementation and a lack of the correct skills within the industry can result in these controls being misconfigured or configured inconsistently, meaning a missed opportunity to protect the network; conversely, the misconfiguration can also result in a number of threats (figure 2) being realised.3
FIGURE 2: CLOUD AND VIRTUALISATION THREATS
TRADITIONAL IT AND HYGIENE THREATS: Poor patching practices; Virtualisation aware malware; Lack of network visibility; Inappropriate access controls
DATA, RESOURCE LEAKAGE: Insecure API/interfaces; Misconfigured isolation controls
RESILIENCE: Geographical; Vendor
2 A private cloud is a particular model of cloud computing that involves a distinct and secure cloud based environment in which only the specified client can operate. 3
Cloud services and internal virtualisation mechanisms benefit from similar controls. These include:
• Design and implement resilience through redundancy and use of multiple availability zones
• Local policy covering all cloud delivery and deployment models. Specific controls may relate to provisioning, service implementation, vendor choice, data management and destruction, and threat detection services
• Use microsegments to isolate high security or legacy areas; use virtualisation-aware security tooling to enforce policy and monitor these segments
• Subject virtualised systems to the same IT hygiene best practice as physical systems. This includes patch management, vulnerability management, hardening practices, authentication, access controls etc.
• Cover in-life threat modelling as part of the ongoing risk management process. Develop a threat model for each deployment model and consider hypervisor-based attacks, VM-based attacks, and VM image attacks
• Isolate services, memory, tenants and processes effectively. Only house like-for-like security levels on the same hypervisor
• If outsourcing, ensure that the above expectations are passed on to the vendor via the request for information (RFI) / invitation to tender (ITT) process
• Use modern hardware that supports appropriate security controls and that these are enabled and supported within the virtualisation layer
• Check that suppliers hold appropriate compliance to industry-standard certifications to assure that it is following industry best practice and regulations4
• Purchase security controls that are virtualisation-aware and are able to protect microsegments and virtual services. Adopt the same approach for cloud services
• Develop and retain appropriate skillsets amongst staff to manage cloud deployments, specifically cloud-based security skills5
• Develop consistent management and orchestration (MANO) services that include security controls at build phase (secure by design)
4
5 The Cybersecurity Insiders Cloud Security Report 2019 highlights that 26% of people cite that a lack of skills impacts their ability to secure cloud services; 41% say that a lack of training and skills stop them updating to cloud based specialised security tooling.