=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*= * (CHN) Connecticut Hacker Newsgroup (CHN) * = CHN News File #5 = * an I.I.R.G. affiliate * = -=>Present<=- = * Planning of Telecom Security * =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*= PLANNING AND IMPLEMENTATION OF TELCOM SECURITY By Paul A. Berth (Paul A. Berth is a commercial sales and marketing manager for AT&T Secure Communications Systems.) Implementing a telecommunications security plan is a major project for any corporation. The stakes are significant. It requires a high degree of cooperation among the security, telecom and information systems staffs as well as end users. It involves complex technology, much of it new and unfamiliar, as well as significant capital investment. The project also may require management and political skill for more than interdepartmental coordination. The need for telecommunications security has limited acceptance in most companies. Even among managers who recognize the need, it may not receive a high priority, except in case of an emergency. A lack of cooperation can result in delays in getting information and resources, extending your project cycle and ultimately raising the cost. One factor on your side is need. The volume of information communicated over telephone, fax and low-speed data lines daily is high for virtually any company. Not everyone in a company typically requires a secure line, but the need exists wherever you transmit proprietary, confidential or sensitive information. The first step is to assemble a team representing all constituencies involved. Telecommunications typically involves responsibilities shared by the telecom and IS departments. End-users need to be represented as well. The corporate security staff must be involved, even if its role in a particular company has been traditionally oriented toward physical security. The security aspects of all information systems are increasingly critical; if your security staff isn't already involved with them, telecom security is an excellent place to start. The nature of the issue, cutting across organizational lines, puts a premium on clearly designating a project leader, preferably one with the clout to resolve turf issues and other problems and to gain top management's backing for a solution. Once a firm schedule, responsibilities and a budget have been determined, phase one of the project is to assess the current telecom environment. Surveys of three areas are required to fully Understand your telecommunications security needs: your infrastructure, sensitive information and vulnerabilities. First, look at the equipment you have and the links you use. Identify both the physical elements of your systems and your procedures. Realize from the start that an absolutely complete inventory may be impossible; many companies have experienced an uncontrolled proliferation of fax machines, local area networks, modems, communications software and other equipment. If you try to track everything down, you may never finish. One productive approach may to sectionalize your project, prioritizing the various departments. Telephones, cellular fax machmes, modems, LANS, voice mail, E-mail, and a PBX are typical elements of a corporate telecom environment. The networks you use may include the public switched telephone network, a cellular network, tie lines and other leased lines and microwave links. Next, determine where in your company sensitive information exists and what applications are involved in communicating that information. Research and development, finance, marketmg, human resources and legal departments typically handle proprietary or sensitive information. Concentrations of sensitive information develop in places specific to particular companies and industries. For a bank, the hiighest priority may be customers' financial information; for a pharmaceutical manufacturer, research and development; for a packaged goods manufacturer, marketing. Determine with whom the information is being communicated. A defense contractor might share the most sensitive information with its government customer, while a bank would need to protect links between offices as well as links to its competitors for fund transfers. What offices, conference rooms, laboratories or other locations are used when communicating confidential information? Your secure communications requirements may extend beyond your own offices and organization. If your key executives deal with sensitive information when working at home or on the road, portable security may be required. If you regularly discuss confidential information with outsiders, you'll require compatible security systems. Most companies don't need to secure 100 percent of their telecommunications. Determine what information requires protection Under law, such as personnel, financial or medical information. And decide just what sensitive information has real value to your adversaries and what information could jeopardize your competitive position. At this point you're ready for a vulnerability analysis. What is the level of the threat, and where does it come from? What damage are your adversaries capable of doing to you? What systems could they attack? What information would they seek? There are two types of attacks: passive and active. Passive involves simply listening, tapping a line and picking up valuable information as it is discussed, faxed or transmitted in a data file. Such attacks can be difficult or impossible to detect until their effects suggest that critical information is leaking out of your organization - a competitor consistently beating you to market, underbidding you or preempting your marketing plans, for example. Active attacks involve actually breaking into a system. The purpose may be to steal information, in which case the attack may be surreptitious. The intent could be more obvious: to damage the system, destroy information or hijack the system, taking it over and using it to make unauthorized long-distance calls, disrupt voice mail or cause other havoc, Consider the particular vulnerabilities of your systems. Hackers have exploited dial-in access to computers and voice mail in very damaging ways. Cellular phone calls are especially vulnerable to both passive and active attacks. Once YOU understand your telecommunications environment, the second phase of your security project is putting it out to bid and selecting a vendor. Depending on the scope of your needs, you may need more than a single vendor. If your concerns include your PBX, voice mail and cellular phones, you might do well to go to your vendor for each system. PBXs and voice mail system typically are designed with at least some security functionality. Privacy services are available for cellular telephones. Some manufacturers and dealers can provide the full range of solutions for end-user equipment. Retrofit security products are available for telephones, fax machines, modems, some cellular phones and computer hardware. Secure telephones, fax machines and modems are available with security capabilities built in. Software programs can provide encryption and other security functions for data transmitted from computers and carried in laptops. Qualifications for your supplier should include professional personnel and the ability to do more than simply sell you a box. Whether you go with a communications security dealer, buy directly from a manufacturer or work with your existing telecom vendor, your security needs require specialists. Communications security is as technical and complex a field as any in security. Make sure your vendor has the expertise (and commitment) to advise you throughout the project and, afterward, to support you and service your equipment. No matter how complex or broad your security requirements are, you should expect a solution that provides both strong protection and ease of use. Some systems can operate transparently to the user, but even those that require a degree of user involvement should be simple to operate, free of complicated procedures and extensive training requirements. And they should not negatively impact the performance of your system, whether it's telephone voice quality, time required for a fax transmission or computer response time on your LANS. As with any security system, a high priority in protecting your telecommunications is selling top management on the need for and value of the investment you're asking them to make. But gaining buy-in from end users is even more important in telecom security than in many other areas of security. Unlike access control or surveillance systems, for example, many aspects of telecom security actually are operated by the end user. Not all solutions can function automatically, or even need to. A researcher might use the same phone to discuss product test results with a product manager and to order lunch, which would require the ability to implement security for one call while operating in the clear for other calls. Thus, implementation requires not only acquiescence, but also active cooperation from users. Depending on the overall security environment of your company, you may have to actively raise awareness of security issues in telecommunications, an area widely subject to being taken for granted by end users. That awareness is required for successfully establishing procedures on how and when to implement security wherever its operation isn't automatic. Training may be required in some cases, though most telecom security solutions are simple to use. Similarly, installation generally is not a major consideration in securing systems already in place. Hardware and software solutions alike typically are compatible with your existing standard systems. A complicated and intricately planned flash cut isn't usually required; security can be added and activated as it is installed. If you already have a mandate from the top to secure your telecommunications, congratulations. Selling the decision makers on the need for security can be difficult in a company whose communications aren't known to have been attacked. Nevertheless, the damage already is occurring. Unprotected telecom systems are open door to corporate spies of all stripes: competitors, foreign governments and even opportunistic third parties. (The Japanese phone giant NTT reportedly monitors international faxes and sells the contents to interested Japanese companies.) Many nations are linking their national security to economic security, and they're turning their intelligence agencies away from military and political duty to economic espionage. Foreign intelligence agencies are widely reported to have targeted General Electric, Texas Instruments and Corning. Hughes Aircraft pulled out of a major European air show after the host country targeted U.S. aerospace firms for spying at the show. Such adversaries have many ways of getting information from you. Vulnerabilities in telecommunications systems, especially those connected to computer systems, can be especially damaging. The resources you need are easily available once you know your requirements. With the right mix of interdepartmental cooperation and commitment, from both end users and senior management, your corporation can make its communications systems even more costly and difficult to penetrate than traditional physical points of attack.