
Exploitable Network Configurations Leave Telecom Providers Exposed to Significant Cybersecurity Breaches

Image Credit: Sashkin/BigStockPhoto.com

It’s not a newsflash that the telecommunications industry is critical not just to how we communicate but to how we live overall, and it is therefore viewed as critical national infrastructure. The fact that telco networks are so large and complex also poses a significant Attack Surface Management (ASM) challenge. Both factors make telcos highly susceptible to significant cybersecurity breaches, either directly or through their long supply chains. A recent report from EY concluded that security is now number two among the top 10 risks facing telco providers today; yet 39% of telco CISOs believe security is still insufficiently factored into strategic investments. This is why, until telcos adopt a zero trust mindset and security strategy, we will continue to see headlines like the ones about the T-Mobile breach and Vodafone’s compromised supplier, which could have impacted the entire industry.

Network misconfigurations that pose a significant risk to the confidentiality, integrity and availability (CIA) of systems and data should neither be prevalent nor persist on a network. Yet every year, preventable attacks are costing telcos millions, according to a recent report. The study, The impact of exploitable misconfigurations on network security, reveals that misconfigurations cost an average of 9% of a company’s annual revenue.

Furthermore, misconfigurations, including ones that could pose a critical risk to security, often reside on networks for months, sometimes years, between audits, leaving businesses vulnerable to breach the entire time. Considering that 75% of employees surveyed for the study agree that their organization relies on compliance to deliver security, the survey results point to a reality where corporate security and external compliance requirements are not being met consistently and telcos remain exposed.

This is just one in a number of disconnects between network security perception and reality, highlighted by the survey, which also reveals:

  1. Companies prioritize firewalls over switches and routers. The research delves into network security practices and unveils that 96% of senior cybersecurity decision-makers prioritize the auditing of firewall configurations, often totally ignoring network routing and switching devices, which are equally critical to maintaining effective network segmentation. This means that only 4% include switches and routers in routine configuration assessments, which goes against the zero trust principle of validating every device, every day, to prevent lateral movement across networks that would allow access to critical applications and data. Ignoring, or ‘trusting’, switches and routers therefore exposes telco networks to significant business risk, stemming from the CIA risk to their critical applications and to both their own and their customers’ data.
  2. Prioritizing misconfiguration remediation workflows based on risk is a widespread challenge. With connections to networks at an all-time high thanks to work-from-home practices and the proliferation of collaboration and productivity tools, prioritizing how to secure the network has never been more mission critical for telcos. It’s not a surprise, then, that 95% of telecom network security teams say validating network configurations is a top three consideration. Yet only 26% said that their network security tools could categorize and prioritize security compliance risks ‘very effectively’.
  3. Confidence in supply chain risk management is not where it needs to be. The risk in the supply chain is putting the industry in jeopardy more than ever before. In targeting a telecoms company, threat actors can gain access to more than the provider’s information: an attack at any point in the supply chain can compromise customer data. The aforementioned incident documented by Vodafone calls out a supplier that provides wholesale roaming and other services to a global network of telecom companies and claims the breach resulted in a “minor direct impact.” Of course, the next time it could be more significant. The U.S. government is thus calling on telcos and other critical national infrastructure organizations to sharpen their focus on supply chain risk management. Telcos, especially if they bid on governmental contracts, may now be subject to compliance with supply chain risk management requirements, including CMMC and NIST 800-171 and its new supplement, NIST Special Publication 800-172.

Telecom companies must therefore create robust risk management strategies to protect their organizations and data. They must ensure compliance with trusted regulatory and corporate risk management frameworks to effectively manage their attack surface and protect their own and their customers’ data, as well as their reputation as a trustworthy telco. Adopting a zero trust mindset, where no people, devices or applications are implicitly trusted, is key. A good first step is to assure effective Zero Trust Segmentation, so that at a base level users and critical applications are not on the same network segment.

Continuous evidentiary compliance reporting should therefore be underpinned by Zero Trust policy enforcement. However, effectively managing a telco’s huge attack surface also requires the remediation of regulatory and corporate non-compliances to be prioritized, so as to close down known active and effective telco attack vectors. This can be achieved by continuously monitoring for and reporting compliance risks against trusted ASM frameworks such as MITRE ATT&CK. Yet only 6% of telcos surveyed reported having continuous monitoring in place with automation, and 12% reported no formal processes or only basic ones. Most (55%) only assess the configuration of their devices on an annual basis. Less than one quarter (22%) evaluate them monthly, and a tiny minority (2%) reported a weekly cadence.

Clearly a shift in mindset (and tech stack) is required to deliver, from compliance data, an accurate daily picture of the network vulnerabilities that open up attack vectors, and to prioritize remediation according to the greatest risk to the business. This starts with accurate identification and categorization at the configuration assessment level.

Most (62%) telecom providers report identifying a critical configuration issue within the last two years, and most (76%) rated its severity between 3 and 5 on a scale of 1 to 10 (1 = not at all serious, 10 = very serious). Whether this is a case of luck, or an inability to identify and categorize risk, is a subject for another study. Either way, by not managing potentially critical network risks, the level of exposure most telcos are currently carrying could be detrimental to the entire industry.

Only by prioritizing remediation of the most critical issues, establishing processes for better attack surface management, and ensuring continuous compliance, policy, and best practices at a device level, can providers stay confident in doing everything they can to deter threats and prevent breaches.

Author

Chief Architect Ian Robinson works closely with Titania’s customers and partners to continuously hone the unique capabilities of its configuration assessment solutions, Nipper Enterprise and Nipper, ensuring each product roadmap strategically builds customer value by providing organizations with the insight needed to mitigate their most critical network security and compliance risks first. With a strong record in full stack development, he is fluent in an array of different languages and versed in the wide range of platforms, frameworks, libraries and integrations needed to build elegant, well-designed, and innovative cybersecurity solutions.
