Security: What is it? Do I need it?

Security is vague even in its definitions and applications. It can cover good business practice, strong technical standards, staff and contractor vetting, and working with law enforcement; it also covers the problems themselves, such as inadequate scrutiny and testing of new products and services, customer and employee fraud and theft, and many more.

Many of these areas are related; for instance, assigning clear internal responsibility for the development of a product or service should reduce the opportunity for fraud and theft. It is also true that, in many cases, the mindset needed for good security is lacking. For example, how many designers consider whether someone could make money by exploiting the security features of their design? Many mobile operators are not even aware of what they should be looking for. A good example of this is the original GSM authentication algorithm, which makes it easy to clone a customer SIM card. It was broken over 15 years ago and is easy to replace, yet it is still widely deployed by mobile operators around the world. In some cases the losses are very real and considerable, with a stolen or cloned SIM used to rack up calls to premium rate phone lines or text services.

I would recommend the following simple strategy to start addressing the issue:

  • Have the appropriate people and policies in place to ensure security is addressed. International standards for security, such as the ISO27000 series, are also helpful here.
  • Ensure that responsibility for security is clearly devolved throughout the organisation and its contractors, with training and responsibilities clearly defined. Security should be part of everyone’s responsibility.
  • Ensure that each new product, process or service is checked for security weaknesses so that there are no severe risks of loss to revenue or reputation.
  • The technical elements of a network can also be attacked. There is a lot of guidance available from industry bodies on ways to mitigate technical weaknesses, such as interception of information, changing network parameters of billing systems, and manipulating calls and signalling. Hackers at conferences such as Black Hat and the Chaos Computer Club are putting mobile networks under increasing scrutiny.
  • Finally, it is important to communicate to customers, in simple language, about the threats and risks, so that they can protect themselves against malware, unwanted nuisance calls and the risk of loss to their privacy and personal information.

Everyone has security challenges – the mistake many make is not to go through these checks. Making yourself safe and compliant will save you money.