8/13/2019 White Paper on Security Testing
1/13
WHITE PAPER ON
SECURITY TESTING IN TELECOM NETWORK
DATE OF RELEASE: 27th July 2012
Table of Contents
1. Introduction
2. Need for securing Telecom Networks
3. Security Assessment Techniques
4. Security Testing methodologies in Telecom Networks
4.1 Telecom Equipment Testing
4.2 Telecom Network Vulnerability Assessment
4.3 Fuzz Testing
4.4 Penetration Testing
5. Remedial actions
GLOSSARY
Security Testing in Telecom Network
1. Introduction
Circuit-switched PSTN networks, traditionally controlled by the telecom operators
are less prone to risks as compared to a packet-switched network based on an open
protocol like the IP. However, due to the growing demand for data and video
services and the limitations of the circuit-switched technology, telecom operators
find it economically prohibitive to expand their circuit-switched networks to meet
demand. This has led to a gradual move towards the adoption of packet-based
switching technology. Newer 2G and 3G mobile phone systems like GPRS, EDGE and
HSPA, which are designed for data transmission, are also based on packet-based
switching technology.
Fig. 1 Transition to NGN
Packet-based switching technology used in Next Generation Networks is usually
implemented through the use of the IP suite. IP was based on open standards and
not originally designed with security in mind. The weaknesses in IP have long
been exploited, and adopting an IP-based network therefore carries risk.
Both the traditional circuit-switched networks and the packet-based next generation
networks are exposed to different threats and attacks both from external and
internal sources that target the various parts of the telecommunications network.
These attacks may target any part of the telecom network, including the radio
path of the access network. An attack on one telecom operator's network could
also spread to other networks over the interconnection interfaces.
2. Need for securing Telecom Networks
Telecommunication networks play a critical role in the economic growth of a
country. This has led to government regulations in the telecom industry, which include
requirements for ensuring the security of the telecom equipment and networks. The
import of telecom equipment from other countries that are antagonistic to a state's
strategic interests may lead to security threats by means of embedded logic bombs
and malware.
The interconnection of the PSTN networks of fixed and mobile phone systems and
the next generation network has increased the attack surface of the telecom
networks. The wide range of end-user devices that can now connect to the telecom
networks has added to the complexity of the networks, thereby increasing the risks
and vulnerabilities as well.
Hence, the consequences of not implementing adequate security measures to deal
with the security threats and challenges to the telecom network could be heavy.
Several international standard development organisations like ITU, ISO/IEC, 3GPP,
3GPP2 and ETSI have prescribed standards that are applicable to telecom
networks. Also, many countries have legislations and regulations that the telecom
operators must comply with, which may require the adoption of specific security
standards.
Telecom operators should adopt a robust, managed security programme to ensure
that their networks are protected against malicious attacks, both external and
internal, while also ensuring compliance with the local regulatory environment. This
requires a holistic approach to implement security measures, based on globally
accepted security standards and best practices.
3. Security Assessment Techniques
There are various security testing and examination techniques that can be used to
assess the security posture of systems and networks. The most commonly used
techniques can be grouped into the following three categories:
3.1 Review Techniques: These are examination techniques used to evaluate
systems, applications, networks, policies, and procedures to discover
vulnerabilities, and are generally conducted manually. They include documentation,
log, ruleset, and system configuration review; network sniffing; and file integrity
checking.
3.2 Target Identification and Analysis Techniques: These testing techniques can
identify systems, ports, services, and potential vulnerabilities, and may be
performed manually but are generally performed using automated tools. They
include network discovery, network port and service identification, vulnerability
scanning, wireless scanning, and application security examination.
3.3 Target Vulnerability Validation Techniques: These testing techniques confirm
the existence of vulnerabilities, and may be performed manually or by using
automatic tools, depending on the specific technique used and the skill of the test
team. Target vulnerability validation techniques include password cracking,
penetration testing, social engineering, and application security testing.
Since no single technique can provide a complete picture of the security of a system
or network, organizations should combine appropriate techniques to ensure robust
security assessments. For example, penetration testing usually relies on performing
both network port/service identification and vulnerability scanning to identify hosts
and services that may be targets for future penetration.
4. Security Testing methodologies in Telecom Networks
Maintaining a consistent security posture across an organisation's network in the
face of the ever-changing nature of IT security is a complex and time-consuming
task. Periodic security testing plays a vital role in assessing and enhancing the
security of networks.
Some of the security testing techniques that are most relevant to telecom
networks are discussed below:
4.1 Telecom Equipment Testing
Telecommunication networks are likely to have a heterogeneous mix of equipment
from various suppliers. A highly credible, trusted third party certification programme
must be in place to conduct an assessment to identify and evaluate security
weaknesses and vulnerabilities contained in equipment software, firmware and
hardware implementations. Certification of the supplier products against the
Common Criteria Specifications (ISO 15408) ensures this at the component level.
4.2 Telecom Network Vulnerability Assessment
With a large number of vulnerabilities and an increasing number of attacks
exploiting them being reported across technology platforms, it is becoming difficult
to ensure that the critical elements of a telecommunications network are not
vulnerable to these attacks. Vulnerability scanners provide system and network
administrators with proactive tools that can be used to:
- identify vulnerabilities associated with operating systems and applications;
- report and assess each vulnerability and its overall consequences;
- recommend remediation strategies;
- test compliance with organisational security policies by auditing system
  configurations.
Vulnerability scanners can be of two types: network-based scanners and host-
based scanners. Network-based scanners are used primarily for mapping an
organization's network and identifying open ports and related vulnerabilities. In most
cases, these scanners are not limited by the operating system of targeted systems.
The scanners can be installed on a single system on the network and can quickly
locate and test numerous hosts. Host-based scanners have to be installed on each
host to be tested and are used primarily to identify specific host operating system
and application misconfigurations and vulnerabilities.
Fig. 2 Network based vulnerability scanner
Because host-based scanners are able to detect vulnerabilities at a higher degree
of detail than network-based scanners, they usually require not only host (local)
access but also a root or administrative account. Some host-based scanners offer
the capability of repairing misconfigurations.
It is very important to organize, express, and measure security-related information
in standardized ways.
Recommendation ITU-T X.1520 defines the use of Common Vulnerabilities and
Exposures (CVE), which provides a common nomenclature for publicly known
problems in the commercial or open source software used in communications
networks, end-user devices, etc. CVE does not contain information such as risk,
impact, fix information, or detailed technical information. CVE only contains
the standard identifier number with status indicator, a brief description, and
references to related vulnerability reports and advisories. The repository of
CVE Identifiers is available at [cve.mitre.org].
Recommendation ITU-T X.1524 defines the use of the common weakness
enumeration (CWE), which provides a common nomenclature to exchange
information regarding weaknesses in source code and operating systems.
CWE also offers supportive context information about possible risks,
impacts, fix information, and detailed technical information about what the
software weaknesses could mean to a software system. A comprehensive
CWE dictionary is available at [cwe.mitre.org].
Recommendation ITU-T X.1521 provides the Common Vulnerability Scoring System
(CVSS) as a standardized approach for communicating the
characteristics and impacts of ICT vulnerabilities. It uses base, temporal and
environmental metrics that apply contextual information to more accurately
reflect the risk to each user's unique environment. Many organizations are
using CVSS internally to make informed vulnerability management decisions.
They use scanners or monitoring technologies to first locate host and
application vulnerabilities. They combine this data with CVSS base, temporal
and environmental scores to obtain more contextual risk information and
remediate those vulnerabilities that pose the greatest risk to their systems.
4.3 Fuzz Testing
While vulnerability assessments can help identify and mitigate known
vulnerabilities, they cannot protect against exploitation of unknown
vulnerabilities, which are likely in complex networks such as telecom networks. A
methodology that is now being used to address these unknown vulnerabilities is
Fuzz Testing. It is a form of attack simulation where abnormal inputs are used to
trigger vulnerabilities. One approach is model-based fuzzing, which uses protocol
specifications to target tests at protocol areas most susceptible to vulnerabilities.
Another approach, traffic capture fuzzing, uses traffic captures to create the fuzzers
used for testing.
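An added example, not from the white paper: a small traffic-capture fuzzer in Python. It starts from one constructed message of a hypothetical TLV protocol (standing in for a message lifted from a capture), derives mutants from it, and counts which mutants crash a parser that trusts its length fields, beside a hardened parser that rejects the same inputs cleanly.

```python
import random
import struct

# Constructed stand-in for one well-formed captured message. Wire layout: 2-byte body length,
# then records of 1-byte type, 2-byte length, value (here: 3 records, 30 body bytes).
CAPTURED = (struct.pack("!H", 30) + b"\x01\x00\x11alice@example.net"
            + b"\x02\x00\x02\x00\x01" + b"\x03\x00\x02ok")

def parse_naive(data):
    """Trusts every length field; malformed input escapes as struct.error (a crash)."""
    total, = struct.unpack("!H", data[:2])
    pos, records = 2, []
    while pos < 2 + total:
        t, n = struct.unpack("!BH", data[pos:pos + 3])
        records.append((t, data[pos + 3:pos + 3 + n]))
        pos += 3 + n
    return records

def parse_hardened(data):
    """Same format, every length checked; bad input is rejected with ValueError."""
    if len(data) < 2 or len(data) != 2 + struct.unpack("!H", data[:2])[0]:
        raise ValueError("body length does not match message size")
    pos, records = 2, []
    while pos < len(data):
        hdr = data[pos:pos + 3]
        if len(hdr) < 3 or pos + 3 + struct.unpack("!BH", hdr)[1] > len(data):
            raise ValueError("truncated or oversized record")
        t, n = struct.unpack("!BH", hdr)
        records.append((t, data[pos + 3:pos + 3 + n]))
        pos += 3 + n
    return records

def mutate(msg, rng):
    """One capture-derived mutant: bit flip, corrupted record length, or truncation."""
    buf, strategy = bytearray(msg), rng.choice(("flip", "length", "truncate"))
    if strategy == "flip":
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif strategy == "length":
        buf[3:5] = struct.pack("!H", rng.randrange(65536))  # first record's length field
    else:
        del buf[rng.randrange(1, len(buf)):]
    return bytes(buf), strategy

def fuzz(parser, seed_msg, iterations=300, seed=1):
    """Feed mutants to `parser`; count unhandled exceptions (crashes) per strategy."""
    rng, crashes = random.Random(seed), {}
    for _ in range(iterations):
        data, strategy = mutate(seed_msg, rng)
        try:
            parser(data)
        except ValueError:      # the parser's deliberate rejection of bad input, not a crash
            pass
        except Exception:
            crashes[strategy] = crashes.get(strategy, 0) + 1
    return crashes
```

Running `fuzz(parse_naive, CAPTURED)` reports crashes for the truncation and length mutants, while `fuzz(parse_hardened, CAPTURED)` returns an empty dictionary; a real capture-based fuzzer differs mainly in taking its seed messages from live traffic and its field boundaries from the protocol.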
4.4 Penetration Testing
The purpose of penetration testing is to identify methods of gaining access to a
system by using common tools and techniques used by attackers. It supplements
the vulnerability assessment activities by taking the last step and actually
exploiting these vulnerabilities to compromise and gain access to the target
systems. A penetration test can be designed to simulate an inside and/or an outside
attack.
Security testing specialists attempt to infiltrate the client's network, systems and
applications using not only common technologies and techniques, but also
specialised tools and some unexpected methods, such as combined techniques
(multi-vector attacks). The result is a detailed report identifying key vulnerabilities
and suggested protection tactics: an action plan to improve the organisation's
security posture.
There are two types of penetration testing commonly referred to as Blue Teaming
and Red Teaming. Blue Teaming involves performing a penetration test with the
knowledge and consent of the organization's IT staff. Red Teaming involves
performing a penetration test without the knowledge of the organization's IT staff
but with full knowledge and permission of the upper management. This type of test
is useful for testing not only network security, but also the IT staff's response to
perceived security incidents and their knowledge and implementation of the
organization's security policy. The Red Teaming may be conducted with or without
warning.
Penetration testing is important for determining how vulnerable an organization's
network is and the level of damage that can occur if the network is compromised.
Because of the high cost and potential impact, annual penetration testing may be
sufficient. The results of penetration testing should be taken very seriously and
discovered vulnerabilities should be mitigated. As soon as they are available, the
results should be presented to the organization's managers.
Corrective measures can include closing discovered and exploited vulnerabilities,
modifying an organization's security policies, creating procedures to improve
security practices, and conducting security awareness training for personnel to
ensure that they understand the implications of poor system configurations and
poor security practices.
5. Remedial actions
While identifying and categorizing vulnerabilities is important, a security test is
much more valuable if it also results in a mitigation strategy being developed and
implemented. This requires translating the findings of the testing into remedial
actions. A suitable approach is as follows: based on the analysis of the findings,
mitigation recommendations should be developed; these recommendations should be
presented as a report to the appropriate authorities; and finally, the mitigation
activities should be carried out.
5.1 Mitigation Recommendations
After completion of all the testing activities, final conclusions and mitigation
recommendations are developed. There may be both technical recommendations
(e.g., applying a particular patch) and nontechnical recommendations that address
the organization's processes. Examples of mitigation actions include policy,
process, and procedure modifications; security architecture changes; deployment of
new security technologies; and deployment of OS and application patches.
5.2 Reporting
Upon completion of analysis, a report should be generated that identifies system,
network, and organizational vulnerabilities and their recommended mitigation
actions. This report should be documented and made available to the appropriate
staff, which may include the CIO, CISO, and ISSO as well as appropriate program
managers or system owners. Because a report may have multiple audiences,
multiple report formats may be required to ensure that all are appropriately
addressed.
5.3 Remediation / Mitigation
While implementing the remediation, organizations should follow at least the four
steps outlined below.
i. Before implementing technical modifications to a production asset, testing should
be done on test systems in an environment that replicates the network in which the
mitigation action would be implemented. For example, before a patch is applied to
an operational system, it should be installed on a similar system in a test
environment to check for any negative implications. Such testing
significantly reduces, but does not eliminate, the risk of a system reacting adversely
to a technical modification.
ii. Changes and their impact to the existing systems, networks, policy, or processes
should be communicated to the appropriate authorities before executing any
remedial actions. At a minimum, the program manager or system owner should be
contacted before executing any remedial actions and should provide approval of the
planned mitigation actions before they are implemented.
iii. Implementation of mitigation strategies should be verified by conducting an audit of
the system. A system audit can be conducted by onsite security personnel or an
external security test team.
iv. It is important to continuously identify and update mitigation activities that have
been accomplished, partially accomplished, or are pending action by another
individual or system.
GLOSSARY
IP    Internet Protocol
PSTN  Public Switched Telephone Network
GPRS  General Packet Radio Service
EDGE  Enhanced Data rates for GSM Evolution
HSPA  High Speed Packet Access
ITU   International Telecommunication Union
ISO   International Organization for Standardization
IEC   International Electrotechnical Commission
3GPP  Third Generation Partnership Project
ETSI  European Telecommunications Standards Institute
CIO   Chief Information Officer
CISO  Chief Information Security Officer