FORT LAUDERDALE, Fla.—When your job is to carry someone else’s messages, things can get complicated. This is why voice and data carriers make sure they’re meeting the requirements for getting messages or calls to where they’re supposed to go without losing them, and why they have meetings such as the Competitive Carriers Association annual meeting that taking place here this week.
One of the thorny problems these carriers are dealing with, like other organizations, is security. But for them it’s a more complex problem than it is with some other organizations. The reason is that a telecommunications carrier is responsible for getting voice and data messages from where they originate to their destination. The voice messages are what you call telephone calls. The data messages are email, SMS messages, Websites and pretty much everything else you’ll find on the Internet.
Part of the responsibility for moving the voice and data traffic is making sure that the contents won’t cause problems for the customers because they’re security threats. But there’s more. Carriers must also protect themselves.
The job of protecting the carrier’s network is substantial. Their networks are vast, with millions of users, and they’re accessible to the public. In addition, they must deliver reliable service all day, every day. The responsibility is enormous, and so is the threat.
This may have something to do with why the Competitive Carriers Association asked me to do a security seminar at its annual meeting focusing on the carriers themselves and their networks. Despite the fact that I’m pretty cognizant on how corporate security can impact an organization, it was only while working closely with carriers and their vendors that I grew to appreciate just how enormous their task really is.
After the seminar, I spoke with one of my panelists, Angela Knox, about the roles that the carriers play in security. Knox pointed out that carriers have control over only part of the communications traffic that it serves to enterprises. A carrier can, Knox said, examine some types of traffic in real time. This is especially true with SMS and MMS messages such as those text messages you send and receive on your cell phone.
Knox, who is a director of engineering at Cloudmark, a security company that makes communications security products, said that real-time inspection of network traffic can play a critical role in making sure that some threats are removed from the messaging stream even before they reach users. This can help control some sorts of phishing, she said.
For Carriers, Security Threats Come From All Directions
“One of the threats that is particularly serious is phishing of the carriers’ accounts,” Knox said. This happens, she said, when a text message is sent out to customers telling them that their account is about to be blocked because of suspicious activity. The message will contain a link that purports to be the carrier’s site, where the customers will see what appears to be a genuine site that asks the victims to enter their account name, password and other personal information.
Knox said that in addition to examining the SMS or MMS traffic to look for such phishing messages, carriers can maintain consistency with their branding so that it’s somewhat harder for phishers to pretend to be the carrier’s site, and to manage traffic at the demarcation point where message traffic moves between the carrier’s network and the customer’s network.
When the customer is an enterprise, which is the case with many company-owned mobile phones, then the company’s IT department should set up an arrangement with the carrier to let the carrier know when something suspicious is going on.
“The ability to say what of my devices have strange things going on” is critical, Knox said. She added that there should be no privacy issues when the company owns the device. In a bring-your-own-device (BYOD) environment, companies should have their employees sign an agreement that allows such monitoring, she said.
Such phishing attempts, if successful, can pose a significant risk to carrier networks, but they’re far from the only risk. Carriers have the same challenges every other network operator has, including hacking attempts where someone is intent on stealing customer data but also where someone is trying to take down the carrier’s network just so they can say they did.
While carrier networks have plenty of risks, they also have to face the reality that it’s impossible to keep the outside world out. After all, their job is to provide a public service, and to do that they must open their networks to the public. In one sense, that multiplies the risk, but in another, it makes it more clear.
There is no chance that the bad guys will be kept out of their networks, which means that they’re free to limit the damage while also making it harder for those who would like to run free through their critical information. While their problem is a complicated one, the level of risk is defined. The job may be hard, but they know what it is, at least.