Monday, 8 June 2009

Careless Talk

Reports are emerging today of a suspected breach on T-Mobile’s network, with hackers offering to sell customer and financial data to the highest bidder. Since Saturday, security analysts and T-Mobile have been trying to verify the breach and to determine exactly the type and amount of data compromised. What makes this potential breach especially unnerving is the weaknesses it shows in standard data protection among carriers. Earlier this year, leading communication service provider Verizon issued a report that found that 285 million electronic records were breached in 2008 and that organized criminal gangs were behind a large percentage of these breaches.

Since their inception, carriers have taken an externally facing, ‘at-the-edge’ approach to security. In simple terms, they focused on protecting the edge of the network from external attacks, believing that most threats would initiate off the network, and the edge would be the place where hackers and others would gain access. This completely ignores the risks posed by their own staff, contractors, suppliers and partners. What has occurred almost simultaneously is the rise of multifunctional phone devices that act as wallets, contact databases, email terminals, mini-computers, organizers, etc. Any carrier network now contains a wealth of personal and financial information and, with dedicated criminal organizations going after data to steal and sell, the carrier database is a natural target. Indeed, T-Mobile has been here before, as Paris Hilton no doubt remembers.

The “deflect at the edge” approach will not stop these types of criminals, who have shown the ability both to bypass these external controls and to infiltrate an organization with the prime purpose of stealing data. Therein lies the problem facing those who wish to protect the carrier database: just how do you get a clear, immediate snapshot of what is occurring, including whether or not data has been stolen? If this T-Mobile proves threat to be a hoax, which it may well do, it should still act as a wake-up call to all carriers as to the vulnerabilities inherent in protecting data. To ensure full protection and data integrity, the database should be protected from the inside out to the network edge, rather than the other way around. This approach would alert administrators to data movement or unusual activity around the database, protecting unauthorized access from both internal and external sources.

Paul Davie

Founder, Secerno