This transition to software-based network components creates new vulnerabilities. A disgruntled employee can insert rogue code, but failing to update policies and procedures creates another, less obvious, vulnerability. An example can be seen in the recent attack on Deutsche Telekom.
At Deutsche Telekom, it appears that when SDN switches and routers were deployed, roughly 300 unused network ports were left open with services listening on them, and that the attacker used these open and active ports as the entry point for a software attack on the network. What appears to have happened is as follows. Hardware-based switches and routers exposed no such listening ports, so the policies and procedures for deploying and provisioning them never called for shutting any down. When the SDN components arrived for deployment, operations was told that they would function exactly like the hardware-based components they replaced, and at the data and operations levels they did. Underneath, however, sat an industry-standard general-purpose computing platform whose default configuration left every port open. Because operations expected the SDN components to behave just like the hardware they replaced, they applied the existing policies and procedures, which said nothing about closing unused ports, and the ports were left in their default open state. It may also be that the vendor documentation was never updated to reflect the difference.
The take-away is that, as Cellcos move from hardware to software components, policies and procedures must be revised to minimize vulnerabilities both in the software functionality and in the underlying platforms: before a software-based element goes into service, the platform beneath it must be hardened, with unused services disabled and unused ports closed or filtered.
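One way to turn that lesson into a concrete provisioning check, as an added example that is not part of the original article and not any vendor's tooling: the script below parses the output of `ss -ltun` on a freshly deployed software-based element, compares the listening sockets against a per-role allowlist, and renders a default-deny nftables ruleset for that role so that anything not on the list is filtered even if a service is later re-enabled by accident. The role names, the allowlisted ports and the sample `ss` output are constructed for illustration and are not taken from the Deutsche Telekom incident.

```python
"""Provisioning gate for a software-based network element.

Added example (not from the article or any vendor). Compares the sockets a
freshly deployed box is listening on against what its role is allowed to
expose, and renders a default-deny nftables input chain for that role.
"""
import re

# Hypothetical per-role allowlist of (protocol, port) pairs. Everything a
# deployed element listens on that is not here is treated as unexpected.
ALLOWED_LISTENERS = {
    "sdn-switch": {("tcp", 22), ("tcp", 6653)},                 # SSH mgmt, OpenFlow
    "sdn-controller": {("tcp", 22), ("tcp", 6653), ("tcp", 8443)},
}

# Constructed sample of `ss -ltun` output from a box whose general-purpose
# platform still has several default services listening (cups, rpcbind, snmp).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:6653        0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      128    [::]:111            [::]:*
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*
"""

# One data line of `ss -ltun`: netid, state, recv-q, send-q, local, peer.
# The header line starts with "Netid" and therefore never matches.
_SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+"
)


def parse_ss_listeners(ss_output):
    """Return the set of (proto, port) pairs present in `ss -ltun` output."""
    listeners = set()
    for line in ss_output.splitlines():
        m = _SS_LINE.match(line.strip())
        if not m:
            continue
        # The port is whatever follows the last ':' ("[::]:111" -> 111).
        port = int(m.group("local").rsplit(":", 1)[1])
        listeners.add((m.group("proto"), port))
    return listeners


def unexpected_listeners(role, ss_output, allowlist=ALLOWED_LISTENERS):
    """Listeners found on the box that the role's allowlist does not permit."""
    return sorted(parse_ss_listeners(ss_output) - allowlist[role])


def provisioning_gate(role, ss_output, allowlist=ALLOWED_LISTENERS):
    """True when the element may go into service; False when unexpected
    listening services must first be disabled or filtered."""
    return not unexpected_listeners(role, ss_output, allowlist)


def nft_ruleset(role, allowlist=ALLOWED_LISTENERS):
    """Render a default-deny nftables input chain admitting only the role's
    allowed listeners, loopback, and replies to established connections."""
    lines = [
        "table inet provisioning {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for proto, port in sorted(allowlist[role]):
        lines.append(f"    {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    role = "sdn-switch"
    extra = unexpected_listeners(role, SAMPLE_SS_OUTPUT)
    print(f"{role}: {'PASS' if not extra else 'FAIL'} unexpected={extra}")
    print(nft_ruleset(role))
```

On a real element the `ss -ltun` text would come from the box itself, and the gate would run as the final step of the provisioning procedure, refusing to hand the element over to operations until the report is empty. The rendered ruleset is the compensating control: loading it with `nft -f` means an unexpected service that survives, or is re-enabled by a later package update, is still unreachable from the network.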
It is not wise to rely entirely on firewalls, virus checkers, and policies and procedures. Today these form a "semi-permeable membrane" akin to our skin. Skin keeps out most invasive things but cannot keep out all of them, because humans need air and food, just as a Cellco needs customers and employees to survive. So the body also has a way of detecting harmful invaders and either quarantining or removing them. Cellco networks need the same capabilities. All too often, intrusions and infections are discovered only after a large segment of the network has been affected, and only then are manual efforts initiated. The resulting damage can be severe.
The Deutsche Telekom example cited above is a case in point. Deutsche Telekom should not be criticized but commended. Far too often, successful attacks are kept secret out of fear that releasing the information will damage the company or the reputations of the individuals involved in identifying and recovering from the attack. The cyber security industry has long advocated the release of attack information so that we, as an industry, can learn about the attack vectors and work together to protect ourselves. Unfortunately, this is a fight against human nature. Some have argued for government laws and regulations that force disclosure while providing anonymization, but that too has proven politically difficult. Some years ago it was estimated that only about 10% of the illegal drugs smuggled into the U.S. were caught, so one way to estimate the total quantity is to multiply the amount seized by ten. There may be a similar situation vis-à-vis Cellco cyber attacks: we can reasonably assume that there are far more attacks than are publicly reported.