1. The document discusses preventing loss of personal data on a mobile network by addressing technical attacks and risks. It defines personal data as customer information like names, locations, call records, and payment details that are processed and stored on network and IT systems.
2. Attacks on the mobile network, signaling infrastructure, radio access network, internet, internal networks and business support systems are outlined. Risks include hacking, fraud, and unauthorized access to or corruption of customer data. Controls proposed include firewalls, encryption, access controls, monitoring and security best practices.
3. Managing risks to personal data requires ongoing assessment, testing, monitoring and incident response as technologies and attacks evolve over time. Security must be applied across
"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin
1. Preventing loss of personal data on a Mobile Network
23.09.2017 / Oleksii Lukin / Head Of Information Security SubDepartment
Public
2. Introduction
• Lukin Oleksii
– Head of Information Security SubDepartment
• Scope
– Presentation focused on technical attacks on a Mobile network and its supporting infrastructure
– Does not look specifically at employee internal risks or social engineering attacks, both of which constitute significant risks for any organisation
3. Agenda
1. Definition of personal data in a mobile network
2. Mobile Network attacks & controls
3. BSS & Corporate Network attacks & controls
4. Key Message
4. Definition of personal data in a mobile network
Personal data is processed and stored on Network & IT Systems and falls into two groups:
Dynamic/Event data (Mobile Network & Corporate systems generated)
• Customer
– Location data (cell site, country)
– Usage records created for billing
– Call, SMS, MMS details (not content)
– Data usage
• Corporate
– Email
– Web browsing
Static data (Business Process generated)
• Customer
– Account type (e.g. pre or post-paid / residential or business)
– Name of customer
– Billing Address
– Payment details
• Employee
– Name
– Contact details
– Salary
5. Mobile Network Attacks - External
The diagram shows the external connections of the Mobile Network:
• GRX Network (used for roaming data traffic)
• Internet (used for data traffic)
• SS7/Diameter (used for roaming & interconnect signalling)
• Radio Access Network
• All areas of a Mobile Network are under constant academic study for new vulnerabilities that impact customer privacy
6. Mobile Network Attacks - External Signalling
Risks
• SS7 (2G-3G)
– Known attacks on the SS7 signalling network
– Abuse of the MAP signalling protocol
– Take advantage of external links to roaming partners
– Used for location tracking and call/SMS interception
– DoS on individual customer or network
• Diameter (4G)
– New protocol replacing SS7 in LTE networks
– Attacks similar to SS7
– Difficult to track origination as it uses hop-by-hop routing
• GRX traffic
– GTP protocol hacking
– DNS attacks
– Remote Call control
– DoS
Controls
• SS7
– Signalling firewall blocking all unauthorised MAP signalling traffic
– GSMA standardised controls
– Monitoring for abuse (SIEM)
• Diameter
– Signalling firewall
– GSMA standardised controls
– Implementation of Diameter Routing Agent/Diameter Edge Agent
– IPsec on external connection with IPX provider
– Monitoring for abuse (SIEM)
• GRX (called IPX in 4G)
– GTP protocol-aware border firewall
– DNS hardening
– White lists of valid roaming partners
– Use of a GRX/IPX hub provider
– Monitoring for abuse (SIEM)
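As an added example (not code from the presentation), the two SS7 controls above in Python: a signalling firewall rule set that drops unauthorised MAP operations, a whitelist of roaming partners, and a masked JSON event for every blocked message so the SIEM can monitor for abuse. The operation names, the Global Title prefixes and the reduced "internal-only" list are assumptions constructed for the example; a real signalling firewall decodes SCCP/TCAP itself and applies the full GSMA control set.

```python
import json
from dataclasses import dataclass, asdict
from typing import Optional

# Assumed: MAP operations a network should only ever see from its own elements
# (the GSMA FS.11 "Category 1" idea, reduced to three names for this example).
INTERNAL_ONLY_OPERATIONS = {"anyTimeInterrogation", "sendIMSI", "sendRoutingInfoForLCS"}

# Constructed roaming-partner whitelist keyed by SCCP Global Title prefix
# (country code + network code); values are labels used in the log lines.
ROAMING_PARTNER_GT_PREFIXES = {"49170": "partner-DE-A", "33600": "partner-FR-B"}

@dataclass(frozen=True)
class MapMessage:
    operation: str    # decoded MAP operation name
    calling_gt: str   # SCCP calling party Global Title (who sent the message)
    imsi: str         # subscriber the message is about

@dataclass(frozen=True)
class Decision:
    action: str       # "allow" or "block"
    reason: str
    partner: Optional[str]

def partner_for_gt(calling_gt: str) -> Optional[str]:
    """Longest-prefix match of the calling GT against the partner whitelist."""
    for length in range(len(calling_gt), 0, -1):
        partner = ROAMING_PARTNER_GT_PREFIXES.get(calling_gt[:length])
        if partner is not None:
            return partner
    return None

def evaluate(msg: MapMessage) -> Decision:
    """Rule 1: internal-only operations are blocked whoever sends them.
    Rule 2: anything else is allowed only from a whitelisted roaming partner."""
    if msg.operation in INTERNAL_ONLY_OPERATIONS:
        return Decision("block", "internal-only MAP operation on interconnect", None)
    partner = partner_for_gt(msg.calling_gt)
    if partner is None:
        return Decision("block", "calling GT not in roaming partner whitelist", None)
    return Decision("allow", "whitelisted roaming partner", partner)

def siem_event(msg: MapMessage, decision: Decision) -> str:
    """One JSON line for the SIEM; the IMSI is masked so the abuse log does not
    itself become another store of personal data."""
    masked = msg.imsi[:6] + "*" * (len(msg.imsi) - 6)
    return json.dumps({"operation": msg.operation, "calling_gt": msg.calling_gt,
                       "imsi": masked, **asdict(decision)})
```

Note that rule 1 blocks sendIMSI even from a whitelisted partner, while rule 2 lets a normal updateLocation through only when the calling GT matches the whitelist.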
7. Mobile Network Attacks – Radio Access Network
Risks
• 2G/2.5G
– Risks well known
– Man in the middle (IMSI Catcher) for accurate location and call/SMS interception
– Weaknesses in GPRS protocol
– Weakness in over-the-air encryption keys
• 3G
– Limited location attacks
• 4G
– Standard IP backhaul network open to eavesdropping of customer traffic
Controls
• 2G/2.5G
– Implementation of latest GSMA encryption algorithms
– Configuration of authentication and over-the-air encryption parameters
– Customer applications that can detect MITM attacks
• 3G
– Standard has improved encryption and network mutual authentication
– Configuration of authentication and over-the-air encryption
• 4G
– Use of IPsec to protect backhaul network
– Standard has improved encryption and over-the-air authentication
8. Mobile Network Attacks – Internet
Risks
• Same standardised Internet access for all radio technologies e.g. 2.5G/3G/4G
• DoS
– Customer
– Network elements
• DNS
– DoS
– Poisoning
• Products & Services (web)
– DoS, hacking & scripting on:
– Customer Portal
– Self service
– Products (e.g. Child location tracking)
Controls
• Border firewall
• DoS Protection
• NAT'ing
• Hardened DNS
• Web services
– WAF
– Code review & Testing
– Internal vulnerability scanning
• External vulnerability scanning
• Monitoring for abuse (SIEM)
9. Mobile Network Attacks – Internal
Risks
• Network & Service Delivery Elements
– Unauthorised access to customer information
– Ability to change customer service profile
• Note: Each network element or service delivery platform has differing risks and may or may not contain meaningful customer information
– e.g. GSM uses a temporary identity (T-IMSI) on some network elements to hide the customer's true IMSI
Controls
• Internal firewall between domains
• Strong access control policy
• Security Patch management
• Security testing
• Internal vulnerability scanning
• Monitoring for abuse (SIEM)
10. Business Support System (BSS) & Corporate Network
The diagram shows the BSS & Corporate environment connected to Remote Vendor Support, the Internet (email, Corporate Internet) and the Mobile Network.
• Mobile network generated event data is stored and processed in the BSS environment
• There is segmentation between corporate users and BSS platforms
11. BSS & Corporate Network Attacks – External
Risks
• Corporate Email
– Phishing
– Malware & Virus
– SPAM
– DoS
• Corporate Internet
– DoS
– Malware & Virus
– Hacking
– Fake sites
– Internal DNS
• Unprotected vendor access
– Unauthorised access to Network and IT systems
Controls
• Border firewall
– DoS Protection
• Hardened DNS
• External vulnerability scanning
• Anti-virus and Malware protection
• Security Patching
• Data Loss Protection
– Protects against internal fraud/abuse of customer information
• VPN, VDI, strong authentication for vendor access
• Monitoring for abuse (SIEM)
12. BSS & Corporate Network Attacks - Internal
Risks
• Billing & Charging Platforms
– Loss or corruption of charging event data
– Unauthorised access to customer information
• Customer Care
– Unauthorised access to customer information
– Unauthorised changes (fraud)
• Data Warehouse & Reporting Systems
– Unauthorised access to customer information
• HR Systems
– Access to personal employee information
• Network Support Systems
– Ability to monitor customer activity
– Unauthorised changes to customer's service
Controls
• Border firewall
– DoS Protection
• Hardened DNS
• External vulnerability scanning
• Anti-virus and Malware protection
• Security Patching
• Data Loss Protection
– Protects against internal fraud/abuse of customer & corporate information
• Strong access control policy
• VPN, VDI & strong authentication for vendor access
• Monitoring for abuse (SIEM)
13. Key Message
• Personal data is created and stored in the Mobile, BSS and Corporate networks
• Some areas of risk are harder to manage as they are reliant on
– Technology standardisation
– People
• Security should always be applied in layers with good basic principles
• Initial security assessment with continual testing and review
• 24x7 monitoring using a SOC (SIEM)
• Effective incident response process
Managing the risks to personal data is a continuous process as technology and the skills of the attacker evolve