textfiles/magazines/CHN/chn-0005.txt

                =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
                *  (CHN) Connecticut Hacker Newsgroup (CHN) *
                =              CHN News File #5             =
                *           an I.I.R.G. affiliate           *
                =               -=>Present<=-               =
                *       Planning of Telecom Security        *
                =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=


                PLANNING AND IMPLEMENTATION OF TELCOM SECURITY
                               By Paul A. Berth

         (Paul A. Berth is a commercial sales and marketing manager 
                  for AT&T Secure Communications Systems.)
   

 Implementing a telecommunications security plan is a major project for any 
corporation.  The stakes are significant.
It requires a high degree of cooperation among the security, telecom and 
information systems staffs as well as end users.
It involves complex technology, much of it new and unfamiliar, as well as 
significant capital investment.
 The project also may require management and political skill for more than 
interdepartmental coordination. The need for telecommunications security has 
limited acceptance in most companies.  Even among managers who recognize the
need, it may not receive a high priority, except in case of an emergency.  
A lack of cooperation can result in delays in getting information and 
resources, extending your project cycle and ultimately raising the cost.
 One factor on your side is need.  The volume of information communicated over 
telephone, fax and low-speed data lines daily is high for virtually any 
company.  Not everyone in a company typically requires a secure line, but the 
need exists wherever you transmit proprietary, confidential or sensitive 
information.
 The first step is to assemble a team representing all constituencies involved.
Telecommunications typically involves responsibilities shared by the telecom 
and IS departments.  End-users need to be represented as well.  The corporate
security staff must be involved, even if its role in a particular company has 
been traditionally oriented toward physical security.  The security aspects of 
all information systems are increasingly critical;  if your security staff 
isn't already involved with them, telecom security is an excellent place to 
start.
 The nature of the issue, cutting across organizational lines, puts a premium 
on clearly designating a project leader, preferably one with the clout to 
resolve turf issues and other problems and to gain top management's backing for
a solution.  Once a firm schedule, responsibilities and a budget have been 
determined, phase one of the project is to assess the current telecom 
environment.
 Surveys of three areas are required to fully Understand your 
telecommunications security needs: your infrastructure, sensitive information 
and vulnerabilities.
 First, look at the equipment you have and the links you use.  Identify both 
the physical elements of your systems and your procedures.
Realize from the start that an absolutely complete inventory may be impossible;
many companies have experienced an uncontrolled proliferation of fax machines,
local area networks, modems, communications software and other equipment.
If you try to track everything down, you may never finish. One productive 
approach may to sectionalize your project, prioritizing the various 
departments.
 Telephones, cellular fax machmes, modems, LANS, voice mail, E-mail, and a PBX 
are typical elements of a corporate telecom environment.
The networks you use may include the public switched telephone network,
a cellular network, tie lines and other leased lines and microwave links.
 Next, determine where in your company sensitive information exists and what 
applications are involved in communicating that information.  Research and 
development, finance, marketmg, human resources and legal departments typically
handle proprietary or sensitive information.  Concentrations of sensitive 
information develop in places specific to particular companies and industries.
For a bank, the hiighest priority may be customers' financial information; for 
a pharmaceutical manufacturer, research and development; for a packaged goods 
manufacturer, marketing.
 Determine with whom the information is being communicated. A defense 
contractor might share the most sensitive information with its government 
customer, while a bank would need to protect links between offices as well as
links to its competitors for fund transfers.
 What offices, conference rooms, laboratories or other locations are used when
communicating confidential information?  Your secure communications 
requirements may extend beyond your own offices and organization.  If your key 
executives deal with sensitive information when working at home or on the road,
portable security may be required.  If you regularly discuss confidential 
information with outsiders, you'll require compatible security systems.
 Most companies don't need to secure 100 percent of their telecommunications.
Determine what information requires protection Under law, such as personnel, 
financial or medical information.  And decide just what sensitive information 
has real value to your adversaries and what information could jeopardize your 
competitive position.
 At this point you're ready for a vulnerability analysis.  What is the level of
the threat, and where does it come from?  What damage are your adversaries 
capable of doing to you?  What systems could they attack?  What information 
would they seek?
 There are two types of attacks: passive and active.  Passive involves simply 
listening, tapping a line and picking up valuable information as it is 
discussed, faxed or transmitted in a data file.
 Such attacks can be difficult or impossible to detect until their effects 
suggest that critical information is leaking out of your organization - a 
competitor consistently beating you to market, underbidding you or preempting 
your marketing plans, for example.
 Active attacks involve actually breaking into a system.  The purpose may be 
to steal information, in which case the attack may be surreptitious.  The 
intent could be more obvious: to damage the system, destroy information or 
hijack the system, taking it over and using it to make unauthorized 
long-distance calls, disrupt voice mail or cause other havoc,
 Consider the particular vulnerabilities of your systems.  Hackers have 
exploited dial-in access to computers and voice mail in very damaging ways.  
Cellular phone calls are especially vulnerable to both passive and active 
attacks.
 Once YOU understand your telecommunications environment, the second phase of 
your security project is putting it out to bid and selecting a vendor.
 Depending on the scope of your needs, you may need more than a single vendor.
If your concerns include your PBX, voice mail and cellular phones, you might 
do well to go to your vendor for each system. PBXs and voice mail system 
typically are designed with at least some security functionality.  Privacy 
services are available for cellular telephones.
 Some manufacturers and dealers can provide the full range of solutions for 
end-user equipment.  Retrofit security products are available for telephones, 
fax machines, modems, some cellular phones and computer hardware.  Secure 
telephones, fax machines and modems are available with security capabilities 
built in. Software programs can provide encryption and other security functions
for data transmitted from computers and carried in laptops.
 Qualifications for your supplier should include professional personnel and the
ability to do more than simply sell you a box.  Whether you go with a 
communications security dealer, buy directly from a manufacturer or work with 
your existing telecom vendor, your security needs require specialists.  
Communications security is as technical and complex a field as any in security.
Make sure your vendor has the expertise (and commitment) to advise you 
throughout the project and, afterward, to support you and service your 
equipment.
 No matter how complex or broad your security requirements are, you should 
expect a solution that provides both strong protection and ease of use.  Some 
systems can operate transparently to the user, but even those that require a 
degree of user involvement should be simple to operate, free of complicated 
procedures and extensive training requirements.  And they should not negatively
impact the performance of your system, whether it's telephone voice quality, 
time required for a fax transmission or computer response time on your LANS.
 As with any security system, a high priority in protecting your 
telecommunications is selling top management on the need for and value of the 
investment you're asking them to make.  But gaining buy-in from end users is 
even more important in telecom security than in many other areas of security.
 Unlike access control or surveillance systems, for example, many aspects of 
telecom security actually are operated by the end user.  Not all solutions can 
function automatically, or even need to. A researcher might use the same phone 
to discuss product test results with a product manager and to order lunch, 
which would require the ability to implement security for one call while 
operating in the clear for other calls.
 Thus, implementation requires not only acquiescence, but also active 
cooperation from users.  Depending on the overall security environment of your 
company, you may have to actively raise awareness of security issues in 
telecommunications, an area widely subject to being taken for granted by end 
users.  That awareness is required for successfully establishing procedures on 
how and when to implement security wherever its operation isn't automatic.
Training may be required in some cases, though most telecom security solutions
are simple to use.
 Similarly, installation generally is not a major consideration in securing 
systems already in place.  Hardware and software solutions alike typically are 
compatible with your existing standard systems.  A complicated and intricately 
planned flash cut isn't usually required; security can be added and activated 
as it is installed.
 If you already have a mandate from the top to secure your telecommunications,
congratulations.  Selling the decision makers on the need for security can be 
difficult in a company whose communications aren't known to have been attacked.
 Nevertheless, the damage already is occurring.  Unprotected telecom systems 
are open door to corporate spies of all stripes: competitors, foreign 
governments and even opportunistic third parties. (The Japanese phone giant 
NTT reportedly monitors international faxes and sells the contents to 
interested Japanese companies.)
 Many nations are linking their national security to economic security, and 
they're turning their intelligence agencies away from military and political 
duty to economic espionage.  Foreign intelligence agencies are widely reported 
to have targeted General Electric, Texas Instruments and Corning.  Hughes 
Aircraft pulled out of a major European air show after the host country 
targeted U.S. aerospace firms for spying at the show.
 Such adversaries have many ways of getting information from you.  
Vulnerabilities in telecommunications systems, especially those connected to 
computer systems, can be especially damaging.  The resources you need are 
easily available once you know your requirements.  With the right mix of 
interdepartmental cooperation and commitment, from both end users and senior
management, your corporation can make its communications systems even more 
costly and difficult to penetrate than traditional physical points of attack.