This was the industry view 2 years ago. In light of the technological advances that have been made in the last 2 years regarding the profileration of packet-switched voice traffic I'm interested to see what the community thinks. Let's face it as the industry moves towards a more converged state, we haven't even really begun to consider the security implications that present themselves in this new enviroment. -Scott On Sun, 10 Mar 2002, Sean Donelan wrote:
IV. SS7 SECURITY ISSUES
Dave Henderson (SEVIS Systems) gave a presentation entitled, "Public Switched Network is Now Really Public (Attachment 4)." Dave noted he has spent a number of years working in information warfare and protection. He noted that his work addresses issues on network security and open network connection.
Points Noted
10. Dave noted there are concerns with reliability of equipment. He noted that while the PSTN was formerly relatively closed, it is now wide open.
11. Dave noted in the past, the internet was relatively safe; however recent events have opened security issues while teaching vulnerability lessons. He noted that with an increase in network users, there is also an increase in vulnerabilities identified by users and decreased ability to control the network.
12. Dave reviewed the emerging threats to the PSTN. He noted the cost resulting from fraud is presently $12 billion and growing. With the rapid development of technology, there is less time for adequate testing. He noted that the quality of intruder tools is improving and they are becoming more available. He further noted hacker magazines are writing SS7 articles.
13. Dave reviewed some of the major threats to individual networks. Among these he noted theft of SS7 service (calling card numbers, wireless fraud and rerouting of call traffic) and denial of service.
14. Dave noted the solutions that are presently available for addressing security issues are inadequate. He noted the present gateway screening capabilities are unreliable, there is no standard security guideline for interconnection, there is a progressive skills gap, and there is currently no mechanisms to control or authenticate traffic on the network.
15. Dave noted the networks are very fragile with a tremendous number of vulnerabilities.
16. Dan noted if the network was compromised by a problem caused by a new piece of equipment, this could be devastating to a company's reputation.
17. Dave noted in order for convergence to take place interoperation with different transport and signaling technologies is imperative.
18. Dave noted the industry needs to be more proactive in addressing the security issues in order to avoid having the government impose mandates and to ensure the US is protected from information warfare attacks that could result in the draining of bank reserves and the cutting off of power sources.
19. Dan noted that like interoperability testing, security testing discoveries provide insurance against issues that arise. Unfortunately, until problems arise, people are not quick to act.