1Telstra in Confidence

Managing Security

for our

Mobile Technology

2Telstra in Confidence

Security Management Purpose

• Protection of Assets

• Protection of Services

• Prevention of Fraud

• Overall protection of revenue

3Telstra in Confidence

Content

1. Physical Security

2. Infrastructure Security

3. Responding to Emergencies

4Telstra in Confidence

PhysicalBase stationsData centresNetwork sites

Network/Platform InfrastructureServersRoutersFirewalls

Two Areas of Security

5Telstra in Confidence

Corporate Strategies – Physical Security• Managed access

– Managing who has the right to access• Security monitoring

– Monitoring priority sites through cameras and electronic access

• Fences, keys, alarming– Securing the perimeter to prevent

access• Site security auditing

– Ensuring compliance to security policy• Guard monitoring

6Telstra in Confidence

The Infrastructure Security Posture

ATTACK

WORM

WORM

WORM

Every Way In

WORM

WORM

7Telstra in Confidence

Corporate Strategies – Infrastructure Security

• Establish security policies

• Security alert methods

• Dedicated centre of excellence for IT/IP security mgt

• Vulnerability management processes

• Security incident management processes

• Intrusion detection

8Telstra in Confidence

Today's Organizational IssuesManagement of Infrastructure

Security• Increase of skills in hacking and

fraudulent tools and techniques• Protecting what you don’t know

(understanding the risk)• Cost of managing security• Ability for organizations to act• Complexity of our infrastructure• Increasing identification of

vulnerabilities• Recognition and support by senior

management of security management

9Telstra in Confidence

Defense in Depth

• Protect at all levels

• Focus on depth in setting up defense

• Apply security technology at all layers

• Apply security principles and processes at all layers

10Telstra in Confidence

Code Red PropagationJuly 19, midnight - 159 hosts infected

11Telstra in Confidence

Code Red Propagation (cont’d)July 19, 11:40 am - 4,920 hosts infected

12Telstra in Confidence

Code Red Propagation (cont’d)July 20, midnight - 341,015 hosts

infected

13Telstra in Confidence

Technical knowledge required

Threat Capabilities:More Dangerous and Easier to Use

Sophistication of hacker tools

Packet Forging/ Spoofing

19901980

Password Guessing

Self Replicating Code

Password Cracking

Exploiting Known Vulnerabilities

Disabling Audits

Back Doors

Sweepers

Sniffers

Stealth DiagnosticsHigh

Low 2000

DDoS

Internet Worms

14Telstra in Confidence

Type of Crime 2002 2003

Unauthorized Privileged Access $ 106K $322K +300%

Financial fraud $ 807K $3.5M +430%

Telecommunications Fraud $ 101K $415K +410%

Web Defacement $ - $58K -Denial of service $ 181K $397K +220%

Virus, Worm, Trojan Infection $ 891K $2.2M +245%

Unauthorized Insider Access $ 145K $262K +180%

– TOTAL $ 2.2M $7.1M +320%

–Compare this to the cost of implementing a comprehensive security solution!

Cost of Poor Security

Source: 2003 Australian Computer Crime and Security Survey

15Telstra in Confidence

Responding

to

Emergencies

16Telstra in Confidence

Business Continuity Plans

• Business Continuity Plans have been developed for all our strategic sites, Internet Data Centres, and Melbourne and Sydney cable tunnels.

• Generic Site recovery Process developed for 410 sites and is generic enough to apply to all sites.

• Critical processes and applications used to support the processes have:– Business Continuity Plans

– Application Recovery Plans

– Infrastructure Recovery Plans

17Telstra in Confidence

Blackout 2003 Scenario in Australia

• All category 1 and 2 sites have Emergency Power Plant

• Sites which do not have Emergency Power Plant would run out of battery reserve over a varied period of time

• Portable generation equipment would not be viable in this scenario due to demands by other community groups and the likelihood of theft.

• Business Continuity Plans applied to protect services

• Initiate Serious Incident Mgt Process

18Telstra in Confidence

Example - Responding to Fires, Floods, etc

The Key is Process

How it would work - Example• Centralised Serious Incident Mgt Team• Sites in affected area monitored• Situation monitored• Distribution of resources• Appropriate activities commissioned• Centralised, national command and

planning activities

19Telstra in Confidence

Conclusion

• Mobile’s Infrastructure Security mgt expands across both Physical and Logical aspects

• Corporate strategies to address the growing complexity of security risk in infrastructure

• Key to any Security or Emergency mgt – Is its management processes

• Focus on the management of Security Risk with prevention as the priority