Vodafone Security Report
1. Executive Summary
The purpose of this security report is to perform a security analysis based on risk assessment and company needs, as they result from the information that was gathered during the security evaluation. This report will help the company to update and maintain its security policies and controls at the appropriate or required level, identifying possible risks and threats from existing vulnerabilities that may allow company systems to be compromised. Implementing all the security measures stated in this report will help the company to maintain the Integrity, Confidentiality, and Availability of its information, which is the most significant asset of the company. This report also defines the action plan of the project, under which all the proposed security measures shall be implemented.
The company has a lot of assets spread across various sites around the country. All assets have to be secured properly in order to avoid threats that result in potential business impact and public embarrassment for the company. Since the company's most valuable asset is information data, it is proposed to focus mainly on the security of this asset. Security, though, does not cover only specific parts of the company. All the departments must comply with security policies and all the employees must follow security procedures and controls in order to succeed in maintaining a high level of security within the company.
The report will focus on three key assets of the company that process and store a lot of critical information. These three assets are the database systems, company workstations, and network elements. Maintaining a high level of security in these assets is necessary for the company in order to ensure business continuity in case of an emergency. This report presents security measures for each asset, with which everyone inside the company must comply.
2. Detailed Analysis
2.1. Company Analysis
Vodafone S.A is the second biggest mobile operator in Greece, and one of the most widespread and well known brand names all around the world. Although it is a large scale company with a vast amount of assets, the key asset of the company is information. Since the company does not sell anything other than plain air, its major asset is information data. This information can vary from customer information data, charging information data, credit card details, marketing plans, customer campaign data, employee information, and many more. All this information, which can be in various forms such as verbal, electronic, or printed, must be kept safe inside the company and must be protected securely in order to keep confidentiality, availability and integrity at the appropriate levels.
In more detail, confidentiality of the information means that all the company data is stored securely and accessed only by authorized personnel in order to avoid data leakage from inside the company or even from outside threats. Keeping confidentiality at the appropriate security level will give the company the required public confidence, since customers are aware that their personal information is kept inside company servers and their phone conversations are routed through company systems. Problems with confidentiality can bring various security risks, such as leakage of customer personal information or credit card details, that can result in losing customers, lead to revenue losses, and give the company a bad public reputation.
The next property that must be secured is the availability of information. Availability of the information will ensure that authorized users have access to the data whenever they require it. Loss of availability can be catastrophic for the company since the employees will not be able to carry out their jobs appropriately, which brings process delays followed by unsatisfied customers, and finally revenue losses.
Finally, the integrity of the information shall also be secured in order to ensure the accuracy and thoroughness of the information. Problems with data integrity can result in various security issues such as alteration of customer charging files.
Since Vodafone is quite a big company with a lot of different departments, infrastructures, and job roles, it is not possible to cover every aspect of security within this security report. For that reason the report will emphasize only some of the key elements of the company where security is believed to be critical. The following diagram demonstrates a simplified form of the company structure.
The IT department is responsible for all the computer software and hardware of the company as well as the information which all these systems process and maintain. In more detail, the software assets can vary from information data that is stored on disks (customer & employee data), program licenses, development code or scripts, databases, backup information data and other. On the other hand there are hardware assets such as workstations, servers, cabling, routers, switches, printers, and fax machines.
The Network department is responsible for all the network elements of the company. These assets include network equipment such as Mobile Switching Centers (MSC), Home Location Register (HLR), Base Stations (BS), Multimedia Message Gateways (MMMS) and other equipment that supports the core network functionality in order to maintain the operational procedure of the company and allow clients to dial phone calls or use network services.
Marketing / Sales Department
This department is divided into two smaller departments, but they are put together because of their collaboration. The critical process of initiating campaigns and advertising new products in conjunction with company sales requires both departments to work together in order to achieve the best results. Assets of this department are all documentation of projects related to new products or services that are going to be launched in production, trade secrets, marketing and advertising campaigns, or even posters.
The security department is responsible for keeping all the company assets safe. This is achieved by publishing policies and procedures that employees must follow, by defining security controls and requirements that ensure asset confidentiality, and finally by performing system audits and risk assessments in order to identify risks and vulnerabilities and suggest measures. This department also includes a physical security section which is responsible for the physical security of the company, such as access to buildings, use of access control, closed circuit cameras, and other issues related to physical access.
2.2. Risk Assessment
In this section a risk assessment will be presented including some of the company key assets that are critical for the business process. The risk assessment will be carried out with the use of measures such as likelihood, impact, and risk value as indicated in the following tables.
- Very Low: An event that is highly unlikely to occur, if ever
- Low: An event that is unlikely to occur, perhaps once every 3 years
- Medium: An event likely to occur relatively infrequently, perhaps once a year
- High: An event that is fairly probable, and could be expected to occur several times a year
- Very High: A highly likely event that could reasonably be expected to occur at least every month or more frequently
Database Systems
The main asset of the company is information, which as mentioned earlier relates to every part of the company, such as client personal data, billing data, and employee data. All this information must be stored and processed with the use of database systems. The following figure presents the parts of an asset such as the database system.
The database system consists of two different parts: a hardware part, which is the database server, and a software part, which is the operating system that includes the DBMS and the actual database. Because the company makes use of a lot of different platforms, the operating system used can vary from one system to another according to each system's needs and requirements.
Most servers use Linux flavors as operating systems, although there are also Windows servers deployed. All the databases installed on company systems are purchased from Oracle since the company has signed a support contract with this vendor.
The table above lists various threats and the system vulnerabilities they exploit in order to compromise the security of the system. The following section provides a more detailed description of each type of threat and the vulnerability which may exist.
Because database systems and databases in general constantly process a lot of information from employees or automatic queries, temperatures rise inside the systems. This, combined with the ambient temperature inside or outside the server room, especially in the summer months, can become catastrophic for servers and their stored data.
Likelihood: The possibility of this threat is very low because servers are kept inside computer rooms with ventilation and air-conditioning equipment that keeps the temperature within the appropriate operational levels.
Impact: The impact in this case will be high since a failure in database systems can cause serious service disruption and financial losses. Customer data, revenue data, or other data stored inside database servers may be lost.
Risk Value: The risk value is 6 because the likelihood of this threat is relatively low, since servers provide alarm & notification capabilities when in danger and they are also placed inside computer rooms with ventilation and air-conditioning systems that keep the temperature stable.
Another threat caused by natural causes is dust. Keeping database systems in a room without protection from humidity, dust, and dirt is not recommended. Dust can damage the systems since the machines work 24/7 throughout the year, constantly, for many years.
Likelihood: Very low possibility for this threat since database systems are usually kept within computer rooms with no windows and limited access in order to avoid this kind of threat.
Impact: Low because the potential business impact will be limited to a short disruption of operation.
Risk Value: The risk value will be 1 since the likelihood of this threat is really low with the current hardware implementation.
Another issue which can become a threat is maintenance error. Keeping machines insufficiently maintained in order to keep costs low or to use the budget for other equipment is not recommended. A maintenance error can completely ruin the system and, in cases where there is no secondary support server or backup equipment, it can lead to service failure.
Likelihood: The possibility of this threat is low because systems are scheduled for maintenance according to vendor instructions at predefined periods of time. There remains a scenario where instructions are not followed by an employee, which may lead to system failure.
Impact: The impact is medium for this threat, since it can lead to business efficiency problems because of the system downtime.
Risk Value: The risk value is 4 since usually there is secondary equipment that supports the continuity of the system in case of primary system failure.
Masquerading user identity
This type of threat is basically similar to the previous one. The only difference is that it is triggered by mistakes in the security implementations of the system. Keeping password tables unprotected and imposing poor password management policies are common mistakes that allow people who want to harm the company to gain access to the systems.
Likelihood: Because the number of different systems and the total number of employees are large, it is difficult to maintain a tight password management security policy for all systems.
Impact: The impact of this threat will be financial loss, and it will probably affect relations with customers or shareholders if private information is leaked and published to the public.
Risk Value: The risk value of this threat is 6 because some of the company systems make use of old software versions that support poor account management.
Use of software in an unauthorized way
This specific type of threat primarily relates to company employees. Failing to log user actions and to store an audit trail for every system access can allow users to profit personally from company assets, for example by selling information about company clients to another company, or by selling or viewing phone calls or other personal information.
Likelihood: The number of company employees is large, which increases the likelihood of this threat.
Impact: The impact for the company will be the loss of trust from the customers, and also a breach of legal obligations regarding the privacy of customer data.
Risk Value: The risk value of this threat is 6 because some systems do not log user actions and can allow employees to execute queries on company data without any risk of being found.
Company Workstations
All the employees or external associates working for the company make use of workstations, which can be desktop or laptop computers. These workstations are spread across Vodafone premises and provide access to various company systems. Employees log into workstations with the use of personal credentials that are managed by Active Directory. Security policies regarding password complexity, password policies, and access privileges are defined there, and accounts are provided to every employee according to their job role and their need for access to systems across the company network. The following table indicates some of the major risks concerning company workstations which can compromise the security of the systems.
The threat of malicious software is one of the most common threats for every workstation inside the company network. If the company workstations do not use an antivirus, or the current antivirus is outdated, this threat is probably going to succeed in the near future. This threat can become doubly costly in the case where there is no back-up solution after the workstation infection.
Likelihood: The possibility of this threat occurring is high because the number of employees is large and not all of them are aware of the dangers of malicious software.
Impact: The impact will also be high, because if the malicious software is spread across the network, it will cause serious service disruption.
Risk Value: High risk value of 12 for this threat, because laptop equipment is not updated regularly with security patches and antivirus updates.
Use of software by unauthorized users
Vulnerabilities caused by company employees can also become a threat for the company. Leaving the system without logging out after use can lead to unauthorized access to the system.
Likelihood: Low likelihood for this threat since users are aware that they should lock or log out when leaving their workstations, and an enforced policy is also used to lock workstations after a predefined inactivity period. Also, access to workstation offices is limited to company employees and 3rd party associates.
Impact: The impact of this threat is medium. If unauthorized users gain access to company workstations and their software, they get the possibility to communicate with other network systems that may store sensitive company information.
Risk Value: The risk value of this threat is 3 because of the reasons stated above.
Use of data by unauthorized users
The threat of data re-usage is also very common and only a few people are aware of it. Even fewer perform a proper data erasure in order to delete any trace of their data.
Likelihood: Medium possibility for this threat since a lot of digital storage devices are transferred inside the company by users who are not aware that a simple delete does not completely erase all existing data.
Impact: The impact is low because the storage capacity of these devices is relatively small compared with normal workstations.
Risk Value: The risk value of this threat for the company is 3.
Loss of power can become an issue for the company in cases where there is no back-up or temporary back-up solution, such as a generator or UPS, to keep the machine running in order to save the project currently being worked on.
Likelihood: Because the total number of workstations is relatively large, the likelihood of this threat is medium.
Impact: The impact is low since workstations store only current employee data.
Risk Value: The risk of this threat is 3.
Theft of company equipment, and especially laptops, is a major threat for the company. Employees who travel a lot, or whose job role requires them to be on the move all the time, do not have desktop workstations but use company laptops to carry out their work. These laptops probably store critical company information and software which provides access to various company systems where sensitive information is stored.
Likelihood: Since the number of workstations, and especially laptops, is relatively large, the possibility of theft is high.
Impact: The potential impact of this threat is medium. It can cause some minor embarrassment to customers if sensitive information is leaked.
Risk Value: The risk value of this threat is 8.
Network Elements
Vodafone network elements such as Home Location Registers, Mobile Switching Centers, and Base Stations play a significant role in the lifecycle of the company.
These elements provide all the communication between the company's clients, since mobile conversations are carried out through them. Because they are so important, network elements must work all the time under any conditions and without any downtime, so they must be resilient against any case of failure or attack. The network department is responsible for the operation and security of these assets.
Failure of communication services
This is another major threat for the company with a high risk value. Having vulnerabilities such as a single point of failure in the company network can lead to total network downtime and loss of communication between network elements.
Likelihood: The possibility of failure of communication services in such a large scale company as Vodafone is relatively high. Since the company network is so widespread all around the country, and there are various types of connections with different link types, a failure in the communication between the elements is always possible.
Impact: The impact of such a failure will be high because it will cause serious disruption in operation of the network. Clients will not be able to dial calls, resulting in financial loss and bad reputation to current and future clients.
Risk Value: High possibility and also high impact raise the risk value of this threat to 12. Communication services are a vital part of the company assets and must be operational at every cost.
Hardware failure is as crucial as the failure of communication services. If network element equipment fails, such as a Base Station for example, a lot of company clients will lose network connectivity and will not be able to be served by company equipment.
Likelihood: The possibility of hardware failure is high, because of the amount of equipment that is used to provide services all over the country. Any type of equipment may malfunction at some point.
Impact: The impact again will be high, for the same reasons mentioned in the previous threat.
Risk Value: The risk value for this threat is also 12.
Theft is another threat that could happen but the possibility is really low. Because the company equipment is relatively expensive, it is usually kept safe with the use of alarm systems, closed-circuit television (CCTV), and finally guards.
Likelihood: The possibility of this threat is low and it is likely to occur in isolated areas.
Impact: The impact is also low due to the fact that replacement equipment exists, so the only problem will be service disruption for a short period of time in the specific area where the equipment was stolen.
Risk Value: The risk value for this threat is 2.
Although this specific threat has high potential business impact, it is very unlikely to happen because the communication between the network elements is encrypted.
Likelihood: The possibility of this threat is very low since the equipment able to exploit such vulnerabilities is limited.
Impact: The impact, on the other hand, will be high in case of eavesdropping, which could affect relations with customers and bring serious public embarrassment.
Risk Value: The risk value for this vulnerability is 3.
Network access by unauthorized users
This specific threat is very critical for the company. A few years ago the company suffered widespread embarrassment all around the world when the security of its systems was compromised and client conversations were intercepted.
Likelihood: The possibility of this event occurring is low. It may not happen again to the company since a lot of measures were taken after the previous incident.
Impact: The impact of a second interception incident will of course be very high or even devastating for the company. It could even lead to the organization being closed down.
Risk Value: The risk value of this specific threat is 8.
This section analyzes the measures which exist or should be taken in order to increase the level of security in the company.
Database Systems Measures
Measures shall be assessed and delivered by Database and Server Administrators, Network Administrators (IT and Network Department), and also by the Security Department.
- All database systems must be placed inside computer rooms where air-conditioning systems are deployed.
- Database systems must be configured to shut down properly after reaching critical temperature levels.
- Software shall be installed that will notify stand-by administrators in case of an emergency caused by extreme temperatures.
- Database systems must be placed inside computer or server rooms with limited access.
- Computer rooms should not have any windows and should not allow air to come from outside.
- Ventilation and dust removal machines shall be placed inside these rooms.
- Secondary available preconfigured equipment must exist for all critical systems in case of primary system failure or other emergency incident.
- Back-up of all software shall be taken at least once per day.
- Back-up media (e.g. tapes) shall be stored at off-site premises in order to support business continuity.
Masquerading user identity
- Default passwords in the operating system and the database shall be changed.
- Default users and roles that are not used shall be deleted.
- All the services that are running from the database shall not run with administrator access privileges and services that are not required shall be stopped.
Use of software in an unauthorized way
- Logs shall be kept for system access and actions performed in the system, starting from the login process and ending with logout process, both on Operating System and Database. These logs shall be stored on another machine, preferably a Log Server in order to be kept for additional analysis.
Company Workstations Measures
Specific measures should be adopted by all company employees. The IT Department and the Security Department will be responsible for deploying the security measures.
- Company employees must not have administration access to their workstations.
- An enterprise antivirus solution shall be installed, with a client on every workstation and a centralized, automatic, periodic update procedure.
- Patches and updates for every application or operating system shall be installed by administrators remotely after testing them first.
- Use of external storage devices shall be prohibited.
Use of software by unauthorized users
- Access to company software must be done with the use of personal employee accounts. Group accounts should be avoided.
- Sessions must timeout after 30 minutes of inactivity.
- All company users, including managers and directors, must be aware of company's security policies and procedures. Awareness seminars and presentations by Security Department should be performed regularly.
Use of data by unauthorized users
- Proper erasure must be performed by the Security Department on each storage medium that is not currently in use and was used to store sensitive company information.
- A Data Leakage Prevention system shall be installed on every workstation in order to avoid accidental or intentional leakage of company information.
- Power generators shall be installed in every building in order to supply workstations with power in case of power failure.
- UPS-connected power sockets shall be placed in every room where workstations are to be connected, in order not to lose work in case of power fluctuation.
- Users should save their files on network file storage instead of their workstations in order not to lose their work in cases of theft.
- Laptops shall not have direct access to the company intranet, but access through a Virtual Private Network (VPN) with the use of credentials.
- Laptops shall not have the ability to copy any information data from company network to the laptop hard disk or other storage media.
Network Elements Measures
The following network security measures are proposed for Network Elements. Tasks must be performed by the Network Department in collaboration with the Security Department.
Failure of communication services
- All connections between network elements must have a secondary communication option, for example secondary microwave links or terrestrial leased lines.
- Communication services shall be monitored constantly in order to identify and repair immediately any malfunctions.
- Emergency hardware shall be available for every network element of the network. In case of hardware failure, the service shall be provided with the use of emergency equipment in order to avoid service downtime.
- When there is no emergency equipment available, test systems shall be used.
- Access control systems shall be deployed at every entrance leading to areas with company sensitive equipment.
- Alarm systems shall be installed at every building.
- All connections between network elements shall be encrypted.
- Outside access to the systems shall not be available.
Network access by unauthorized users
- Ports that are not being used shall be closed.
- Secured protocols shall be used whenever they are easily deployable and possible (for example Secure FTP instead of FTP, SSH instead of telnet, HTTPS instead of HTTP).
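The two measures above can be checked on a server by auditing its listening sockets. The following is an added example, not part of the original report: it parses constructed `ss -tlnH` output, maps ports 21, 23 and 80 to the replacements the report names, and flags listeners outside a hypothetical `REQUIRED_PORTS` allowlist. Identifying a service by its port number alone is an assumption.

```python
# Cleartext services named in the measure above and the replacement it gives.
# Assumption: the service is identified by its well-known port number only.
CLEARTEXT = {21: ("FTP", "Secure FTP"), 23: ("telnet", "SSH"), 80: ("HTTP", "HTTPS")}

# Constructed sample of `ss -tlnH` output (listening TCP sockets, no header row).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 [::]:23 [::]:*
LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:1521 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
"""

# Hypothetical allowlist: the ports this host is documented to need
# (here SSH and the default Oracle listener port).
REQUIRED_PORTS = {22, 1521}


def parse_listeners(ss_output):
    """Return (bind_address, port) for every LISTEN line in `ss -tlnH` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip blank or malformed lines
        # The local address is the 4th column; split on the last ':' so that
        # IPv6 addresses such as [::] keep their own colons.
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr.strip("[]"), int(port)))
    return listeners


def audit(listeners, required):
    """Return (port, bind_address, action) findings, ordered by port."""
    findings = []
    for addr, port in sorted(set(listeners), key=lambda l: (l[1], l[0])):
        if port in CLEARTEXT:
            old, new = CLEARTEXT[port]
            findings.append((port, addr, f"replace {old} with {new}"))
        elif port not in required:
            findings.append((port, addr, "not required: close"))
    return findings


if __name__ == "__main__":
    for port, addr, action in audit(parse_listeners(SAMPLE_SS), REQUIRED_PORTS):
        print(f"{addr}:{port}  {action}")
```

A cleartext port is reported even when it is on the allowlist or bound to loopback, so the reviewer decides whether the binding is acceptable.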
2.4. Security Policies
The following section of the report states the policy that shall be used for every asset stated in the previous sections.
Policy for logical access to company systems
- All users must use their personal credentials in order to gain access to the systems.
- Credentials must be provided to the employee on the day he/she is recruited and must be removed on the day he/she leaves the company.
- Credentials are personal and it is not allowed to share them with any other employees.
- Every employee must have only the required access to each system that is needed to carry out his/her work.
- Passwords must be changed regularly (enforced by the system) and must be combined with complexity rules.
Policy for back-up procedure
- For every system, database, or workstation, a back-up must be kept that includes all configuration files and other sensitive or required information.
- Periodic back-up must be done to every critical system according to a predefined schedule.
- All back-ups must be stored on securely encrypted storage media.
- Back-up media must be kept off-site and stored securely in order to support the business continuity plan in case of a major destruction.
- Back-up data must be kept for predefined periods of time according to company policy or specific country laws.
- Back-up data shall be tested in order to verify their correctness in case a restore procedure is required in an emergency situation.
Policy for password management
- Access to every workstation, system, database or other equipment must be provided with the use of passwords.
- Passwords must be at least 8 characters long and must contain a special character and uppercase letters.
- Passwords for every system must be changed after 3 months of use or else must be locked.
- Passwords are private and must never be shared between employees.
- Passwords shall never be shared unencrypted through the network.
- No hard-coded passwords should exist inside program code or scripts.
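The password management rules above can be expressed as checks that run at password change time, in a periodic account review, and over scripts. This is an added example, not part of the original report; the reading of "special character", the calendar-month expiry with month-end clamping, the pattern used to spot hard-coded passwords, and all sample data are assumptions.

```python
import calendar
import re
from datetime import date

MIN_LENGTH = 8       # "at least 8 characters long"
MAX_AGE_MONTHS = 3   # "must be changed after 3 months of use or else must be locked"


def complexity_violations(password: str) -> list[str]:
    """Return the policy rules a candidate password breaks (empty = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    # Assumption: "special character" = not a letter, digit or whitespace.
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no special character")
    return problems


def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamped to month end (30 Nov + 3 -> 28/29 Feb)."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def accounts_to_lock(last_changed: dict[str, date], today: date) -> list[str]:
    """Accounts whose password was last changed more than 3 months before today."""
    return sorted(user for user, changed in last_changed.items()
                  if today > add_months(changed, MAX_AGE_MONTHS))


# Assumption: a hard-coded password is a quoted literal assigned to a name that
# contains "pass", "pwd" or "secret"; production scanners use wider rule sets.
HARDCODED = re.compile(
    r"""(?i)\b\w*(?:pass(?:word|wd)?|pwd|secret)\w*\s*[:=]\s*(['"])(.+?)\1""")


def hardcoded_password_lines(source: str) -> list[int]:
    """1-based line numbers of a script that assign a literal password."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if HARDCODED.search(line)]


# Constructed sample data: last password change per account, and a script.
SAMPLE_ACCOUNTS = {
    "alice": date(2011, 11, 30),  # 3 months later clamps to 29 Feb 2012
    "bob": date(2012, 1, 15),
    "carol": date(2011, 9, 1),
}
SAMPLE_SCRIPT = '''\
import os
DB_USER = "billing_ro"
DB_PASSWORD = "Orcl#2011"
api_password = os.environ["API_PASSWORD"]
'''

if __name__ == "__main__":
    print(complexity_violations("vodafone1"))
    print(accounts_to_lock(SAMPLE_ACCOUNTS, date(2012, 3, 1)))
    print(hardcoded_password_lines(SAMPLE_SCRIPT))
```

The complexity check needs the plaintext candidate, so it belongs in the password change path; the expiry and script checks can run as scheduled audits.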
This section describes the action plan that should be followed in order to apply the security recommendations mentioned above.
The first step is to make the board of executives aware of the security risks of the company. The Security Department shall present to the CEO and executives the security proposals and recommendations based on this report. The CEO shall decide about the risks and the budget that is required to address them, in collaboration with the Security Department, and will inform the General Directors of each department about the security measures that must be adopted.
Every department will get a budget in order to comply with security measures, and the technical staff, in collaboration with the Security Department, will decide about the required equipment that needs to be bought. Security requirements for software and hardware shall be set by the Security Department and then the equipment shall be bought.
Technical staff of each department shall be required to address all the security measures and upon completion will inform the Security Department in order to update or write new security policies and controls.