close

Cyber Security

Cyber Security

How Businesses are Adapting to Cybersecurity Realities in Hong Kong

(This post is guest post by ENEA)

On the streets of Hong Kong, a notable trend is emerging in response to mobile-based cybersecurity concerns. Individuals and employees are increasingly adopting ‘burner phones’ – secondary mobile devices used to discreetly handle sensitive communications and transactions. This is no quirky tech trend however, it reflects increasingly widespread concerns about the ability of network operators to protect against intrusions, exfiltration of data, and exploitation of unauthorized access by threat actors.

The Changing Face of Cybersecurity in Hong Kong

The advent of such concerns brings with it a new level of complexity for companies – and individuals – doing business in Hong Kong. This has had a notable impact on how companies, both local and international, structure their own data security and privacy policies. The challenge lies in navigating this new terrain where the lines between safeguarding individual privacy, company data confidentiality, and national security appear increasingly blurred.

The Emergence of ‘Burner Phones’ as a Defensive Measure

The growing use of ‘burner phones’ in Hong Kong is a direct response to the heightened cybersecurity awareness in the region. These secondary devices, typically less advanced than a user’s primary smartphone, are being adopted as a practical measure to safeguard sensitive information. The rationale behind this trend is clear: in an environment where the risk of data breaches is perceived to be high, having a separate device can provide not just an additional layer of security but a way to avoid or at least to minimize the exposure of personal and company data to unauthorized access by not having to connect those devices, which present direct gateways to such data for attackers, to local network services at all. This practice is not just limited to tech-savvy individuals, but is increasingly being seen as a necessary precaution by businesses concerned about protecting their client data and proprietary information.

But this isn’t just a question of good security housekeeping. It underscores a broader crisis of confidence in the ability of network operators to protect against sophisticated cyber threats. In this context, the humble ‘burner phone’ has emerged as a symbolic and practical tool for individuals and organizations striving to exercise control over perceived risks to digital privacy, data confidentiality and personal security.

The Challenge of Securing Mobile Networks

The unique nature of mobile network security presents a distinct challenge that sets it apart from conventional cybersecurity. In mobile communications, threats and vulnerabilities exist at a network level, often beyond the control of individual users or businesses. The European Union Agency for Cybersecurity (ENISA) has long pointed out that individuals are largely powerless in protecting themselves against such threats, as the attacks and resultant data leakage occur within the providers’ core networks. This situation places a significant portion of the responsibility for cybersecurity on the shoulders of the network providers, rather than the end-users.

ENISA says, “One important factor to mention is that in most cases, the subscriber cannot do too much in order to protect themselves from these risks. As most of the attacks are developed at the providers’ level (as both SS7 and Diameter are protocols functioning within the providers’ core network), the possible actions available for subscribers are very limited (e.g. encryption). Most of the security work has to be done at the providers’ level.”

ENISA isn’t alone in this perspective. For instance, the new US National Cybersecurity Strategy highlights that too much responsibility for cybersecurity has historically been placed on individual users. Similarly, Australia’s Cyber Security Strategy emphasizes the need to block cyber threats before they may reach end users. These strategies indicate a growing recognition of the need for a more proactive approach by network operators and governments to resource protection at the network level against unauthorized access by threat actors.

In this context, the growing adoption of ‘burner phone’ usage not merely as informal practice but as a matter of policy is a cry for help amid a crisis of confidence in mobile network security.

read more
5GCyber Security

Private 5G & Enterprise Network Security- Discussion!

In my previous blogs, I covered some important topics, including how enterprise networks or IT networks could evolve to integrate Private 5G (P5G) network on their premises or hybrid cloud. Moreover, it’s also known that P5G networks have been on roll for past few months, where service providers and enterprises are partnering to solve different business use cases, collaboratively.

It brings forth another important question, how do enterprises ensure security of P5G as well as their existing enterprise network?

Trend-micro has conducted a detailed survey on ‘Expectations of P5G Network Security’ recently and published the findings. Not surprising at all, some of the challenges we already foresaw during our earlier discussions.

Although it’s known that cellular networks (4G/5G) are more secure (compared to Wi-Fi), many enterprises do have concerns regarding data transferred on 5G air interface (devices to cell tower), and attacks on devices connected to network. There are additional concerns about whether 5G network equipment can be compromised, esp. if you are deploying it in hybrid or public cloud setup. These concerns are quite valid ones.

With respect to data transfer on air interface, 5G offers very robust cryptographic encryption process, with the introduction of NEA (New Encryption Algorithm) and NIA (New Integration Algorithm). The details of which are beyond scope of this blog post but interested readers can refer to ITU Workshop for more details. Moreover, with SUPI being encrypted with public key in home network itself, subscriber identity is protected completely.

To address the above security concerns, many enterprises, are either partnering with specialized security partners with 5G domain expertise or relying on existing IT security partners to address those cocerns. In any situation, task at end requires specialized understanding of entire 5G security landscape and there’s no easy route to find possible answers.

Interestingly, the findings from TrendMicro survey shows that many enterprises are intend to connect their existing enterprise network with P5G network in some way. In fact, close of 70% enterprises are going to integrate networks, which brings forth an interesting question, on how to do enterprises ensure seamless security of traffic, integration of devices connectity and policies. Surely, with P5G, enterprises need to take a holistic view of their entire enterprise network security, including P5G networks.

Topic of 5G security does require discussion around open standards. With O-RAN on rise, and many enterprises relying on building cloud-native networks with open source modules, ensuring compliance with open standard is must for enterprises. Issue of vulnerabilities, esp. with adoption of open standards is another major concern.

While there’s no easy route to 5G security, many enhancements with 5G Security from standard perspective are going to help but they aren’t enough. Along with P5G, deployment of MEC (multi-access edge compute) based architecture, integrated with P5G is also on rise. MEC, although a boon to solve business problems in real time, brings many other complexities on-campus. esp. MEC is deployed in data plane path with UPF on N6 interface, many of these MEC apps could be part of Enterprises network deployed on Cloud or in Hybrid model. Securing traffic on N6 interface, as well as ensuring right policies applies to traffic flowing in/out of UPF (service provider’s network) is going to be important. Moreover, how do enterprises integrate their existing network and apps with these policies is interesting to see.

What’s way forward for enterprises adopting P5G and MEC?

TrendMicro recommends enterprises should perform pilot of security operations, integrating their existing enterprise network with P5G before going live with P5G applications. Moreover, in our view, many enterprises, adopting P5G/MEC should gear up to understand 5G security aspects, and build domain expertise early by upskilling their existing IT team or partnering with right partners or hiring such experts from outside. Implementing such pilots won’t be easy, and without skilled resources on-board, it will be an uphill task.

read more
5GAI/MLCyber Security

5G and AI Expected to Bring Heightened Cybersecurity Risks, Study Finds

An overwhelming majority of cybersecurity and risk management leaders believe that developments in 5G wireless technology will create cybersecurity challenges for their organizations. Their top three 5G-related concerns are greater risk of attacks on Internet of Things (IoT) networks, a wider attack surface and a lack of security by design in 5G hardware and firmware.

These are among the findings of a new report released today by Information Risk Management (IRM), a UK-based cybersecurity company of Altran, the global leader in engineering and R&D services.

The report, titled Risky Business,is based on a survey of senior cybersecurity and risk management decision makers at 50 global companies across seven major industry sectors: automotive, communications, energy, finance/public sector, software/internet, transport and pharmaceuticals. The study was conducted between July and September of this year.

Eighty-three percent of survey respondents said 5G developments will create cybersecurity challenges for their organizations, suggesting that the new technology will bring heightened risks. “The acceleration to market of 5G and lack of security considerations are causing concern,” the report states. “The vulnerabilities in 5G appear to go beyond wireless, introducing risks around virtualised and cloud native infrastructure.”

The study also found that 86% of respondents expect artificial intelligence (AI) to have an impact on their cybersecurity strategy over the next five years, as AI systems are integrated into core enterprise security functions. The top three AI applications that respondents said they would consider implementing as part of their cybersecurity strategy are network intrusion detection and prevention, fraud detection and secure user authentication.

AI in cybersecurity is a double-edged sword,” the report explains. “It can provide many companies with the tools to detect fraudulent activity on bank accounts, for example, but it is inevitably a tool being used by cybercriminals to carry out even more sophisticated attacks.”

In late August, for example, The Wall Street Journal reported that criminals using AI-based software had successfully mimicked a German CEO’s voice and had duped the head of a UK subsidiary into sending €220,000 ($243,000) to a fraudulent account. It is being dubbed one of the world’s first publicly known cyberattacks using AI. “We are likely to see more of this as the technology develops,” the report warns.

Commenting on the potential impact of 5G and AI on cybersecurity, Charles White, CEO of IRM, cautioned: “A lack of awareness of these technologies’ security implications can have far reaching consequences. At best an embarrassing fine and at worst a fatal blow to the bottom line. Now is the time for enterprises to work closely with their cybersecurity teams to design and develop 5G and AI products that place cybersecurity front and center.”

The study also found:

  • A growing number of C-level executives recognize the challenges facing enterprise security teams. Ninety-one percent of respondents said that increased cybersecurity awareness at the C-level has translated into their decision-making. But most cybersecurity decisions are still based on cost – and not on the safest solutions to put in place, according to respondents, indicating a lack of understanding of the financial and reputational impact of cyberattacks.
  • There is a worrisome lack of awareness of the Networks & Information Systems Directive/ Network & Information Systems Regulations, which is a piece of legislation setting a range of network and information security requirements for Operators of Essential Services (OES) and Digital Service Providers (DSPs). The survey found that 30% of respondents are unaware of the NIS Directive/Regulations, and of the 70% who are aware of the legislation, over a third (about 25% overall) have failed to implement the necessary changes.

IRM is at the heart of Altran’s recently formed World Class Center for Cybersecurity, which offers an extended portfolio of global solutions to protect next-generation networks and systems. With sites in North America, France, the UK and Portugal, the WCC for cybersecurity specializes in working with some of the world’s largest organizations to combat cyber challenges introduced by Industry 4.0.

To download a copy of the report, please visit https://www.irmsecurity.com/risky-business-2019-download.

read more