IT Brief Australia - Technology news for CIOs & IT decision-makers

Pen testing must evolve to keep pace with telco threats

Fri, 16th Aug 2024

Spending on cybersecurity has reached all-time highs. According to Grand View Research, the IT and telecoms sectors alone have dedicated nearly $38 billion to cyber defence. For context, that's roughly the GDP of Estonia. However, this figure is dwarfed by the scale of the threat. The annual global cost of cybercrime is estimated to exceed $10 trillion by 2025 (yes, you read that right: $10 trillion). If cybercrime were a country, it would be the world's third-largest economy after China and the US.

Telecoms is not the most lucrative target for hackers. That honour goes to the financial services industry. However, telecoms is doubly exposed; it is a target in its own right, and it is a gateway to vast amounts of business-critical data for other industries. Telco networks form a major part of every industry's attack surface, presenting not just opportunities for data theft but ingress routes for malware and distributed denial-of-service (DDoS) attacks. 

Telcos are at the centre of an ecosystem that is challenging to control. However good their security, they are at the mercy of the hygiene practices of all the organisations connected to them, including hardware providers. This means that not only are customers vulnerable, but so are third-party providers of network services that share telcos' networks.

Moreover, as critical national infrastructure, telecoms networks are increasingly attractive to nation-state threat actors for whom they represent not just a valuable source of data but a target for disruption, including economic and even political interference.

In January this year, the data on 750 million telecom users in India was compromised. Names, addresses, mobile numbers and Aadhaar numbers (unique ID numbers for every Indian citizen) were offered for sale on the dark web for a paltry $3000. In the same month, Telekom Malaysia suffered a breach affecting 200 million records. 

Now, of course, there is another emerging factor that is escalating an already turbulent situation: AI promises to increase both the volume and ingenuity of threats. 

So what's to be done? Faced with a threat to critical infrastructure, governments typically respond by throwing regulations at the problem. This has led to an increase in the number of compliance mandates and legislation requiring regular penetration tests. While these are valuable and useful exercises, they suffer limitations.

Penetration tests are as old as networking itself. They date back to the late 1960s, when the operators of emerging computer networks hired teams of security experts to find flaws in their infrastructure before a potential attacker could exploit them.

Five decades later, the principles of pen testing have seen little change, but the world is now a much more interconnected, complex and fast-moving place. Early networks were mainly physical entities linked by relatively little software. Now, they are mainly composed of software that is constantly being updated. 

As AI plays an increasingly significant role in network automation, network software will rewrite itself, improving but inevitably also creating new vulnerabilities of its own.

When networks were still relatively stable, slowly evolving systems, point-in-time penetration testing made sense. However, this is no longer the case. 

Government agencies have recognised the problem. The UK's National Cyber Security Centre warns that pen testing only provides assurance at the time of the test and is "not a silver bullet."

Another problem with nationally mandated compliance tests is that their scope is unlikely to reflect the real world the telcos operate in. To be practicable, tests tend to focus on an isolated system or a limited set of systems. Therefore, the results of such tests might not tell you how the same systems will behave in a wider network ecosystem. 

In most conventional pen tests, the scope of the exercise is determined cooperatively by the network operator and the tester. This has two drawbacks. First, the tester might be subject to rules that adversaries don't follow. Second, the management overhead associated with designing and running pen testing projects militates against agility and discourages frequent testing.   

Pen testing and a broader set of cybersecurity defence services have evolved to address these issues. Evolution has taken two forms: a wider gene pool and more efficient ways to respond to predators. 

Crowdsourcing defenders is an obvious way to address the imbalance in numbers. Offering them rewards through bug bounty programs addresses the motivation issue. Ethical hacking now offers a lucrative alternative to criminal hacking. It's no longer necessary to risk jail to become a millionaire. Furthermore, while only the most talented ethical hackers pull in seven-figure incomes, good ones stand to make a very decent living.

There is nothing new about outsourcing cybersecurity or incentivising it through bug bounties. The breakthrough development was the emergence of crowdsourcing platforms that make it easier for organisations to tap into the ethical hacking gene pool. Some of these platforms use intelligence (including AI) to match organisations with the skills they need.

They also automate other processes that customers struggle to manage themselves, such as payments and vulnerability reporting or—in the case of pen testing—project design and management. Most importantly, they demonstrate impressive returns on investment (ROI) for customers (see case study).

The platform-based approach enables organisations to implement bug bounty programs that leverage ethical hackers who can test and report vulnerabilities that a rigid, compliance-based test might never uncover. 

Furthermore, crowdsourcing platforms reduce the lead times and management hassles of running pen tests, enabling more frequent testing. As such, they are regularly used by telcos such as T-Mobile, Comcast/Xfinity and Telstra as part of broader bug bounty and vulnerability discovery programs. These enable continuous testing of defences in the ever-changing threat landscape. 

Pen testing remains critical to the protection of telco services. A new wave of penetration testing as a service (PTaaS) combines the benefits of crowdsourcing and platform-based automation, simultaneously increasing the pool of expertise available to customers while eliminating cumbersome processes that cause delays and add cost. 

PTaaS enables telcos not just to satisfy regulatory requirements but to exceed them. It automates the process of highlighting critical vulnerabilities and prioritising fixes, as PTaaS platforms can feed vulnerability reports directly into DevSec workflows. Most importantly, a more agile process with shorter setup times means that testing can become more frequent, overcoming the main problem with traditional point-in-time tests: their lack of repeatability and scalability.

The advent of AI is driving the next evolution of penetration testing. As telcos deploy AI for a wide range of applications, from customer service to network automation, their security testing will need to evolve accordingly. AI software is subject not only to traditional vulnerabilities but also to new ones, such as prompt injection, where misleading inputs are used to trick an AI system into changing its outputs. Prompt injection is a known danger. There will be others we can't yet imagine.

Will rapidly growing investments in cybersecurity ever turn the tide of cybercrime? A managed approach to crowdsourcing is our best chance that it will.
