Telstra is “still working on” calculating the cost of reliably securing the mass of metadata that will be collected under the government’s controversial telecommunications data retention legislation, the company’s chief information security officer has confirmed.

Speaking in a panel discussion at today’s Cisco Live! technical conference, Telstra CISO Mike Burgess reiterated concerns that the accumulation of telecommunications metadata – which Telstra is expected to manage as part of a government effort to improve its ability to track criminal suspects online – would create a “honeypot” of private information that would be actively targeted by cybercriminals.

Telstra was committed to securing the repository and was still unsure how much it would cost to do so effectively: “we will make sure we have the appropriate level of security,” Burgess said. “How much is that going to cost? We’re still working on that.”

Secure controls over access to any metadata retained under the legislation have emerged as a sticking point in discussions about the controversial legislation: in a recent Protiviti survey, for example, 64 percent of respondents supported the legislation but 78 percent of respondents said that any such legislation would need to be carefully controlled and access should require a court order.

Echoing Burgess’ concerns, fully 62 percent of respondents to the Protiviti research were concerned that concentrating massive quantities of metadata would create new security risks. And 87 percent said telcos should be required to apply specific security standards to protect the information they hold.

The question of just what standards should be applied, however, is still up in the air. Appropriate security for the metadata repository would involve both a technological investment – providing new security systems and augmenting existing controls to prevent unauthorised hacking of the data – and a human element.
This is because, Burgess said, rather than simply relying on brute-force attacks, cybercriminals were most likely to target the credentials that allow authorised users to access the metadata repository after a request by law enforcement agencies.

“They will hunt down the person who has that account information, to get that [metadata] in response to a lawful request,” Burgess said.

Protection of privileged-user accounts is being increasingly recognised as an important part of a cybersecurity defence, with the growth in cloud-based access adding additional pressure on cybersecurity defences.

The challenge had been exacerbated in the wake of the introduction of new privacy laws in March 2014, forcing organisations of all stripes to revisit the security controls they apply to personally identifiable information; regardless, however, some security experts warn that many companies are still leaving open avenues for attack.

Not all panel members believed the cost of the security was the most salient point, however: while Telstra is still weighing the cost of securing the metadata it collects, Cisco chief security and trust officer John Stewart said simply putting dollar values on security projects was “the wrong measurement.”

“I don’t talk about it in dollar terms,” he said. “I have watched an incredible amount of good and bad spend, and what is important are the risk controls in place – and whether you can prove that the protection of the data is done by the means through which it is supposed to be done.”

“If a truly dedicated team is coming after you and they’re coming for a very long period of time, the probability of them being successful at least once does go up. The key is not only to stop everything from happening, but to handle it in a very transparent way when it does.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.