Privileged-account controls crucial as Telstra weighs cost of data-retention security

Telstra is “still working on” calculating the cost of reliably securing the mass of metadata that will be collected under the government's controversial telecommunications data retention legislation, the company's chief information security officer has confirmed.

Speaking in a panel discussion at today's Cisco Live! technical conference, Telstra CISO Mike Burgess reiterated concerns that the accumulation of telecommunications metadata – which Telstra is expected to manage as part of a government effort to improve its ability to track criminal suspects online – would create a “honeypot” of private information that would be actively targeted by cybercriminals.

Telstra was committed to securing the repository and was still unsure how much it would cost to do so effectively: “we will make sure we have the appropriate level of security,” Burgess said. “How much is that going to cost? We're still working on that.”

Secure controls over access to any metadata retained under the legislation has emerged as a sticking point in discussions about the controversial legislation: in a recent Protiviti survey, for example, 64 percent of respondents supported the legislation but 78 percent of respondents said that any such legislation would need to be carefully controlled and access should requite a court order.

Echoing Burgess' concerns, fully 62 percent of respondents to the Protiviti research were concerned that concentrating massive quantities of metadata would create new security risks. And 87 percent said telcos should be required to apply specific security standards to protect the information they hold.

The question of just what standards should be applied, however, is still up in the air. Appropriate security for the metadata repository would involve both a technological investment – providing new security systems and augmenting existing controls to prevent unauthorised hacking of the data – as well as a human element.

This is because, Burgess said, rather than simply relying on brute-force attacks, cybercriminals were most likely to target the credentials that allow authorised users to access the metadata repository after a request by law enforcement agencies.

“They will hunt down the person who has that account information, to get that [metadata] in response to a lawful request,” Burgess said.

Protection of privileged-user accounts is being increasingly recognised as an important part of a cybersecurity defence, with the growth in cloud-based access adding additional pressure on cybersecurity defences.

The challenge had been exacerbated in the wake of the introduction of new privacy laws in March 2014, forcing organisations of all stripes to revisit the security controls they apply to personally identifiable information; regardless, however, some security experts warn that many companies are still leaving open avenues for attack.

Not all panel members believed the cost of the security was the most salient point, however: while Telstra is still weighing the cost of securing the metadata it collects, Cisco chief security and trust officer John Stewart said simply putting dollar values on security projects was “the wrong measurement.”

“I don't talk about it in dollar terms,” he said. “I have watched an incredible amount of good and bad spend, and what is important are the risk controls in place – and whether you can prove that the protection of the data is done by the means through which it is supposed to be done.”

“If a truly dedicated team is coming after you and they're coming for a very long period of time, the probability of them being successful at least once does go up. The key is not only to stop everything from happening, but to handle it in a very transparent way when it does.”

Read more: PM spruiks data retention as report blames Snowden for poor data sharing

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Join the CSO newsletter!

Error: Please check your email address.

Tags cybersecurity defencesattackunauthorised hackingCisco Livemetadatadata retentiongovernmentcybercriminalsCSO AustraliaTelstraProtiviti surveydata-retention security

More about CiscoCSOEnex TestLabProtiviti

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place