PROVISIONAL APPLICATION FOR
UNITED STATES PATENT

SECURITY AND FRAUD DETECTION FOR DEVICE
ASSISTED SERVICES

By Inventors:

Gregory G. Raleigh
Woodside, CA
A Citizen of the United States

Assignee:

Headwater Partners I LLC

VAN PELT, YI & JAMES LLP
10050 N. Foothill Blvd., Suite 200
Cupertino, CA 95014
Telephone 408-973-2585

ItsOn Security and Fraud Overview

SHOAIBAAAAAAAAAAIAAAAAAAAAATASAASAASAAAS

Document Revision History

Revision Date    Description
11/29/2010       Created Document
12/9/2010        Revised with internal feedback

Disclaimer

This document contains forward-looking statements based on current expectations, forecasts and
assumptions of the Company that involve risks and uncertainties. Forward-looking statements are subject
to risks and uncertainties associated with the Company's business that could cause actual results to vary
materially from those stated or implied by such forward-looking statements.

This document is intended for use as a guideline and for information purposes only, and represents ItsOn,
Inc.'s current view of its product direction. This information is subject to change without notice.

As ItsOn, Inc. develops product using an Agile development process, any one of the milestones, features,
release products, release periods or versions could change. None of the information herein should be
interpreted as a commitment on the part of ItsOn, Inc.

Document Revision History ..... 2
Disclaimer ..... 2
Introduction: Layering in Security ..... 5
Building Security into the Service Processor ..... 5
Building Security into the Service Processor/Controller Communications ..... 7
Security Practices ..... 7
Building Security into the MSP ..... 8
Physical Security ..... 8
SAS70 Type 2 Certified ..... 12
Log monitoring and management (SEM and SIM) ..... 13
Vulnerability Assessments ..... 13
Network Security ..... 13
Ensuring Continued Security ..... 15
FRAUD ..... 16
ACTIVE SERVICE PROCESSOR VALIDATION ..... 18
SGSN Notification of Start/Stop Data Session ..... 19
GGSN Notification of Start/Stop Data Session ..... 21
Service Processor/Service Controller Authentication ..... 23
SC Receives UDRs From SP After Receiving "Data Session Stopped" Trigger From Network ..... 24
Service Controller Receives CDRs But Does not Receive UDRs ..... 24
SC Receives CDRs and UDRs But the Usage Counts Don't Align ..... 25
SC Receives CDRs and UDRs but SC Detects Usage Over Charging Policy (CP) Limit(s) ..... 25
SC Receives UDRs but Charging Codes do not Correspond to CP(s) for Current Active Services ..... 26
SC receives CDRs and UDRs, counts align, but usage velocity within a Service Component or Service Activity is greater than rate limit(s) set via CP ..... 26
SC receives CDRs and UDRs, counts align, but usage velocity at the Service Activity or Service Component level deviates "significantly" from average user usage velocity ..... 27
CDR-based Verification Algorithm ..... 28
FDR-based Verification Algorithm ..... 29
Behavior-based Verification Algorithm ..... 30
Production Deployment Considerations ..... 31
Fraud Analysis Considerations ..... 32
Fraud Sampling ..... 33
ICR & CDR Fraud Analysis Flow ..... 35
FDR Fraud Analysis Flow ..... 36

Introduction: Layering in Security

The key to security for many years has been a layered defense, or defense in depth.
Defense in depth is a military strategy: it seeks to delay rather than prevent the advance of an
attacker, buying time and causing additional casualties by yielding space. Rather than defeating
an attacker with a single, strong defensive line, defense in depth relies on the tendency of an
attack to lose momentum over a period of time or as it covers a larger area. The idea of defense
in depth is now widely used to describe non-military strategies.

This is the approach ItsOn has taken, realizing that no one system is completely
impenetrable. The Android device, like many other phones, is not completely secure and is
quite penetrable by a hacker skilled in the art. The client is obviously the first point of concern
in any network. We have put considerable thought into how to detect if our software has
been tampered with or compromised. Our approach is to detect this both on the handset,
from within, and at the network or Service Controller. This document outlines the steps we
have taken to secure the Service Processor on the handset to prevent tampering and also to
detect fraud using the network in conjunction with the Service Controller. In reviewing this
document you should also keep in mind that Android also affords us a level of security, the
details of which can be found here:

http://developer.android.com/guide/topics/security/security.html

It should be noted that ItsOn will be performing penetration testing of all the systems and
as such the architecture could change over time as we strive to improve our defense in
depth.

Building Security into the Service Processor

The client software will have a signed manifest which lists all files in the software
distribution. The listed files will also be paired with a SHA1 hash. The manifest itself
will be signed with an RSA-strength private/public key combination. This is standard
Android application security. Once installed in the OEM distribution, Android enforces
that the app can only be upgraded if signed with the same key. This will make it difficult
to install over the top.

The private key will be kept only within ItsOn's build environment and used during the
build process. Access to the ItsOn build environment will be limited to a small number
of named personnel. The private key will only be held offsite in a secured environment
beside the build server.
The public key will be shipped with the ItsOn binaries and in the default distribution as
part of the framework.

Figure 1.0 Integrity checking

Upon loading of the APK it will query the additional ItsOn framework code to perform a
manifest check. It will then perform an integrity check of the ItsOn APK. If the APK has
integrity it is allowed to run and will then validate the ItsOn and IOInterface kernel
objects. If the ItsOn APK is running and reporting data usage then it is considered that
the system has not been tampered with. If the ItsOn APK is not running and there is data
usage, this is a standard fraud case, putting the device in a fraud state for data
rating/charging.
This integrity check will happen every time the APK is loaded for execution and on every
boot.
The kernel objects will be named in such a way that it is not obvious what they are, so a
user who has rooted the device cannot identify them easily.
Intermediary storage for the Service Processor will be encrypted.

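As an added illustration of the manifest check described above (this is not ItsOn's code and not Android's signing implementation), the following Python sketch lists every file with its SHA1, signs the canonical manifest, and has the integrity check verify the signature before comparing the installed files against the list. The RSA here is unpadded textbook RSA with a small key generated in-process, a stand-in for Android's PKCS#1 APK signing chosen only so the example runs on the standard library; the file names and contents are constructed.

```python
import hashlib
import json
import random

# Added example, not ItsOn's code. Textbook (unpadded) RSA over a SHA1 digest
# with a small in-process key: a stand-in for Android's PKCS#1 APK signing,
# used only so this runs with the Python standard library.


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def gen_keypair(bits=256, seed=None):
    """Return ((n, e), (n, d)); 'seed' only makes the toy key reproducible."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = gen_prime(bits, rng), gen_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def build_manifest(files):
    """files: {path: bytes}. Canonical manifest = sorted JSON of path -> SHA1 hex."""
    entries = {path: hashlib.sha1(data).hexdigest() for path, data in files.items()}
    return json.dumps(entries, sort_keys=True).encode()


def sign_manifest(manifest, private_key):
    n, d = private_key
    digest = int.from_bytes(hashlib.sha1(manifest).digest(), "big")
    return pow(digest, d, n)


def verify_manifest_signature(manifest, signature, public_key):
    n, e = public_key
    digest = int.from_bytes(hashlib.sha1(manifest).digest(), "big")
    return pow(signature, e, n) == digest


def check_integrity(installed_files, manifest, signature, public_key):
    """Return findings for an installation; an empty list means it is intact."""
    if not verify_manifest_signature(manifest, signature, public_key):
        # A manifest that does not verify is not trusted for anything further.
        return ["manifest signature invalid"]
    expected = json.loads(manifest)
    findings = []
    for path, digest in expected.items():
        data = installed_files.get(path)
        if data is None:
            findings.append(f"missing: {path}")
        elif hashlib.sha1(data).hexdigest() != digest:
            findings.append(f"modified: {path}")
    findings.extend(f"unlisted: {path}" for path in installed_files if path not in expected)
    return findings


if __name__ == "__main__":
    # Constructed sample distribution (file names and contents are made up).
    public, private = gen_keypair(seed=2010)
    files = {"classes.dex": b"dalvik bytecode", "lib/libiointerface.so": b"kernel shim"}
    manifest = build_manifest(files)
    signature = sign_manifest(manifest, private)
    print("clean install:", check_integrity(files, manifest, signature, public))
    tampered = dict(files, **{"classes.dex": b"patched bytecode"})
    print("tampered install:", check_integrity(tampered, manifest, signature, public))
```

The signature is checked first and the file list second on purpose: a manifest whose signature fails tells you nothing trustworthy about the files, so the check stops there rather than reporting per-file results from an untrusted list. Note also that a file present on disk but absent from the manifest is reported, which is the "install over the top" case the text wants to make difficult.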
ItsOn client Java code will also be obfuscated to prevent decompiling or reverse
engineering.

Building Security into the Service Processor/Controller Communications

The SP/SC communication will happen over a TLS-encrypted data pipe. We will use an RSA/SHA
cipher suite. The SP/SC systems will use mutual authentication (client-side and server-
side certificates). We will get the client-side certificate installed as part of an
activation/bootstrapping algorithm on the client when it first connects. ItsOn would get
its certificates issued by a standard certificate authority.
We will either encrypt or add a message digest to messages in transit. This would be
implemented in the communication layer at the client and server. Session initiation will
be much like in TLS: after the authentication occurs the server will send the client a
session key that would be used to encrypt/sign all data exchanged (in both directions)
for that session. Client-to-server communication sessions typically only last a few
seconds at most. There are no persistent sessions.

Security Practices

ItsOn will also perform source code audits using tools like RATS or Fortify 360 to ensure
that coding vulnerabilities are prevented.
ItsOn will detect rogue applications by comparing hashes of known good applications.
These hashes will be held with the service activity and pushed down to the SP from the
SC.
Penetration testing of the Service Processor software will also be carried out on a
regular basis, the scope of which will be determined in contracts.

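The "message digest on messages in transit" option from the communications section, as an added example (not ItsOn's code): once mutual TLS authentication has completed and the server has issued a per-session key, each message carries a sequence number and an HMAC-SHA256 tag, and the receiver rejects messages that are tampered with, replayed, or reflected back to their own sender. The wire layout, the role byte bound into the MAC, and the sample UDR payload are all choices made for this illustration.

```python
import hashlib
import hmac
import os
import struct

# Added example, not ItsOn's code: message integrity on the SP/SC pipe after
# mutual TLS authentication has completed and the server has issued a session
# key. The wire format (8-byte sequence number, payload, 32-byte HMAC-SHA256
# tag) and the sender-role byte are choices made for this illustration.

SEQ_LEN = 8
TAG_LEN = 32


class SessionEndpoint:
    """One side of a short-lived SP/SC session sharing a per-session key."""

    def __init__(self, session_id: bytes, key: bytes, role: str):
        assert role in ("sp", "sc")
        self.session_id = session_id
        self.key = key
        self.role = role
        self.peer = "sc" if role == "sp" else "sp"
        self.next_seq = 0        # sequence number for our next outgoing message
        self.last_peer_seq = -1  # highest sequence number accepted from the peer

    def _tag(self, sender: str, seq: int, payload: bytes) -> bytes:
        # Binding the sender role into the MAC stops a message from being
        # reflected back to its own sender as if the peer had sent it.
        msg = self.session_id + sender.encode() + struct.pack(">Q", seq) + payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        seq = self.next_seq
        self.next_seq += 1
        return struct.pack(">Q", seq) + payload + self._tag(self.role, seq, payload)

    def unseal(self, wire: bytes):
        """Return (payload, None) if authentic and fresh, else (None, reason)."""
        if len(wire) < SEQ_LEN + TAG_LEN:
            return None, "truncated"
        seq = struct.unpack(">Q", wire[:SEQ_LEN])[0]
        payload, tag = wire[SEQ_LEN:-TAG_LEN], wire[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(self.peer, seq, payload)):
            return None, "bad MAC"          # tampered, wrong key, or reflected
        if seq <= self.last_peer_seq:
            return None, "replay"           # sequence number already accepted
        self.last_peer_seq = seq
        return payload, None


def new_session():
    """Server-side issuance of a fresh session id and key; returns both endpoints."""
    session_id, key = os.urandom(8), os.urandom(32)
    return SessionEndpoint(session_id, key, "sp"), SessionEndpoint(session_id, key, "sc")


def demo():
    """Constructed exchange: one UDR report, then replay, tampering and reflection attempts."""
    sp, sc = new_session()
    wire = sp.seal(b"UDR imsi=000000000000000 code=web bytes=4096")  # constructed record
    tampered = wire[:SEQ_LEN] + b"X" + wire[SEQ_LEN + 1:]           # first payload byte altered
    return [sc.unseal(wire)[1],       # None: accepted
            sc.unseal(wire)[1],       # "replay"
            sc.unseal(tampered)[1],   # "bad MAC": payload altered in transit
            sp.unseal(wire)[1]]       # "bad MAC": message reflected to its own sender


if __name__ == "__main__":
    print(demo())
```

The sequence check is strictly monotonic, which suits the short, non-persistent sessions the text describes; a design that tolerated reordering would need a window of seen sequence numbers instead of a single high-water mark.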
Physical Security

... have access to various physical locations, such as the data center, warehouse, computer
operational centers, and any other critical areas.

Exterior Security Elements
The Santa Clara facility meets all local, state, and federal regulatory requirements for
building codes and has been constructed of post and beam framework with the exterior of
the walls made of tilt-up concrete. The building was acquired by QualityTech in 2007 and
has been modified accordingly to enable the secure delivery of data center services. The
facility has a total of approximately 67,200 square feet of usable space, with 20,000 square
feet allocated to an 18" raised floor data center area on the first floor of the building, and
19,500 square feet allocated to a 24" raised floor data center area on the second floor of the
building. The remaining usable space is allocated to office areas, storage space, and
infrastructure accommodations.

Exterior lighting is appropriate for adequate visibility outside the facility during night
hours, helping to ensure potential intruders are unable to approach the building unseen.
Grounds and vegetation surrounding the building are appropriately maintained to prevent
potential intruders from shielding or hiding themselves. Exterior windows leading into the
data center area on the first floor are protected by 1/4" thick Kevlar panels to prevent the
glass from being penetrated by projectiles or by other forceful means. Windows leading
into the data center area on the second floor are protected by 5/8" thick sheetrock. The
exterior of the building is also protected by strategically placed security surveillance
cameras for monitoring and recording of external building activity.

Roof access to the main two-story portion of the facility is accommodated from the inside of
the building via a ladder in a stairwell. Access to the stairwell is protected by a badge
reader and only authorized personnel are permitted in that area. The roof hatch at the top
of the ladder is latched from the inside so it cannot be opened from the outside, and is tied
to the building alarm system to notify security personnel when the hatch is open. In
addition, the building has an expansion wing that is one story high with roof access gained
from the outside within the courtyard area located adjacent to the expansion wing. The
courtyard houses the facility's backup generators, fuel for the generators, and other
electrical & environmental infrastructure, and is surrounded by cement walls and wrought
iron fencing. Access to the courtyard area can be gained from inside or outside the facility,
and is protected by badge readers and biometric readers to ensure only authorized
individuals can gain entry to the courtyard area.

Interior Security Elements
The Santa Clara facility is manned by QualityTech security staff 24x7, with a minimum of
two (2) security personnel onsite at all times during business hours. The security team
performs regularly scheduled rounds looking for anything unusual, suspicious, or out of the
ordinary, and surveillance cameras are placed strategically throughout the building for
monitoring and recording of internal building activity. To facilitate the secure shredding
and disposal of sensitive documents, the Santa Clara facility maintains a contract with a
local vendor.

The Santa Clara security team is responsible for a variety of critical activities and functions,
including but not limited to:

• Controlling and monitoring data center access, prevention of unauthorized access
• Ensuring compliance with access procedures
• Controlling the movement of items removed via the facility main entry point, loss prevention
• Issuance and retrieval of ID access badges
• Administration of the computerized access control system
• Administration and maintenance of physical security systems
• Monitoring of, response to, and resolution for security alarms
• Conducting scheduled and unscheduled security, fire, and safety patrol inspections
• Enforcement of policy to prevent unauthorized photography
• Enforcement of policy prohibiting food or drink in the data center areas
• Escorting of visitors without access credentials
• Assisting customers with cage lockouts
• General compliance with security policies and procedures

The data center area raised floor on the first floor of the facility is secured with heavy tiles
made of concrete, while on the second floor the data center area raised floor is secured
with hollow core tiles to reduce the weight strain on the second floor. No data center
entry/exit is possible from under the raised floors in either data center area. The area
under the raised floor of the data center area on the first floor is used to deliver power,
network cabling, and cooling to customer cabinets and cages. On the second floor, the area
under the raised floor of the data center area is for the delivery of power and cooling while
accommodations for network cabling are provided overhead. Cabinets and cages are
constructed of metal and are of appropriate strength and rigidity to secure customer
equipment from unauthorized access. All data center cabinets and cages in the facility are
fastened to the floor, are clearly labeled, and are inspected periodically to ensure their
proper physical condition. All cabinets and cages are secured with traditional lock & key
mechanisms with keys safeguarded by the security team, and a select few are also
equipped with electronic badge readers at the request of customers occupying those
environments. Independent holding rooms are present on both the first and second floors
of the facility and must be cleared prior to accessing the data center areas on those floors.

Access Control Elements
General access to the Santa Clara facility is gained via the front door, which is open for
public access during normal business hours. The front door remains locked during non-
business hours and is secured by an electronic badge reading system. All other external
doors remain locked when not in use, and are protected by badge readers and/or
traditional lock & key. The Santa Clara facility is equipped with an electronic badge reading
system to prevent unauthorized access to all areas of the building, managed and
maintained by the security team. Each area of the building is considered a separate security
zone and is configured individually within the electronic badge reading system for access
to that specific area.

All visitors to the Santa Clara facility must have their visit logged by the security team, and
must be escorted at all times unless they have access rights that do not require an escort.
All persons requiring unescorted access to the Santa Clara facility must have an electronic
access identification badge issued to them by the security team. Each electronic access
badge is unique to the individual so that logging of access by electronic badge readers can
be tied to specific persons. Electronic access badges are issued to customers by the security
team under a structured enrollment program requiring a government-issued picture ID
such as a driver's license or passport. The type and duration of access is determined by the
customer's access needs and the security team assigns access rights based on the specific
parameters.

In addition to the electronic badge reading system the facility is equipped with biometric
iris scanning devices and biometric fingerprint reading devices in select areas throughout
the facility, managed and maintained by the security team. Like the electronic badge
reading system, each area of the building protected by these biometric devices is
considered a separate security zone and is configured individually within the systems for
access to that specific area. Customers have their biometric attributes configured in these
systems by the security team in accordance with customers' access requirements.

Access to the data center areas on both the first and second floors can only be gained by
clearing holding rooms that require two-factor authentication. Individuals requiring access
to a data center area first use their electronic access badge and their biometric fingerprint
to gain entry to the holding room, and then have their iris scanned by an iris reader inside
the holding room to gain access to the applicable data center floor.

Monitoring Elements
The facility has in place forty (40) fixed position security cameras for video surveillance of
critical areas in and around the building. The exterior and interior of the building are
continuously monitored by cameras placed strategically for optimum coverage of critical
areas, with images from the security cameras being displayed on two (2) 42 inch monitors
each with sixteen (16) split screens for viewing multiple security cameras simultaneously.
The monitors are maintained in the Security Office and are viewed by a member of the
security team at all times when not engaged in other security duties.

All video surveillance streams are channeled through a digital video recorder (DVR) that
archives the video captured by the security cameras. The DVR is located in a secure cabinet
in the first floor data center and is accessible only to QualityTech security personnel and
data center technicians. Video archives are maintained online for a period of one week
before they are transferred to tape. Tape archives of the captured video are maintained for
a period of ninety (90) days before they are overwritten, and the entire video surveillance
system is protected by an uninterruptible power supply in the event there is a loss of
power.

Fire, Life, Safety Elements
The Santa Clara facility is equipped with a comprehensive set of controls to ensure
adequate protection as it relates to fire, life, and various safety elements. A central
monitoring control panel is located in the Security Office that displays the status of various
fire, life and safety elements throughout the facility. The central monitoring control panel
aggregates data from several other control panels in various locations of the facility that
are tied to their particular elements. In addition to onsite monitoring efforts undertaken by
QualityTech security personnel, a third party security service provides remote monitoring
of critical fire, life and safety elements including fire and smoke detectors, HVAC alarms,
water sensors, and annunciators. The remote monitoring service will contact Santa Clara
personnel in accordance with an escalation contact list in the event an alert is triggered by
any critical fire, life or safety element.

A wet pipe fire suppression system protects the common office areas of the facility as well
as the generator area in the adjacent courtyard. All other areas within the facility on both
floors, including the data center areas, mechanical & electrical rooms, and other
infrastructure areas, are protected by a pre-action dry pipe fire suppression system. A
common water supply feeds the fire suppression system on both the first and second
floors; however, the system operates independently on the two floors and an alert
condition that causes the dry pipes to fill on the first floor does not cause the dry pipes to
fill on the second floor, and vice versa. Leak detectors are located under the CRAC units on
both floors to ensure that any water escaping from the fire suppression system or CRAC
units is detected in a timely manner. The entire fire suppression system is inspected
annually by the local Fire Marshal to ensure its operability and compliance with fire codes.

In addition to the pre-action dry pipe fire suppression system, a Fenwal FM 200 system is in
place in the data center area on the first floor of the facility that provides an additional level
of fire protection in the first floor data center. The FM 200 system is a chemical-based
waterless fire suppression system that deploys quickly without leaving behind any residue
or particulates, and operates independently from the water-based pre-action dry pipe fire
suppression system. The fire suppression system in the second floor data center area is
enhanced by the implementation of Very Early Smoke Detection Apparatus (VESDA) type
smoke detectors. The VESDA smoke detectors provide enhanced protection from fire
conditions by reading air samples with highly sensitive laser technology that detects smoke
particulates during the earliest stages of a fire condition. The second floor data center area
incorporates three (3) VESDA air sampling control panels to ensure adequate coverage of
the data center space. Fire extinguishers are positioned strategically throughout both floors
of the facility to aid in the suppression of small incipient fires.

SAS70 Type 2 Certified

Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely
recognized auditing standard developed by the American Institute of Certified Public
Accountants (AICPA). A service auditor's examination performed in accordance with SAS
No. 70 ("SAS 70 Audit") is widely recognized, because it represents that a service
organization has been through an in-depth audit of their control objectives and control
activities, which often include controls over information technology and related
processes. In today's global economy, service organizations or service providers must
demonstrate that they have adequate controls and safeguards when they host or process
data belonging to their customers. In addition, the requirements of Section 404 of the
Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process
of reporting on the effectiveness of internal control over financial reporting. (For more
information see www.sas70.com)

Quality Technology Services has engaged NDB, LLP (Formerly Dupont & Morgan, LLP) as
the exclusive SAS 70 audit provider for QualityTech data center facilities in the continental
US. NDB is an international accounting and consulting firm that concentrates on providing
high quality, cost-effective services to meet the challenges of today's complex and
competitive business environment. NDB's emphasis on SAS 70, in particular their years of
experience working in and with data center providers, was an important factor in our
decision to engage NDB.

Log monitoring and management (SEM and SIM)

Splunk is used to implement real-time monitoring and alerting of incidents and attacks.
System and application log files are monitored to find security and compliance issues as
well as to maintain an audit trail of system activity.

Vulnerability Assessments

ItsOn will utilize QualysGuard to perform regularly scheduled vulnerability assessments.
QualysGuard provides a robust scanning service that analyzes the security of your network
devices by referencing an inventory of thousands of known vulnerabilities covering all
major operating systems, services and applications.

Network Security

In addition to the MSP security, ItsOn will also take the following precautions to protect
data and systems within the Service Controller:

• Front-facing DMZ implementation
   • External services are isolated in a restricted perimeter network (a.k.a. DMZ)
     and separated by functional classification.
• VLAN isolation of servers by function:
   • 3 DMZ VLANs
      • The device services VLAN allows traffic from a range of device IPs to a
        limited number of application-specific IP ports.
      • The web portal VLAN allows SSL traffic to Apache servers that proxy
        to the Service Design Center. Traffic can be restricted to a specific
        range of source IPs but that requirement has not been defined.
      • The carrier services VLAN allows traffic from the carrier for the
        purpose of file transfers and/or accounting record streams. This
        traffic is expected to be encapsulated in a secure VPN tunnel over the
        Internet from the carrier.
   • Application VLAN
      • The application VLAN protects the business logic processors from the
        external traffic.
   • Database VLAN
      • The database VLAN isolates the database servers and restricts traffic
        to that coming from the application servers.
   • ItsOn Ops VLAN
      • The Ops VLAN separates ItsOn management and monitoring servers
        from the business layers.
   • MSP Backup/Monitoring VLAN
      • The MSP uses a dedicated VLAN for monitoring and backup traffic.
• Inter-VLAN security via ACL
   • ACLs are used to restrict traffic between VLANs.

Host Level:
• No shared logins
   • Users are required to maintain separate and secure logins
• Remote logging and monitoring of access
   • System logs are mirrored to a remote server for real-time analysis to
     identify unauthorized access

Ensuring Continued Security

ItsOn will work with the MSP to implement vulnerability scanning for both server and
application vulnerabilities using QualysGuard. This tool will be run on a frequent basis
(TBD). Results will be analyzed and corrective action taken within the contracted days.

ItsOn will also ensure that any patching of the software required for security purposes is
applied in the contracted timeframe. The MSP actively monitors OS-related patch
releases. OS patch updates are scheduled based on severity and applicability.

ItsOn will also use a product like McAfee Secure or QualysGuard to perform vulnerability
scanning of the Service Control Center to ensure that customer data is safe from internal
and external threats. This will ensure that SQL injection or XSS scripting is not an issue.

Penetration testing can also be carried out on a predetermined timescale based on
contract.

FRAUD

The following bullets outline the fraud detection methods ItsOn will use and the fraud
events it will capture:

• Service Processor (SP) doesn't attempt authentication within acceptable window
  after the Service Controller (SC) receives "data session started" indication from the
  network
   • Cause: SP disabled, SIM in a non-ItsOn enabled device (non-fraud)
• SP fails authentication with SC
   • Cause: Invalid credentials, device spoofing
• SC receives Usage Data Records (UDR) from SP after receiving "data session
  stopped" trigger from the network
   • Cause: Device spoofing
• Service Controller receives CDRs but does not receive UDRs
   • Cause: SP disabled, SIM in a non-ItsOn enabled device (non-fraud, unless SP
     has authenticated with SC during this data session)
• SC receives CDRs and UDRs but the usage counts don't align
   • Cause: SP tampering
• SC receives CDRs and UDRs but the UDRs indicate usage over Charging Policy (CP)
  limit(s)
   • Cause: SP tampering
• SC receives UDRs but charging codes do not correspond to CP(s) for current active
  services
   • Cause: SP tampering, device spoofing
• SC receives CDRs and UDRs, counts align, charging codes are correct, but data is
  mis-categorized (needs FDRs to corroborate)
   • Cause: SP tampering
• SC receives CDRs and UDRs, counts align, but usage velocity within a Service
  Component or Service Activity is greater than the rate limit(s) set via the Control
  Policy
   • Cause: SP tampering
• SC receives CDRs and UDRs, counts align, but usage velocity at the Service Activity
  or Service Component level deviates "significantly" from average user usage velocity
   • Cause: SP tampering, Service Activity/Component usage patterns changing
     (e.g., service adds streaming content) (non-fraud)

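The record-based checks in the list above, as an added example that is not ItsOn's code: one function reconciles the network's CDRs with the Service Processor's UDRs for a single data session and returns the fraud-event labels it raises. The authentication-timer bullets and the FDR corroboration of mis-categorized data are outside this check. Record layouts, thresholds, charging codes, the peer-velocity figures and the z-score used for the "deviates significantly" bullet are all constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional

# Added example, not ItsOn's code: reconcile network CDRs with SP UDRs for one
# data session and label the fraud events. Record layouts, thresholds and the
# charging codes are constructed; the behaviour-based check is a plain z-score
# of this session's usage velocity against other users' average velocities.


@dataclass
class Session:
    imsi: str
    start: float                 # network "data session started", seconds
    stop: Optional[float]        # network "data session stopped"; None if still open
    sp_auth: str                 # "ok", "failed" or "none" during this session


@dataclass
class Cdr:                       # Call Detail Record from the network
    imsi: str
    byte_count: int


@dataclass
class Udr:                       # Usage Data Record reported by the SP
    imsi: str
    charging_code: str
    byte_count: int
    ts: float                    # time the usage was reported, seconds


@dataclass
class ChargingPolicy:
    limit_bytes: int             # usage cap for this charging code
    rate_limit_bps: float        # allowed usage velocity, bytes per second


# Constructed sample policy set and peer velocities (bytes/second of other users).
POLICIES = {"web": ChargingPolicy(5_000_000, 20_000.0),
            "video": ChargingPolicy(5_000_000, 20_000.0)}
ACTIVE_CODES = {"web", "video"}
PEER_VELOCITIES = [1500.0, 1700.0, 1600.0, 1650.0]


def classify(session, cdrs, udrs, policies, active_codes, peer_velocities,
             tolerance=0.02, z_threshold=3.0):
    """Return the fraud-event labels raised for one session (empty list = clean)."""
    events = []
    if session.sp_auth == "failed":
        events.append("SP_AUTH_FAILED")                     # invalid credentials / spoofing

    if session.stop is not None and any(u.ts > session.stop for u in udrs):
        events.append("UDR_AFTER_SESSION_STOP")             # device spoofing

    if cdrs and not udrs:
        # SP disabled or non-ItsOn device: non-fraud unless the SP had authenticated
        events.append("CDR_WITHOUT_UDR" if session.sp_auth == "ok"
                      else "CDR_WITHOUT_UDR_NONFRAUD")
    if not udrs:
        return events

    cdr_total = sum(c.byte_count for c in cdrs)
    udr_total = sum(u.byte_count for u in udrs)
    if cdrs and abs(cdr_total - udr_total) > tolerance * cdr_total:
        events.append("COUNT_MISMATCH")                     # SP tampering

    per_code = {}
    for u in udrs:
        per_code[u.charging_code] = per_code.get(u.charging_code, 0) + u.byte_count

    end = session.stop if session.stop is not None else max(u.ts for u in udrs)
    duration = max(end - session.start, 1.0)

    for code, used in per_code.items():
        if code not in active_codes:
            events.append(f"UNKNOWN_CHARGING_CODE:{code}")   # tampering / spoofing
            continue
        cp = policies[code]
        if used > cp.limit_bytes:
            events.append(f"OVER_CP_LIMIT:{code}")
        if used / duration > cp.rate_limit_bps:
            events.append(f"VELOCITY_OVER_RATE:{code}")

    if len(peer_velocities) >= 2:
        sigma = pstdev(peer_velocities)
        if sigma > 0 and (udr_total / duration - mean(peer_velocities)) / sigma > z_threshold:
            events.append("VELOCITY_ANOMALY")               # tampering, or the service changed
    return events


if __name__ == "__main__":
    s = Session("001010123456789", 0.0, 600.0, "ok")   # constructed IMSI and times
    cdrs = [Cdr(s.imsi, 1_000_000)]
    udrs = [Udr(s.imsi, "video", 600_000, 300.0), Udr(s.imsi, "web", 400_000, 500.0)]
    print("clean:", classify(s, cdrs, udrs, POLICIES, ACTIVE_CODES, PEER_VELOCITIES))
    print("short-counted:", classify(s, cdrs, udrs[:1], POLICIES, ACTIVE_CODES, PEER_VELOCITIES))
```

The count comparison uses a small relative tolerance rather than exact equality, since network and device counters never align to the byte (header accounting and timing differ); the tolerance is the knob to tune against real sampled sessions. The velocity anomaly is deliberately a separate label from the rate-limit breach, because the list above records that it has a legitimate non-fraud cause.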
ACTIVE SERVICE PROCESSOR VALIDATION

• Service Controller receives a start session message from the network
   • Could be a "Start Accounting" RADIUS message from a GGSN, AAA or PDSN,
     or a successful "GPRS Attach" notification from an SGSN
• Service Controller sets an "Expecting Service Processor Login" timer
• If the Service Controller successfully authenticates the Service Processor within the
  timer interval, the Service Processor is deemed to be running and valid.
• If the Service Controller does not successfully authenticate the Service Processor
  within the timer interval, it is assumed that: 1) the device does not contain a Service
  Processor; or 2) the Service Processor on the device has been disabled.
   • When this event occurs, the Service Controller can either 1) trigger to the
     network to charge for usage at "standard" bulk rates; or 2) specify a
     "standard" bulk rate charging code in the CDRs sent to data mediation
• The following slides depict sample high-level implementation options of this
  functionality in a GSM/GPRS core data network

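The "Expecting Service Processor Login" timer as an event-driven state machine in the Service Controller, added here as an example that is not ItsOn's code: a network start trigger arms a timer per IMSI, a successful SP login within the window marks the device validated, and an expired timer falls the session back to the standard bulk rate. The event names, the bulk-rate charging code and the timestamps are constructed.

```python
# Added example, not ItsOn's code: the "Expecting Service Processor Login" timer
# kept by the Service Controller. Method names, the placeholder bulk-rate
# charging code and the timestamps are constructed for this illustration.

STANDARD_BULK_RATE_CODE = "BULK_STD"   # placeholder code for option 2 in the text


class ServiceProcessorValidator:
    def __init__(self, login_window_s=60.0):
        self.login_window_s = login_window_s
        self.pending = {}     # imsi -> session start time; SP login still expected
        self.validated = {}   # imsi -> time the SP authenticated within the window
        self.decisions = []   # (imsi, outcome) records handed to the charging path

    def session_started(self, imsi, now):
        """Network start trigger (RADIUS Start Accounting or SGSN GPRS Attach): arm the timer."""
        self.validated.pop(imsi, None)      # a new session starts from scratch
        self.pending[imsi] = now

    def sp_authenticated(self, imsi, now):
        """Successful SP login; returns the validation outcome for this IMSI."""
        start = self.pending.pop(imsi, None)
        if start is None:
            return "no_open_session"        # login with no network start seen: worth logging
        if now - start <= self.login_window_s:
            self.validated[imsi] = now
            return "validated"
        self.decisions.append((imsi, "late_login"))
        return "late"                       # outside the window: treated as not validated

    def tick(self, now):
        """Expire timers; sessions whose window elapsed without a login fall to bulk rate."""
        expired = [imsi for imsi, start in self.pending.items()
                   if now - start > self.login_window_s]
        for imsi in expired:
            del self.pending[imsi]
            self.decisions.append((imsi, STANDARD_BULK_RATE_CODE))
        return expired

    def charging_code_for(self, imsi, service_code):
        """Option 2 from the text: stamp CDRs with the bulk code unless the SP is validated."""
        return service_code if imsi in self.validated else STANDARD_BULK_RATE_CODE


if __name__ == "__main__":
    v = ServiceProcessorValidator(login_window_s=60.0)
    v.session_started("A", 0.0)           # constructed IMSIs and times
    v.session_started("B", 0.0)
    print(v.sp_authenticated("A", 30.0))  # validated
    print(v.tick(61.0))                   # ['B']: no login within the window
    print(v.charging_code_for("A", "video"), v.charging_code_for("B", "video"))
```

A login that arrives after the window is recorded separately from a plain expiry, because the two mean different things operationally: an expiry is the expected "no Service Processor" case, while a late login is a device that has an SP but did not present it in time and may deserve a closer look.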
SGSN Notification of Start/Stop Data Session

[Diagram: device, network and ItsOn Service Controller]

• Device attempts data session and sends GPRS Attach to SGSN
• SGSN notifies ItsOn Service Controller that the device has started a data session
• ItsOn Service Controller waits for a pre-determined time (e.g., one minute) to
  receive a login/authentication request from the ItsOn Service Processor on the
  device
• If the ItsOn Service Controller sees the request, it send