Attorney Docket No. RALEP045+

PROVISIONAL APPLICATION FOR
UNITED STATES PATENT

SECURITY AND FRAUD DETECTION FOR DEVICE ASSISTED SERVICES

By Inventors:

Gregory G. Raleigh
Woodside, CA
A Citizen of the United States

Assignee:

Headwater Partners I LLC

VAN PELT, YI & JAMES LLP
10050 N. Foothill Blvd., Suite 200
Cupertino, CA 95014
Telephone 408-973-2585

ItsOn Security and Fraud Overview

`Revision Date
`
`Description
`
`Revised with internal feedback
`
`11/29/2010
`
`Created Document
`
`12/9/2010
`
This document contains forward-looking statements based on current expectations, forecasts and assumptions of the Company that involve risks and uncertainties. Forward looking statements are subject to risks and uncertainties associated with the Company's business that could cause actual results to vary materially from those stated or implied by such forward-looking statements.

This document is intended for use as a guideline and for information purposes only, and represents ItsOn, Inc’s current view of its product direction. This information is subject to change without notice.

As ItsOn, Inc. develops product using an Agile development process, any one of the milestones, features, release products, release periods or versions could change. None of the information herein should be interpreted as a commitment on the part of ItsOn, Inc.

Document Revision History
Disclaimer
Introduction: Layering in Security
Building Security into the Service Processor
Building Security into the Service Processor/Controller Communications
Security Practices
Building Security into the MSP
Physical Security
SAS70 Type 2 Certified
Log monitoring and management (SEM and SIM)
Vulnerability Assessments
Network Security
Ensuring Continued Security
FRAUD
ACTIVE SERVICE PROCESSOR VALIDATION
SGSN Notification of Start/Stop Data Session
GGSN Notification of Start/Stop Data Session
Service Processor/Service Controller Authentication
SC Receives UDRs From SP After Receiving “Data Session Stopped” Trigger From Network
Service Controller Receives CDRs But Does not Receive UDRs
SC Receives CDRs and UDRs But the Usage Counts Don’t Align
SC Receives CDRs and UDRs but SC Detects Usage Over Charging Policy (CP) Limit(s)
SC Receives UDRs but Charging Codes do not Correspond to CP(s) for Current Active Services
SC receives CDRs and UDRs, counts align, but usage velocity within a Service Component or Service Activity is greater than rate limit(s) set via CP
SC receives CDRs and UDRs, counts align, but usage velocity at the Service Activity or Service Component level deviates “significantly” from average user usage velocity
CDR-based Verification Algorithm
FDR-based Verification Algorithm
Behavior-based Verification Algorithm
Production Deployment Considerations
Fraud Analysis Considerations
Fraud Sampling
ICR & CDR Fraud Analysis Flow
FDR Fraud Analysis Flow

The key to security for many years has been a layered defense, or defense in depth. Defense in depth is a military strategy that seeks to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space. Rather than defeating an attacker with a single, strong defensive line, defense in depth relies on the tendency of an attack to lose momentum over a period of time or as it covers a larger area. The idea of defense in depth is now widely used to describe non-military strategies.

This is the approach ItsOn has taken, realizing that no one system is completely impenetrable. The Android device, like many other phones, is not completely secure and, for a hacker skilled in the art, quite penetrable. The client is obviously the first point of concern in any network. We have put considerable thought into how to detect whether our software has been tampered with or compromised. Our approach is to detect this both on the handset from within and at the network or Service Controller. This document outlines the steps we have taken to secure the Service Processor on the handset to prevent tampering and also to detect fraud using the network in conjunction with the Service Controller. In reviewing this document you should also keep in mind that Android also affords us a level of security, details of which can be found here:

http://developer.android.com/guide/topics/security/security.html

It should be noted that ItsOn will be performing penetration testing of all the systems and as such the architecture could change over time as we strive to improve our defense in depth.

The Client software will have a signed manifest which lists all files in the software distribution. The listed files will also be paired with a SHA1 hash. The manifest itself will be signed with an RSA-strength private/public key pair. This is standard Android application security. Once installed in the OEM distribution, Android enforces that the app can only be upgraded if signed with the same key. This will make it difficult to install over the top.
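
The per-file half of the manifest check described above, as an added example that is not ItsOn's or Android's code: it parses a JAR-style `META-INF/MANIFEST.MF` (the `Name:` / `SHA1-Digest:` sections used by standard Android package signing) and compares each digest with the archive contents. It assumes the manifest's own RSA signature has already been verified, since the digests are only trustworthy after that step; the sample archive and file names are constructed.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST_PATH = "META-INF/MANIFEST.MF"


def sha1_b64(data):
    """Base64 of the SHA-1 digest, the encoding used by SHA1-Digest attributes."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def parse_manifest(text):
    """Return {entry name: base64 SHA-1 digest} from JAR-style manifest text."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        # A line that starts with one space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    digests, name = {}, None
    for line in lines:
        if not line:  # a blank line ends the current per-file section
            name = None
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
        elif key == "SHA1-Digest" and name is not None:
            digests[name] = value
    return digests


def check_archive(archive_bytes):
    """Compare archive contents with the manifest and report every mismatch."""
    report = {"modified": [], "missing": [], "unlisted": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        listed = parse_manifest(zf.read(MANIFEST_PATH).decode("utf-8"))
        present = {n for n in zf.namelist() if not n.endswith("/")}
        for name in sorted(listed):
            if name not in present:
                report["missing"].append(name)
            elif sha1_b64(zf.read(name)) != listed[name]:
                report["modified"].append(name)
        # Files outside META-INF/ that the manifest does not cover were added later.
        for name in sorted(present - set(listed)):
            if not name.startswith("META-INF/"):
                report["unlisted"].append(name)
    return report


def build_sample(files, tamper=None, drop=(), extra=None):
    """Build a constructed archive whose manifest describes `files`, then
    optionally alter, drop or add entries without updating the manifest."""
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, content in files.items():
        manifest += "Name: %s\r\nSHA1-Digest: %s\r\n\r\n" % (name, sha1_b64(content))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST_PATH, manifest)
        for name, content in files.items():
            if name not in drop:
                zf.writestr(name, (tamper or {}).get(name, content))
        for name, content in (extra or {}).items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample contents, not taken from any real package.
SAMPLE = {"classes.dex": b"dex-bytes", "lib/libsp.so": b"native-bytes"}

if __name__ == "__main__":
    print(check_archive(build_sample(SAMPLE)))
    print(check_archive(build_sample(SAMPLE, tamper={"classes.dex": b"patched"})))
```

A clean archive yields three empty lists; any non-empty list is the condition under which the integrity check would refuse to let the package run.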
The private key will be kept only within ItsOn's build environment and used during the build process. Access to the ItsOn build environment will be limited to a small number of named personnel. The private key will only be held offsite in a secured environment beside the build server.
The public key will be shipped with the ItsOn binaries and in the default distribution as part of the framework.

Figure 1.0 Integrity checking

Upon loading of the APK it will query the additional ItsOn framework code to perform a manifest check. It will then perform an integrity check of the ItsOn APK. If the APK has integrity it is allowed to run and will then validate the ItsOn and IOInterface kernel objects. If the ItsOn APK is running and reporting data usage then it is considered that the system has not been tampered with. If the ItsOn APK is not running and there is data usage, this is a standard fraud case, which puts the device in a fraud state for data rating/charging.
This integrity check will happen every time the APK is loaded for execution and on every boot.
The kernel objects will be named in such a way that it is not obvious what they are, so a user who has rooted the device cannot identify them easily.
Intermediary storage for the Service Processor will be encrypted.
ItsOn Client Java code will also be obfuscated to prevent decompiling or reverse engineering.

The SP/SC communication will happen over a TLS encrypted data pipe. We will use an RSA/SHA cipher suite. The SP/SC systems will use mutual authentication (client-side and server-side certificates). We will get the client-side certificate installed as part of an activation/bootstrapping algorithm on the client when it first connects. ItsOn would get its certificates issued by a standard certificate authority.
We will either encrypt or add a message digest to messages in transit. This would be implemented in the communication layer at the client and server. Session initiation will be much like in TLS: after the authentication occurs, the server will send the client a session key that would be used to encrypt/sign all data exchanged (in both directions) for that session. Client to server communication sessions typically only last a few seconds at most. There are no persistent sessions.
ItsOn will also perform source code audits using tools like RATS or Fortify 360 to ensure that coding vulnerabilities are prevented.
ItsOn will detect rogue applications by comparing hashes of known good applications. These hashes will be held with the service activity and pushed down to the SP from the SC.
Penetration testing of the Service Processor software will also be carried out on a regular basis, the scope of which will be determined in contracts.
have access to various physical locations, such as the data center, warehouse, computer operational centers, and any other critical areas.

Exterior Security Elements
The Santa Clara facility meets all local, state, and federal regulatory requirements for building codes and has been constructed of post and beam framework with the exterior of the walls made of tilt up concrete. The building was acquired by QualityTech in 2007 and has been modified accordingly to enable the secure delivery of data center services. The facility has a total of approximately 67,200 square feet of usable space, with 20,000 square feet allocated to an 18” raised floor data center area on the first floor of the building, and 19,500 square feet allocated to a 24” raised floor data center area on the second floor of the building. The remaining usable space is allocated to office areas, storage space, and infrastructure accommodations.

Exterior lighting is appropriate for adequate visibility outside the facility during night hours, helping to ensure potential intruders are unable to approach the building unseen. Grounds and vegetation surrounding the building are appropriately maintained to prevent potential intruders from shielding or hiding themselves. Exterior windows leading into the data center area on the first floor are protected by 1/4” thick Kevlar panels to prevent the glass from being penetrated by projectiles or by other forceful means. Windows leading into the data center area on the second floor are protected by 5/8” thick sheetrock. The exterior of the building is also protected by strategically placed security surveillance cameras for monitoring and recording of external building activity.

Roof access to the main two story portion of the facility is accommodated from the inside of the building via a ladder in a stairwell. Access to the stairwell is protected by a badge reader and only authorized personnel are permitted in that area. The roof hatch at the top of the ladder is latched from the inside so it cannot be opened from the outside, and is tied to the building alarm system to notify security personnel when the hatch is open. In addition, the building has an expansion wing that is one story high with roof access gained from the outside within the courtyard area located adjacent to the expansion wing. The courtyard houses the facility's backup generators, fuel for the generators, and other electrical & environmental infrastructure, and is surrounded by cement walls and wrought iron fencing. Access to the courtyard area can be gained from inside or outside the facility, and is protected by badge readers and biometric readers to ensure only authorized individuals can gain entry to the courtyard area.
`
Interior Security Elements
The Santa Clara facility is manned by QualityTech security staff 24x7, with a minimum of two (2) security personnel onsite at all times during business hours. The security team performs regularly scheduled rounds looking for anything unusual, suspicious, or out of the ordinary, and surveillance cameras are placed strategically throughout the building for monitoring and recording of internal building activity. To facilitate the secure shredding and disposal of sensitive documents, the Santa Clara facility maintains a contract with a local vendor.

The Santa Clara security team is responsible for a variety of critical activities and functions, including but not limited to:

• Controlling and monitoring data center access, prevention of unauthorized access
• Ensuring compliance with access procedures
• Controlling the movement of items removed via the facility main entry point, loss prevention
• Issuance and retrieval of ID access badges
• Administration of the computerized access control system
• Administration and maintenance of physical security systems
• Monitoring of, response to, and resolution for security alarms
• Conducting scheduled and unscheduled security, fire, and safety patrol inspections
• Enforcement of policy to prevent unauthorized photography
• Enforcement of policy prohibiting food or drink in the data center areas
• Escorting of visitors without access credentials
• Assisting customers with cage lockouts
• General compliance with security policies and procedures

The data center area raised floor on the first floor of the facility is secured with heavy tiles made of concrete, while on the second floor the data center area raised floor is secured with hollow core tiles to reduce the weight strain on the second floor. No data center entry/exit is possible from under the raised floors in either data center area. The area under the raised floor of the data center area on the first floor is used to deliver power, network cabling, and cooling to customer cabinets and cages. On the second floor, the area under the raised floor of the data center area is for the delivery of power and cooling while accommodations for network cabling are provided overhead. Cabinets and cages are constructed of metal and are of appropriate strength and rigidity to secure customer equipment from unauthorized access. All data center cabinets and cages in the facility are fastened to the floor, are clearly labeled, and are inspected periodically to ensure their proper physical condition. All cabinets and cages are secured with traditional lock & key mechanisms with keys safeguarded by the security team, and a select few are also equipped with electronic badge readers at the request of customers occupying those environments. Independent holding rooms are present on both the first and second floors of the facility and must be cleared prior to accessing the data center areas on those floors.
`
Access Control Elements
General access to the Santa Clara facility is gained via the front door, which is open for public access during normal business hours. The front door remains locked during non business hours and is secured by an electronic badge reading system. All other external doors remain locked when not in use, and are protected by badge readers and/or traditional lock & key. The Santa Clara facility is equipped with an electronic badge reading system to prevent unauthorized access to all areas of the building, managed and maintained by the security team. Each area of the building is considered a separate security zone and is configured individually within the electronic badge reading system for access to that specific area.

All visitors to the Santa Clara facility must have their visit logged by the security team, and must be escorted at all times unless they have access rights that do not require an escort. All persons requiring unescorted access to the Santa Clara facility must have an electronic access identification badge issued to them by the security team. Each electronic access badge is unique to the individual so that logging of access by electronic badge readers can be tied to specific persons. Electronic access badges are issued to customers by the security team under a structured enrollment program requiring a government issued picture ID such as a driver's license or passport. The type and duration of access is determined by the customer's access needs and the security team assigns access rights based on the specific parameters.

In addition to the electronic badge reading system the facility is equipped with biometric iris scanning devices and biometric fingerprint reading devices in select areas throughout the facility, managed and maintained by the security team. Like the electronic badge reading system, each area of the building protected by these biometric devices is considered a separate security zone and is configured individually within the systems for access to that specific area. Customers have their biometric attributes configured in these systems by the security team in accordance with customers’ access requirements.

Access to the data center areas on both the first and second floors can only be gained by clearing holding rooms that require two-factor authentication. Individuals requiring access to a data center area first use their electronic access badge and their biometric fingerprint to gain entry to the holding room, and then have their iris scanned by an iris reader inside the holding room to gain access to the applicable data center floor.
`
Monitoring Elements
The facility has in place forty (40) fixed position security cameras for video surveillance of critical areas in and around the building. The exterior and interior of the building are continuously monitored by cameras placed strategically for optimum coverage of critical areas, with images from the security cameras being displayed on two (2) 42 inch monitors each with sixteen (16) split screens for viewing multiple security cameras simultaneously. The monitors are maintained in the Security Office and are viewed by a member of the security team at all times when not engaged in other security duties.

All video surveillance streams are channeled through a digital video recorder (DVR) that archives the video captured by the security cameras. The DVR is located in a secure cabinet in the first floor data center and is accessible only to QualityTech security personnel and data center technicians. Video archives are maintained online for a period of one week before they are transferred to tape. Tape archives of the captured video are maintained for a period of ninety (90) days before they are overwritten, and the entire video surveillance system is protected by an uninterruptable power supply in the event there is a loss of power.
`
Fire, Life, Safety Elements
The Santa Clara facility is equipped with a comprehensive set of controls to ensure adequate protection as it relates to fire, life, and various safety elements. A central monitoring control panel is located in the Security Office that displays the status of various fire, life and safety elements throughout the facility. The central monitoring control panel aggregates data from several other control panels in various locations of the facility that are tied to their particular elements. In addition to onsite monitoring efforts undertaken by QualityTech security personnel, a third party security service provides remote monitoring of critical fire, life and safety elements including fire and smoke detectors, HVAC alarms, water sensors, and annunciators. The remote monitoring service will contact Santa Clara personnel in accordance with an escalation contact list in the event an alert is triggered by any critical fire, life or safety element.

A wet pipe fire suppression system protects the common office areas of the facility as well as the generator area in the adjacent courtyard. All other areas within the facility on both floors, including the data center areas, mechanical & electrical rooms, and other infrastructure areas, are protected by a pre-action dry pipe fire suppression system. A common water supply feeds the fire suppression system on both the first and second floors; however, the system operates independently on the two floors, and an alert condition that causes the dry pipes to fill on the first floor does not cause the dry pipes to fill on the second floor, and vice versa. Leak detectors are located under the CRAC units on both floors to ensure that any water escaping from the fire suppression system or CRAC units is detected in a timely manner. The entire fire suppression system is inspected annually by the local Fire Marshal to ensure its operability and compliance with fire codes.

In addition to the pre-action dry pipe fire suppression system, a Fenwall FM 200 system is in place in the data center area on the first floor of the facility that provides an additional level of fire protection in the first floor data center. The FM 200 system is a chemical based waterless fire suppression system that deploys quickly without leaving behind any residue or particulates, and operates independently from the water based pre-action dry pipe fire suppression system. The fire suppression system in the second floor data center area is enhanced by the implementation of Very Early Smoke Detection Apparatus (VESDA) type smoke detectors. The VESDA smoke detectors provide enhanced protection from fire conditions by reading air samples with highly sensitive laser technology that detects smoke particulates during the earliest stages of a fire condition. The second floor data center area incorporates three (3) VESDA air sampling control panels to ensure adequate coverage of the data center space. Fire extinguishers are positioned strategically throughout both floors of the facility to aid in the suppression of small incipient fires.
`
SAS70 Type 2 Certified
Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor's examination performed in accordance with SAS No. 70 ("SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting. (For more information see www.sas70.com)

Quality Technology Services has engaged NDB, LLP (Formerly Dupont & Morgan, LLP) as the exclusive SAS 70 audit provider for QualityTech data center facilities in the continental US. NDB is an international accounting and consulting firm that concentrates on providing high quality, cost-effective services to meet the challenges of today’s complex and competitive business environment. NDB’s emphasis on SAS 70, in particular their years of experience working in and with data center providers, was an important factor in our decision to engage NDB.
`
Splunk is used to implement real-time monitoring and alerting of incidents and attacks. System and application log files are monitored to find security and compliance issues as well as maintaining an audit trail of system activity.

ItsOn will utilize QualysGuard to perform regularly scheduled vulnerability assessments. QualysGuard provides a robust scanning service that analyzes the security of your network devices by referencing an inventory of thousands of known vulnerabilities covering all major operating systems, services and applications.
`
Network Security
`
In addition to the MSP security, ItsOn will also take the following precautions to protect data and systems within the Service Controller etc.

Front-facing DMZ implementation
• External services are isolated in a restricted perimeter network (a.k.a. DMZ) and separated by functional classification.

VLAN isolation of servers by function:
• 3 DMZ VLANs
  - The device services VLAN allows traffic from a range of device IPs to a limited number of application specific IP ports.
  - The web portal VLAN allows SSL traffic to Apache servers that proxy to the Service Design Center. Traffic can be restricted to a specific range of source IPs but that requirement has not been defined.
  - The carrier services VLAN allows traffic from the carrier for the purpose of file transfers and/or accounting record streams. This traffic is expected to be encapsulated in a secure VPN tunnel over the Internet from the carrier.
• Application VLAN
  - The application VLAN protects the business logic processors from the external traffic.
• Database VLAN
  - The database VLAN isolates the database servers and restricts traffic to that coming from the application servers.
• ItsOn Ops VLAN
  - The Ops VLAN separates ItsOn management and monitoring servers from the business layers.
• MSP Backup/Monitoring VLAN
  - The MSP uses a dedicated VLAN for monitoring and backup traffic.
• Inter-VLAN security via ACL
  - ACLs are used to restrict traffic between VLANs.

Host Level:
• No shared logins
  - Users are required to maintain separate and secure logins
• Remote logging and monitoring of access
  - System logs are mirrored to a remote server for real-time analysis to identify unauthorized access
`
Ensuring Continued Security
`
ItsOn will work with the MSP to implement vulnerability scanning for both server and application vulnerabilities using QualysGuard. This tool will be run on a frequent basis (TBD). Results will be analyzed and corrective action taken within the contracted days.

ItsOn will also ensure that any patching of the software required for security purposes is applied in the contracted timeframe. The MSP actively monitors OS related patch releases. OS patch updates are scheduled based on severity and applicability.

ItsOn will also use a product like McAfee Secure or QualysGuard to perform vulnerability scanning of the Service Control Center to ensure that customer data is safe from internal and external threat. This will ensure that SQL injection or cross-site scripting (XSS) is not an issue.

Penetration testing can also be carried out on a predetermined timescale based on contract.
`
The following bullets outline the fraud detection methods ItsOn will use and the fraud events it will capture:

• Service Processor (SP) doesn’t attempt authentication within acceptable window after the Service Controller (SC) receives “data session started” indication from the network
  - Cause: SP disabled, SIM in a non-ItsOn enabled device (non-fraud)
• SP fails authentication with SC
  - Cause: Invalid credentials, device spoofing
• SC receives Usage Data Records (UDR) from SP after receiving “data session stopped” trigger from the network
  - Cause: Device spoofing
• Service Controller receives CDRs but does not receive UDRs
  - Cause: SP disabled, SIM in a non-ItsOn enabled device (non-fraud, unless SP has authenticated with SC during this data session)
• SC receives CDRs and UDRs but the usage counts don’t align
  - Cause: SP tampering
• SC receives CDRs and UDRs but the UDRs indicate usage over Charging Policy (CP) limit(s)
  - Cause: SP tampering
• SC receives UDRs but charging codes do not correspond to CP(s) for current active services
  - Cause: SP tampering, device spoofing
• SC receives CDRs and UDRs, counts align, charging codes are correct, but data is miscategorized (needs FDRs to corroborate)
  - Cause: SP tampering
• SC receives CDRs and UDRs, counts align, but usage velocity within a Service Component or Service Activity is greater than the rate limit(s) set via the Control Policy
  - Cause: SP tampering
• SC receives CDRs and UDRs, counts align, but usage velocity at the Service Activity or Service Component level deviates “significantly” from average user usage velocity
  - Cause: SP tampering, Service Activity/Component usage patterns changing (e.g., service adds streaming content) (non-fraud)
`
• Service Controller receives a start session message from the network
  - Could be a “Start Accounting” RADIUS message from a GGSN, AAA or PDSN, or successful “GPRS Attach” notification from an SGSN
• Service Controller sets an “Expecting Service Processor Login” timer
• If Service Controller successfully authenticates the Service Processor within the timer interval, Service Processor is deemed to be running and valid.
• If the Service Controller does not successfully authenticate the Service Processor within the timer interval, it is assumed that: 1) the device does not contain a Service Processor; or 2) the Service Processor on the device has been disabled.
  - When this event occurs, the Service Controller can either 1) trigger the network to charge for usage at “standard” bulk rates; or 2) specify a “standard” bulk rate charging code in the CDRs sent to data mediation
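
The login timer above and the first seven events of the fraud list, as an added example of how a Service Controller could evaluate one data session; this is not code from the original document. The record layout, the event code names, the 60-second window and the 2% count tolerance are assumptions, and the sessions used to exercise it are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DataSession:
    start: float                         # "data session started" from the network (s)
    stop: Optional[float] = None         # "data session stopped" from the network (s)
    sp_login_at: Optional[float] = None  # time of the SP authentication attempt
    sp_login_ok: bool = False            # did that attempt authenticate?
    cdr_bytes: Optional[int] = None      # usage reported by the network (CDRs)
    # Usage reported by the Service Processor: (time, charging code, bytes)
    udrs: List[Tuple[float, str, int]] = field(default_factory=list)


def evaluate(s, cp_limits, login_window=60.0, tolerance=0.02):
    """Return {event code: cause} for one data session.

    cp_limits maps each charging code of the active Charging Policies to its
    byte limit. login_window and tolerance are assumed values.
    """
    events = {}
    authenticated = s.sp_login_at is not None and s.sp_login_ok

    # "Expecting Service Processor Login" timer expired without an attempt.
    if s.sp_login_at is None or s.sp_login_at - s.start > login_window:
        events["NO_SP_LOGIN_IN_WINDOW"] = "SP disabled or SIM in non-enabled device (non-fraud)"
    if s.sp_login_at is not None and not s.sp_login_ok:
        events["SP_AUTH_FAILED"] = "invalid credentials, device spoofing"

    # UDRs that arrive after the network reported the session as stopped.
    if s.stop is not None and any(t > s.stop for t, _, _ in s.udrs):
        events["UDR_AFTER_SESSION_STOP"] = "device spoofing"

    udr_total = sum(nbytes for _, _, nbytes in s.udrs)
    if s.cdr_bytes:
        if not s.udrs:
            # Non-fraud unless the SP authenticated during this data session.
            events["CDR_WITHOUT_UDR"] = (
                "fraud: SP authenticated this session but sent no UDRs"
                if authenticated
                else "SP disabled or SIM in non-enabled device (non-fraud)"
            )
        elif abs(udr_total - s.cdr_bytes) > tolerance * s.cdr_bytes:
            events["USAGE_COUNT_MISMATCH"] = "SP tampering"

    # Per-charging-code checks against the active Charging Policies.
    per_code = {}
    for _, code, nbytes in s.udrs:
        per_code[code] = per_code.get(code, 0) + nbytes
    for code, total in per_code.items():
        if code not in cp_limits:
            events["UNKNOWN_CHARGING_CODE"] = "SP tampering, device spoofing"
        elif total > cp_limits[code]:
            events["USAGE_OVER_CP_LIMIT"] = "SP tampering"
    return events


def charge_at_bulk_rate(events):
    """No successful SP authentication within the timer: use the bulk rate."""
    return "NO_SP_LOGIN_IN_WINDOW" in events or "SP_AUTH_FAILED" in events


# Constructed Charging Policy limits (bytes per charging code).
POLICY = {"web": 5000, "mail": 5000}

if __name__ == "__main__":
    no_sp = DataSession(start=0, stop=300, cdr_bytes=5000)
    found = evaluate(no_sp, POLICY)
    print(found, charge_at_bulk_rate(found))
```

The velocity and miscategorization events are left out because they need per-activity baselines and FDRs that a single session record does not carry.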
`
The following slides depict sample high-level implementation options of this functionality in a GSM/GPRS core data network
`
• Device attempts data session and sends GPRS Attach to SGSN
• SGSN notifies ItsOn Service Controller that the device has started a data session
• ItsOn Service Controller waits for a pre-determined time (e.g., one minute) to receive a login/authentication request from the ItsOn Service Processor on the device
• If the ItsOn Service Controller sees the request, it send
