Securing Cable's New Digital Terrain

The move to digital-based distribution channels is giving rise to a whole new array of opportunities for cable operators, including Internet-provision services, Webcasting, interactivity, home shopping and content on-demand.

But migration to the digital world brings serious concern regarding the protection of intellectual property and customer data to the fore. Though these distribution channels provide powerful pathways for the flow of information, they also provide the conduit for virus attacks, hacker "exploits" and the theft, unauthorized access or manipulation of that information.

Content and data can also be compromised through access points at cable modems, set-top boxes, coaxial and fiber-optic cabling, amplifiers, nodes, headend gateways and originating Internet-protocol and local networks. Compromise can also occur through satellite links to regional headends, service distribution hubs, and digital storage servers at partner companies.

The rapid spread of the "Love Bug" virus and the online theft of Stephen King's novel Riding the Bullet are just two news stories that show how very real these concerns are. These problems are exacerbated by the fact that security in the new-media world is very different from that in its "old media" predecessor.

SECURITY CONCERNS ABOUND

In an earlier day, system security concentrated on data access control and the protection of physical equipment. As we saw earlier this year, however, an insidious denial-of-service (DoS) attack can halt businesses that use high-bandwidth delivery mechanisms. Indeed, increased bandwidth is a lure to those wanting to wreak havoc with DoS attacks, system infiltration or content theft.

In February, Yahoo!, considered a leader in information technology practices and infrastructure design, experienced a major service outage, as did other high-profile Internet sites. Yahoo's service was halted by the infusion of more than 1 gigabyte per second in page requests. It would require over 300,000 users with 56K modems to send that amount of data. But with cable modems that run 24/7, it would require fewer than 1,000 users to achieve the same results.

Another problem is found in the availability of data stored in digitized format at cable operator sites. Digital businesses require the ability to respond rapidly to customer requests, often requests for customized content, but the pooling of customer data needed for this level of responsiveness is a tempting target for information thieves. Witness the earlier tribulations of CD Universe, in which a hacker armed with credit-card information stolen from the site held the company hostage.

Cable operators that collect customer data will also need to stay in compliance with changing regulations that protect the privacy of digital-service users. Ensuring compliance will be crucial to maintaining brand image and trust.

Cable modems offer a particularly vulnerable point of entry to system hackers. With 24/7 operation, and a limited number of IP addresses available from cable operators, hackers are provided easy access via random dialing to data and content that traverses broadband lines connected to cable modems.

A firewall can prevent most attacks, but hackers are finding ways around these mechanisms. Firewalls are of no use if the hacker is a legitimate subscriber to cable services and is conducting scans from within the firewall.

Data that travels through cable modems into cable lines can be read by anyone connected to the same local hub. This, in effect, creates a local-area network of users connected to set-top boxes or cable modems in the same neighborhood. Anyone in the "neighborhood" has easily and widely available access.

Ease of access in a cable neighborhood provides hackers the ability to enter weakly secured cable operator systems and, within seconds, utilize system resources to launch attacks on other sites with complete anonymity. Even worse, an attacker can seize a neighbor's PC and operate under the cloak of assumed identity. Cable operators whose systems are compromised can be perceived as unwilling participants in Web attacks, with potential legal and economic consequences.

IT SECURITY MANAGEMENT

Security concerns underscore the need for internal system controls and security capabilities. Enterprise-wide policies and procedures, system-access controls, vigilant system monitoring and the implementation of security software are essential to minimizing risk.

IT departments and business management need to work together to ensure decisions are made that enhance both asset security and business growth. The cost of increased security should be balanced with the investments made in front-end value added services for end-users. What is important to protect? What are the ramifications of not protecting it? The cost that comes from damage to brand image or consumer trust needs to be factored into the equation.

Risk therefore needs to be quantified in order to develop a properly secured infrastructure and mitigate exposure. System assessments and security software selection and implementation, as well as event monitoring, are essential ingredients in the establishment and ongoing success of digital business.

The need to grow digital businesses has started turning cable operators' technical staff and information-technology departments into crucial participants in the success of the enterprise through development of secure infrastructures, security policies and system integrity.

WHAT MUST BE DONE?

As cable operators feel the effects of fragmented markets, limited growth, and competition from Web outlets, they are developing digital strategies to effectively compete and increase brand awareness. System security assessments and network architecture reviews are effective ways to uncover holes in the current security configuration and determine the optimal configuration needed to protect digital businesses.

As small successes are realized in the transition to a digital environment, cable operators will mature their business plans for digital services through set-top boxes and cable modems. This will require further assessment of what is important to secure (content, data, transactions, and so on) and the potential effects on business of not securing those services. Management plays a critical role in identifying critical components of the business and determining the need for security relative to brand and speed to market.

As digitization further affects the business, cable operators will aggressively roll out digital delivery of programming and Web products, and begin to realize success in new services that connect cable customers to operator sites. At this point, privacy issues become prevalent as more users connect to cable-operator systems.

Information asset protection and security policy development are appropriate tools here. In addition, the role of privacy regulations needs to be included in decisions involving protection of data and maintenance of trust.

As digital distribution approaches saturation levels and becomes a common platform for all manner of transactions, encryption technologies such as public key infrastructure will become important.

The key, however, is to start early, addressing security and privacy concerns before functional infrastructures are in place. Tackling security and privacy issues on a system that is already up and running is more difficult, costly and time consuming. But with forethought and teamwork among those responsible for IT, operations and strategy, cable operators will be able to seize the many opportunities as we move into the digital age.

Julius Adams is principal of the Media & Entertainment Practice at IFsec, a New York-based network and information security firm.
