TRA: Telecom operators must be alert against cyber threats

Oman’s Telecommunications Regulatory Authority (TRA) has directed the growing number of telecom licensees operating across various segments of the Sultanate’s telecom sector to beef up their defences against potential cyber threats.
TRA Executive President Dr Hamed Salim al Rawahi said the Authority has issued guidelines requiring operators to safeguard their networks against all kinds of cyber and online risks.
“As cyber incidents pose a high risk to telecom networks and services, as well as consumer interests, and as it is important for the licensees to be continuously alert to such threats and update their plans for defence response and strategic security, the TRA has prepared and issued regulations specifying the licensees’ obligations to protect the telecom networks against such risks,” said Dr Al Rawahi.
“This will ensure that the licensees will take appropriate technical and operational measures to protect telecom network security and the services provided through them,” he stated in the Executive President’s Message featured in the newly published 2018 Annual Report of the Authority.
Apart from the main operators Omantel, Ooredoo and Awasr, the Authority has also licensed a sizable number of players operating as mobile resellers and international gateway operators, as well as those providing general maritime telecom services, private network services, passive broadband infrastructure services, and vehicle management system services, among others.
Separately, the Authority plans to launch an initiative to help the growing number of Domain Name System (DNS) clients in the Sultanate address vulnerabilities that leave open their sites to potential phishing and other cybercrimes.
“Vulnerabilities in the DNS can allow an attacker to hijack the process of looking up a site on the Internet looking their domain name,” said the Authority in its Annual Report. “The purpose of the attack is to take control of the session, for example to send the user to the hijacker’s own fake website for account and password (harvesting), as well as for other phishing and possible criminal activities,” it stated.
According to experts, cyber-criminals typically employ ‘cache-poisoning’ tactics to create fraudulent websites that impersonate, for example, website of a bank or financial services provider. Thus when customers log in, they unwittingly provide their banking credentials to the attacker, who can then access the victim’s account and siphon off any funds.
To address these shortcomings, the TRA plans to provide DNS Security Extensions (DNSSEC), a technology that enables domain name clients to secure their infrastructure. A team of TRA technical staff has been trained in the implementation of the DNNSSEC technology, it said.
“TRA intends to roll out DNSSEC using a phased approach, as it is critical to get everything correct and have the capability to of monitoring, managing and maintaining the DNSSEC once it is fully implemented,” the Authority said. Implementation is planned to be executed in 2019, it added.