24/08/2023
Reinforcing Cyber Security with Anatel's Act 77 and 2436

In an increasingly interconnected world, cybersecurity is emerging as a major concern. This topic takes on critical proportions in the context of telecommunications, where the constant transmission of information demands robust protection against cyber attacks. In order to reinforce the security of networks and devices, Anatel introduced Act 77 in January 2021. This act establishes security requirements for telecommunications equipment, aiming to minimize vulnerabilities through software updates or configuration recommendations. Act 77 is a significant milestone in the cybersecurity scenario in Brazil, aimed at safeguarding users against threats originating on the internet.

Since the beginning of July 2021, when Act 77 came into force, Anatel has required that requests for approval of equipment intended for use in Brazil include a specific declaration. This declaration attests that both the equipment in question and the supplier comply with the safety requirements set out in Act 77/21.

The scope of Act 77 covers a wide range of products, including Internet Connected Terminal Equipment (CPE) and telecommunications network infrastructure devices. If a product presents vulnerabilities that could compromise the security of telecommunications services and its users, Anatel has the prerogative to suspend approval until the vulnerabilities are resolved. This means that critical issues pending correction may lead to the suspension of product distribution in the Brazilian market until the pending issue is properly addressed by the supplier.

The requirements cover software/firmware updates, remote management, installation and operation, data communication services, personal and sensitive data, mitigation of attacks, and access for equipment configuration. This article focuses on the last of these.

Item 5.1.4 of the act concerns how access to configure the equipment should be performed, which includes both access via cable and access via Wi-Fi network.

Below are the items discussed:

a) Do not use initial credentials and passwords for access to the settings that are the same across all devices produced.
b) Do not use initial passwords derived from information easily obtained by scanning network traffic, such as MAC (Media Access Control) addresses.

To comply with items 'a' and 'b', each unit has a unique, strong password printed on a label attached to the device itself.

c) Force, on the first use, the change of the initial access password to the configuration of the equipment.

When logging in for the first time, the user is required to change the access password, and the new password must meet the following strong-password requirements:

- At least 8 characters,
- At least one uppercase and one lowercase letter,
- At least one digit (0 to 9),
- At least one special character (!, $, #, %, etc.).

The table below shows how long it would take an attacker to crack a password, so you can understand the importance of long and strong passwords:

[Table: estimated time to crack a password by length and character set; image not reproduced here.]

Source: (Carlos Eduardo Hara/Superinteressante)

d) Do not allow the use of blank passwords or weak passwords.

Blank passwords and passwords that do not meet the requirements mentioned in item 'c' will not be allowed.

e) Have defense mechanisms against exhaustive unauthorized access attempts (authentication attacks by brute force).

After 3 failed login attempts, login is blocked and the equipment refuses further access attempts for 1 minute.

f) Ensure that password recovery mechanisms are robust against credential theft attempts.

If the password is forgotten, a factory reset can be performed on the equipment, after which access is again possible with the password printed on the label.

g) Do not use credentials, passwords and cryptographic keys defined in the source code of the software/firmware and which cannot be changed (hard-coded).
h) Protect stored or transmitted passwords, access keys and credentials using appropriate encryption or hashing methods.

The equipment access keys are encrypted in files suitable for this purpose.

i) Implement routines for closing inactive sessions (timeout).

The equipment has a configurable inactivity timeout, with a default between 300 and 500 s depending on the equipment model.
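As an added illustration (not Datacom's own firmware code, and not part of the original article), the following Python sketch shows how the behaviour described for items c, d, e, h and i fits together in one authentication guard for a configuration interface: the password policy, a forced change of the label password on first login, a 3-attempt / 60-second lockout, salted password hashing instead of plaintext storage, and an idle-session timeout. The class name `ConfigAccessGuard`, the label password `Lbl-7Xq2mP` and the 300 s timeout (the lower end of the range stated above) are assumptions made for the example; the clock is passed in explicitly so the lockout and timeout logic can be exercised without waiting.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Policy values taken from the article's description of items c, d, e and i.
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 3
LOCKOUT_SECONDS = 60
SESSION_TIMEOUT_SECONDS = 300  # assumption: lower end of the stated 300-500 s range
PBKDF2_ITERATIONS = 100_000

# Each rule is (predicate, description of the unmet requirement).
POLICY_RULES: List[Tuple[Callable[[str], bool], str]] = [
    (lambda p: len(p) >= MIN_LENGTH, "at least 8 characters"),
    (lambda p: any(c.isupper() for c in p), "an uppercase letter"),
    (lambda p: any(c.islower() for c in p), "a lowercase letter"),
    (lambda p: any(c.isdigit() for c in p), "a digit"),
    (lambda p: any(not c.isalnum() for c in p), "a special character"),
]


def policy_violations(password: str) -> List[str]:
    """Return the unmet requirements; an empty list means the password is acceptable (items c, d)."""
    if password == "":
        return ["must not be blank"]
    return [msg for check, msg in POLICY_RULES if not check(password)]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the stored credential is a hash, not the password (item h)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class ConfigAccessGuard:
    """Authentication state for one device's configuration interface (hypothetical class)."""
    salt: bytes
    digest: bytes
    must_change: bool = True          # item c: the label password must be replaced on first login
    failed_attempts: int = 0
    locked_until: float = 0.0         # item e: timestamp until which logins are refused
    session_last_seen: Optional[float] = None

    @classmethod
    def from_label_password(cls, label_password: str) -> "ConfigAccessGuard":
        salt, digest = hash_password(label_password)
        return cls(salt=salt, digest=digest)

    def login(self, password: str, now: float) -> str:
        """Returns 'locked', 'bad_password', 'must_change_password' or 'ok'."""
        if now < self.locked_until:
            return "locked"               # attempts during the lockout are refused outright
        if not verify_password(password, self.salt, self.digest):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.failed_attempts = 0
                self.locked_until = now + LOCKOUT_SECONDS
                return "locked"
            return "bad_password"
        self.failed_attempts = 0
        self.session_last_seen = now
        return "must_change_password" if self.must_change else "ok"

    def session_active(self, now: float) -> bool:
        """Item i: a session that has been idle longer than the timeout is closed."""
        if self.session_last_seen is None:
            return False
        if now - self.session_last_seen > SESSION_TIMEOUT_SECONDS:
            self.session_last_seen = None
            return False
        self.session_last_seen = now
        return True

    def change_password(self, new_password: str, now: float) -> List[str]:
        """Apply the policy to the new password; returns the violations (empty on success)."""
        if not self.session_active(now):
            return ["no active session"]
        violations = policy_violations(new_password)
        if violations:
            return violations
        self.salt, self.digest = hash_password(new_password)
        self.must_change = False
        return []
```

In this sketch the lockout is keyed on the device as a whole, matching the article's description that the equipment itself blocks access for one minute; a real implementation would also log each refused attempt so that repeated lockouts are visible to the operator.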

Datacom's Commitment

Datacom is strongly committed to meeting Act 77 requirements on its equipment. This compliance bolsters the cybersecurity of customer networks, making them more resilient against cyberthreats. Through the careful implementation of security requirements, Datacom continues to improve the protection of users and digital ecosystems in an increasingly connected and challenging environment. The complete Act 77 can be accessed at this link:

informacoes.anatel.gov.br/legislacao/atos-de-certificacao-de-produtos/2021/1505-ato-77

If you have questions about Act 77, you can contact our support teams (DmSupport self-service portal or the call center at (+55) 51 3933 3122) or pre-sales (suporte.prevendas@datacom.com.br).

For questions and requests for proposals, please do not hesitate to contact Datacom's commercial team: sales@datacom.com.br, via WhatsApp from the account managers or (+55) 51 3933 3000.

Follow our blog; we regularly bring product news and technical content relevant to your business.

Follow Datacom on social networks, subscribe to our YouTube channel, turn on notifications and share the link on your social networks.

References:

informacoes.anatel.gov.br/legislacao/atos-de-certificacao-de-produtos/2021/1505-ato-77
sidi.org.br/responsabilidades-de-seguranca-cibernetica-anatel
super.abril.com.br/coluna/oraculo/quanto-tempo-um-hacker-demoraria-para-descobrir-minhas-senhas
