Telephone System Security Best Practice

Upload: chris-mcandrew

Post on 18-Nov-2014


Telephone System Security - Best Practice Guide


Contents

Contents (page 2)
Toll Fraud (page 3)
Toll Fraud over hacked voicemail systems (page 3)
Industry best practices (page 4)
The Firewall Approach (page 5)
General Rules (page 5)


Toll Fraud

Toll Fraud over hacked voicemail systems

Over recent months the telecom industry has received many reports of increased hacking activity, with customers reporting that they are being billed for Premium Rate or International telephone calls fraudulently made through their telephone systems. In this attack, hackers access your telephone system via system options that eventually permit them to place Premium Rate or International calls. These hackers most often call a business after hours using software called a war dialler, which lets them categorise your telephone lines and decide how best to attack your telephone system: through its automated answering system, vulnerable voicemail boxes, or unsecured telephone lines (DISA, Direct Inward System Access). Experienced hackers sometimes recognise the equipment they are calling by its prompts and know the equipment's default passwords, giving them access to mailboxes with unchanged passwords (or they will try guessing simple passwords such as 1234 and 1111). It is imperative to protect yourself against this type of fraud by ensuring your telephone system and voicemail equipment is safeguarded and your employees are educated about password security best practices. If you own your telephone and voicemail systems, you are responsible for the protection of your equipment and for any toll charges.


Industry best practices

• Ensure your employees change the manufacturer's default password immediately upon being assigned a voicemail box, and frequently thereafter.

• Programme your voicemail system to require passwords with a minimum of 6 characters (8 is preferred; the more complex the password, the more difficult it is to guess).

• Train your employees not to use easily guessed passwords such as their phone numbers, local number, simple number combinations or patterns.

• When assigning a phone to a new employee, never make the temporary password the employee's telephone number.

• If possible, programme your voicemail system to force users to change their password at least every 90 days. If not, introduce a corporate password policy which requires them to do so.

• If possible, all forms of automated trunk-to-trunk (straight through dialling) should be disabled. Straight through dialling allows you to make telephone calls through your mailbox or telephone system when you are at an offsite location. If this feature is used, it is important that you generate and monitor reports to ensure your mailboxes are not being abused.

• Remove all unassigned mailboxes.

The above security measures are of a general nature and will not protect every aspect of an individual telephone system – you are encouraged to contact either your maintainer or a specialist telecom security company to discuss the unique aspects and vulnerabilities of your telephone equipment in greater detail. Remember that you are responsible for paying for all calls originating from, and charged calls accepted at, your telephone, regardless of who made or accepted them.
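The password rules above can be enforced at the point where a mailbox PIN is set or reset. The following is an added example, not part of the guide: a small policy check that rejects PINs shorter than 6 digits, known defaults, PINs derived from the user's extension or telephone number, and simple repeated or sequential patterns. The default-PIN list and the sample extension and number are constructed for illustration.

```python
"""Voicemail PIN policy check (added example, not from the guide).

Encodes the guide's rules: at least 6 digits, not a vendor default,
not the user's extension or telephone number, and not a simple pattern.
The default-PIN list and sample numbers are constructed for illustration.
"""
import re
from typing import List

MIN_LENGTH = 6  # the guide's minimum; 8 is preferred
# Constructed list of weak/default PINs; load your own system's documented
# defaults in a real deployment.
KNOWN_DEFAULTS = {"0000", "1234", "1111", "123456", "000000", "111111"}


def is_sequential(pin: str) -> bool:
    """True when every digit is +1 or -1 from the previous (123456, 654321)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def is_repeated_block(pin: str) -> bool:
    """True when the PIN is one short block repeated (111111, 121212, 123123)."""
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin[:size] * (len(pin) // size) == pin:
            return True
    return False


def check_pin(pin: str, extension: str, phone_number: str) -> List[str]:
    """Return the policy violations for a PIN; an empty list means acceptable."""
    problems = []
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    if len(pin) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} digits")
    if pin in KNOWN_DEFAULTS:
        problems.append("matches a known default PIN")
    # Strip spaces/punctuation so "020 7946 0123" compares as digits.
    phone_digits = re.sub(r"\D", "", phone_number)
    if pin == extension or (phone_digits and pin in phone_digits):
        problems.append("derived from the user's extension or phone number")
    if is_repeated_block(pin) or is_sequential(pin):
        problems.append("simple repeated or sequential pattern")
    return problems


if __name__ == "__main__":
    for candidate in ("1234", "123456", "460123", "830715"):
        print(candidate, check_pin(candidate, "4321", "020 7946 0123") or "OK")
```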


The Firewall Approach

In our opinion this offers the most effective approach to telephone system security: deny everything, allow nothing, and treat every opened facility as a possible vulnerability.

General Rules

PBX

• All DISA lines should be disabled
• Call forward external from end users' phones should be restricted
• Redirect of incoming numbers to outside numbers should be restricted
• General access phones should be limited to calling local numbers only
• Call barring levels should be assigned correctly for long distance calling
• Access to known high toll fraud areas should be restricted
• Monitor and track long distance activity using Call Detail Reports

Voice Mail

• Deny inbound calls via Auto Attendant to external numbers
• Restrict or control Voicemail revert (0) dialling to pagers and mobiles
• Restrict or control Personal IVRs (dial 2 to transfer to my mobile)
• Restrict or control Voicemail Remote Notification to pagers and mobiles
• If available, use remote notification to email to notify of voicemail messages
• End users forced to change mailbox access passwords on a regular basis
• End user password minimum length set to at least 6 digits
• Administration of mailboxes, removing any unused mailboxes
• Call barring should be used to restrict outbound access where possible

All Systems:

• Passwords should not be posted or distributed
• Passwords should be changed on a regular basis
• Passwords must be changed from default passwords
• Where possible, restrict trunk-to-trunk (inbound/outbound) call transfers
• Monitor systems using traffic and call detail reports to check calling patterns:
  • calls to unusual locations
  • high call volume
  • long call durations
  • international and calls to 0990 numbers
  • high traffic after business hours
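The call detail report indicators listed under PBX and All Systems can be applied mechanically to a CDR export. The following is an added example, not part of the guide: it reads a constructed CSV export and flags calls to 00-prefixed international and 0990 numbers, long durations, high per-extension volume and after-hours traffic (the weekend check and all thresholds are assumptions chosen for illustration).

```python
"""CDR review (added example, not part of the guide): applies the guide's
monitoring indicators (international 00 and 0990 numbers, long durations,
high volume per extension, after-hours calls) to a constructed CSV export.
"""
import csv
import io
from collections import Counter
from datetime import datetime, time

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
LONG_CALL_SECONDS = 30 * 60
HIGH_VOLUME_CALLS = 3        # calls per extension in one export (assumed)
INTERNATIONAL_PREFIX = "00"
PREMIUM_PREFIX = "0990"      # the premium-rate range named in the guide

# Constructed export: timestamp, originating extension, dialled number, seconds.
SAMPLE_CDR = """\
timestamp,extension,dialled,duration
2014-11-14 10:15:00,201,02079460111,120
2014-11-14 23:40:00,305,00123456789,2400
2014-11-15 02:05:00,305,00123456788,1900
2014-11-15 02:50:00,305,09901234567,600
2014-11-14 14:30:00,212,01632960123,300
"""


def classify_call(record: dict) -> list:
    """Return the indicator names a single CDR row triggers (empty if none)."""
    flags = []
    when = datetime.strptime(record["timestamp"], "%Y-%m-%d %H:%M:%S")
    number = record["dialled"]
    if number.startswith(INTERNATIONAL_PREFIX):
        flags.append("international")
    if number.startswith(PREMIUM_PREFIX):
        flags.append("premium_rate")
    if int(record["duration"]) >= LONG_CALL_SECONDS:
        flags.append("long_duration")
    if when.weekday() >= 5 or not BUSINESS_START <= when.time() < BUSINESS_END:
        flags.append("after_hours")  # weekend, or outside 08:00-18:00
    return flags


def review_cdr(cdr_text: str) -> dict:
    """Review a whole export: flagged rows by index plus high-volume extensions."""
    rows = list(csv.DictReader(io.StringIO(cdr_text)))
    flagged = {i: classify_call(r) for i, r in enumerate(rows) if classify_call(r)}
    volume = Counter(r["extension"] for r in rows)
    high = sorted(e for e, n in volume.items() if n >= HIGH_VOLUME_CALLS)
    return {"flagged_rows": flagged, "high_volume_extensions": high}
```

In the sample, extension 305 trips every indicator at once, which is the pattern the guide describes: after-hours international and premium-rate calls of long duration from a single compromised extension.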