PBX Security in the VoIP age

Once upon a time hackers hacked computers and cause the IT department varying

degrees of heartache.

And the corporate telecom manager implemented his corporate PBX Security policy

and locked the communications room door on his way home.

Then along came the Phreak and they started attacking long distance carriers.

And the corporate telecom manager slept quietly in his bed safe in the knowledge

that PBX Security meant locking the comms room door.

Then someone invented Voicemail and IVR systems.

Phreaks started to pay attention to corporate telephone systems.

And the telecom manager started to stir.

Now we have VoIP systems running on virtual servers, web facing collaboration

applications, home workers with SIP handsets and mobile phones which function as extensions linked over WiFi to your

telecommunications server.

Now we have Phreaks attacking DISA, Voicemail and IVR systems, we have hackers

attacking telecommunications servers and their associated web facing applications and to add insult to injury we have

penetration testers telling us that we have not secured our applications properly!

What went wrong?

Well that question, at least, is easy – we never thought it would happen to

us…….

Attacking telephone systems in the current day and age is now a multi billion

dollar industry (estimated $80 billion globally) attracting a lot more that bored school kids, the people perpetrating these

attacks are more likely to be a part of an organised crime or terrorist group.

So, PBX Security needs to come of age, quickly.

Businesses need to implement and adhere to, strict PBX Security policies,

locking down all unnecessary functions and applications. Telecom Managers need to stay up to date on the latest threats

being posed by these attacks.

A new report from the Communication Fraud Control Association has placed the UK

in the top 5 countries which are global fraud hotspots, joining the likes of Cuba and India.

PBX Security Best Practices

• Ensure your employees change the manufacturers’ default password immediately

upon being assigned a voicemail box and frequently thereafter.

• Programme your voice mail system to require passwords with a minimum of 6

characters (8 is preferred – the more complex the password, the more difficult it is to guess)

• Train your employees not to use easily-guessed passwords such as their phone

numbers, local number, simple number combinations or patterns.

• When assigning a phone to a new employee, never make the temporary password

the employee’s telephone number.

• If possible programme your voice mail system to force users to change their

password at least every 90 days. If not then introduce a corporate password policy which requires them to do so.

• If possible DISA should be disabled. DISA is a function which allows you to

make telephone calls through your telephone system when you are at an offsite location. If this feature is used, it is

important that you generate and monitor reports to ensure that it is not being abused.

• Remove all unassigned voice mailboxes

The above security measures are of a general nature and will not protect every

aspect of an individual telephone system – you should contact your system maintainer or specialist PBX Security Consultant.

Remember that you are responsible for paying for all calls originating from, and

charged calls accepted at, your telephone, regardless of who made or accepted them.

For further information visit http://www.chris-mcandrew.co.uk or

http://www.telecompages.co.nr