| Home | Free Articles for Your Site | Submit an Article | Advertise | Link to Us | Search | Contact Us | |
|
Seven Steps to Safeguard your PBX System - Articles SurfingIf your company uses a PBX / Voice Messaging system then you are being targeted by Phreakers (Phone Hackers). Phreakers take advantage of system interface vulnerabilities, known security (factory) passwords, and use social skills to obtain access to your system resources. Once a phreaker has successfully hacked into your PBX system, he/she may exchange the information with other phreakers, implement Call Back schemes, or place long distance calls that are billed to your company. Generally, phreakers use auto dialers to scan numbers that answer with carrier signals. When a system answers, it is then compared to the known programming formats. Phreakers will also manually dial into your Voice Messaging system and attempt to breach your systems security features. Phreakers also recognize *signatures* of systems. When a phreaker dials in and listens to the Voice prompts and instructions of you voice mail system, he/she recognizes what system they are communicating with and use that information to hack into the system. You'll never stop the attempts by phreakers to access your system, nor can you easily identify access attempts, but you can take steps to safeguard your PBX / Voice Messaging system. 1. Factory Passwords 1.1 Vulnerability: Some systems are installed with the default factory passwords still activated or unchanged. This is the most vulnerable setup. Phreakers know your PBX / Voice Messaging system factory passwords and will try that password once connected. 1.2 Protective Action 1: Verify with your vendor that all factory passwords have been changed or deactivated. 1.2.1 Protective Action 2: Change your passwords frequently, especially if your company has a high number of employee turnovers. 1.2.2 Protective Action 3: Create and maintain a process that identifies how often passwords will be changed and 'triggers' that require system password changes. 2. Remote Access 2.1 Vulnerability: Remote access allows vendors to access and perform maintenance or changes to your system remotely. The technician will connect via a modem to a system SDI (Serial Data Interface) port and log in to your system to perform the actions. This connection path may be exploited by phreakers. 2.2 Protective Action 1: Implement the protective actions in Step 1. 2.2.1 Protective Action 2: Consider purchasing a modem with a CLID authentication feature. The authentication feature checks the number dialing in and if it doesn*t match the CLID authentication programming, the call is refused. Communicate with your vendor to determine what number they will be using. Perform an internet search for CLID Authentication modems or contact your vendor. 2.2.2 Protective Action 3: You could place all of your modems in DND (Do Not Disturb). Calls made to the modem will be forwarded to your Attendants or a recorded announcement (RAN). Inform your vendor that they must call the attendant prior to dialing in so that the DND can be removed. They must also contact the attendant when they are done programming. 3. Voice Messaging Systems 3.1 Vulnerability: A Voice Messaging system is vulnerable when it is programmed with auto create mailboxes (also known as mailbox on demand), allows system to network transfers (pass-thru dialing), or uses default passwords when mailboxes are created. Phreakers use auto-create mailboxes as information exchange or pass-thru dialing points. 3.2. Protective Action 1: Disallow auto-create mailboxes. This setting is usually enabled during installation to permit a quick setup. When your initial setup is complete * disable this feature. 3.2.1 Protective Action 2: Pass-thru dialing allows mailbox owners to dial into a Voice Messaging system and dial a code for an outside line. Not only does this open your company to possible phreaker activity; it also exposes your company to employee fraud. 3.2.2 Protective Action 3: Mailbox passwords should be as long as possible and employees should be encouraged to use the longest password. 3.2.3 Protective Action 4: Create and maintain an internal agreement with all Voice Messaging system users. At a minimum the agreement should cover: - Password protection. 4. External Transfers * Call Forward External 4.1 Vulnerability: External transfers and forwarding exposes your company to employee fraud and phreaker activity. Employees could intentional take advantage of this feature to process non-business-related calls for themselves or friends. Phreakers use their social skills to convince employees to connect calls for them. 4.2. Protective Action 1: In most cases External transfer and/or Call forwarding isn*t needed. Many employees like to Call Forward calls to cell phones when out of the office * this is counter productive to your Voice Messaging system. Instead, instruct employees to allow calls to be routed to their mailbox and to check their mailboxes regularly when away from the office. 4.2.1 Protective Action 2: In cases where it is imperative that an extension be allowed to perform external transfers or call forwarding, create an internal procedure that sets: - Time of Day schedules for Call Forwarding (contact your vendor). - A regular review of calls associated with the extension. - A regular review of where calls are being routed. 5. Authorization Codes 5.1 Vulnerability: The most likely problem you will encounter with authorization codes is employee sharing. The act of sharing authorization codes exposes your company to possible employee fraud. Phreakers are savvy and are likely to know the authorization code procedures used by your particular system. 5.2 Protective Action 1: Create and maintain procedures that encompass the following security procedures: - Cultivate non-sharing of authorization codes within your company. 5.2.1 Protective Action 2: Ensure that authorization code entry is blind or hidden when entered on display phones and that redial of authorization codes is blocked. You may need to contact your vendor to activate these features. 6. Workstation/Internal modems 6.1 Vulnerability: Workstation/Internal modems not only provide phreakers with access to system resources, it also exposes your data network to hackers, worms and viruses. 6.2 Protective Action 1: Avoid modem polls. Many companies use modem pools to reduce the total cost of analog card ports. Modem pools allow phreakers and hackers to dial in and peruse your system for vulnerabilities. 6.2.1 Protective Action 2: Determine if a modem will have dial in and/or dial out capabilities. Most modems should be dial out only. To make a modem dial out only have your vendor program the extension as a non-Direct Inward Dial (DID). Modems that are Direct Inward Dial should adhere to the discipline discussed in Step 2. 6.2.2 Protective Action 3: Set the software associated with modems to not auto-answer. Many software programs or emulation programs have built in security features that prevent unauthorized access. 7. Fraud Scams 7.1 Vulnerability: Phreakers or scammers will use social skills to convince your employees to: - Release company information (mailbox log in procedures, switch room and modem numbers). 7.2 Protective Action 1: Educate your employees on authorized contacts from your vendor or communications personnel. Vendors should always identify themselves. 7.2.1 Protective Action 2: Educate your employees on existing scams and how to identify possible scams. Existing/common scams: - Call Forwarding scams. Your employee is asked to forward calls as a test for a vendor. Related Websites: * http://www.fcc.gov * Federal Communications Commission. Article by Charles Carter
RELATED SITES
Copyright © 1995 - 2024 Photius Coutsoukis (All Rights Reserved). |
ARTICLE CATEGORIES
Aging Arts and Crafts Auto and Trucks Automotive Business Business and Finance Cancer Survival Career Classifieds Computers and Internet Computers and Technology Cooking Culture Education Education #2 Entertainment Etiquette Family Finances Food and Drink Food and Drink B Gadgets and Gizmos Gardening Health Hobbies Home Improvement Home Management Humor Internet Jobs Kids and Teens Learning Languages Leadership Legal Legal B Marketing Marketing B Medical Business Medicines and Remedies Music and Movies Online Business Opinions Parenting Parenting B Pets Pets and Animals Poetry Politics Politics and Government Real Estate Recreation Recreation and Sports Science Self Help Self Improvement Short Stories Site Promotion Society Sports Travel and Leisure Travel Part B Web Development Wellness, Fitness and Diet World Affairs Writing Writing B |