Meridian Systems: Welcome to the Nortel Meridian Forums, including Meridian Options 11-81C, CS1000M, Meridian Mail, Call Pilot, Companion and Succession, Hospitality, OTM, MAT, MICB, RAN, NetGateway ..., and all other Applications
03-04-2006, 01:36 PM, #1
rixride
Admin
Jack's Nortel PBX Security Overview

PBX Security Overview


I’ve been working on PBXs for longer than I care to admit; in that time I’ve only experienced one real occurrence of hacking. This particular hack was the result of a now-defunct service provider’s technician who literally set up a phone to forward to the PSTN.

Because this individual was not the brightest bulb on the Christmas tree and I had set up the appropriate security precautions for my PBX, it was very simple to prove who had done what as well as exactly when it occurred.

How can you avoid becoming a victim? Read on and I will detail some of the items for you to consider. While no writing on this subject can attempt to solve all of the world’s ills, please use this as a guideline to help you avoid some of the more obvious methods of abuse.

I will not address ancillary devices, e.g., voicemail, auto attendants, etc., here as there are just too many individual system quirks to cover in a broad-brush approach like this. Suffice it to say that MOST of the items outlined herein could apply to these systems as well.

Should you have any questions and/or additional suggestions, please post on PBXINFO.COM. Of course you could always jump into the Nortel CHAT room and ask SD for a Nortel password, as he’s got a few universal ones he loves to share.

Regards,

Jack


“What should you be doing to protect your PBX?”

This is a long list but let’s start with the easiest things and move on from there --

Passwords

·Make them LONG!!!

·Make them Alpha-numeric.

·Make them case-sensitive.

·Change them OFTEN!!!!!!!! At least once per quarter. As well as after EVERY install, upgrade and project.

·Protect them! Do not allow them to be written on the bottom of keyboards, on Post-it Notes attached to the monitor, embedded in login scripts, or saved in non-password-protected files on your computer.

·Require that any outside technician get the password from their organization rather than directly from you.

Remote Access

·Use an ASAP/SEB type modem for remote access that has a different password than the PBX’s. If you manage multiple sites, DO NOT make the remote access passwords the same for all sites.

·Where possible, IP-enable your PBX and use your organization's existing data remote access solution to access the PBX.

·If you are using separate access numbers and modems for your cores, leave the modems off until needed.

·Change the modem’s phone number periodically.

Manage your Vendor

·You can negotiate ANYTHING in your maintenance contract!!

·Make sure that the Vendor knows that sharing of passwords amongst technicians is not an option.

·Make sure that the Vendor alerts you as to when technicians have left (or been reassigned within) their organization so that passwords can be changed.

·Insist on getting the same technician whenever possible, unless a time critical outage exists. Familiarity does not have to breed contempt.

·Spell out exactly who amongst the vendor’s employees should be allowed access to your passwords.

·Treat your Vendor and their technicians with respect. An adversarial relationship is not going to produce a positive result whereas a partnership approach will benefit all involved.

·Get (and keep up to date) escalation lists of your Vendor’s management team. These should go up to at least Regional VP and if possible include home numbers in addition to office, pager and cell numbers.


Within the PBX

·Enable and use limited access passwords.

·Enable TTYLOG on all of the TTY ports that have login access.

·Enable History and Audit files.

·REVIEW THESE FILES REGULARLY!!!!!!

·Never allow maintenance phones -- CLS = MTA to be in an unsecured area, including your own phone.

·Make trunk access codes (ACODs) as long as the dial plan allows. ACODs should be treated the same as passwords; guard them carefully. Know EXACTLY which phones have the ability to dial ACODs, and verify the need for this on a regular basis.

·Set your failed login threshold LOW and your lockout timer HIGH!!!!

·CLS = CFXA is EVIL!!!!!! ALWAYS AVOID!!!! There is just no reason to put this on an end user's phone. Use the LD 81 LST feature to verify that none of your stations have this feature.

·All requests for the ability to forward offsite should be submitted in writing and reviewed on a regular basis to determine if the requirement still exists.

·If the requirement is valid, it is best to set this up so that the user enters a specific extension -- CDP entry, phantom port, ACDN, etc. -- that only goes to a specific number. The end user should have NO control over the programming of this other than forwarding their phone.

·DISA IS EVIL!!!!!!!!!!!!! Don’t use it!!!!

Physical Security

·Switchroom, Netpop or wire closets doors MUST NEVER be propped open!!!

·Keycard and/or key control logs should be kept and reviewed.

·Educate your receptionist and security personnel that all access to the Switchroom, Netpop or wire closets is only to occur with your express permission.

·Never store non-PBX-related material in the Switchroom, Netpop or wire closets. There really is a better place for the lobby Christmas decorations than the phone room!!!!

·Know where your outside plant facilities are and confirm that they are secure. Anyone can purchase a butt set from Home Depot nowadays. Remember, even digital feeds are not necessarily secure from a physical attack.

·Treat any documentation regarding your PBX the same as you would any other corporate documents. This includes your phone usage bills.

·Verify the amount of access allowed on common area telephones -- lobby, lunchroom and conference rooms -- to determine if that level of access is needed. Remember extra analog lines in conference rooms for speakerphones and/or laptop access.

·Confirm any and all modem ports for access as well as the need for DID access to them.

CDR & Billing

·By the time the bill comes it is often too late!!!

·Wherever possible use CDR all of the time, even if you do not charge back for service.

·Review your CDR & Billing to determine your organization's calling patterns -- are 12-hour calls to Afghanistan in the middle of the night normal?

·After you have developed your calling patterns, work with your LD Vendor to develop a fraud prevention program. This program can be as simple as the vendor notifying you of calls that differ from your pattern to the vendor turning off service until you’ve identified where the problem exists. Some of the more complex CDR packages -- Switchview for example -- have this ability within their suite of products.

·When reviewing, be on the lookout for:
·Long duration calls
·Calls outside of normal business hours
·Long Distance/International calls
·Calls to your incoming toll free numbers
·Calls to your Auto Attendant
·Collect calls -- very few businesses have the need to accept collect calls; work with your carriers to block all of these (as well as third-party billed calls) wherever possible.
·Short duration inbound calls.
·All trunk busy conditions -- this can also be managed via the traffic reports on the switch.
·Any cramming/slamming by third party carriers.
·Any out calling from auto attendant and/or voicemail ports.

The Human Factor

·Educate ALL of your employees to the reality of hacking of phone systems. This should include a corporate dictate that the telephone is the property of the corporation and is intended to be used solely for corporate business purposes.

·The desire to assist a caller often overrides common sense. Make sure that your employees -- especially switchboard attendants and receptionists -- understand that a caller is NEVER to be transferred to an outside line!! Explain the "transfer me to ext 9000" scam. Instruct them that all calls that are slightly suspicious should be transferred to yourself or your corporate security department.

What You need to Do

·Create a plan of action specific to your organization’s needs and then sit down with your boss and explain what you are doing and why. This is also a great opportunity to explain to your boss the necessity of additional training for yourself so that you can properly perform your job.

·MAKE the time to review your system’s files and logs on a regular basis.

·Be sure that you understand EXACTLY what implications changes to your CDB, RDB and/or CFN will have in relation to the security of your PBX. Remember quick hit fixes will be your downfall!!

·Sit down and think about your specific organization and determine what makes the most sense for you.

·Make use of existing resources such as PBXINFO.COM -- see Rhack's NCOS analyzer in the download section, GHTROUT's (http://home.wi.rr.com/browser/ght/m1sa1.html) excellent security audit outline!! And "transfer me to an outside operator" overview!!, as well as the great data parsers from both Dave Higham (http://home.wi.rr.com/browser/ght/m1sa1.html) and at RussellWeb (http://www.russellweb.co.uk/nortel/).

·DO NOT get overwhelmed by the whole PBX Security riff; while it certainly could constitute a full-time job in many organizations, it really is not that time-consuming once you are set up.

·Send your check to PBXINFO.COM to continue this resource!!


A special Thank you to Jack for this excellent resource.
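The CDR review checklist in the post above (long calls, after-hours calls, international calls, calls to your own toll-free numbers, short inbound calls, out-calling from voicemail ports), as an added example that is not part of Jack's or rixride's post: a small Python reviewer that runs those checks over a constructed CSV export. The record layout, thresholds, toll-free number and voicemail port numbers are assumptions for illustration, not Nortel's native CDR format.

```python
import csv
import io
from datetime import datetime

# Constructed sample export (not Nortel's native CDR layout): one record per
# call with direction, start time, duration in seconds, calling and called party.
SAMPLE_CDR = """\
direction,start,duration,calling,called
out,2006-03-01 09:12:00,240,2105,2145550123
out,2006-03-01 23:40:00,43200,2117,0119370012345
out,2006-03-02 14:05:00,60,2301,8005550100
in,2006-03-04 03:10:00,4,2145550199,2100
out,2006-03-02 10:30:00,900,2900,2145550150
"""

# Thresholds and identifiers below are assumptions for this example.
LONG_CALL_SECS = 4 * 3600           # calls longer than four hours
SHORT_INBOUND_SECS = 10             # inbound calls that end within ten seconds
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59, Monday to Friday
OWN_TOLL_FREE = {"8005550100"}      # the organisation's own toll-free numbers
VOICEMAIL_PORTS = {"2900", "2901"}  # extensions assigned to voicemail ports

def flags_for(rec):
    """Return the checklist items a single CDR record matches."""
    start = datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S")
    dur, called = int(rec["duration"]), rec["called"]
    hits = []
    if dur > LONG_CALL_SECS:
        hits.append("long duration")
    if start.weekday() >= 5 or start.hour not in BUSINESS_HOURS:
        hits.append("outside business hours")
    if rec["direction"] == "out" and called.startswith("011"):
        hits.append("international")  # 011 is the NANP international prefix
    if rec["direction"] == "out" and called in OWN_TOLL_FREE:
        hits.append("call to own toll-free number")
    if rec["direction"] == "in" and dur < SHORT_INBOUND_SECS:
        hits.append("short inbound call")
    if rec["direction"] == "out" and rec["calling"] in VOICEMAIL_PORTS:
        hits.append("out-calling from voicemail port")
    return hits

def review(cdr_text):
    """Map each flagged call ('start calling->called') to the checks it tripped."""
    findings = {}
    for rec in csv.DictReader(io.StringIO(cdr_text)):
        hits = flags_for(rec)
        if hits:
            findings[f"{rec['start']} {rec['calling']}->{rec['called']}"] = hits
    return findings
```

Calling `review(SAMPLE_CDR)` flags four of the five constructed calls; the 09:12 weekday call of four minutes passes clean.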