While not all of the recommendations below may be applicable to your particular scenario or PBX systems, we suggest you review these with your IT staff.
Surveys of fraud and security experts working within the industry, who are directly involved in identifying and stopping communications fraud, reported a Global Fraud Loss Estimate of $46.3 Billion (USD) annually, a 15% increase from 2011. This is approximately 2.09% of telecom revenues.
PBX hacking was estimated at $4.42 Billion for the year 2013. The CFCA has put together a list of security recommendations to help businesses focus their attention on some of the common risks associated with PBX hacking.
The following is a list of best practices when deploying and administering telephone systems.
- Firewalls, whether hardware or software, inspect network traffic and permit or deny it based on rules.
- Firewalls are extremely important. If a network-enabled PBX is not behind a firewall, it will be hacked.
- Web/SSH access should be by whitelist only.
- SIP traffic should be monitored by a program that automatically bans IP addresses that are SIP-scanning the equipment for access.
- Fail2ban comes installed on most IP PBX distributions these days.
- Do not use the default extensions or extension passwords for registrations; use passwords that mix uppercase and lowercase letters, numbers, and special characters.
- Voicemail passwords should be changed often by the user and must not be the same as the extension number.
- Dialing out or returning calls through the voicemail system should be disabled.
- Voicemail passwords are not secure on their own, since they are numeric and can easily be scanned.
- The number of login attempts should be lowered to a maximum of 3 before the voicemail system disconnects the call.
- Block international dialing in dial plans. If you need to place calls internationally, put only specific numbers in the dial plans or password-protect 011 and NANP international dialing, set spending limits on accounts, and where possible whitelist calls to the desired countries and blacklist everything else.
- Also set up billing notifications with your provider, if available, so that you are notified when your spending goes up.
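The SIP-scanning ban logic described above, as an added example that is not from this page or from Fail2ban: a small Python detector that counts failed REGISTER attempts per source IP inside a sliding window and reports the addresses a firewall rule should block. The log line format, the window and the threshold are assumptions.

```python
"""Added example: detect SIP registration scanning by counting failed REGISTER attempts per source IP."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real PBX); the line format is an assumption.
SAMPLE_LOG = """\
2024-03-01 10:00:01 REGISTER failed: wrong password for '1001' from 203.0.113.7
2024-03-01 10:00:02 REGISTER failed: no matching endpoint '1002' from 203.0.113.7
2024-03-01 10:00:03 REGISTER failed: no matching endpoint '1003' from 203.0.113.7
2024-03-01 10:00:04 REGISTER failed: no matching endpoint '1004' from 203.0.113.7
2024-03-01 10:00:05 REGISTER failed: no matching endpoint '1005' from 203.0.113.7
2024-03-01 10:03:00 REGISTER failed: wrong password for '2001' from 198.51.100.9
2024-03-01 10:04:00 REGISTER ok for '2001' from 198.51.100.9
2024-03-01 11:30:00 REGISTER failed: wrong password for '1001' from 192.0.2.55
2024-03-01 11:45:00 REGISTER failed: wrong password for '1001' from 192.0.2.55
"""

FAIL_RE = re.compile(r"^(\S+ \S+) REGISTER failed: .* from (\d{1,3}(?:\.\d{1,3}){3})$")

def find_offenders(log_text, max_fails=5, window_minutes=10):
    """Return {ip: time of the failure that triggered the ban} for every source IP
    that produced at least max_fails failed registrations inside a sliding window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)      # ip -> timestamps of failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                 # successful registrations and unrelated lines are ignored
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        if ip in banned:
            continue                 # already reported once; no need to count further
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= max_fails:
            banned[ip] = ts.strftime("%Y-%m-%d %H:%M:%S")
    return banned

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when})")
```

A single wrong password from a legitimate phone (198.51.100.9) never reaches the threshold, and two failures 15 minutes apart (192.0.2.55) only do when the window is widened, which is the trade-off to tune when choosing the window.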
Network Enabled PBX Systems:
- Make sure the PBX software is a currently supported version, ideally a long-term support release for which security patches are routinely developed. Also make sure the core system is updated and patched for vulnerabilities as they are discovered and published. If your software version is no longer supported, update or migrate to a supported version; otherwise you will not be able to obtain security patches for current and future exploits.
- When calls are forwarded but the forwarding is not visible in the PBX administration GUI, check the telephone system database. Identify the section that deals with call forwarding and look for any numbers or addresses that may be forwarded. Attackers hide their call forwarding in the database, where most people never look. Seriously consider consulting a certified professional for any installation, maintenance or security audit.
When Network Enabled PBX Systems are Hacked:
- If the web interface is exposed to the public internet, it will not matter how complicated the administration login password is; attackers will exploit the code of the interface to gain access and then dump every password. In the event of a security breach, it is absolutely necessary to rebuild the system from scratch, formatting the disk. Even if you have a trusted backup from before the attack, all passwords will need to be changed and the security measures that were lacking initially put in place.
When an Employee is Terminated:
- Whenever an employee is terminated, always make sure the ex-employee's access to company systems is removed just before or during the termination. Change all passwords related to that user and remember to remove the individual's email access.
- Make sure all staff are aware of what social engineering is, and prepare your employees for when someone attempts to trick them into revealing confidential and private information about infrastructure and customers. The attackers will sound convincing. Make sure employees are absolutely certain they know who they are dealing with.
- Whitelist access to the PBX for Administration to specific IP Addresses
- Run periodic security audits to check for exploits in the PBX
- Frequently audit and change all active codes
- Restrict Toll Free dialing from areas where there is no business requirement
- Do not allow pass-through dialing
- Eliminate trunk to trunk transfer capability
- Restrict 0+, 0- and 10-1XXXX dialing out of PBX
- Restrict all calls to 900, 976, 950 and 411
- Restrict all possible means of out-dial (through-dial) capability in your voice mail system
- Consider allowing only attendant-assisted international calling
- Restrict 1+ dialing to extent possible
- Disable DISA (Direct Inward System Access) if possible. If not possible, use maximum number of digits for DISA code
- Deactivate unassigned voice mailboxes and DISA codes
- Restrict after-hours calling capability: DISA, International, Caribbean and Toll calls
- To combat Social Engineering, make sure that system administration and maintenance telephone numbers are randomly selected, unlisted and that they deviate from normal sequence of other business numbers
- Use multiple levels of security on maintenance access
- Do not allow unlimited login attempts to enter system. Program PBX to terminate access after third invalid attempt
- Enable system lock-out feature on voicemail – this allows only X attempts at password before someone is locked out
- Monitor Call-Forwarding activities
- Shred anything listing PBX access numbers, passwords or codes
- Never divulge system information unless you know who you are actually communicating with
- Use random generation and maximum length for authorization codes and passwords
- Deactivate all unassigned authorization codes
- Do not allow generic or group authorization codes
- Test all PBX voice menus to ensure there’s no unintended routing or access exposure to outside lines or internal systems
- Send e-mail reminders to all employees to change passwords on their voicemail periodically
- Frequently change default codes/passwords on voice mailboxes
- Do not use “alpha” passwords that spell common words or names
- Delete/change all default passwords
- Immediately deactivate passwords and authorization codes to known terminated employees
- Change all passwords when there are personnel changes
- Delete all ex-employee voicemail boxes and email access
- Analyze call detail activity frequently for unusual activity
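As an added example that is not part of the original checklist, the following Python script reviews a constructed call-detail export for the items above: it flags calls to the restricted 900, 976, 950 and 411 destinations, flags international calls placed after hours, and lists the extensions with repeated hits as the first accounts to audit. The CSV columns, the business hours and the prefix lists are assumptions.

```python
"""Added example: review a call-detail export for toll-fraud indicators."""
import csv
from io import StringIO
from datetime import datetime

# Constructed sample CDR export (not from any real PBX); the columns are an assumption.
SAMPLE_CDR = """\
start,extension,dialed,seconds
2024-03-04 09:15:00,1001,12125551234,180
2024-03-04 14:02:00,1002,0114420794600000,420
2024-03-05 02:10:00,1005,01125299999999,900
2024-03-05 02:12:00,1005,01125299999998,880
2024-03-05 02:15:00,1005,01125299999997,910
2024-03-04 11:00:00,1003,19005551212,60
2024-03-04 16:30:00,1004,411,30
"""

# Destinations the checklist says to block outright, written as NANP dial prefixes (assumption).
RESTRICTED_PREFIXES = ("900", "1900", "976", "1976", "950", "1950", "411")
INTERNATIONAL_PREFIXES = ("011", "+")
BUSINESS_HOURS = (8, 18)             # 08:00-18:00 local time, Monday to Friday (assumption)

def review_cdr(cdr_text, hours=BUSINESS_HOURS):
    """Return (extension, dialed, reason) findings in CDR order."""
    findings = []
    for row in csv.DictReader(StringIO(cdr_text)):
        dialed = row["dialed"]
        ts = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        off_hours = ts.weekday() >= 5 or not (hours[0] <= ts.hour < hours[1])
        if dialed.startswith(RESTRICTED_PREFIXES):
            findings.append((row["extension"], dialed, "restricted destination"))
        elif dialed.startswith(INTERNATIONAL_PREFIXES) and off_hours:
            findings.append((row["extension"], dialed, "international call after hours"))
    return findings

def extensions_to_review(findings, min_hits=3):
    """Extensions with at least min_hits findings: the likeliest compromised accounts or codes."""
    counts = {}
    for ext, _, _ in findings:
        counts[ext] = counts.get(ext, 0) + 1
    return sorted(ext for ext, n in counts.items() if n >= min_hits)

if __name__ == "__main__":
    hits = review_cdr(SAMPLE_CDR)
    for ext, dialed, reason in hits:
        print(f"extension {ext} -> {dialed}: {reason}")
    print("review first:", extensions_to_review(hits))
```

The daytime international call from extension 1002 is not flagged, which is the point of restricting by time of day rather than blocking all international traffic; the 2 a.m. burst from extension 1005 is the pattern that compromised DISA codes and voicemail boxes typically produce.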