Telephone fraud is an increasing menace to every business and can be especially devastating to small and medium-sized businesses. As with all cost-based systems, telephone service is a target for criminals looking to defraud you. Over the years their techniques have evolved: from blue boxes that replicated the tones of touch-tone phones, to skilled hackers breaking into PBXs to steal and then resell your service, to denial-of-service attacks designed to cripple your ability to make or receive calls. Following the industry best practices outlined below will lessen the risk that your business will be victimized by fraud. But the criminals looking to steal from you are smart, dedicated and creative.
Whether your PBX is in the cloud or the back room of your business, there are several security principles that are universal:
Your phone vendor or equipment supplier is the best source of information for specific security needs or concerns. Consult them.
Vigilance is your most important protection against fraud. Monitor your bills and usage for unusual calling patterns, use secure passwords and change them regularly, limit password knowledge to those with a true need-to-know, and always think of your phone system as a potential path for criminals to enter your business. You treat the physical security of your business seriously, and you need to do the same for your digital security.

Hardware PBX Security Best Practices


1. Change all default passwords to secure passwords at turn-up and regularly thereafter. The PBX may have several administrator passwords that will need to be changed, as will each mailbox. Restrict access to the PBX to HTTPS connections only.


2. Password security. Entire books could be devoted to this topic, but the following is a good beginning:
a. Use at least 8 characters mixing upper- and lowercase letters, and include numbers and special characters wherever possible. Good password-manager programs are available for every operating system that, when used properly, can generate and securely store these passwords for you.
b. Never use a phone extension or number as a password.
c. Use automatic settings or schedule-forced password changes every 30 days for your PBX and all voicemail boxes.
d. Never keep an unsecured list of passwords.
e. Make sure employees don’t change the password to something easy such as an extension or phone number.
f. Make sure employees don’t write down passwords or place them under the phone or keyboard.
g. Since your PBX sits on a public IP address, make sure that the underlying operating system (Linux or Windows) is updated, patched, and secured with strong passwords and tight access controls.


3. Because attacks against SQL and PHP are so common, keep your PBX on a separate piece of hardware that runs no SQL or PHP.


4. Set up a dedicated PBX firewall/IPS with an ACL that only allows specific IP addresses, and configure firewall alerts so that when an incident occurs an email is sent to you and/or your vendor. Use the ACL to block access to the PBX from any unknown source, and configure the PBX to block IP addresses that make repeated wrong username/password attempts. If possible, given the needs of your business, set the PBX to block all outbound calls outside of normal business hours and on weekends.
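The "block IP addresses that make repeated wrong username/password attempts" part of item 4 is usually done by watching the PBX's own log for registration failures. The following is an added example, not code from this page or from any PBX vendor: it reads log lines written in the style of Asterisk's chan_sip "Registration ... failed" notices (the sample lines are constructed, with addresses from the RFC 5737 documentation ranges) and flags any source address that reaches a threshold of failures inside a sliding time window. It also reports how many distinct account names the source tried, since one address cycling through many usernames is a typical enumeration pattern. The threshold and window values are assumptions to be tuned per site.

```python
"""Detect repeated SIP registration failures per source IP (constructed example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines, written in the style of Asterisk chan_sip
# "Registration ... failed" notices; the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
[2024-03-02 02:14:07] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@pbx.example>' failed for '203.0.113.45:5060' - Wrong password
[2024-03-02 02:14:08] NOTICE[1234] chan_sip.c: Registration from '"1002" <sip:1002@pbx.example>' failed for '203.0.113.45:5060' - No matching peer found
[2024-03-02 02:14:09] NOTICE[1234] chan_sip.c: Registration from '"1003" <sip:1003@pbx.example>' failed for '203.0.113.45:5060' - No matching peer found
[2024-03-02 02:14:10] NOTICE[1234] chan_sip.c: Registration from '"1004" <sip:1004@pbx.example>' failed for '203.0.113.45:5060' - Wrong password
[2024-03-02 02:14:11] NOTICE[1234] chan_sip.c: Registration from '"1005" <sip:1005@pbx.example>' failed for '203.0.113.45:5060' - Wrong password
[2024-03-02 09:02:15] NOTICE[1234] chan_sip.c: Registration from '"2201" <sip:2201@pbx.example>' failed for '198.51.100.8:5060' - Wrong password
[2024-03-02 09:45:40] NOTICE[1234] chan_sip.c: Registration from '"2201" <sip:2201@pbx.example>' failed for '198.51.100.8:5060' - Wrong password
"""

# Pulls the timestamp, attempted account, source IP and failure reason out of one line.
FAILURE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE.*?"
    r"Registration from '(?P<acct>[^']*)' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"
)


def find_brute_force_sources(log_text, threshold=5, window_minutes=10):
    """Return {ip: details} for every source that reaches `threshold` failed
    registrations inside any sliding window of `window_minutes`.

    The threshold and window are assumed values; tune them so that a user
    mistyping a password twice is not locked out, but a scripted run is.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    accounts = defaultdict(set)   # ip -> distinct account names attempted from that ip
    flagged = {}
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue   # not a registration failure; ignore the line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        accounts[ip].add(m["acct"])
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {
                "flagged_at": ts.isoformat(sep=" "),
                "failures_in_window": len(q),
                "distinct_accounts": len(accounts[ip]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_brute_force_sources(SAMPLE_LOG).items():
        print(f"block {ip}: {info}")
```

With the sample lines, only 203.0.113.45 is flagged under the default settings (five failures in four seconds across five different accounts); the single user at 198.51.100.8 who mistyped twice, forty minutes apart, is not. The flagged addresses are what you feed into the firewall ACL or the PBX's own IP-blocking feature; the firewall alert email from item 4 is the natural place to report them.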


5. Disable or restrict outbound calling through voicemail or an automated receptionist. If you need to enable outbound calling through voicemail or an automated receptionist or if smart phones are used with your PBX, set up account codes to help secure it.


6. Educate your employees about the risk of security compromises through spear phishing, social networks, or prank/hang-up calls. Criminals often gain access from inside the network via keyloggers or trojans placed on PCs in the office. Educate employees about the risks involved and make sure they are using business equipment only for business purposes.


7. Restrict inbound toll-free calls from 212, 718 and any other area codes from which you do not receive normal business calls.


8. Limit outbound calls to country codes and area codes where you do business; block all others.


9. Keep voicemail boxes up-to-date and disable those not in use. Disable voicemail boxes immediately for employees who leave the company.


10. Monitor PBX logs for suspicious activity.
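Items 4 (no outbound calls outside business hours), 8 (only country and area codes where you do business) and 10 (monitor logs), together with the advice at the top of the page to watch usage for unusual calling patterns, all come down to reviewing call detail records against a written policy. The following is an added example, not code from this page or from any PBX vendor: it reads a constructed CDR export (start time, extension, dialed number in E.164 form, billed seconds; the numbers are made up and belong to no real subscriber) and flags calls to destinations outside an allowlist of dial prefixes, calls placed outside office hours or at the weekend, unusually long calls, and an extension placing more calls per hour than the policy permits. The policy values are assumptions for a business that calls only +1 and +44 destinations on weekdays between 08:00 and 18:00.

```python
"""Review call detail records for toll-fraud indicators (constructed example)."""
import csv
import io
from collections import Counter
from datetime import datetime, time

# Constructed CDR export: start time, calling extension, dialed number in E.164
# form, billed seconds. Numbers are made up and belong to no real subscriber.
# 2024-03-01 is a Friday; 2024-03-02 and 2024-03-03 are the weekend.
SAMPLE_CDR = """\
start,extension,dialed,seconds
2024-03-01 10:12:03,1001,+12125550123,312
2024-03-01 14:40:51,1002,+14155550199,95
2024-03-01 16:05:00,1003,+442071234567,600
2024-03-02 02:31:17,1004,+252612345678,1790
2024-03-02 02:52:44,1004,+252612345679,1805
2024-03-02 02:58:09,1004,+370612345678,1760
2024-03-02 03:10:02,1004,+370612345679,1720
2024-03-03 11:15:30,1001,+12125550124,45
"""

# Hypothetical policy: the business only calls +1 and +44 destinations during
# Monday-Friday office hours. Every value here is an assumption to adapt.
POLICY = {
    "allowed_prefixes": ("+1", "+44"),         # country/area code prefixes where you do business
    "business_days": {0, 1, 2, 3, 4},          # datetime.weekday(): Monday=0 .. Friday=4
    "business_hours": (time(8, 0), time(18, 0)),
    "max_calls_per_ext_per_hour": 2,
    "long_call_seconds": 1500,
}


def parse_cdr(text):
    """Parse the CSV export into dicts with a datetime start and integer duration."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "start": datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S"),
            "extension": r["extension"],
            "dialed": r["dialed"],
            "seconds": int(r["seconds"]),
        })
    return rows


def destination_allowed(number, policy):
    """Item 8: only prefixes on the allowlist may be dialled; everything else is blocked."""
    return any(number.startswith(p) for p in policy["allowed_prefixes"])


def outside_business_hours(ts, policy):
    """Item 4: weekends and anything outside the office-hours window are suspect."""
    if ts.weekday() not in policy["business_days"]:
        return True
    start, end = policy["business_hours"]
    return not (start <= ts.time() < end)


def analyze_cdr(text, policy=POLICY):
    """Return one finding per suspicious call, in CDR order, with the reasons."""
    per_hour = Counter()   # (extension, "YYYY-MM-DD HH") -> calls seen so far in that hour
    findings = []
    for r in parse_cdr(text):
        reasons = []
        if not destination_allowed(r["dialed"], policy):
            reasons.append("destination outside allowed country/area codes")
        if outside_business_hours(r["start"], policy):
            reasons.append("call placed outside business hours")
        if r["seconds"] >= policy["long_call_seconds"]:
            reasons.append("unusually long call")
        bucket = (r["extension"], r["start"].strftime("%Y-%m-%d %H"))
        per_hour[bucket] += 1
        if per_hour[bucket] > policy["max_calls_per_ext_per_hour"]:
            reasons.append("call volume spike for extension")
        if reasons:
            findings.append({
                "start": r["start"].isoformat(sep=" "),
                "extension": r["extension"],
                "dialed": r["dialed"],
                "seconds": r["seconds"],
                "reasons": reasons,
            })
    return findings


def suspicious_extensions(findings):
    """Count findings per extension: the top entry is the first phone or mailbox to check."""
    return Counter(f["extension"] for f in findings)


if __name__ == "__main__":
    found = analyze_cdr(SAMPLE_CDR)
    for f in found:
        print(f"{f['start']} ext {f['extension']} -> {f['dialed']} ({f['seconds']}s): "
              + "; ".join(f["reasons"]))
    print("findings per extension:", dict(suspicious_extensions(found)))
```

On the sample data every Friday call passes, the four Saturday-night calls from extension 1004 each trip three or four rules at once (the classic pattern of a compromised mailbox or credential being used to resell minutes), and the Sunday call from 1001 is flagged only for its timing, which is the kind of single-rule hit worth a quick check rather than an alarm. A prefix allowlist is deliberately coarse; if you do business in only a few area codes, list those (for example "+1212") rather than the whole country code, exactly as item 8 says.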


11. Make sure all software, firmware and hardware are patched and kept current.

Additional Resources


Phone Fraud
http://en.wikipedia.org/wiki/Phreaking


http://www.infosecisland.com/blogview/20483-Prevent-VoIP-Toll-Fraud-with-Proper-Configurations.html


Asterisk
http://www.asteriskguru.com/tutorials/


VOIP security
http://www.voipsa.org/
http://www.networkworld.com/topics/security.html
http://www.secvoip.com/


For Support or questions contact us at 877-817-0227.