Mitigating Voice Telephony Security and Fraud Risks

RFG believes the recent interest in IP-PBX voice telephony systems and the increased use of voice over IP (VoIP) technology in converged enterprise environments has sparked renewed interest in voice systems among hackers. The classic attack on a traditional private branch exchange (PBX) is toll fraud, the theft of long distance service. Hackers are now also attempting denial of service (DoS) attacks and exploiting call override features to take control of, and in some cases disable, corporate PBX and voice mail systems. To counter these attacks, IT executives should develop and implement security plans that reduce the chances of a potentially devastating and very expensive system attack succeeding.

Business Imperatives:

  • Hackers, disgruntled employees, and other potentially dangerous intruders are making an increased effort to enter and misuse enterprise voice telephony systems and services by guessing user passwords. IT executives and system managers should implement effective security measures that protect passwords, force their regular replacement, and limit unauthorized access, to avoid system exploitation.
  • The recent trend toward the convergence of telephony and computer systems has exposed voice systems to abusers who have traditionally limited their efforts to attempted breaches of data networks and systems. In order to avoid the abuse of converged voice/data networks and systems, IT executives should implement standard safeguards designed to minimize the opportunity for service attacks.
  • The increased use of corporate voice services by remote and traveling employees has introduced a new challenge to the management and protection of enterprise systems. IT executives should implement user authorization features that can be easily administered and monitored, to mitigate the increased system vulnerability introduced by employees working outside the enterprise campus.

The continuing convergence of computer data and voice telephony enterprise systems has expanded the economics, flexibility, functionality, and overall usability of voice systems significantly. However, this expansion of system capabilities has increased the vulnerability of voice telephony systems to unauthorized access by intruders and people intent on inflicting denial of service attacks aimed at bringing down corporate information networks. Fortunately, there are several basic actions that can be taken by enterprise IT management to minimize the risk of unauthorized system access and mitigate the damage that may be done by those who succeed. (See the RFG Research Note "Identifying and Addressing Information Security Risk Factors.")

The most obvious and effective actions should be aimed at hackers attempting unauthorized access to voice telephony systems, such as office telephone and voice messaging systems. With increased frequency hackers are attempting to invade private corporate systems by attempting to methodically "guess" user passwords. While the hackers' chances of success are still rather low, the rewards for success are numerous and valuable. These include the collection of corporate and private personal messages and information and access to free telephone services.

There are several standard measures and rules that can be implemented and enforced on a corporate-wide basis to mitigate password abuse. Figure 1 summarizes the measures that should be taken to hinder such activity.

Figure 1: Suggested Password Safeguards
1) Deletion of all inactive voice mailboxes: Monitor mailbox use regularly and eliminate boxes that are unused or inactive, on a monthly if not weekly basis, so that unmonitored boxes cannot be misused.
2) Deletion of testing and service codes: Delete all authorization codes used by the testing and servicing personnel who installed the system and replace them with new codes known only to system administrators.
3) Implementation of password change routines: Initiate an automated program that forces employees and administrators to change passwords on a regular basis, semi-monthly or monthly at minimum. Make this a business process even if the telephony voice system software does not support it automatically.
4) Restriction of log-on attempts: Limit the number of unsuccessful log-on attempts to three, meaning that callers into a system may enter a password only three times and are then disconnected if their sign-on attempts fail. Systems should be automatically monitored for multiple unsuccessful intrusion attempts, and administrators notified once predetermined thresholds are met.
5) Temporary password replacement: Immediately replace all temporary passwords assigned when service was first implemented with permanent passwords that are harder to guess or predict. Do this at both the system and employee level. Administrative passwords should be alphanumeric and at least eight characters long. A voice mailbox PIN entered from a telephone keypad can only consist of digits, so for those PINs length and unpredictability must do the work: at least eight digits, and never the extension number, a single repeated digit, or a sequential run.

Source: Robert Frances Group

These password guidelines may seem rather fundamental and taken for granted by good system administrators. However, it is amazing how few corporations implement or adhere to even such a basic written list of password rules.

In addition to password abuse, modern voice telephony systems are frequently left exposed to a litany of vulnerabilities that IT executives should guard against. As an example, the business telephone system or PBX should be programmed to block all collect-call options. In small- and medium-sized companies, this could be as simple as not implementing direct inward dialing (DID) access, which allows employees to be called directly at their telephone extension from outside the company. This can also be implemented by the use of a system that requires all calls to be answered by an automated switchboard operator, or an attendant trained to turn down collect calls. In many cases avoiding such system abuse can easily cover the cost of a system attendant.

Another related safeguard has to do with the avoidance of unnecessary long distance charges on PBX systems. Where feasible, many corporations should actively eliminate access to outbound long distance calling by all employees not authorized to make such calls. Too many systems are programmed by default to allow calls to destinations outside local area codes by an employee simply dialing a prefix number before the telephone number. In companies where outbound long distance access is not required, the long distance calling capability should be blocked totally.

Remote access capabilities of modern PBXs expose those systems to a broad range of abusive tactics that can be all but eliminated with proper management. As an example, today's PBX systems often allow remote employees to dial into the system, typically via a toll-free 800 number, to make outbound long distance calls that are charged to the company (a feature commonly known as direct inward system access, or DISA). While this can be a convenience and a money saver for remote or traveling employees, since it consolidates long distance billing on attractive corporate rate plans, it is often abused. Furthermore, the abuse is rarely tracked and quantified by employee.

In many cases RFG has found that, from a security perspective, it is safer and more cost effective for a company to issue employees long distance calling cards instead. At minimum, if a corporation must provide remote long distance access through the PBX, administrators should establish an unlisted toll free access number rather than using the published corporate number or a well-known 800 number. (See the RFG Research Note on "Addressing Teleworker Network Security Risks.")

In order to minimize risk in systems providing remote employee access, remote access calls into the corporate PBX should be answered by a voice recording or "silent prompt" instead of the standard "steady tone" that normally responds to such inbound calls for system access. The tone tells a war-dialing program that it has found a modem or remote access port; a recording or silence does not. This will go a long way toward thwarting hackers who dial corporate numbers at random looking for remote access ports from which to steal long distance services, a practice that has become all too common in today's corporate environments. IT executives should therefore proactively guard against such theft of service attempts.

In addition, in high-risk situations where abuse is suspected or experienced, PBXs should be programmed to pick up calls only after five or more rings. This can help to foil hackers using automatic dialing programs that move on to the next targeted number when call pick-up is not immediate. If a PBX allows incoming callers to transfer or forward calls to another extension, administrators should program the system to block the digits that callers could use to seize an outside line. Finally, administrators in an unusually high-risk environment should consider implementing a "barrier code system" as an additional level of security on enterprise telephone systems. A barrier code is an extra numeric password that callers must enter before the system grants access to remote features.

Regular system monitoring and call detail recording (CDR) is an important aspect of risk and fraud containment in voice telephony systems. Voice system administrators should ensure that systems are monitored for suspicious and unusual activity. Special emphasis should be on detecting repeated calls of short duration, unusual increases in the number of inbound and/or outbound calls, usage of toll free numbers, and large fluctuations in after-hour calling on the system. All of these occurrences can indicate unauthorized and illegal system access that should be thoroughly researched for legitimacy.
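As an added example, not part of the RFG note and not any PBX vendor's CDR tooling, the script below applies the four indicators from the paragraph above to a CDR export: repeated short-duration calls, a per-extension volume spike against prior days, toll-free number usage, and after-hours calling that jumps relative to the baseline. The CDR layout, the sample records, the telephone numbers and the thresholds are all constructed assumptions; every PBX has its own CDR schema, so parse_cdr() is the part to adapt.

```python
"""Toll-fraud indicators over a PBX call detail record (CDR) export.

Added example for this note, not RFG's or any PBX vendor's code. The CDR
layout (timestamp,direction,extension,number,seconds) is a constructed,
generic one; every PBX has its own schema, so parse_cdr() is the part to
adapt. The thresholds are assumed starting points, not vendor defaults.
"""
from collections import Counter
from datetime import datetime

SHORT_CALL_SECONDS = 10    # what counts as a "short duration" call
SHORT_CALL_BURST = 5       # short calls per extension per day worth flagging
VOLUME_SPIKE_FACTOR = 3.0  # day's calls vs mean of the prior days in the feed
VOLUME_SPIKE_MIN = 5       # ignore "spikes" on tiny baselines
TOLL_FREE_MIN = 2          # toll-free calls per extension per day worth flagging
AFTER_HOURS_MIN = 3        # after-hours calls per extension per day worth flagging
BUSINESS_HOURS = (7, 19)   # Mon-Fri, 07:00 up to 19:00 local time
TOLL_FREE_PREFIXES = ("800", "888", "877", "866", "855", "844", "833")

# Constructed sample (all numbers fictional): two quiet days, then extension 2417
# is used at 01:00 for a burst of very short international probes, one long
# completed call, and repeated hits on the corporate 800 remote-access number.
SAMPLE_CDR = """\
2003-04-14T09:02:11,OUT,2201,2125550142,183
2003-04-14T10:15:40,IN,2201,8005550100,240
2003-04-14T11:30:05,OUT,2417,2125550177,95
2003-04-14T14:45:22,OUT,2417,6175550133,310
2003-04-15T09:20:33,OUT,2201,2125550142,120
2003-04-15T13:05:18,OUT,2417,2125550177,200
2003-04-15T15:40:51,OUT,2417,3125550120,45
2003-04-16T01:12:03,OUT,2417,01144207946000,4
2003-04-16T01:12:19,OUT,2417,01144207946001,3
2003-04-16T01:12:34,OUT,2417,01144207946002,5
2003-04-16T01:12:50,OUT,2417,01144207946003,2
2003-04-16T01:13:06,OUT,2417,01144207946004,6
2003-04-16T01:20:44,OUT,2417,01144207946010,1820
2003-04-16T02:40:15,IN,2417,8005550100,14
2003-04-16T02:41:02,IN,2417,8005550100,9
2003-04-16T09:30:00,OUT,2201,2125550142,150
"""

def parse_cdr(text):
    """Parse CDR lines into dicts; blank and '#' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, direction, ext, number, secs = line.split(",")
        records.append({"when": datetime.fromisoformat(ts), "direction": direction,
                        "ext": ext, "number": number, "seconds": int(secs)})
    return records

def is_toll_free(number):
    """North American toll-free number, with or without a leading 1."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return len(digits) == 10 and digits.startswith(TOLL_FREE_PREFIXES)

def is_after_hours(when):
    """Weekends, or weekday hours outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    return when.weekday() >= 5 or not start <= when.hour < end

def analyze(cdr_text):
    """Return findings as dicts with keys day, ext, indicator, value."""
    total, short, toll_free, after_hours = Counter(), Counter(), Counter(), Counter()
    for r in parse_cdr(cdr_text):
        key = (r["when"].date().isoformat(), r["ext"])
        total[key] += 1
        short[key] += r["seconds"] <= SHORT_CALL_SECONDS
        toll_free[key] += is_toll_free(r["number"])
        after_hours[key] += is_after_hours(r["when"])
    all_days = sorted({day for day, _ in total})

    def prior_mean(counter, day, ext):
        """Mean daily count for ext over earlier days in the feed (zero days count)."""
        prior = [counter[(d, ext)] for d in all_days if d < day]
        return sum(prior) / len(prior) if prior else None

    findings = []
    for (day, ext), n in sorted(total.items()):
        hits = []
        if short[(day, ext)] >= SHORT_CALL_BURST:
            hits.append(("short_call_burst", short[(day, ext)]))
        base = prior_mean(total, day, ext)
        if base is not None and n >= VOLUME_SPIKE_MIN and n >= VOLUME_SPIKE_FACTOR * base:
            hits.append(("volume_spike", n))
        if toll_free[(day, ext)] >= TOLL_FREE_MIN:
            hits.append(("toll_free_usage", toll_free[(day, ext)]))
        ah, ah_base = after_hours[(day, ext)], prior_mean(after_hours, day, ext) or 0
        if ah >= AFTER_HOURS_MIN and ah >= VOLUME_SPIKE_FACTOR * ah_base:
            hits.append(("after_hours_calls", ah))
        findings += [{"day": day, "ext": ext, "indicator": i, "value": v} for i, v in hits]
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_CDR):
        print(f"{f['day']} ext {f['ext']}: {f['indicator']} = {f['value']}")
```

Run directly, it prints four findings, all against extension 2417 on the third day; the single inbound 800 call on extension 2201 on the first day stays below the toll-free threshold, which is the point of thresholds rather than single-event alerts. In practice the daily CDR export is the input, and each finding goes to whoever researches it for legitimacy. The baseline is the mean over prior days in the feed, so the first day of a feed can never produce a volume spike finding; that is deliberate, since there is nothing to compare against.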

Many of the more recently introduced voice telephony systems are operating on standard open platform computer servers. In addition, many are based on Internet protocol connectivity (IP-PBXs) and voice over IP technology in the converged voice/data enterprise environment. These platform introductions have resulted in a broadening of security and fraud risks in corporate environments. Individuals experienced in computer system hacking are using those skills to attempt DoS attacks on voice systems, and to exploit call management override features to break into and control voice call functions on the system. (See the RFG Research Note "The IP-PBX Planning Now for the Inevitable.")

Extreme security violations can lead to unauthorized outsiders embedding DTMF tone codes into recorded voice messages, so that the voice mail system interprets the tones as commands during playback and wreaks havoc on itself, and to other nuisance-inducing, virus-like attacks on corporate telephony systems. In order to improve the chances of eliminating such attacks, system administrators should implement a few basic safeguards within their security initiatives, and test those safeguards frequently.

One constraint shapes the choice of safeguards: a VoIP security control should not be allowed to add more than 20 milliseconds of latency to any voice transmission. This means that many virtual private network (VPN) solutions currently in place may not be suitable for carrying VoIP traffic. Figure 2 depicts three specific attack types and recommended safeguards.

Figure 2: Recommended Safeguards Against Hacker Attacks on Voice Telephony Systems
1) Code-Embedded Message Attempts: Attempt to initiate such messages on your own system to test how it reacts. Results will vary by system and by the playback feature sets available on it. At minimum, the system administrator will gain an appreciation of the specific vulnerabilities of the system.
2) DoS Attacks: Frequently test and adjust time limits on the system and look for unusually long messages made up of random noise. Restrict message space limits on individual voice mailboxes to a reasonable length.
3) Override Exploit Attacks: Test the system's vulnerability to this type of attack by making test calls between two telephone extensions, attempting to override voice control functions, and looking for override warnings. Do this from both inside and outside lines to compare the warnings the system gives internal and external callers. Look to the primary PBX equipment vendors for tools that disable overrides initiated by outside callers.

Source: Robert Frances Group

Because IP-PBXs introduce a new level of fraud opportunities to the voice telephony world, their users and managers should take additional precautions. One recommended action is adding anti-virus protection to the server operating system. Another is configuring the IP-PBX so that temporary user- or extension-specific feature changes (forwarding a desk extension to an outside number, for example) revert to a "normal" mode after each call or after a relatively short, predetermined time period. This prevents hackers from taking advantage of a user who changes a feature while working remotely but forgets to reset it at the end of the remote session.
