[ISN] Telecom Fraud, Cost Of Doing Nothing Just Went Up
InfoSec News
isn at c4i.org
Wed Mar 30 01:36:54 EST 2005
http://www.biosmagazine.co.uk/op.php?id=238
Craig Pollard
Head of Security Solutions
Siemens Communications
29.03.05
In today's business environment, IT network security is vitally
important, with security breaches across voice and data networks
growing by the day.
Emotive terms such as 'cyber attack' and 'cyber-terrorism' are always
certain to generate plenty of media excitement, with science-fiction
visions of malevolent hackers creating vicious computer viruses to
rampage through cyberspace, doing unseen and untold damage to the
infrastructures that support our way of life.
However, while the reality of IT security is far more mundane than
such science-fiction ideas, the threat to a network from malicious
attack remains real and the consequences just as frightening. Every
business is dependent upon information technology, which brings with
it inevitable vulnerability.
Dark rumours of underground hacker networks and conferences give rise
to the belief in a vast and growing number of aggressive, deliberately
destructive hackers. Significantly, the methods these hackers adopt to
gain unauthorised access to corporate resources are now also extending
to embrace telecommunications systems.
The hacker phenomenon has a serious and far-reaching influence. Were
communications on two continents ever disrupted by moving
telecommunications satellites? Have computing resources belonging to
government agencies ever been hacked? Have environmental controls in a
shopping centre ever been altered via modem? The answer to all of
these questions is yes. But, unlike other crime groups who receive
high profile coverage in the media, the individuals responsible for
these incidents are rarely caught.
As if that is not enough, unauthorised use of telecommunications
facilities is the preferred methodology for people who sympathise with
or support terrorist organisations, and want their activities to
remain invisible.
The French authorities studying the Madrid train bombings in March
2004, for example, are investigating whether the bombers hacked into
the telephone exchange of a bank near Paris as they were planning
their attack. The telephone calls involved were made by phreaking - a
practice similar to hacking that bypasses the charging system.
The PBX is among the most susceptible areas to telecommunications
fraud. Typical methods of fraudulent abuse involve the misuse of
common PBX functions such as DISA (Direct Inward System Access),
looping, call forwarding, voicemail and auto attendant features.
Another area popular for frequent fraudulent exploitation is the
maintenance port of PBXs. Hackers often abuse the dial-up modem that is
attached to such ports to assist in remote maintenance activities.
When a PBX is linked to an organisation's IT network - as is
increasingly the case with call centres, for instance - a poorly
protected maintenance port can offer hackers an open and undefended
'back door' into such critical assets as customer databases and
business applications.
It is clearly important to balance the cost of securing your voice
infrastructure from attack against the cost of doing nothing. The
consequences of inaction can include direct financial loss through
fraudulent call misuse (internal or external), missed cost saving
opportunities through identification of surplus circuits, adverse
publicity, damage to reputation and loss of customer confidence,
litigation and consequential financial loss, loss of service and
inability to dispense contractual obligations, as well as regulatory
fines or increased regulatory supervision.
As is the trend with hacking data networks, the threat to PBXs comes
primarily from within. For example, an employee, a contractor, or even
a cleaner could forward an extension in a seldom-used meeting room to
an overseas number and make international calls by calling a local
rate number in the office.
The perpetrator could likewise be the beneficiary of a premium rate
telephone number in this country or abroad and continue to leave
phones off the hook or on a redirect to that number, netting thousands
of pounds in illicit gains in a weekend.
And, of course, let's not forget about the new telecommunications
technologies which are based around open communications via the
Internet. These include IP-driven PBXs supported by all the adjunct
devices, the deployment of CTS (Computerised Telephone Systems), CTI
(Computer Telephony Integration) and Voice-over-IP.
The introduction of these technologies means IT and telecoms managers
now need to be even more alert in guarding against new and existing
threats that are typically associated with data networks and are now
impacting upon voice networks. Without diligent attention, telecoms systems are in
grave danger of becoming the weak link in the network and utterly
defenceless against targeted attacks by hackers.
So what practical measures can telecom or IT managers take to avoid
becoming a victim of telecom fraud? One of the most effective
approaches to improving the security of telephony systems is to
conduct regular audits of: station privileges and restrictions,
voice and data calling patterns, public and private network routing
access, automatic route selection, software defined networks, private
switched and tandem networks, and system management and maintenance
capabilities.
You should also audit auto attendant and voicemail systems, direct
inward system access (DISA), call centre services (ACD), station
message detail reporting, adjunct system privileges, remote
maintenance protection, and primary cable terminations and physical
security of the site and equipment rooms.
Other measures include reviewing the configuration of your PBX against
known hacking techniques, comparing configuration details against best
practice and any regulatory requirements that may pertain to your
industry sector.
Ensure default voicemail and maintenance passwords are changed and
introduce a policy to prevent easily guessable passwords being used.
Make sure that the policy demands regular password changes and take
steps to ensure the policy is enforced.
Installing a call logging solution, to provide notification of
suspicious activity on your PBX, is a useful measure and one that can
often give valuable early warning of an attack. In addition, review
existing PBX control functions that might be at risk or which could
allow errors to occur.
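
The call-logging measure above, applied to the insider scenarios described earlier in the article (an extension forwarded to an overseas number, phones left connected to a premium rate number over a weekend), as an added example that is not part of the original article. The record layout, the UK-style dialling prefixes and the thresholds are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample call records (not real data). Column names are assumed;
# a real PBX call log will use its own export format.
SAMPLE_CDR = """start,extension,dialled,duration_s,forwarded
2005-03-25 10:12:00,2101,02079460000,180,no
2005-03-26 02:15:00,2340,0015550100,3600,yes
2005-03-26 03:20:00,2340,0015550100,5400,yes
2005-03-26 23:05:00,2177,09098790000,14400,no
2005-03-27 04:00:00,2177,09098790000,14400,no
2005-03-28 11:30:00,2101,0015550123,240,no
"""

HIGH_COST_PREFIXES = ("00", "09")  # assumption: UK international and premium rate
BUSINESS_HOURS = range(8, 18)      # assumption: 08:00-17:59, Monday to Friday
MAX_OFF_HOURS_SECONDS = 1800       # assumption: per-extension alert threshold


def is_off_hours(start):
    """True for weekends and for weekday calls outside business hours."""
    return start.weekday() >= 5 or start.hour not in BUSINESS_HOURS


def find_suspicious(cdr_text):
    """Return {extension: [reasons]} for extensions that need a manual review."""
    off_hours_total = defaultdict(int)
    alerts = defaultdict(set)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if not row["dialled"].startswith(HIGH_COST_PREFIXES):
            continue  # local and national calls are out of scope here
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        if row["forwarded"] == "yes":
            # A forward that terminates on a high-cost number is rarely legitimate.
            alerts[row["extension"]].add("forwarded to high-cost number")
        if is_off_hours(start):
            off_hours_total[row["extension"]] += int(row["duration_s"])
    for ext, seconds in off_hours_total.items():
        if seconds > MAX_OFF_HOURS_SECONDS:
            alerts[ext].add("off-hours high-cost usage")
    return {ext: sorted(reasons) for ext, reasons in alerts.items()}


if __name__ == "__main__":
    for ext, reasons in sorted(find_suspicious(SAMPLE_CDR).items()):
        print(ext, "; ".join(reasons))
```
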
Be aware that many voice systems now have an IP address and are
therefore connected to your data network. You must assess what
provisions you have to segment the two networks. Security exposures
can also result from the way multiple PBX platforms are connected
across a corporate network or from interconnectivity with existing
applications.
Research and investigate operating system weaknesses, including
analytical findings, manufacturer recommendations, prioritisation and
mitigation or closure needs - and implement a regular schedule of
reviewing server service packs, patches, hot-fixes and anti-virus
software.
Finally, formalise and instigate a regular testing plan that includes
prioritisation of the elements and components to be assessed, and
supplement this by conducting a series of probing exercises to confirm
the effectiveness of the security controls used.