Page 869 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Another voice communication threat is private branch exchange (PBX) fraud and abuse. Many PBX systems can be exploited to place toll calls at the victim organization's expense and to hide the caller's identity, since the calls trace back to the compromised PBX rather than to the attacker. Attackers known as phreakers abuse phone systems in much the same way that other attackers abuse computer networks. Phreakers may be able to gain unauthorized access to personal voice mailboxes, redirect messages, block access, and redirect inbound and outbound calls.
Countermeasures to PBX fraud and abuse include many of the same
precautions you would employ to protect a typical computer network:
logical or technical controls, administrative controls, and physical
controls. Here are several key points to keep in mind when designing a
PBX security solution:
- Consider replacing remote access or long-distance calling through the PBX with a credit card or calling card system, so that toll charges are billed to an individual's card and the PBX offers no long-distance capability to steal.
- Restrict dial-in and dial-out features to authorized individuals who require such functionality for their work tasks.
- If you still have dial-in modems, use unpublished phone numbers that are outside the prefix block range of your voice numbers, so that a war dialer sweeping your published exchange does not find them.
- Protect administrative interfaces for the PBX.
- Block or disable any unassigned access codes or accounts.
- Define an acceptable use policy and train users on how to properly use the system.
- Log and audit all activities on the PBX, and review the audit trails for security and use violations (for example, after-hours calls, international and premium-rate calls, and calls that enter the PBX on one trunk and leave on another).
- Disable maintenance modems (that is, remote access modems used by the vendor to remotely manage, update, and tune a deployed product) and/or any other form of remote administrative access.
- Change all default configurations, especially passwords and capabilities related to administrative or privileged features.
- Block remote calling, also known as through-dialing or abuse of direct inward system access (DISA): allowing a remote caller to dial in to your PBX, obtain dial tone, and then dial out again, thus directing all toll charges to the PBX host.
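The audit-and-review point above is only useful if someone actually runs rules over the PBX's call detail records (CDRs). The following is an added example of such a review, not code from the study guide: it parses a constructed, simplified CDR layout (real PBX vendors each emit their own fields, so the parser is the part you would adapt) and flags the classic toll-fraud indicators the list warns about: inbound-then-outbound DISA calls, international calls from extensions not authorized to place them, international calls outside business hours, premium-rate destinations, and bursts of very short calls to many distinct numbers, which is what a war dialer or a voicemail-PIN guesser looks like in the logs. The authorized-extension set, business hours and thresholds are assumed policy values for illustration; the 011 international access code and 900 premium-rate prefix are North American numbering plan conventions.

```python
"""PBX audit-trail review for toll-fraud indicators (added example, not from
the CISSP study guide). The CDR layout is a constructed simplification; the
policy tables below are assumed values."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample CDRs: timestamp, source, destination, direction, seconds.
# direction "out"  = a station placed an outbound call
# direction "disa" = an inbound caller obtained dial tone and dialed out again
#                    (the remote-calling pattern the text says to block)
SAMPLE_CDR = """\
2024-03-04T09:12:00,2101,02125551234,out,184
2024-03-04T09:40:00,2117,0114412345678,out,900
2024-03-04T23:05:00,2148,01135812345678,out,1320
2024-03-04T23:08:00,2148,01135812345679,out,1200
2024-03-05T02:31:00,trunk-3,0112349876543,disa,2400
2024-03-05T03:10:00,2190,9005551212,out,30
2024-03-05T03:11:00,2190,02125550001,out,3
2024-03-05T03:11:30,2190,02125550002,out,2
2024-03-05T03:12:00,2190,02125550003,out,4
2024-03-05T03:12:30,2190,02125550004,out,2
2024-03-05T03:13:00,2190,02125550005,out,3
"""

INTL_AUTHORIZED = {"2117"}          # assumed: extensions allowed to dial abroad
BUSINESS_HOURS = range(7, 20)       # assumed: 07:00 to 19:59 local time
INTL_PREFIX = "011"                 # North American international access code
PREMIUM_PREFIXES = ("900", "1900")  # NANP premium-rate numbers
SCAN_THRESHOLD = 5                  # distinct numbers from one source ...
SCAN_WINDOW_S = 600                 # ... within this many seconds ...
SCAN_MAX_DURATION_S = 10            # ... where each call lasted at most this long


def parse_cdrs(text):
    """Parse the constructed CSV layout into dicts with a real datetime."""
    rows = []
    for ts, src, dst, direction, seconds in csv.reader(io.StringIO(text)):
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "direction": direction, "seconds": int(seconds)})
    return rows


def review_cdrs(text):
    """Return (rule, source, detail) findings for the audit trail in `text`."""
    findings = []
    by_src = defaultdict(list)
    for r in parse_cdrs(text):
        by_src[r["src"]].append(r)
        if r["direction"] == "disa":
            # Inbound-then-outbound: the PBX owner pays for a stranger's call.
            findings.append(("disa_passthrough", r["src"], r["dst"]))
            continue
        if r["dst"].startswith(INTL_PREFIX):
            if r["src"] not in INTL_AUTHORIZED:
                findings.append(("unauthorized_international", r["src"], r["dst"]))
            if r["ts"].hour not in BUSINESS_HOURS:
                findings.append(("after_hours_international", r["src"], r["dst"]))
        if r["dst"].startswith(PREMIUM_PREFIXES):
            findings.append(("premium_rate", r["src"], r["dst"]))

    # Sequential dialing: many very short calls to distinct numbers from one
    # source inside a short window (war dialing, voicemail PIN guessing).
    for src, calls in by_src.items():
        short = sorted((c for c in calls if c["seconds"] <= SCAN_MAX_DURATION_S),
                       key=lambda c: c["ts"])
        for i, first in enumerate(short):
            window = [c for c in short[i:]
                      if (c["ts"] - first["ts"]).total_seconds() <= SCAN_WINDOW_S]
            targets = {c["dst"] for c in window}
            if len(targets) >= SCAN_THRESHOLD:
                findings.append(("sequential_dialing", src,
                                 "%d short calls to %d numbers" % (len(window), len(targets))))
                break
    return findings


def findings_by_rule(findings):
    """Count findings per rule, the first thing a reviewer wants to see."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    found = review_cdrs(SAMPLE_CDR)
    for rule, src, detail in found:
        print(f"{rule:28s} source={src:8s} {detail}")
    print(dict(findings_by_rule(found)))
```

On the sample data the DISA record from the trunk, the two after-hours international calls from extension 2148, the 900-number call and the burst of two-to-four-second calls from extension 2190 are each reported once; the authorized daytime international call from 2117 is not. The same rules scale to a real CDR export once the parser is mapped onto the vendor's field layout, and the per-extension allowlist is the logged counterpart of the "restrict dial-out to authorized individuals" control.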