Page 870 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Deploy Direct Inward System Access (DISA) technologies to reduce PBX fraud by external parties. (But be sure to configure it properly; see the sidebar “DISA: A Disease and the Cure.”)

Keep the system current with vendor/service provider updates.

Additionally, maintaining physical access control to all PBX connection centers, phone portals, and wiring closets prevents direct intrusion from onsite attackers.

DISA: A Disease and the Cure

An often-touted “security” improvement to PBX systems is Direct Inward System Access (DISA). This system is designed to help manage external access and external control of a PBX by assigning access codes to users. Although great in concept, this system is being compromised and abused by phreakers. Once an outside phreaker learns the PBX access codes, they can often fully control and abuse the company’s telephone network. This can include using the PBX to make long-distance calls that are charged to your company’s telephone account rather than the phreaker’s phone.



DISA, like any other security feature, must be properly installed, configured, and monitored in order to obtain the desired security improvement. Simply having DISA is not sufficient. Be sure to disable all features that are not required by the organization, craft user codes/passwords that are complex and difficult to guess, and then turn on auditing to keep watch on PBX activities.

Phreaking is a specific type of attack directed toward the telephone system. Phreakers use various types of technology to circumvent the telephone system to make free long-distance calls, to alter the function of telephone service, to steal specialized services, and even to cause service disruptions. Some phreaker tools are actual devices, whereas others are just particular ways of using a regular telephone. No matter what the tool or technology actually is, phreaker tools are referred to as colored boxes (black box, red box, and so on). Over the years, many
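The sidebar's advice on DISA (hard-to-guess access codes, auditing turned on, watching PBX activity) can be put into practice with a small review of the PBX's call detail records (CDRs). The script below is an added example written for this page; it is not material from the study guide or from any PBX vendor. The CDR layout, the field names, the sample records, the thresholds (five failed code entries in ten minutes, business hours 07:00 to 18:59) and the assumption that the site dials internationally with the NANP prefix 011 are all constructed for illustration, so the parser and constants would need adapting to a real PBX export.

```python
"""Added example (not from the study guide): audit PBX call detail
records (CDRs) for the DISA abuse patterns described in the text.
CDR layout, field names, sample records and thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample CDR lines, pipe-separated (assumed layout):
# timestamp | event | caller_id | disa_code_id | dialed_number | seconds
# event is DISA_AUTH_FAIL, DISA_AUTH_OK or CALL.
SAMPLE_CDR = """\
2024-03-02T01:05:10|DISA_AUTH_FAIL|+15550001111|-|-|0
2024-03-02T01:05:25|DISA_AUTH_FAIL|+15550001111|-|-|0
2024-03-02T01:05:41|DISA_AUTH_FAIL|+15550001111|-|-|0
2024-03-02T01:05:58|DISA_AUTH_FAIL|+15550001111|-|-|0
2024-03-02T01:06:12|DISA_AUTH_FAIL|+15550001111|-|-|0
2024-03-02T01:06:30|DISA_AUTH_OK|+15550001111|code17|-|0
2024-03-02T01:07:02|CALL|+15550001111|code17|011441234567890|1840
2024-03-02T01:40:15|CALL|+15550001111|code17|011441234567891|2210
2024-03-02T14:10:00|DISA_AUTH_OK|+15550002222|code03|-|0
2024-03-02T14:11:05|CALL|+15550002222|code03|12125551000|300
"""

CDR_FIELDS = ("ts", "event", "caller", "code", "dialed", "seconds")
INTL_PREFIX = "011"            # NANP international dial prefix (assumes a NANP site)
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local; assumed policy window

def parse_cdr(text):
    """Parse CDR text into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(CDR_FIELDS):
            continue
        rec = dict(zip(CDR_FIELDS, parts))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["seconds"] = int(rec["seconds"])
        records.append(rec)
    return records

def find_code_guessing(records, max_failures=5, window_minutes=10):
    """Callers with max_failures or more DISA auth failures inside the
    window: the signature of someone guessing access codes."""
    by_caller = defaultdict(list)
    for r in records:
        if r["event"] == "DISA_AUTH_FAIL":
            by_caller[r["caller"]].append(r["ts"])
    flagged = []
    for caller, times in by_caller.items():
        times.sort()
        for i in range(len(times) - max_failures + 1):
            span = times[i + max_failures - 1] - times[i]
            if span.total_seconds() <= window_minutes * 60:
                flagged.append(caller)
                break
    return flagged

def find_after_hours_intl(records):
    """International calls placed through DISA outside business hours."""
    return [r for r in records
            if r["event"] == "CALL"
            and r["dialed"].startswith(INTL_PREFIX)
            and r["ts"].hour not in BUSINESS_HOURS]

def intl_seconds_by_code(records):
    """Total international airtime per DISA code, to spot a code that
    suddenly carries far more toll traffic than its owner normally would."""
    totals = Counter()
    for r in records:
        if r["event"] == "CALL" and r["dialed"].startswith(INTL_PREFIX):
            totals[r["code"]] += r["seconds"]
    return dict(totals)

def weak_code_reasons(code, min_len=8):
    """Why a DISA access code is easy to guess (empty list means acceptable)."""
    if not code.isdigit():
        return ["not all digits"]  # codes are keyed in on a DTMF keypad
    reasons = []
    if len(code) < min_len:
        reasons.append("shorter than %d digits" % min_len)
    if len(set(code)) == 1:
        reasons.append("single repeated digit")
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    if steps in ({1}, {-1}):
        reasons.append("sequential digits")
    return reasons

def audit(text):
    """Run all CDR checks and return the findings as one dict."""
    records = parse_cdr(text)
    return {
        "code_guessing": find_code_guessing(records),
        "after_hours_intl": [(r["code"], r["dialed"])
                             for r in find_after_hours_intl(records)],
        "intl_seconds": intl_seconds_by_code(records),
    }

if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_CDR).items():
        print(finding, detail)
```

On the constructed sample the audit reports the caller that failed five code entries in about a minute and then, once a code was accepted, placed two long international calls at 1 a.m., which is exactly the toll-fraud sequence the sidebar warns about. The `weak_code_reasons` check is meant for the provisioning side: run it against proposed access codes before they are issued, so that short or sequential codes never reach the PBX in the first place.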