We all need to take a serious look at our PBX and start locking down points of entry.
A few of the points of entry to monitor closely are the following:
- DISA: Direct Inward System Access. DISA gives associates who dial back into the office access to the PBX dial tone so they can place outbound calls. The application can be password protected, which helps, but in my experience it is fraught with security issues and should be tightly controlled. DISA is not one of my favorite applications: it can easily get out of control and be misused or abused within an organization.
- voicemail password: make passwords as long as you possibly can without annoying the majority of your users. The shorter the password, the easier it is for hackers to guess.
- voice menus: do not use simple passwords on your voice menus. Passwords such as 1111 or 3333 are common choices that make it easy for hackers to gain access to your PBX, obtain dial tone and start placing calls. Whether the calls are long distance or local, once your PBX is compromised the result can be crippling to your organization.
- authorization codes: some organizations issue long distance authorization codes that allow their users to make long distance calls through the PBX. Monitor these codes closely and cancel them as soon as an associate no longer works for your organization.
- calling cards: monitor your reports closely and know your organization's call pattern. Cancel a card as soon as its holder leaves your organization. Calling cards are prime targets for misuse and abuse. Much like a debit or credit card, the numbers can be memorized, and unless you monitor your reports closely you would not necessarily notice that a card is still being used long after the employee has left. These cards are also prime targets for "shoulder surfing": if you use your card at an airport, for example, a hacker watching you punch in the numbers can easily note the digits, then reuse the card or sell the numbers, and again no one is the wiser until you get your invoice.
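The two controls the list keeps coming back to are weak PINs on voicemail and voice menus and authorization codes or cards that outlive the associate who held them. The script below is an added example, not code from the original post or from any PBX vendor: it flags weak PINs (short, repeated digits such as 1111, or sequential digits) and scans a constructed call detail record (CDR) export for codes that belong to departed associates, codes missing from the roster, and international calls placed after hours. The CDR column layout, the roster and every record in it are assumptions made up for the example.

```python
"""Constructed PBX audit example: weak-PIN check plus CDR review for
authorization codes still in use after an associate has left.

All data below is made up; the CSV-style CDR layout is a hypothetical
export format, not any particular PBX's report.
"""
from datetime import date, datetime, time

# Constructed CDR lines: timestamp, authorization code, dialed number, seconds.
SAMPLE_CDR = """\
2023-03-01T09:15:00,4471,19085551212,320
2023-03-02T22:40:00,4471,01144207946000,1800
2023-03-03T10:05:00,5530,16105551000,60
2023-03-12T02:12:00,5530,01152155501234,2400
2023-03-13T11:30:00,7788,18005551234,90
"""

# Constructed roster: code -> (owner, termination date, or None if still employed).
ROSTER = {
    "4471": ("A. Smith", date(2023, 2, 28)),  # left the organization 2023-02-28
    "5530": ("B. Jones", None),               # active associate
    # "7788" is deliberately absent: a code nobody on the roster owns
}

# Assumed business hours window used to spot after-hours calling.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def weak_pin(pin: str, min_len: int = 6) -> list:
    """Return the reasons a voicemail / voice-menu PIN is weak (empty list = ok)."""
    reasons = []
    if not pin.isdigit():
        return ["non-numeric"]
    if len(pin) < min_len:
        reasons.append(f"shorter than {min_len} digits")
    if len(set(pin)) == 1:
        reasons.append("repeated digit")          # 1111, 3333, ...
    diffs = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if len(pin) > 1 and diffs in ({1}, {-1}):
        reasons.append("sequential digits")       # 123456, 654321, ...
    return reasons


def parse_cdr(text: str) -> list:
    """Parse the constructed CDR layout into dicts, one per call."""
    records = []
    for line in text.strip().splitlines():
        ts, code, dialed, secs = line.split(",")
        records.append({
            "when": datetime.fromisoformat(ts),
            "code": code,
            "dialed": dialed,
            "seconds": int(secs),
        })
    return records


def audit_codes(records: list, roster: dict, business_hours=BUSINESS_HOURS) -> list:
    """Return (code, timestamp, reason) tuples for calls that deserve a closer look:
    a code owned by a departed associate, a code not on the roster at all, or an
    international call (assumed '011' prefix) placed outside business hours."""
    findings = []
    start, end = business_hours
    for r in records:
        code = r["code"]
        entry = roster.get(code)
        if entry is None:
            findings.append((code, r["when"], "code not on roster"))
            continue
        owner, left = entry
        if left is not None and r["when"].date() >= left:
            findings.append((code, r["when"], f"used after {owner} left on {left}"))
        after_hours = not (start <= r["when"].time() < end)
        if r["dialed"].startswith("011") and after_hours:
            findings.append((code, r["when"], "international call after hours"))
    return findings


if __name__ == "__main__":
    for pin in ("1111", "3333", "123456", "839204"):
        print(pin, "->", weak_pin(pin) or "ok")
    for code, when, reason in audit_codes(parse_cdr(SAMPLE_CDR), ROSTER):
        print(f"{when:%Y-%m-%d %H:%M} code {code}: {reason}")
```

Run against a real export, the roster would come from HR or the PBX's own authorization-code table and the CDR parser would need to match the vendor's column order; the point of the example is the review itself, which is cheap to run against every report rather than only after an unexpected invoice.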
If you cannot recall the last time you had a security audit done on your phone system, it would be wise to have one completed before you are forced into reactive mode. Your PBX vendor should be able to complete one for you at minimal cost.
Have you come across any horror stories? Let me know.
Better to be proactive than reactive!