What is a PBX?

A PBX (Private Branch Exchange) is a telephone switch installed on the premises of a medium to large size company. The PBX allows many users to share outside lines, significantly reducing the number of lines that must be leased from the local phone company.

The on-site PBX gives the organization more control over its telecommunications services. Today, even the most basic PBX systems have a wide range of capabilities that were previously available only in large-scale switches.

Unfortunately, more control also brings with it the opportunity for a variety of fraud and unwanted intrusions into your PBX.
The Many Types of PBX Threats

The ongoing threats to your PBX phone system are many. Some are more common than others, and which threat you face depends on the goal of the attackers or hackers. Almost all fall into one of the following types:
Theft of Service

Toll fraud is by far the most common threat to your PBX. Remote access features allow employees who are away from the office to call into the PBX to gain access for placing outgoing calls.

These calls are billed to the outgoing telephone line connected to the PBX. Unauthorized individuals who obtain access to the PBX itself and the authorization codes to make long distance calls can rack up huge bills for their corporate victims.

Once in possession of this valuable information, professional toll fraud crooks can place calls to anywhere in the world, all at the company's expense. Some will sell this information to others, further compounding corporate telecom losses.

Many cases of toll fraud result from insiders or vendors who disclose the phone numbers, IDs and passwords necessary for breaching PBX security.
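An added example, not part of the original page: a small check over call detail records (CDRs) for the toll-fraud pattern described above, flagging authorization codes that place off-hours international calls through remote access. The CDR column layout, the sample rows, the 011 international prefix and the thresholds are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs (hypothetical layout): call start, inbound caller,
# authorization code entered on the remote-access line, dialed number, seconds.
SAMPLE_CDR = """start,caller,auth_code,dialed,seconds
2024-03-04 10:15:00,5550101,4471,12125550123,300
2024-03-04 14:40:00,5550101,4471,13125550188,120
2024-03-09 02:05:00,5550177,8823,01144000000001,2400
2024-03-09 02:50:00,5550190,8823,01144000000002,3100
2024-03-09 03:45:00,5550177,8823,01144000000003,2900
2024-03-05 09:30:00,5550142,1290,01144000000004,600
"""

BUSINESS_HOURS = range(7, 19)    # assumption: 07:00-18:59, Monday to Friday
INTL_PREFIX = "011"              # assumption: North American dialing plan
MAX_OFF_HOURS_INTL_MIN = 30      # assumed per-code threshold, tune per site

def is_off_hours(ts):
    # Weekends and anything outside business hours count as off-hours.
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def flag_auth_codes(cdr_text):
    """Return {auth_code: [reasons]} for codes with suspicious usage."""
    stats = defaultdict(lambda: {"minutes": 0.0, "callers": set()})
    for row in csv.DictReader(io.StringIO(cdr_text)):
        ts = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        if not (row["dialed"].startswith(INTL_PREFIX) and is_off_hours(ts)):
            continue  # only off-hours international calls are scored
        s = stats[row["auth_code"]]
        s["minutes"] += int(row["seconds"]) / 60
        s["callers"].add(row["caller"])
    alerts = {}
    for code, s in stats.items():
        reasons = []
        if s["minutes"] > MAX_OFF_HOURS_INTL_MIN:
            reasons.append(f"{s['minutes']:.0f} off-hours international minutes")
        if len(s["callers"]) > 1:
            reasons.append(f"code used from {len(s['callers'])} different callers")
        if reasons:
            alerts[code] = reasons
    return alerts

if __name__ == "__main__":
    print(flag_auth_codes(SAMPLE_CDR))
```

A flagged code is a candidate for immediate deactivation and review, since a code shared or sold to others typically shows up as use from several callers in a short period.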
Disclosure of Information

This includes data disclosed without authorization, either by deliberate action or by accident. Examples could include eavesdropping on conversations or unauthorized access to routing and address data.
Modifying Data

This threat includes data altered in some meaningful way by reordering, deleting or modifying it. For example, an intruder or hacker may change billing information, or modify system tables to gain access to additional services.
Unauthorized Access

Includes actions that permit an unauthorized user to gain access to system resources and/or privileges.
Denial of Service

Includes actions that prevent the system from functioning in accordance with its intended purpose. For example, a piece of equipment or entity may be rendered inoperable or forced to operate in a degraded state. Also, operations that depend on timeliness may be delayed.
Traffic Analysis

This threat is a passive form of attack in which an intruder observes information about calls and makes inferences, e.g. from the source and destination numbers, or the frequency and length of the messages.

For example, an intruder may observe a high volume of calls between a company's legal department and the Patent Office, and conclude that a patent is being filed.
The threat of PBX fraud is real. To effectively prevent losses you need a contingency plan for keeping your PBX safe and secure. Download this free 66-page PBX Security Report for help in setting up your plan.