Gerald Kovacich has more than 40 years of industrial security, investigations, information systems security and information warfare experience in both the U.S. government as a special agent and business as a technologist and manager for numerous technology-based, international corporations. He is the founder of ShockwaveWriters.com and author of numerous infosec books, including The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program.
The use of telecommunications systems continues to grow rapidly. One aspect of the phenomenon is the company-owned telecommunications switch. These private branch exchanges (PBX) play an important role. They give companies control over their voice and data communications networks, which was not possible just a few years ago. These modern telephone switches are nothing more than "just another computer." However, as with any computer, they come with the potential for exploitation by hackers, or in this case "phreakers."
Although most companies are beginning to secure their computer networks that are attached to the outside world, many of them have failed to realize that the PBX is also a computer that must be secured. In many companies, the organizations responsible for the "normal" computer systems are not the same as those responsible for the PBX. This has historically been the case because computer systems were maintained and operated by data center people, while telephone systems were maintained and supported by the telecommunications people.
Although communication between the two organizations was not that necessary in the past for both to get their respective jobs done, this is no longer the case. Companies have been slow to recognize the need to integrate these two segregated groups into one. The lines between telephone switches and other types of computers are rapidly blurring.
While telecommunications people didn't concern themselves that much with any types of threats other than such things as fire, flood, etc., the computer technicians have for some time been concerned with both the internal and external threats to their systems.
The telephone technicians, until the advent of the PBX, were primarily concerned with ensuring that the phone systems were operational. When a company purchased its PBX, little attention was paid to securing the system from phreakers. In fact, even the PBX suppliers paid little attention to the threats to the systems. They did not provide any type of training or awareness briefings to their customers relative to the features of the PBX which are vulnerable to exploitation by phreakers -- primarily because many of them were not aware of the threats themselves!
It's amazing that companies had to learn the hard way all over again. They did not seem to, and some still do not, take the hard-learned lessons of securing their computers and use those techniques to secure their PBX.
The penetration of a PBX still appears to be primarily for using its direct inward system access (DISA) feature to dial through the switch to a long distance number, with the charges being picked up by the owner of the PBX. Penetrating the PBX to use and store messages in vacant voice-mail boxes, and to listen to and destroy messages in a voice-mail box which has been penetrated, is becoming an ever-increasing threat.
The following security requirements are provided to help the PBX owner develop a security policy and procedures that establish a baseline for mitigating both external and internal threats.
Telephone voice messaging operation
1. Policy: This document outlines the minimum security requirements for Telephone Voice Messaging (TVM) systems that support the services of voice mail, call answering, mailboxes and call processing.
The security controls for TVM must, with reasonable dependability, prevent: (1) unauthorized access to company information during, or resulting from, the processing of such information and (2) unauthorized manipulation of the system which could result in the compromise of company information.
The company's PBX security controls and operating procedures must be documented in writing and approved by security personnel. The purpose of the documentation is to ensure that all security aspects of the systems are addressed; to serve as a baseline for investigation in the event of a penetration or attempted penetration; to assist in conducting a risk analysis; and to assist in conducting damage assessments in the event information or equipment is stolen or damaged.
2. Requirements: Requirements are provided using the following 13 sections as the baseline for a procedures document:
2.1. Identification: This section provides basic TVM system, user and management identification.
2.1.1. Provide a unique name for the system.
2.1.2. Identify personnel responsible for maintaining controls and safeguards:
- System security manager
- Security custodian and alternate(s)
- Owners of hardware and software resources
2.1.3. Specify physical location(s) of resources.
2.1.4. Specify the location of all users.
2.2. System Usage: This section describes TVM system purpose, sensitivity levels of the information processed, type and usage of electronic media, and the specific mode of operation.
2.2.1. Describe the specific services of voice mail, call answering, mailboxes, call processing, etc. provided to each user (or group of users).
2.2.2. Indicate the days and hours of operation.
2.2.3. List the highest sensitivity level of company information transmitted/stored in mailboxes.
2.3. Hardware: This section identifies TVM system equipment, provides for hardware layouts, configurations and disconnect methods.
2.3.1. Provide a current list of equipment that includes manufacturer, model and serial number (and optionally, any company property tag numbers).
2.3.2. Describe company and non-company premises where all hardware components for the system reside.
2.3.3. Provide an inventory of the type and size of internal memory.
2.3.4. Provide an inventory of the type and usage of storage media.
2.3.5. Describe all removable/non-removable media used.
2.3.6. Describe the configuration-management techniques in place to ensure that all hardware components function in a cohesive, identifiable, predictable and reliable manner.
2.4. Software: This section describes TVM operating system and application software.
2.4.1. List all installed software, including vendor and release number.
2.4.2. Describe operating system security/protective features.
2.4.3. Describe messaging software security/protective features.
2.4.4. Specify the telephone time-out interval and method of warning established for interactive voice messaging.
2.5. Teleprocessing: This section describes TVM communication capabilities and circuits.
2.5.1. Provide current network diagrams, schematics and floor plans of the systems, telephones, as well as capabilities and restrictions on the use of cellular phones, company-owned pagers, etc. as applicable.
2.5.2. Describe the methods for restricting voice messaging to company use only.
2.5.3. Describe techniques for safe storage of all incoming/outgoing message traffic against power or equipment failure, power surges or spikes.
2.5.4. Describe configuration-management techniques in place to ensure that all elements and components function in a cohesive, identifiable, predictable and reliable manner.
2.6. Personnel: This section describes the TVM system personnel access controls.
2.6.1. Describe the security responsibilities of the following personnel:
- System security manager
- Security custodian and alternate(s)
- Owners of hardware and software resources
- Users of mailbox information
2.6.2. Describe supplemental custodian and user security awareness and training.
2.7. Physical: This section describes the physical security measures to protect the TVM system.
2.7.1. Describe the system hardware and media access controls in place during working and non-working hours.
2.7.2. Describe how all teleprocessing circuits are physically secured against tampering.
2.7.3. Provide evidence that information carrying sensitive information is not connected to systems that are not approved to transmit sensitive company information.
2.7.4. Provide evidence that connectivity to non-sensitive systems/telephone equipment outside of approved company areas is accomplished with controls in place that would preclude the intentional and/or accidental introduction of sensitive company information.
2.8. General Access Controls: This section describes TVM controls that restrict access to the system such as passwords, detection of unauthorized use and sign-on/sign-off procedures.
2.8.1. Describe method for user identification and authentication of employees using the system from outside company facilities.
2.8.2. Describe method for user identification and authentication of employees from within company facilities, including all of the following:
- Authorized user identification
- Restrictions on use of guest mailboxes
- Automatic password/PIN expiration interval
- Password/PIN minimum length
- Password/PIN change interval
- Non-working hours restricted mailbox access
- User failed-logon suspense criteria
2.8.3. Describe procedures for periodic review of user mailbox access and call processing authorization.
2.8.4. Describe mailbox group list update procedure upon notification to or by an employee of organization reassignment.
2.8.5. Describe mailbox access list update procedures upon notification to or by an employee of intent to terminate employment.
2.8.6. Describe method to prevent audible disclosure of passwords/PIN codes (e.g. conference speaker phones).
2.9. Operating Procedures: This section describes TVM system start-up, in-process and shut-down procedures used for sensitive processing.
2.9.1. Discuss how security-approved procedures will be used to enforce continuity, accuracy and protection of mailbox information.
2.10. General Storage, Protection and Control: This section describes TVM methods of marking, handling, storing and controlling of system media and information.
2.10.1. Describe provisions during call answering and call processing for system identification as a company-business-use-only system.
2.10.2. Describe company-wide method to enforce labeling of voice mail as company-sensitive.
2.10.3. Describe how the owner of each message contained in a mailbox is captured.
2.10.4. Describe method for safeguarding operating system software, messaging software, message distribution lists and mailbox contents.
2.11. Audit Trails: This section lists, describes and provides exhibits of all automated and manual audit trail records to provide a documented history of TVM system use, violations and maintenance.
2.11.1. Describe audit trail reports/logs used to capture accesses to the system, attempts to break in, attempts to bypass established system parameters, accesses to another user's mailbox without proper authorization, etc.
2.11.2. Describe the review process for reports/logs. Show how all anomalies or violations of security policies and procedures are evaluated, how the reason for them is determined, and what corrective action will be determined and taken.
2.11.3. Provide examples of the following minimum set of audit trail logs and reports:
- Custodian Acknowledgment Statement
- User Acknowledgment Statement
- System Access List
- Mailbox Group List Request
- Mailbox Access Change Request
- Vital Software Index
2.12. Subcontracting: This section describes TVM arrangements for subcontracting time and/or services, as applicable.
2.12.1. Identify all authorized subcontractor(s), vendors or other non-company personnel that interface with this TVM.
2.12.2. Describe the voice messaging services and features authorized for subcontractors, vendors or other non-company personnel.
2.12.3. Describe security restrictions unique to non-company personnel, how they are enforced, etc.
2.13. Emergency Plans: This section describes TVM procedures to identify, recover and protect information during system crashes, security violations or other emergencies and the backup recovery process for information processed on the system.
2.13.1. Specify and prioritize vital system software, messaging software, distribution lists and mailbox information.
2.13.2. Provide a list of personnel to notify in case of emergency, to include telephone numbers, fax numbers, home addresses, etc.
2.13.3. Specify emergency procedures for protection of hardware, system software, messaging software, distribution lists, mailbox information and audit trails.
2.13.4. Provide evidence of periodic testing of backup procedures.
2.13.5. Provide procedures for rapid resumption of vital voice messaging functions.
2.13.6. Document procedures for long-term restoration of normal messaging service levels.
The establishment of security policy and procedures documentation for each PBX will help mitigate but not prevent attacks by phreakers and internal threats. However, establishing such policies and documentation requires the PBX staff to address the major security threats, vulnerabilities and risks, and the applicable countermeasures. This can then form the baseline on which to develop a more secure system.
This was first published in June 2003