Is Your PBX System Secure?
A small business guide for keeping your PBX system secure
The telecommunication needs of every start-up and growing business are very different, but security is an issue that is often overlooked. Once an individual or organisation decides to implement a Private Branch Exchange (PBX) system, they need to ask themselves what measures are required to keep that system safe and secure. When installed and run properly, a PBX system saves money and gives businesses much-needed flexibility, but the security implications of adopting one are often neglected, leaving the business at risk of serious financial loss and data theft.
The ‘net’ connected world is a breeding ground for cyber-criminals who want to hijack your data and systems. One of the most lucrative targets for a cyber-criminal is a PBX, and because of this the number of threats to PBX systems is steadily increasing. Threats are diverse and varied, but the vast majority of them can be avoided by staff having a strong focus on security and a better understanding of the risks.
PBX hacking is commonly known as Phreaking, and most Phreaking attempts aim to commit “dial through” fraud, where the cyber-criminal makes unauthorised calls through the PBX. The extent of the risk should not be underestimated; over the course of a single weekend the cost of unauthorised calls could put you out of business. With “dial through” fraud, profit is generated by either charging others for calls or collecting revenue share, and the destinations called will often be rated at over one pound per minute. It is the PBX owner, not the phone service provider, who is liable for these calls.
Don’t Make it Easy
There are a number of simple measures you can take to protect yourself:
- Use a professional PBX installer who understands the security risks and can give advice.
- Perform regular maintenance, security checks, scans and updates.
- Remove all default usernames and passwords, and always use very strong passwords.
- Limit staff access and have proper access procedures. Disable any remote access or, if it is essential, secure it correctly.
- Separate the PBX from the Internet and your data network, physically if possible; if not, use adequate firewalls.
- Ask your phone service provider what risk prevention measures they will provide on your trunks. Simple examples are channel limitation and destination barring.
- Completely separate inbound and outbound dial-plans on your PBX. Take care configuring Auto-attendants and voicemail systems which may allow dial out.
- Block destinations you will never dial, and use PIN codes for restrictive dialling.
- Analyse call records and system logs regularly for unusual activity.
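One way to carry out the last two checks in the list above, as an added example that is not part of the original article: a Python script that reads a call-record export and flags calls to barred prefixes and heavy out-of-hours use per extension. The CSV columns, office hours, barred prefixes, threshold and sample records are all constructed assumptions, not the format of any particular PBX.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample call-record export (assumed columns; drama-range numbers).
SAMPLE_CDR = """start,extension,dialled,seconds
2024-03-08 10:15:00,201,01632960123,180
2024-03-08 16:40:00,202,07700900456,95
2024-03-09 02:10:00,215,09098790001,3540
2024-03-09 02:11:00,215,09098790001,3600
2024-03-09 03:05:00,215,00881234567,2900
2024-03-10 23:30:00,215,09098790002,3300
2024-03-11 09:05:00,201,00353123456,240
"""

# Assumptions: office hours Mon-Fri 08:00-18:00; prefixes this business never dials.
BARRED_PREFIXES = ("09", "0088")
OPEN_HOUR, CLOSE_HOUR = 8, 18
OUT_OF_HOURS_LIMIT_MIN = 30  # per extension, per day


def out_of_hours(ts):
    """True for weekends and for weekday calls outside office hours."""
    return ts.weekday() >= 5 or not (OPEN_HOUR <= ts.hour < CLOSE_HOUR)


def analyse(cdr_text):
    """Return a list of (reason, extension, detail) alerts for the export."""
    alerts = []
    minutes = defaultdict(float)  # (extension, date) -> out-of-hours minutes
    for row in csv.DictReader(io.StringIO(cdr_text)):
        ts = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        # A hit here means the destination barring on the PBX or trunk is missing.
        if row["dialled"].startswith(BARRED_PREFIXES):
            alerts.append(("barred-destination", row["extension"], row["dialled"]))
        if out_of_hours(ts):
            minutes[(row["extension"], ts.date().isoformat())] += int(row["seconds"]) / 60
    # Long call time while the office is closed is the dial-through pattern.
    for (ext, day), total in sorted(minutes.items()):
        if total > OUT_OF_HOURS_LIMIT_MIN:
            alerts.append(("out-of-hours-volume", ext, f"{day}: {total:.0f} min"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_CDR):
        print(*alert, sep=" | ")
```

Run daily against the previous day's records, a check like this surfaces a weekend of unauthorised calls on the first morning rather than on the next bill.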
Who’s in Control?
A system administration compromise is the most dangerous threat because it’s likely you will discover too late that your PBX system has been hacked by an intruder. A cyber-criminal can observe your system whilst collecting confidential information from company calls and messages. An intruder can get an accurate insight into company data or gather information which can be used in another form of attack. If a company falls victim to a system administration compromise, it needs to react by changing all passwords and immediately contacting its supplier to ensure the integrity of the system and discover the source of the breach, so that it doesn’t fall foul of the same threats again in the future.
The Aftermath of an Attack
If a business suffers an attack, in minor cases it can result in the PBX system not working as designed; in major cases data loss or serious fraud can occur. Whatever the case, it’s preferable to prevent an attack than to have to clean up after one. For a business intending to use a PBX system, security should be a priority. Without a strong focus on security you can relinquish control over your company’s data. Simple procedures like those outlined above will have a considerable effect on the security of your PBX system. There are multiple benefits to a PBX system for start-ups and growing businesses, but managed incorrectly it can be another opportunity for cyber-criminals to target confidential company data or, worse, commit serious fraud, so security should never be too far from the minds of business owners.
By Kevin Brennan, Managing Director at LazyPBX