Critical Issues and Vulnerabilities
The five most critical areas of impact for maintaining security in a PBX telecommunications network are:
- Securing access to the PBX, Voicemail, Administration, and Programming.
- Allowing calls originating from the public switched network and answered by the automated attendant to return to the PBX through the voice mail system.
- Managing ACD routes, which allow access to the public switched network.
- Indiscriminate use of trunk-access codes.
- Allowing remote call forwarding to access the public switched network.
PBX/Phonemail/Voicemail maintenance port protection issues.
Following are excerpts from the TeleDesign Management PBX Security Analysis in the form of findings and their significance as compiled from past security audits:
- The PBX remote access maintenance port(s) are not protected from the public switched network by remote access security device(s).
Significance: The remote access maintenance port(s) provide access to all PBX system change feature capability. Password protection is not adequate protection against hacker software like ToneLoc. Industry specialists agree that when remote unauthorized access occurs on this port, the perpetrator owns your system.
- The voicemail remote access maintenance port is not protected by a remote access security device.
Significance: Unsecured automated attendant features are a primary avenue for fraudulent hacker access to trunk and station features. Hacker access to the voice mail system configuration may enable access to the public switched network.
- All remote maintenance port access (4-port card) is not protected.
Significance: The remote access maintenance port(s) card may provide access to other PBX services and, without port protection, potentially enables access to system software.
- Maintenance software does not deny access from all I/O sources.
Significance: The blending of voice and data networks through computer telephony integration (CTI) may enable access to system software if access/port protection is not maintained.
- All remote maintenance activities (adds, moves and changes) are not approved/valid.
Significance: Without total control of PBX system configurations, the system may provide unauthorized access to the public switched network. The only method of assuring that adds, moves and changes are valid is periodic review and use of port access security devices.
- LAN/WAN and CTI services were implemented without provisions for security.
Significance: Security provisions must be implemented for all system access, both local and remote. Passwords are not considered adequate security in our current environment. Always use a form of access protection.
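
The periodic review of adds, moves and changes described in the findings above can be partly automated. The following is an added example, not code from TeleDesign Management or any PBX vendor: it reconciles a constructed maintenance change log against a list of approved change tickets, and the log layout, source names and ticket numbers are all assumptions.

```python
import csv
import io

# Constructed sample data: the column layout, source names and ticket
# numbers are assumptions, not any PBX vendor's export format.
CHANGE_LOG = """\
timestamp,source,action,object,ticket
2024-03-01T09:12,local-console,add,station 4101,CHG-1001
2024-03-01T23:47,remote-maint-port,change,trunk-group 7 access code,
2024-03-02T10:05,remote-maint-port,move,station 4155,CHG-1002
2024-03-03T02:30,cti-link,change,voicemail box 8000 outcalling,CHG-1003
2024-03-04T14:20,local-console,change,station 4101 call forwarding,CHG-9999
"""

# Approved adds, moves and changes: ticket -> (action, object) signed off.
APPROVED = {
    "CHG-1001": ("add", "station 4101"),
    "CHG-1002": ("move", "station 4155"),
    "CHG-1003": ("change", "voicemail box 8000 greeting"),
}


def review_changes(log_text, approved):
    """Return (timestamp, source, reason) for each entry that fails review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ticket = row["ticket"].strip()
        if not ticket:
            reason = "no change ticket recorded"
        elif ticket not in approved:
            reason = f"ticket {ticket} is not in the approved list"
        elif approved[ticket] != (row["action"], row["object"]):
            # A valid ticket number attached to a different change
            # than the one that was signed off.
            reason = f"ticket {ticket} approved a different change"
        else:
            continue
        findings.append((row["timestamp"], row["source"], reason))
    return findings


if __name__ == "__main__":
    for ts, source, reason in review_changes(CHANGE_LOG, APPROVED):
        print(f"{ts} via {source}: {reason}")
```
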