Is your PBX safe and secure?
That is a question that more and more businesses are asking themselves. The use of sophisticated PBX systems by a growing number of organizations provides fertile ground for hackers and those bent on committing what can result in serious toll fraud.
How bad can it be? Here are just a few samples of charges incurred due to PBX fraud (source: police records):
- New York City Human Resources - $704,000
- Procter and Gamble - $300,000
- Sumitomo Bank - $97,000
- Tennessee Valley Authority - $65,000
What is a PBX?
A PBX (Private Branch Exchange) is a telephone switch that is installed on the premises of a medium to large size company. The PBX allows many users to share outside lines, significantly reducing the number of lines needed to be leased from the local phone company.
The on-site PBX provides more telecommunications services control to the organization. Today, even the most basic PBX systems have a wide range of capabilities that were previously only available in large scale switches.
Unfortunately, more control also brings with it the opportunity for a variety of fraud and unwanted intrusions to your PBX.
The Many Types of PBX Threats
The ongoing threats to your PBX phone system are many. Some are more common than others and the threat is dependent on the goal of the attackers or hackers. Almost all will fall into one of the following types:
Theft of Service
Toll fraud is by far the most common threat to your PBX. Remote access features allow employees who are away from the office to call into the PBX to gain access for placing outgoing calls.
These calls are billed to the outgoing telephone line connected to the PBX. Unauthorized individuals who obtain access to the PBX itself and the authorization codes to make long distance calls can obviously rack up huge bills for their corporate victims.
Once in possession of this valuable information, professional toll fraud crooks can place calls to anywhere in the world - all at the company’s expense. Some will sell this information to others only to further compound corporate telecom losses.
Many cases of toll fraud result from insiders or vendors who disclose the phone numbers, IDs and passwords necessary for breaching PBX security.
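One way to catch this kind of abuse early is to review the PBX call detail records for remote access calls that dial out internationally. The following is an added example, not part of the original article; the CSV layout, the `remote-access` origin label, the business hours, the `011` prefix and the minute allowance are all assumptions, and the records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample call detail records (CDRs); the column layout is an
# assumption, since real PBX exports differ by vendor.
SAMPLE_CDR = """start,origin,auth_code,dialed,seconds
2024-03-04 10:15:00,ext-2041,,12125550100,180
2024-03-04 14:02:00,remote-access,7731,13125550144,240
2024-03-09 02:11:00,remote-access,7731,0115550100001,3300
2024-03-09 02:14:00,remote-access,7731,0115550100002,3500
2024-03-09 02:20:00,remote-access,7731,0115550100003,3400
2024-03-09 03:05:00,remote-access,4410,0115550100004,600
"""

BUSINESS_HOURS = range(8, 18)   # assumed 08:00-17:59, Monday to Friday
INTL_PREFIX = "011"             # assumed North American international prefix
MAX_INTL_MINUTES = 60           # assumed per-code allowance for the period


def find_toll_fraud(cdr_text):
    """Return (after_hours_calls, codes_over_limit) for remote-access calls."""
    after_hours = []
    intl_minutes = defaultdict(float)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        # Only calls that entered through the remote access feature and then
        # dialed out are billed to the company on behalf of an outside caller.
        if row["origin"] != "remote-access":
            continue
        if not row["dialed"].startswith(INTL_PREFIX):
            continue
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        intl_minutes[row["auth_code"]] += int(row["seconds"]) / 60
        in_hours = start.weekday() < 5 and start.hour in BUSINESS_HOURS
        if not in_hours:
            after_hours.append((row["start"], row["auth_code"], row["dialed"]))
    over_limit = {code: round(mins, 1) for code, mins in intl_minutes.items()
                  if mins > MAX_INTL_MINUTES}
    return after_hours, over_limit


if __name__ == "__main__":
    calls, codes = find_toll_fraud(SAMPLE_CDR)
    for call in calls:
        print("after-hours international call:", *call)
    for code, minutes in codes.items():
        print(f"authorization code {code}: {minutes} international minutes")
```

An authorization code that shows up in both results is a candidate for immediate disabling while the calls are investigated.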
Disclosure of Information
This includes data disclosed without authorization, either by deliberate action or by accident. Examples could include eavesdropping on conversations or unauthorized access to routing and address data.
Modifying Data
This threat includes data altered in some meaningful way by reordering, deleting or modifying it. For example, an intruder or hacker may change billing information, or modify system tables to gain access to additional services.
Unauthorized Access
Includes actions that permit an unauthorized user to gain access to system resources and/or privileges.
Denial of Service
Includes actions that prevent the system from functioning in accordance with its intended purpose. For example, a piece of equipment or entity may be rendered inoperable or forced to operate in a degraded state. Also, operations that depend on timeliness may be delayed.
Traffic Analysis
This threat is a passive form of attack in which an intruder observes information about calls and makes inferences, e.g. from the source and destination numbers, or frequency and length of the messages.
For example, an intruder may observe a high volume of calls between a company’s legal department and the Patent Office, and conclude that a patent is being filed.
The threat of PBX fraud is real. To effectively prevent losses you need a contingency plan for keeping your PBX safe and secure. Download this free 66-page PBX Security Report for help in setting up your plan.
1 user commented in "PBX Security: Understanding the Real Threats to Your PBX"
Control Phreak would have prevented this. Our PBX was attacked by phreakers and we installed this system which protects our PABX by just automatically picking up any illegal activity and killing it before the phreakers can do any damage at all to our phone bill. We learned that the standard “security” on our phone system was less than useless and phreakers could crack our passwords in a heartbeat especially on our voicemail. But we don’t need passwords with Control Phreak. It just does its thing for us and it has killed all further phreaking attempts on our PBX.