1 / 15

Voice Systems Security

Voice Systems Security. It’s not just about toll fraud anymore. Chuck Dunbar Voice Systems Network Engineer Wells Fargo. How secure is your system?. Do you depend on the AVAYA installation to provide your security? What AVAYA has to say:

geranium
Download Presentation

Voice Systems Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Voice Systems Security It’s not just about toll fraud anymore Chuck Dunbar Voice Systems Network Engineer Wells Fargo

  2. How secure is your system? • Do you depend on the AVAYA installation to provide your security? • What AVAYA has to say: • “The final responsibility for securing both (these) systems and (their) network equipment rests with you…..” • Do you know what steps to take to secure your systems?

  3. Some of the things you already Know • Toll Fraud • International Calls • 900/976 Calls • Domestic • Factory presets and defaults • “Cust” logins • Default passwords • Logins without passwords

  4. Some vulnerabilities you may not have considered • Remote Access • Voice Messaging Systems • Physical Security • Server Based Systems • Network Topography • IP Telephony

  5. Remote Access • Useful if remote locations require access to the PBX features • Can be used maliciously to attack and gain direct trunk access • Are barrier codes in use • How often is it changed • Do they expire in short intervals • Are individual access codes in use • Are you using time of day or night service to limit access • Is dial-tone suppressed after the barrier code

  6. Voice Messaging Systems • Does your system allow callers to transfer out of a voicemail box? • Is the transfer permission limited to only subscribers on the voicemail system? • Restrict the COR of your voicemail system’s extensions to prevent access to outside trunking

  7. Physical Security • Your MDF room is secured, what about the IDF(s)? • Would you recognize any “extra” hardware or wiring? • Do you TTI out or remove any unused extensions? • Are your fax, modem, and analog lines easily identifiable?

  8. General Privacy • Do you utilize Service Observe? • Who are your observers • Who is being observed • Are you selective about who can be observed • Do you have an IVR? • Can it be service observed • DTMF Interceptors • Account Numbers • SSN • PIN

  9. System Security • Server based systems • Do they have publicly routable addresses? • Do they have HTTP, WWW, FTP, & SMTP access? • Anti-Virus • Intrusion Detection • Private – Extreme and Cajun Networks • Just one accessible device could place your system in jeopardy

  10. VoIP – Everything Changes • Now all of your phones themselves are a potential source of an attack • Do your telephone sets have publicly routable addresses • Is the web interface enabled on your VoIP sets • Are your gateways secure

  11. Vulnerabilities • DOS Attacks • Quality of service impacts • Internal and external dissatisfaction with system • Potential life safety issues • VoIP toll fraud • Hijacking a gateway for access to trunking then reselling that access for profit • SPIT – VoIP Spam • Unauthorized Service Observing • Disclosure of confidential information

  12. Where Hackers Get Information • Google Search • “VoIP Bank Colorado” • 1st page alone • HCWT Completes a Nortel BCM VoIP Phone System for Foothills Bank • Pacific Coast Bankers' Bank Selects Open Solutions • June 13, 2005 TCF Bank Improves Customer Service With VoIP System from Spanlink • AT&T Enables UMB Bank to Deliver on Its VoIP Strategy • VoIP Gains Ground With Bank Of America Deal

  13. Where hackers get information (cont.) • Company web sites and job postings focusing on a particular technology • User Group Pages • INAAU lists company names of all of the local user group presidents • RMAUG has Board Member e-mail addresses • Exploiting the vulnerabilities is easy once you know what you are attacking

  14. Resources for Security Assistance • AVAYA publishes a security product manual for every product • Checklists are included for initial and ongoing review • AVAYA CSI (PSA) security tests and analysis available • Independent Security Analyst firms • Perform real-world testing to attempt to exploit system vulnerabilities • Self administered testing applications for VoIP Security • SANS Reading Room - http://www.sans.org/reading_room/

  15. Questions?

More Related