Understand telecommunications infrastructure risks, controls, VoIP & PSTN technologies. Learn about phone switches, PBX, VoIP components, and security management concerns.
Telecommunications Security
Chapter Ten
Raval • Fichadia, John Wiley & Sons, Inc. 2007
Prepared by: Raval, Fichadia

Chapter Ten Objectives
• Learn the basic concepts of telecommunications (PSTN, PBX, VoIP) and associated terminology.
• Understand the risks that impact telecommunications and the controls to mitigate them.
• Gain the skills to assess the security posture of a telecommunications infrastructure and make management recommendations.
• Apply security principles and best practices to a telecommunications infrastructure.

The Big Picture
Elements of the telecommunications infrastructure. Some risks that impact the infrastructure.

Telecommunication primer
Telecommunication: telephone-based communication between different parties using either PSTN or VoIP technologies.
• Traditional telephone communication occurs via the Public Switched Telephone Network (PSTN).
• PSTN involves transmitting analog voice signals over copper wires to a local station, where they are digitized and sent on a dedicated network to the destination end node.
• VoIP is a newer technology that involves sending digitized voice as small packets over a shared network.
• Vendors that provide PSTN include AT&T and Qwest. VoIP providers include companies like Vonage.

Telecommunication primer
Telecommunication: PSTN components include the following:
• End nodes are your basic telephones (for people), modems (for computers), and telephony cards (for AVRs).
• Phone switches are equipment where a dedicated channel between various callers and receivers is established.
• Transmission media typically include copper wire between end nodes and the local phone switch, and digital/fiber connections between various switches.
• A signaling system provides call control (connecting/disconnecting callers, determining the best route, etc.).

Telecommunication primer
Telecommunication: Need for phone switches
• Connecting every phone to every other phone is untenable. For example, 10,000 phones need ~50M connections (n*(n-1)/2).
• Phone switches solve this problem by acting as a central hub that connects to all phones. 10,000 phones need 10,000 connections (n).

Telecommunication primer
Telecommunication: Function of phone switches
• Phone switches act as a broker by opening a dedicated circuit when a caller requests one.
• The number of circuits is determined by Erlang equations.
• Different categories of phone switches:
  • Private Branch Exchange (PBX): a privately owned switch.
  • Central Office (CO): a phone company owned switch that interfaces with end users' phones.
  • Tandem switches: large-scale switches that interface to various COs and other tandem switches.

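As an added worked example (not part of the original slides), the sketch below sizes a trunk group with the Erlang B formula, one of the Erlang equations, which assumes blocked calls are dropped rather than queued. The function names and the sample traffic figures are assumptions made for illustration.

```python
def offered_load(calls_per_hour, avg_hold_seconds):
    """Offered traffic in erlangs: call arrival rate times mean holding time."""
    return calls_per_hour * avg_hold_seconds / 3600


def erlang_b(offered_erlangs, circuits):
    """Probability that a new call finds all `circuits` busy (Erlang B)."""
    b = 1.0  # with zero circuits every call is blocked
    for m in range(1, circuits + 1):
        # Standard recurrence: B(E, m) = E*B(E, m-1) / (m + E*B(E, m-1))
        b = offered_erlangs * b / (m + offered_erlangs * b)
    return b


def circuits_needed(offered_erlangs, max_blocking):
    """Smallest number of circuits whose blocking probability is <= max_blocking."""
    if offered_erlangs < 0 or not 0 < max_blocking < 1:
        raise ValueError("load must be >= 0 and blocking target between 0 and 1")
    m, b = 0, 1.0
    while b > max_blocking:
        m += 1
        b = offered_erlangs * b / (m + offered_erlangs * b)
    return m


if __name__ == "__main__":
    # Assumed busy hour: 200 calls of 3 minutes each, 1% of calls may be blocked
    load = offered_load(200, 180)
    print(load, "erlangs ->", circuits_needed(load, 0.01), "circuits")
```
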
Telecommunication primer
Telecommunication: Hierarchy of phone switches
• Phones connect to CO switch via local loop.
• CO switch connects to tandem switch via trunk lines.
• Tandem switches connect to each other.

Telecommunication primer
Telecommunication: VoIP components include the following:
• End nodes are VoIP-enabled telephones. They could be like regular phones (hardphones) or be softphones.
• Call processors, also known as softswitches, set up calls, translate phone numbers into IP addresses, do signaling, authorize users, etc.
• Media processors broker transmissions between VoIP and PSTN networks.
• Signaling gateways mediate between signaling on VoIP networks and signaling on PSTN networks.

Management concerns
Concerns about telecommunications system security typically include the following:
• Maximizing the communication infrastructure availability for employees and customers.
• Ensuring the integrity of communications infrastructure.
• Keeping up with existing and upcoming telecom scams, toll frauds, social engineering attacks and implementing mitigating controls.
• Having an effective backup, recovery, business resumption and a disaster recovery plan.

Risks and controls
Remote access risks:
• Phreakers war-dial, dumpster dive, or social engineer to identify maintenance port numbers and crack the passcodes, leading to toll-fraud, silent monitoring, call rerouting and denial of service.
Controls:
• Disable maintenance ports if not required. Otherwise, use strong passcodes or stronger authentication means.
• Enable intruder lockouts.
• Disable dial tones on DISA ports to foil war-dialers.
• Analyze the logs to identify intrusion attempts.

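The lockout and log-analysis controls above can be illustrated with a short added example (not part of the original slides). The log layout, port labels and thresholds are assumptions, and the sample lines are constructed with fictional numbers.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (hypothetical layout): timestamp, port, caller ID, result
SAMPLE_LOG = """\
2024-03-02T01:14:05 MAINT 5550100 FAIL
2024-03-02T01:14:31 MAINT 5550100 FAIL
2024-03-02T01:15:02 MAINT 5550100 FAIL
2024-03-02T01:15:40 MAINT 5550100 OK
2024-03-02T09:02:11 MAINT 5550123 OK
2024-03-02T11:30:00 DISA 5550177 FAIL
2024-03-02T14:45:00 DISA 5550177 OK
"""


def analyze(log_text, max_fails=3, window=timedelta(minutes=5)):
    """Return (lockouts, suspicious_logins) found in the access log."""
    recent = defaultdict(deque)  # (port, caller) -> times of recent failures
    lockouts, suspicious = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, port, caller, result = parts
        when = datetime.fromisoformat(ts)
        fails = recent[(port, caller)]
        while fails and when - fails[0] > window:
            fails.popleft()  # forget failures older than the window
        if result == "FAIL":
            fails.append(when)
            if len(fails) == max_fails:
                # Threshold reached: this is where an intruder lockout would trigger
                lockouts.append((port, caller, ts))
        elif result == "OK":
            if len(fails) >= max_fails:
                # Success straight after a burst of failures: passcode may be guessed
                suspicious.append((port, caller, ts))
            fails.clear()
    return lockouts, suspicious


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Caller ID can be withheld or spoofed, so a real deployment would also count failures per port regardless of the calling number.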
Risks and controls
Silent monitoring: Feature of PBX that allows a user to listen in on others' conversations.
• Businesses often have a need to silently listen, record, and/or store conversations among users.
• Supervisors listen in on conversations to ensure customer service in a call center/telemarketing type environment.
• Sometimes calls are recorded and/or stored for liability or compliance reasons (e.g. air traffic controller).

Risks and controls
Silent monitoring risks:
• Legal ramifications can arise if calls are monitored without reviewing applicable law. Laws vary by state.
• Unauthorized monitoring could occur if administrators aren’t diligent.
Controls:
• Procure legal consultation before enabling the feature.
• Inform callers and employees about the monitoring/recording practice. Obtain consent forms from the latter.
• Periodically review the business need for users with the privileges to monitor.

Risks and controls
Telecom scams: Several scams, usually aimed at toll-fraud, are prevalent within the telecom industry.
• Shoulder surfing attack includes attackers filming use of calling cards by callers.
• Pager/beeper/fax-back scam aims at tricking people into calling expensive toll-numbers.
• Operator deceit is a social engineering attempt wherein callers fool company employees into transferring them to the operator and then ask the operator to make a long-distance call on behalf of the employee.
• Employees can misuse the call-forwarding feature by forwarding calls to their home numbers and having their friends call the company toll-free number to reach them.

Risks and controls
Telecom scam risks:
• Toll-fraud.
Controls:
• Educate users about these scams and implement technical controls where possible.
• Restrict the destinations to which calls can be made.
• Log long-distance activity and analyze logs for abuse.
• Limit the call forwarding feature.

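A sketch of the long-distance log review named in the controls above, as an added example that is not part of the original slides. The CSV layout, the blocked prefixes, the business hours and the daily limit are assumed policy values, and the call records are constructed with fictional numbers.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed call detail records (hypothetical CSV layout)
SAMPLE_CDR = """\
start,extension,dialed,seconds
2024-03-04T10:05:00,2101,12025550143,180
2024-03-04T14:20:00,2101,3125550110,240
2024-03-05T02:10:00,2140,0112075550199,3600
2024-03-05T02:55:00,2140,0112075550199,4200
2024-03-05T11:00:00,2155,19005550188,600
"""

BLOCKED_PREFIXES = ("1900", "011")  # assumed policy: premium-rate and international
BUSINESS_HOURS = range(7, 19)       # assumed 07:00-18:59 local time
DAILY_LIMIT_MIN = 60                # assumed long-distance minutes per extension per day


def is_long_distance(dialed):
    # Assumption for this sample: numbers dialed with a 1 or 011 prefix are toll calls
    return dialed.startswith(("1", "011"))


def review(cdr_text):
    """Return a sorted list of (extension, reason) findings."""
    findings = set()
    minutes = defaultdict(float)  # (extension, date) -> long-distance minutes
    for row in csv.DictReader(io.StringIO(cdr_text)):
        start = datetime.fromisoformat(row["start"])
        ext, dialed = row["extension"], row["dialed"]
        if not is_long_distance(dialed):
            continue
        if dialed.startswith(BLOCKED_PREFIXES):
            findings.add((ext, "restricted destination"))
        if start.hour not in BUSINESS_HOURS:
            findings.add((ext, "after-hours long distance"))
        minutes[(ext, start.date())] += int(row["seconds"]) / 60
    for (ext, _day), total in minutes.items():
        if total > DAILY_LIMIT_MIN:
            findings.add((ext, "daily long-distance limit exceeded"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(SAMPLE_CDR):
        print(finding)
```
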
Risks and controls
Voicemail & conferencing systems: Allow for exchanging messages and conducting conference calls.
• Often sensitive information is exchanged via voicemails and/or discussed on conference calls.
• Security on these systems is often ignored. Passcodes are almost never changed. Recurring conference calls typically have the same passcodes.
• Sometimes these systems allow for zero-out options where the caller can reach an operator, leading to an operator deceit scenario.
• “Yes-Yes” scam with mailboxes can lead to third-party billing abuse.

Risks and controls
Voicemail & conferencing systems risks:
• Poor passcodes can lead to disclosure of sensitive information.
• Toll-fraud.
Controls:
• Ensure strong passwords and password management.
• Educate users and operators about scams.
• Disable zero-out and third-party billing options.
• Delete unused mailboxes.

Risks and controls
VoIP: Technology that involves transmission of digitized voice packets over a shared packet-switched network.
• VoIP transmissions are no different than data network transmissions. Hence they suffer from the same security issues (see Network security chapter).
• VoIP devices are less proprietary in nature (than PSTN devices) and communicate via standard TCP/IP protocols. Hence they are more prone to attacks.
• A compromise of the data network impacts both computer and telephone traffic.
• A compromise of a user’s computer could easily impact voice traffic (softphones, web-based voicemail etc.).

Risks and controls
VoIP risks:
• Sniffing attacks could capture transmissions.
• Calls could be hijacked.
• DoS attack could disable voice communications.
Controls:
• Encrypt all VoIP traffic to mitigate sniffing risk.
• Use Virtual LANs to logically segregate VoIP traffic from the rest of the traffic.
• Secure operating systems for PCs and VoIP devices.
• Secure networks via firewalls and Intrusion Detection Systems.

Assurance considerations
An audit to assess telecommunication security should include the following:
• Evaluate the physical security of telecommunications equipment.
• Assess the security pass-through/zero-out features available via the PBX, voicemail systems, and conferencing systems.
• Review end user education programs to warn them of various telecommunication scams and social engineering attacks.

Assurance considerations
• Review the security of all servers that allow for VoIP communications (operating system audit).
• Review the security of the network that carries VoIP traffic (network security audit).
• Ensure that functional plans for backup and recovery, business resumption, and disaster recovery are in place.