If you have any of the following services (ISDN/PRI, ISDN/BRI or SIP Trunk), it is imperative that as a business you follow some basic security practices to ensure the safety of your telephony service.
Below is a list of safety precautions which should be taken in order to minimize the risk of your telephony system being compromised:
- Do not use any preconfigured default codes and passwords. Be sure to change those default settings after the PBX is installed and change them regularly. Hackers use these default codes and passwords from different PBX vendors during attacks.
- Always install the latest security patches from your PBX vendor, as well as operating system updates and security patches if the PBX software is running on Linux or Windows machines.
- Choose complex, random passwords of at least six to eight digits; these are more difficult for a hacker to guess. If the PBX supports them, passwords with alphanumeric and special characters are harder still to guess.
- Don’t use obvious passwords such as extension numbers, birth dates, phone numbers, or repeating or successive numbers (e.g. 000000, 123456). Don’t use sequential, ascending or descending numbers, or any part of the telephone number, in your passwords.
- Ensure that only trusted system administrators know the administrator password, and be sure to change passwords quickly after any staffing changes. Do not advertise or publish default passwords.
- Do not reuse the same codes or passwords across different features, extensions, etc.
- If SIP extensions are used, the SIP username and password should not be the same, and the same password should not be used for all SIP extensions. Make these passwords as complex as possible and difficult to predict.
- Do not expose the IP interfaces of your PBX to the public Internet. If it is absolutely necessary, it should be done behind a firewall with all the necessary security rules in place to allow only the required traffic to pass.
- If remote extensions are used, they should always access the PBX through a managed firewall where only the remote extension’s IP address and the protocols used (e.g. port 5060 and the RTP ports) are allowed.
- Remove any unused extensions from the PBX. Make sure that DIDs associated with unused extensions are also removed.
- Disable any features that are not used on the PBX, such as voicemail, DISA, etc. You need to familiarize yourself with all the features that are on by default on your PBX and the security implications if unauthorized access is gained.
- In case some features are needed, limit them to the employees that actually need these features with authentication codes that are difficult for unauthorized personnel or hackers to detect.
- Disable the external call forwarding feature in voice mail, unless it is absolutely required. Remove any inactive mailboxes.
- If you do not have much traffic to international destinations, it is best to block international calls and allow them only after the user has dialled an authentication code.
- Consider disabling the remote notification, auto-attendant, call-forwarding and out-dialling capabilities of voicemail if these features are not used. If they are needed, limit them to the employees that actually need them, with authentication codes that are difficult for unauthorized personnel or hackers to guess.
- Install the Call Detail Record (CDR) generation and traffic reporting mechanisms that your PBX supports, either onboard or using other supported 3rd-party vendors.
- Run daily traffic reports from your PBX and familiarize yourself with your traffic patterns from these reports. This way you can detect any fraudulent call behaviour from your PBX reporting mechanism. For example, if you do not have any employees working after 18:00 or during weekends and you see calls made during these timeframes, they should be subject to further investigation.
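As an added illustration of the daily check described in the last two items (this is example code, not part of the original page and not from any PBX vendor): a small Python script that reads constructed CDR lines in an assumed CSV layout and flags calls made after 18:00 or at weekends, as well as calls to international destinations. The column names, the business hours and the international dialling prefixes are assumptions to adapt to your own PBX export.

```python
import csv
import io
from datetime import datetime

# Constructed sample CDR export (not from a real PBX). Assumed columns:
# call start time, calling extension, dialled number, duration in seconds.
SAMPLE_CDR = """start,src,dst,duration
2024-05-13 09:15:02,201,0123456789,120
2024-05-13 18:42:10,204,00441234567890,900
2024-05-18 03:05:44,202,0033123456789,2400
2024-05-14 11:30:00,203,+4912345678,60
2024-05-14 19:05:00,203,0123456700,30
"""

BUSINESS_START = 8   # assumed: staff start calling at 08:00
BUSINESS_END = 18    # assumed: nobody should be calling after 18:00
INTL_PREFIXES = ("00", "+")  # assumed international dialling prefixes


def is_out_of_hours(ts):
    """True for weekend calls or calls outside BUSINESS_START-BUSINESS_END."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def is_international(number):
    """True if the dialled number starts with an international prefix."""
    return number.startswith(INTL_PREFIXES)


def flag_suspicious_calls(cdr_text):
    """Return (src, dst, reasons) for every call that merits investigation."""
    flagged = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        ts = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if is_out_of_hours(ts):
            reasons.append("out-of-hours")
        if is_international(row["dst"]):
            reasons.append("international")
        if reasons:
            flagged.append((row["src"], row["dst"], reasons))
    return flagged


if __name__ == "__main__":
    # Prints each flagged call; in practice feed this from the PBX's daily CDR export.
    for src, dst, reasons in flag_suspicious_calls(SAMPLE_CDR):
        print(f"ext {src} -> {dst}: {', '.join(reasons)}")
```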
Customers should also consult with their PBX vendors or PBX solution providers and discuss all the above or any other security measures that should be in place to protect their PBX from hackers.