BT MERIDIAN-1 SECURITY WARNING
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Meridian-1 is a sophisticated, feature rich system which is designed to be flexible enough to meet a wide variety of customer requirements. It is in essence a computer system and, like every computerised network system, is potentially the target of "hackers" seeking ways to use the product fraudulently.

This document is an overview of how to control unauthorised access and provide security for the PBX. It describes in general terms the reason for implementing system security and provides general recommendations for preventing abuse and damage to your telecommunications facilities.

Hackers or fraudsters do not strike very often, but if they do, they can very quickly place thousands of unauthorised calls. This is done primarily through Direct Inward System Access (DISA) and Voice Mail features. A few simple and easily executed precautions can deter fraudsters.

Each telecommunication system must be protected to deter unauthorised and fraudulent use. Your system may be vulnerable to abuse by employees as well as outside sources. Security requirements for each system are unique and based on the configuration, functions, and features it supports.

It is impossible to design a totally secure product without sacrificing flexibility and ease of use. However, Meridian-1 has numerous features to help users minimise the risk of unauthorised use. These are continually reviewed and enhanced to provide greater levels of protection. By providing internal and external users access only to the facilities and calling privileges their jobs require, and encouraging them to practise sensible security, you can greatly decrease the potential for system abuse and fraud.

For comprehensive details of the security features you can use, please refer to the manuals supplied for the Meridian-1 PBX and Meridian Mail. Each Mail system is delivered with a guide, "Controlling Access Privileges", which also provides valuable detailed advice.
New Meridian-1 systems are now supplied with a System Security Guide which covers both system and Mail. If you require further copies, please contact your BT account manager.

BT's Investigation Department have, in many cases, assisted in tracing causes of fraud and have successfully prosecuted the offenders. If you feel that you need their help, then please contact your account manager. The Investigation Department will only become involved in cases where BT have either provided or maintain the switch. Should BT only be involved as a network provider, whilst we will happily assist the police, we will not undertake an investigation.

AFTER READING THIS BRIEF OVERVIEW, IT IS IMPORTANT THAT YOU SHOULD FOLLOW THIS UP WITH AN EXAMINATION OF YOUR SYSTEM AND IMPLEMENT THE SECURITY FEATURES NECESSARY TO PROTECT AGAINST ABUSE. CUSTOMERS ARE RESPONSIBLE FOR THE SECURITY OF THEIR SYSTEM AND WILL BE LIABLE FOR COSTS INCURRED THROUGH FRAUDULENT USE.

Common Types of Fraud
~~~~~~~~~~~~~~~~~~~~~

The DISA (Direct Inward System Access) feature gives remote access to secondary dial tone. This is typically used by travelling employees to call into the PBX, enter an authorisation code and then use the system features or make long distance calls. Failure to manage authorisation codes and call restrictions can lead to huge bills for false international calls.

Fraudsters attempt to break these access and authorisation codes by dialling in and trying digit combinations. Highly sophisticated automated methods can be used in this search. Once the codes have been cracked, the information is often circulated within the fraudster community, using computer bulletin boards. 0800 numbers are particularly vulnerable, as there is no charge to the fraudster while they continually dial in looking for the right codes.

Other sources of code information are Call Detail Records, printouts of system configuration and credit card receipts. Even displays on public phones can be seen over someone's shoulder!
These codes should be guarded as you would your bank account's PIN.

Voice Mail is another avenue of fraudulent use. Through-dialling is a feature which allows a caller to dial another number while connected to the mail system. Meridian Mail has the capability to place restrictions on this feature. Unless such restrictions are programmed, the way is open to call anywhere in the world.

There are three types of Through-diallers available in Mail, each of which has independent restriction definitions. Call Answering Through-diallers are used by an incoming caller, answered by a mailbox, to reach other extensions. User Extension Dialling allows users who are logged into their mailbox to dial out again; if a fraudster should penetrate a mailbox, they have access to the capability intended for the valid user. Voice Menus and applications such as Auto Attendant similarly use Through-diallers to call other destinations.

Meridian Mail Release 8 and above is delivered with access through Through-diallers blocked, requiring the administrator to redefine the restrictions to allow access. It is important to note that systems with Release 6 were not restricted by default, and you should review the security parameters to ensure proper restrictions are in place.

Mailboxes are protected by passwords but can be taken over by fraudsters if not managed adequately. The mailbox can then be used as a bulletin board for various illicit information. Many users do not change their password, which in many cases is the same as the extension number.

Lastly, access to system or Mail administration terminals, either locally or remotely, can be a target. Without safeguards such as passwords, thieves can alter configurations, steal services and degrade the system performance.

How to detect fraud
~~~~~~~~~~~~~~~~~~~

By knowing your normal call traffic patterns and looking for unusual variations, you can detect PBX fraud.
If fraud is occurring, incoming call patterns you may see include long holding times, surges in use, or high out of hours activity. Outgoing call patterns may be long duration, unusual destinations, or high call volume. The prime call destinations are international and premium rate calls.

Meridian's Call Detail Recording (CDR) can be invaluable for monitoring call patterns and usage of authorisation codes. It can give call records for incoming trunk calls, outgoing trunk calls and internal calls. It identifies the calling and called parties, time and duration of each call. CDR can also be used in conjunction with add-on Call Management systems.

Traffic measurement reports can be used to monitor the traffic volume and variations which may indicate unauthorised use. They can be printed on demand or according to a schedule.

Meridian Mail's Operational Measurements gives information on Through-dial access and can indicate abnormal usage.

How to protect your system
~~~~~~~~~~~~~~~~~~~~~~~~~~

TO LIMIT EXPOSURE TO FRAUD, IMPLEMENT THE SECURITY FEATURES AVAILABLE IN THE PBX AND MAIL. YOU CAN SELECT THE COMBINATION OF FEATURES THAT BEST MEETS YOUR NEEDS WHILE RECOGNISING THE TRADE-OFFS BETWEEN SECURITY AND CONVENIENCE. THE FOLLOWING LIST OUTLINES GENERAL SUGGESTIONS FOR CONTROLLING ACCESS AND CAN BE USED AS AN AIDE MEMOIRE.

Monitor Calls

* Use CDR, traffic reports and Mail operational measurements; look for suspicious patterns.

Meridian Mail

* Allow Through-dialling only for users who need it.
* Set up Permission/Restriction tables for Through-dialling.
* Mailbox owners should change passwords regularly.
* Force regular change of passwords (Mail 8 feature).
* Increase the minimum number of digits allowed for passwords.
* Restrict repeated use of the same password (Mail 8 feature).
* Restrict the maximum number of invalid Log In attempts.
* Immediately disable unused mailboxes.
* Restrict outcalling facility and number.
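The indicators given under "How to detect fraud" (out of hours activity, long holding times, international and premium rate destinations, surges in volume and heavy use of one authorisation code) lend themselves to a simple automated pass over CDR output, which is what the "Monitor Calls" item asks for. The following is an added example written for this page; it is not BT or Nortel code and does not use the real Meridian CDR record layout. The comma-separated field order, the "00" and "09" prefixes, the thresholds and the sample records are all constructed assumptions.

```python
"""Flag suspicious calls in constructed Meridian-style CDR records.

Added example for this page, not BT or Nortel software. It applies the
indicators the text lists (out of hours activity, long holding times,
international and premium rate destinations, volume surges and heavy use of
one authorisation code) to a few constructed records. The field layout,
prefixes and thresholds are assumptions, not the real CDR format.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed dialling prefixes for the destinations the text singles out.
INTERNATIONAL_PREFIX = "00"
PREMIUM_RATE_PREFIX = "09"
BUSINESS_HOURS = range(8, 18)      # 08:00-17:59, Monday to Friday (assumed)
LONG_CALL_SECONDS = 30 * 60        # "long duration" threshold (assumed)
CODE_CALLS_PER_DAY = 5             # normal daily use of one auth code (assumed)
HOURLY_OUTGOING_BASELINE = 3       # normal outgoing calls per hour (assumed)


@dataclass
class CallRecord:
    direction: str        # "IN" (incoming trunk) or "OUT" (outgoing trunk)
    calling: str          # calling party, or "DISA" for a DISA caller
    called: str
    start: datetime
    duration_s: int
    auth_code: str = ""   # DISA authorisation code, if one was used


def parse_cdr(line: str) -> CallRecord:
    """Parse one constructed 'direction,calling,called,start,duration,code' line."""
    direction, calling, called, start, duration, code = line.split(",")
    return CallRecord(direction, calling, called,
                      datetime.strptime(start, "%Y-%m-%d %H:%M"),
                      int(duration), code)


def per_call_flags(rec: CallRecord) -> list[str]:
    """Indicators visible from a single record."""
    flags = []
    if rec.direction == "OUT" and rec.called.startswith(INTERNATIONAL_PREFIX):
        flags.append("international destination")
    if rec.direction == "OUT" and rec.called.startswith(PREMIUM_RATE_PREFIX):
        flags.append("premium rate destination")
    if rec.start.weekday() >= 5 or rec.start.hour not in BUSINESS_HOURS:
        flags.append("out of hours")
    if rec.duration_s > LONG_CALL_SECONDS:
        flags.append("long duration")
    return flags


def analyse(lines: list[str]) -> dict[str, list[str]]:
    """Return {record line: sorted reasons} for every record worth a second look.

    Per-call rules run first; two aggregate rules then catch what one record
    cannot show: an authorisation code used more often in a day than the
    baseline, and an hour with more outgoing calls than the baseline.
    """
    records = [parse_cdr(line) for line in lines]
    findings: dict[str, list[str]] = defaultdict(list)
    for line, rec in zip(lines, records):
        findings[line].extend(per_call_flags(rec))

    code_use = Counter((r.auth_code, r.start.date()) for r in records if r.auth_code)
    hourly_out = Counter(r.start.replace(minute=0) for r in records if r.direction == "OUT")
    for line, rec in zip(lines, records):
        if rec.auth_code and code_use[(rec.auth_code, rec.start.date())] > CODE_CALLS_PER_DAY:
            findings[line].append(f"auth code {rec.auth_code} over daily baseline")
        if rec.direction == "OUT" and hourly_out[rec.start.replace(minute=0)] > HOURLY_OUTGOING_BASELINE:
            findings[line].append("outgoing volume surge")
    return {line: sorted(set(f)) for line, f in findings.items() if f}


SAMPLE_CDR = [  # constructed records, not real traffic; 1996-03-16 is a Saturday
    "OUT,2001,01612345678,1996-03-12 10:15,240,",
    "IN,01712223333,2001,1996-03-12 11:00,120,",
    "OUT,DISA,0014155550123,1996-03-16 02:05,610,1357",
    "OUT,DISA,0014155550123,1996-03-16 02:20,1505,1357",
    "OUT,DISA,00496912345678,1996-03-16 02:35,3700,1357",
    "OUT,DISA,00496912345678,1996-03-16 02:50,420,1357",
    "OUT,DISA,0014155550199,1996-03-16 03:10,880,1357",
    "OUT,DISA,0014155550199,1996-03-16 03:40,290,1357",
    "OUT,2004,0909123456,1996-03-12 14:30,900,",
]

if __name__ == "__main__":
    for line, reasons in analyse(SAMPLE_CDR).items():
        print(line, "->", "; ".join(reasons))
```

The two daytime weekday records produce nothing, the premium rate call is reported for its destination alone, and the six weekend-night DISA calls made with one authorisation code are each reported on several grounds at once, which is the pattern the text describes as worth investigating. In practice the baselines would come from your own traffic reports rather than constants.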
DISA

* Consider barring access to external numbers via DISA.
* Restrict the numbers which can be dialled.
* Use security and authorisation codes.
* Change DISA security regularly.
* Restrict DISA at night, weekends or on holidays.

General PBX features

* Restrict C
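The Meridian Mail items in the checklist above (a larger minimum number of password digits, forced regular change, no repeated use of the same password, a limit on invalid Log In attempts, disabling unused mailboxes) and the earlier observation that many mailbox passwords are the same as the extension number together describe one password policy. The following added example, written for this page and not taken from Meridian Mail or any BT document, shows that policy as code so the individual controls and their interaction can be read in one place. The thresholds (six digits, five remembered passwords, 90 days, three attempts) are assumptions chosen for illustration.

```python
"""Mailbox password and log-in controls from the Meridian Mail checklist.

Added example for this page, not Meridian Mail or BT code. It enforces the
controls the checklist names (minimum digits, no reuse of recent passwords,
forced change after an age limit, lock-out after repeated invalid log-ins,
disabled mailboxes refuse access) plus the "same as the extension" weakness
the text calls out. The thresholds are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_DIGITS = 6              # raised minimum password length (assumed value)
HISTORY_DEPTH = 5           # recent passwords that may not be reused (assumed)
MAX_AGE_DAYS = 90           # force regular change after this many days (assumed)
MAX_INVALID_LOGINS = 3      # lock the mailbox after this many failures (assumed)


@dataclass
class Mailbox:
    extension: str
    password: str
    changed_on: date
    history: list[str] = field(default_factory=list)
    invalid_logins: int = 0
    locked: bool = False
    enabled: bool = True      # unused mailboxes should be disabled immediately


def password_problems(box: Mailbox, candidate: str) -> list[str]:
    """Return every policy rule the candidate breaks; an empty list means accepted."""
    problems = []
    if not candidate.isdigit():
        problems.append("must be digits only")
    if len(candidate) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if candidate == box.extension or candidate.startswith(box.extension):
        problems.append("same as, or starts with, the extension number")
    if len(set(candidate)) == 1:
        problems.append("single repeated digit")
    if candidate == box.password or candidate in box.history[-HISTORY_DEPTH:]:
        problems.append("reused recent password")
    return problems


def change_password(box: Mailbox, candidate: str, today: date) -> bool:
    """Apply the new password if it passes policy; keep the old one in history."""
    if password_problems(box, candidate):
        return False
    box.history.append(box.password)
    box.password = candidate
    box.changed_on = today
    return True


def must_change(box: Mailbox, today: date) -> bool:
    """True once the password is older than the forced-change limit."""
    return today - box.changed_on > timedelta(days=MAX_AGE_DAYS)


def attempt_login(box: Mailbox, entered: str) -> str:
    """Return 'ok', 'denied', 'locked' or 'disabled'.

    A locked mailbox stays locked even for the right password until an
    administrator clears it; the failure counter resets on success.
    """
    if not box.enabled:
        return "disabled"
    if box.locked:
        return "locked"
    if entered != box.password:
        box.invalid_logins += 1
        if box.invalid_logins >= MAX_INVALID_LOGINS:
            box.locked = True
            return "locked"
        return "denied"
    box.invalid_logins = 0
    return "ok"


if __name__ == "__main__":
    # Constructed mailbox whose password is still its own extension number.
    box = Mailbox(extension="2001", password="2001", changed_on=date(1996, 1, 2))
    print("initial password problems:", password_problems(box, box.password))
    print("change to 917364:", change_password(box, "917364", date(1996, 3, 12)))
    print("must change by 1996-07-01:", must_change(box, date(1996, 7, 1)))
    for guess in ("000000", "000000", "000000", "917364"):
        print("log-in with", guess, "->", attempt_login(box, guess))
```

The order of checks matters: a disabled or locked mailbox answers before the password is even compared, so repeated guessing against it yields no information, and the reuse check looks at the current password as well as the history so a "change" back to the same value is refused.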