TeleVantage Hardening and Attack Response

Vertical TeleVantage offers some options to defend against remote phone abuse. All PBX phone systems will be abused at some point, whether internally or externally. If you suspect an attack is taking place, Vertical TeleVantage offers some features that can give evidence of the attacker’s strategy, and some tools to lessen the attack profile.

Watch Logs
Batches of off-hour calls should stand out easily; individual calls should be harder to spot in normal traffic. Make sure you have logging enabled for external calls. Internal calls can also be logged, but the volume of traffic may create issues.

Tools -> System Settings -> Call Log and Trunk Log – make sure that, at a minimum, the call history log and the trunk log settings are checked.

Call History – look at suspicious calls, especially ones that have the default # login in the call history. You can also use this to profile your attacker’s methodology.

Telco Provider logs for toll free – If the call is coming in on a toll-free number, your Telco provider’s billing information includes the ‘call from’ number, whether it was blocked or not.

Maintenance Logs – look for ‘Account Automatically Locked’ entries that appear in groups or at off-hours times. System changes not from a trusted station are to be questioned as well. Anytime a user complains about being locked out, this is the first place you should look. It should give you a timestamp on the lockout at the very least.
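
The maintenance-log check described above (lockouts in groups or at off hours) can be run over an exported log. The following Python is an added example, not part of the original article or of TeleVantage; the CSV column layout, business hours, and thresholds are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows. The column layout is an assumption for this example,
# not TeleVantage's actual export format.
SAMPLE_LOG = """timestamp,event,extension
2024-03-04 10:15:00,Account Automatically Locked,105
2024-03-05 02:11:00,Account Automatically Locked,101
2024-03-05 02:13:00,Account Automatically Locked,102
2024-03-05 02:16:00,Account Automatically Locked,103
2024-03-05 14:30:00,User Settings Changed,110
"""

BUSINESS_HOURS = range(8, 18)      # 08:00-17:59 counts as on-hours (assumed)
WINDOW = timedelta(minutes=10)     # lockouts this close together form a group
GROUP_SIZE = 3                     # minimum lockouts to call it a group

def load_lockouts(text):
    """Return (timestamp, extension) for each lockout row, sorted by time."""
    rows = csv.DictReader(io.StringIO(text))
    hits = [(datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S"), r["extension"])
            for r in rows if r["event"] == "Account Automatically Locked"]
    return sorted(hits)

def off_hours(lockouts):
    """Lockouts outside business hours or on a weekend."""
    return [(ts, ext) for ts, ext in lockouts
            if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5]

def lockout_groups(lockouts):
    """Runs of lockouts where each follows the previous within WINDOW."""
    groups, current = [], []
    for ts, ext in lockouts:
        if current and ts - current[-1][0] > WINDOW:
            if len(current) >= GROUP_SIZE:
                groups.append(current)
            current = []
        current.append((ts, ext))
    if len(current) >= GROUP_SIZE:
        groups.append(current)
    return groups

if __name__ == "__main__":
    locks = load_lockouts(SAMPLE_LOG)
    for ts, ext in off_hours(locks):
        print(f"off-hours lockout: ext {ext} at {ts}")
    for g in lockout_groups(locks):
        exts = ", ".join(ext for _, ext in g)
        print(f"lockout group starting {g[0][0]}: extensions {exts}")
```

A group that spans several extensions within a few minutes points to someone walking the extension range rather than one user mistyping a password.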

Security Settings
Users group – By default, all users are in this group. Adjust the permissions of this group to disallow the following items (provided they are not required for business).
Place external calls when logged on to a trunk
Return external calls when logged on to a trunk
Forward or Route Calls to external numbers

Auto Attendants
Set up a separate number for remote voicemail logins, and do not use # for the menu choice. Remove the # option completely from the Default Auto Attendant and any custom Auto Attendants. Any attempts to log in remotely using these AAs will result in “that extension does not exist” for the attacker. Also consider removing the dial-by-name directory from an auto attendant, to keep a curious attacker from simply walking the directory for information to be used in social engineering attacks.

User Accounts
Do not run as Administrator unless changing system settings.
Tools-> System Settings -> Security -> Minimum settings should be Lockout after 4 attempts (uncheck automatically clear after x minutes)
Hang up trunks after 4 failed login attempts
Minimum password length should be 5 digits
Check both the ‘Prevent passwords that contain an account’s extension’ and ‘Prevent passwords from the following list’ settings. The list should be pre-populated, but feel free to add any combinations to it.
TeleVantage password security is explained in greater detail here.

Call Classifier – Rules in the call classifier can be used to hang up calls based on certain criteria – such as caller ID. If an attacker is calling in from a known location, add this number in and route the access point to Call Classifier before sending it through the system.

All system users should be made aware never to give their password to a caller under any circumstances. A common ruse is to call in and pretend to be from the phone system provider. Employee knowledge and training is the only way to fight this threat.