Private Branch Exchange (PBX) best practice

Like any internet-connected system, PBX systems can be vulnerable to unauthorized access if not configured correctly. Attackers can exploit weaknesses such as unchanged default passwords, open SIP ports, or poorly managed firewalls.

Once penetrated, fraudsters can reroute calls to high-cost international or premium-rate numbers, leading to significant financial losses both for businesses and individuals.

As the PBX owner, you bear the responsibility for your phone system’s security and administration. While your service provider may implement measures to detect fraud attempts, the financial implications usually fall on the business owner.

Understanding PBX

A Private Branch Exchange (PBX) is a telecommunications solution that facilitates communication both internally and externally within an organization. Essentially, a PBX operates as a private telephone network for a company.

Traditionally, PBX setups were comprised of hardware systems, utilizing physical components such as switches and cables. However, with technological advancements, modern PBX systems have transformed into digital and software solutions, offering an array of advanced features beyond mere call routing. Protecting your PBX system from potential security hazards is essential in today’s digital landscape.

The NCSC recommends implementing the following security controls for all PBX systems.

Access Control and User Authentication

• Educate users on the importance of strong passwords, and offer assistance if necessary.
• Regularly monitor and audit user accounts for any unauthorized or inactive accounts.
• Change default access credentials for the administrative interface and implement multi-factor authentication (MFA).

Call Limitations

• Restrict dialing patterns to prevent unauthorized usage, such as disabling international calls.
• Prevent calls to premium rate numbers and limit out-of-hours calling where possible.
• Control call forwarding capabilities, especially to off-site numbers, to mitigate misuse.

Contractual Agreements

• Carefully review contractual terms to avoid hidden charges or unexpected fees.
• Clarify responsibilities in case of configurations exploited within the PBX system.

Monitoring and Logging

• Utilize monitoring tools to oversee call volumes and identify abnormal activity.
• Secure log files for future forensic analysis in the event of a breach.

Password Management

• Modify default passwords on all PBX components, ensuring they conform to NCSC recommended practices.

Firewall and Intrusion Detection/Prevention

• Use firewalls to manage network traffic and restrict unauthorized access.
• Lock down traffic to known trusted IP addresses, using denial methods to mitigate scanning threats.
• Implement intrusion detection and prevention systems to counteract suspicious activities.

Regular Updates and Patching

• Ensure regular updates to the PBX system to safeguard against vulnerabilities.

Data Encryption

• Employ encryption protocols for data both during transmission and when stored within the PBX system.

Data Backup

• Establish a routine for backing up PBX configurations and data to ensure quick recovery from failures or cyber incidents.

Security Audits and Penetration Testing

• Conduct regular security assessments and penetration tests to uncover vulnerabilities.
• Create a disaster recovery plan for PBX restoration under various crisis scenarios.

Employee Awareness

Consistently train employees on security best practices and the signs of PBX fraud, including:

• Frequent short-duration calls
• High volumes of incoming missed calls
• Unexpected spikes in calls with hang-ups
• Increased use of freephone or high-cost calls
• Long calls that deviate from normal patterns

Additionally, establish an accessible reporting system for employees to raise concerns confidentially.

When selecting cloud services, it’s important to evaluate the provider according to our cloud security guidance. Specifically, for hosted PBX systems, you should consider the following controls:

• Ensure your provider offers automatic updates to enhance system protection against vulnerabilities.
• Confirm encryption for data in transit and storage, employing secure protocols like TLS and SRTP.

The NCSC recommends the following security measures for on-premise PBX systems:

• Isolate the PBX on a dedicated VLAN or subnet to prevent unauthorized access.
• Ensure any system installations are properly configured and that your contract holds the provider accountable for misconfigurations.
• Keep backups securely located off-site to protect against on-premises disasters. Refer to the NCSC guidance on principles for ransomware-resistant cloud backups.