Private Branch Exchange (PBX) best practice

A Private Branch Exchange (PBX) is the telecommunications system that manages and routes incoming and outgoing telephone calls within an organization. Following the guidelines in this document significantly reduces the risk of attackers compromising your PBX to commit toll fraud, to launch denial-of-service (DoS) attacks against your telephony, or to misuse your telephone lines for calls that are billed to you.

This document is intended for PBX system administrators and purchasers, and assumes a basic understanding of telecommunications.


Overview

Like any other internet-connected system, a PBX can be breached if it is not set up correctly. Attackers locate targets with internet-wide scanners and then exploit weak points such as unchanged default passwords, SIP ports exposed directly to the internet, or poorly managed firewall rules.

After gaining access, attackers route calls through your PBX to high-rate international or premium-rate numbers, a type of fraud known as ‘dial-through fraud.’ The charges can be enormous because the attacker can place hundreds or thousands of such calls, typically overnight or at weekends, before anyone notices.

As the owner of the PBX system, you are responsible for its security and management. Service providers often monitor for hacking attempts and may send fraud notifications, but any resulting charges will fall on your business.

Understanding PBX

A Private Branch Exchange (PBX) is a telecommunications system that orchestrates the management and routing of calls within an organization. Essentially, it acts as a private internal telephone network allowing staff to communicate internally and externally.

Traditionally, PBX systems were built from physical hardware, requiring switches and wiring to connect calls within an organization. With technological advancements, PBX systems have transitioned into digital and software-based models, offering extensive features beyond simple call routing. Safeguarding a PBX from security threats is indispensable in today’s business landscape.


Categories of PBX

Various types of PBX systems exist, each suited to different requirements and applications.

  1. Traditional PBX

    These hardware-based systems were widely used before the advent of digital and IP technologies. They depend on physical components like switches and wires to manage call routing within an organization. The primary costs associated with installing these systems arise from the required wiring to connect users.

  2. IP PBX

    Also referred to as VoIP PBX, this digital system uses internet protocol (IP) for voice and data transmission. By utilizing the existing data network, IP PBX allows for efficient communication and often includes advanced functionalities such as voicemail-to-email and video conferencing capabilities.

  3. Hosted/cloud PBX

    In hosted or cloud PBX systems, third-party providers manage the hardware and software components off-site. Organizations connect via the internet, thereby avoiding the need for on-premises installations, making this option particularly beneficial for small to medium enterprises seeking advanced functionalities without the expenses associated with physical infrastructure.

  4. Virtual PBX

    A software-driven PBX that runs on virtualized servers; it belongs to the IP PBX category and suits businesses that prefer not to invest in physical hardware. It can run on-site or in the cloud and offers the same features as a traditional PBX.

  5. Hybrid PBX

    These systems integrate aspects of both traditional and IP PBX, making them apt for organizations transitioning to IP communication while still utilizing existing analogue or digital lines.


General Security Measures for PBX

The NCSC recommends implementing the following security measures for all PBX systems:

Access Control and User Authentication

  • Educate users on the importance of strong passwords (for extensions, voicemail boxes and the administrative interface alike), and provide assistance if needed.
  • Regularly review user accounts and disable any that are unused or unauthorized.
  • Change any default administrative accounts and credentials, and enable multi-factor authentication (MFA) wherever the system supports it.

Call Restrictions

  • Limit call patterns by restricting the types of numbers that can be dialed; for example, disable international dialing for organizations that do not operate internationally.
  • Block calls to premium-rate and personal numbers, and tighten the restrictions further outside business hours, when fraudulent calls are most likely to go unnoticed.
  • Restrict call forwarding (for example, allow forwarding only to internal extensions), so that a compromised extension or voicemail box cannot be used to forward calls to an external number.
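As an added example (not part of the NCSC guidance or this page), the following Python models the three restrictions above as a per-extension dialing policy: the destination classes an extension may call, a narrower set allowed outside business hours, and the classes that call forwarding may target. The prefix table, the five-digit extension length, the +44 home country code and the 08:00 to 18:00 business hours are assumptions for illustration, loosely based on UK numbering; a real PBX enforces the equivalent rules in its dial plan or class-of-service settings.

```python
import re
from dataclasses import dataclass

# Assumed destination classes by dialed prefix, loosely based on UK numbering:
# 00 (or +) international, 09 premium rate, 07 mobile, 01/02/03 geographic/national.
PREFIX_CLASSES = [
    ("00", "international"),
    ("09", "premium"),
    ("07", "mobile"),
    ("01", "national"), ("02", "national"), ("03", "national"),
]
EMERGENCY = {"999", "112"}
MAX_EXTENSION_DIGITS = 5  # assumption: internal extensions are at most five digits


def normalize(number: str) -> str:
    """Strip separators, fold '+' into the 00 prefix and +44 back to a 0 trunk prefix."""
    n = re.sub(r"[\s\-().]", "", number)
    if n.startswith("+"):
        n = "00" + n[1:]
    if n.startswith("0044"):          # assumption: the home country code is +44
        n = "0" + n[4:]
    if not n.isdigit():
        raise ValueError(f"invalid dial string: {number!r}")
    return n


def classify(number: str) -> str:
    """Map a dial string to the destination class the policy reasons about."""
    n = normalize(number)
    if n in EMERGENCY:
        return "emergency"
    if len(n) <= MAX_EXTENSION_DIGITS:
        return "internal"
    for prefix, cls in PREFIX_CLASSES:
        if n.startswith(prefix):
            return cls
    return "unknown"


@dataclass(frozen=True)
class DialPolicy:
    allowed_classes: frozenset                            # callable during business hours
    out_of_hours_classes: frozenset = frozenset({"internal"})
    forward_classes: frozenset = frozenset({"internal"})  # where forwarding may point
    business_hours: tuple = (8, 18)                       # assumption: 08:00 to 18:00

    def in_business_hours(self, hour: int) -> bool:
        start, end = self.business_hours
        return start <= hour < end

    def check_call(self, dialed: str, hour: int) -> tuple:
        """Return (allowed, reason) for an outbound call placed at the given hour (0-23)."""
        cls = classify(dialed)
        if cls == "emergency":
            return True, "emergency calls are always permitted"
        if cls == "unknown":
            return False, "unrecognized destination, default deny"
        if cls not in self.allowed_classes:
            return False, f"{cls} destinations are not permitted for this extension"
        if not self.in_business_hours(hour) and cls not in self.out_of_hours_classes:
            return False, f"{cls} destinations are not permitted outside business hours"
        return True, "permitted"

    def check_forward(self, target: str) -> tuple:
        """Forwarding is treated like placing a call: it may only target permitted classes."""
        cls = classify(target)
        if cls in self.forward_classes:
            return True, "permitted"
        return False, f"forwarding to a {cls} destination is blocked"


# Policy for an organization that does not operate internationally: no international
# or premium-rate calls at any time, and nothing but internal calls after hours.
STANDARD_POLICY = DialPolicy(allowed_classes=frozenset({"internal", "national", "mobile"}))

if __name__ == "__main__":
    for number, hour in [("0909 879 0000", 10), ("+1 212 555 0100", 10),
                         ("07700 900123", 20), ("+44 20 7946 0000", 11), ("999", 3)]:
        print(f"{number:18} at {hour:02d}:00 ->", STANDARD_POLICY.check_call(number, hour))
    print("forward to 0909 879 0000 ->", STANDARD_POLICY.check_forward("0909 879 0000"))
```

The two deliberate design choices are that an unrecognized destination is denied rather than allowed, and that a forwarding target is classified exactly like a dialed number, so an attacker cannot sidestep the dialing restrictions by setting a forward on a compromised extension.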

Contract Review

  • Thoroughly review contract terms to prevent hidden charges or insufficient provisions. Ensure contract clarity regarding responsibility for service issues.

Monitoring and Logging

  • Monitor call detail records and network traffic for unusual call volumes, destinations and timing (for example, a burst of international calls at 2 a.m.), and alert on them.
  • Store log files securely, and retain them long enough to support a forensic investigation.

Password Management

  • Change default passwords for all PBX components and enforce strong password policies in line with NCSC recommendations.

Firewall and Intrusion Detection

  • Place the PBX behind a firewall and block all access to its management interfaces from the internet.
  • Restrict inbound and outbound SIP and media traffic to the IP addresses of your SIP trunk provider and other trusted endpoints.
  • Deploy intrusion detection to alert on SIP scanning and repeated registration or authentication failures.

Regular Updates and Patches

  • Keep the PBX system updated with the latest security patches to shield against vulnerabilities.

Data Encryption

  • Encrypt data at rest and in transit, using TLS for SIP signaling and SRTP for call media.

Backup Procedures

  • Schedule regular backups of the PBX configuration and data for disaster recovery purposes.

Security Assessments

  • Conduct regular security audits and penetration testing to identify vulnerabilities.

Disaster Recovery Planning

  • Develop a comprehensive disaster recovery plan to restore PBX functionalities after disruptions.
  • Regularly test recovery strategies in response to potential cyber incidents.

Employee Training and Awareness

Regularly train employees to recognize and respond to security threats, including PBX fraud. Train them to recognize and report indicators such as:

  • Short-duration repeated calls
  • High number of incoming calls that hang up
  • Surge in unexpected incoming calls
  • Increased calls to high-cost numbers (premium-rate or international), especially outside business hours

Establish a clear reporting channel for employees to voice concerns confidentially.
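The indicators above, and the monitoring recommended earlier, can be checked mechanically against the call detail records (CDRs) that most PBXs export. The following Python is an added example, not part of the NCSC guidance or this page; it runs four such checks over a constructed CDR sample: bursts of short outbound calls, bursts of inbound calls that hang up, high-cost (international or premium-rate) calls placed out of hours, and extensions whose high-cost call count exceeds a limit. The CSV layout, the thresholds, the business hours and the UK-style prefix test are assumptions; adjust them to your own export format and normal call profile.

```python
import csv
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample CDR export (not real traffic). The column layout is an assumption:
# time, extension, direction (in/out), remote number, duration in seconds, disposition.
SAMPLE_CDR = """\
time,ext,direction,number,duration,disposition
2024-03-01T09:05:00,2001,out,020 7946 0000,180,ANSWERED
2024-03-01T10:15:00,2002,in,07700 900111,60,ANSWERED
2024-03-01T11:30:00,2003,out,0161 496 0000,240,ANSWERED
2024-03-01T14:00:00,2001,in,020 7946 0001,95,ANSWERED
2024-03-01T15:20:00,2002,out,07700 900222,30,ANSWERED
2024-03-02T02:11:05,2004,out,00 252 61 000 001,4,ANSWERED
2024-03-02T02:11:40,2004,out,00 252 61 000 002,3,ANSWERED
2024-03-02T02:12:10,2004,out,00 252 61 000 003,5,ANSWERED
2024-03-02T02:12:45,2004,out,00 252 61 000 004,4,ANSWERED
2024-03-02T02:13:20,2004,out,00 252 61 000 005,6,ANSWERED
2024-03-02T02:13:55,2004,out,00 252 61 000 006,3,ANSWERED
2024-03-02T03:00:10,2001,in,07700 900333,0,NO ANSWER
2024-03-02T03:00:40,2001,in,07700 900333,0,NO ANSWER
2024-03-02T03:01:15,2001,in,07700 900333,0,NO ANSWER
2024-03-02T03:01:50,2001,in,07700 900333,0,NO ANSWER
2024-03-02T03:02:30,2001,in,07700 900333,0,NO ANSWER
"""


def is_high_cost(number: str) -> bool:
    """Assumed UK-style test: 00/+ (international) and 09 (premium rate) are high cost."""
    n = re.sub(r"\D", "", number.replace("+", "00"))
    if n.startswith("0044"):          # assumption: +44 is the home country code
        n = "0" + n[4:]
    return n.startswith(("00", "09"))


def parse_cdr(text: str) -> list:
    """Parse the CSV export into dicts with typed time and duration fields."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({"time": datetime.fromisoformat(r["time"]), "ext": r["ext"],
                     "direction": r["direction"], "number": r["number"],
                     "duration": int(r["duration"]), "disposition": r["disposition"]})
    return rows


def has_burst(times, min_count: int, window: timedelta) -> bool:
    """True if at least min_count timestamps fall inside some span of length window."""
    ts = sorted(times)
    j = 0
    for i, t in enumerate(ts):
        while t - ts[j] > window:      # slide the window start forward
            j += 1
        if i - j + 1 >= min_count:
            return True
    return False


def analyze(rows, short_call=10, hangup=2, burst_count=5,
            window=timedelta(minutes=10), high_cost_limit=3, hours=(8, 18)):
    """Return a list of (rule, extension, detail) findings. Thresholds are assumptions."""
    findings = []
    short_out, hangup_in, high_cost = defaultdict(list), defaultdict(list), Counter()
    for r in rows:
        if r["direction"] == "out":
            if r["duration"] <= short_call:
                short_out[r["ext"]].append(r["time"])
            if is_high_cost(r["number"]):
                high_cost[r["ext"]] += 1
                if not hours[0] <= r["time"].hour < hours[1]:
                    findings.append(("high_cost_out_of_hours", r["ext"],
                                     f"{r['number']} at {r['time']:%Y-%m-%d %H:%M}"))
        elif r["direction"] == "in" and r["duration"] <= hangup:
            hangup_in[r["ext"]].append(r["time"])
    for ext, times in short_out.items():
        if has_burst(times, burst_count, window):
            findings.append(("short_repeated_outbound", ext,
                             f"{len(times)} outbound calls of <= {short_call}s"))
    for ext, times in hangup_in.items():
        if has_burst(times, burst_count, window):
            findings.append(("inbound_hangup_burst", ext,
                             f"{len(times)} inbound calls of <= {hangup}s"))
    for ext, count in high_cost.items():
        if count > high_cost_limit:
            findings.append(("high_cost_volume", ext, f"{count} high-cost calls"))
    return findings


def flagged_extensions(rows) -> dict:
    """Summarize findings as rule -> sorted extensions, the shape an alert would carry."""
    summary = defaultdict(set)
    for rule, ext, _ in analyze(rows):
        summary[rule].add(ext)
    return {rule: sorted(exts) for rule, exts in summary.items()}


if __name__ == "__main__":
    for rule, ext, detail in analyze(parse_cdr(SAMPLE_CDR)):
        print(f"{rule:24} ext {ext}: {detail}")
```

On the sample, extension 2004 trips three rules at once (short repeated outbound calls, out-of-hours high-cost calls and high-cost volume), which is the signature of dial-through fraud, while the string of zero-second inbound calls to 2001 is the kind of probing that often precedes it. Run the same checks against a day's normal traffic first and tune the thresholds so that they do not fire on legitimate call patterns.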


Security Strategies for Cloud/Hosted PBX

When selecting cloud services, choose providers that meet the NCSC’s cloud security guidance. For cloud or hosted PBX systems specifically, take these additional measures:

  • Ensure that your provider applies security updates promptly and automatically.
  • Verify that they encrypt data in transit and at rest, using TLS for SIP signaling and SRTP for call media.


Security Measures for On-Premise PBX

The NCSC advises implementing the following security measures for on-premises PBX systems:

  • Isolate the PBX by placing it on a separate VLAN or subnet to protect it from other parts of the network.
  • If a third party installs or maintains the system, make the contract explicit about who is responsible for secure configuration, so that the cost of a misconfiguration does not fall on you unexpectedly.
  • Store backup configurations securely off-site to prevent loss due to local catastrophes.


Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/private-branch-exchange-best-practice
