Telecommunications Security
Chapter Ten
Raval • Fichadia
John Wiley & Sons, Inc. 2007
Prepared by: Raval, Fichadia
Chapter Ten Objectives

Learn the basic concepts of telecommunications
(PSTN, PBX, VoIP) and associated terminology.

Understand the risks that impact telecommunications
and the controls to mitigate them.

Gain the skills to assess the security posture of a
telecommunications infrastructure and make
management recommendations.

Apply security principles and best practices to a
telecommunications infrastructure.
2
The Big Picture
Elements of the telecommunications infrastructure.
Some risks that impact the infrastructure.
3
Telecommunication primer
Telecommunication: telephone-based communication across
different parties using either PSTN or VoIP technologies.

Traditional telephone communication occurs via the Public
Switched Telephone Network (PSTN).

PSTN involves transmitting analog voice signals over
copper wires to a local station where it is digitized and
sent on a dedicated network to its destination end node.

VoIP is a newer technology that carries digitized voice in
small packets over a shared network.

Vendors that provide PSTN service include AT&T and Qwest.
VoIP providers include companies like Vonage.
4
Telecommunication primer
Telecommunication: PSTN components include the following:

End nodes are your basic telephones (for people),
modems (for computers), telephony cards (for AVRs).

Phone switches are equipment where a dedicated
channel between various callers and receivers is
established.

Transmission media typically include copper wire between
end nodes and the local phone switch, and digital/fiber
connections between the various switches.

A signaling system that provides call control (connecting/
disconnecting callers, determining the best route, etc.).
5
Telecommunication primer
Telecommunication: Need for phone switches

Connecting every phone directly to every other phone is
untenable. For example, 10,000 phones would need ~50M
connections (n*(n-1)/2).

Phone switches solve this problem by acting as a central
hub to which every phone connects, so 10,000 phones need
only 10,000 connections (n).
6
Telecommunication primer
Telecommunication: Function of phone switches

Phone switches act as a broker by opening a dedicated
circuit when a caller requests one.

The number of circuits is determined by Erlang equations.

Different categories of phone switches:

Private Branch Exchange (PBX): a privately owned switch.

Central Office (CO): a phone-company-owned switch that
interfaces with end users' phones.

Tandem switches: large-scale switches that interface with various
COs and other tandem switches.
7
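Added example, not from the textbook: the Erlang B formula that "Erlang equations" refers to, used to size the number of trunk circuits so that no more than a target fraction of calls is blocked (too few trunks is an availability problem for the company's own callers). The stable recursion form and the constructed load figures (200 busy-hour calls averaging 3 minutes) are my assumptions.

```python
def erlang_b(traffic_erlangs, circuits):
    """Blocking probability (Erlang B, lost calls cleared) when `circuits`
    trunks are offered `traffic_erlangs` of load. Uses the stable recursion
    B(0) = 1, B(n) = A*B(n-1) / (n + A*B(n-1)) rather than A^n/n! directly."""
    b = 1.0
    for n in range(1, circuits + 1):
        b = traffic_erlangs * b / (n + traffic_erlangs * b)
    return b


def circuits_needed(traffic_erlangs, target_blocking):
    """Smallest trunk count whose Erlang B blocking probability is at or
    below `target_blocking` (the grade of service)."""
    n, b = 0, 1.0
    while b > target_blocking:
        n += 1
        b = traffic_erlangs * b / (n + traffic_erlangs * b)
    return n


def offered_traffic(calls_per_hour, avg_hold_minutes):
    """Offered load in erlangs: busy-hour call arrivals times the mean
    holding time, with minutes converted to hours."""
    return calls_per_hour * avg_hold_minutes / 60.0


if __name__ == "__main__":
    # Constructed figures: 200 busy-hour calls averaging 3 minutes = 10 erlangs.
    load = offered_traffic(200, 3)
    for trunks in (10, 14, 18):
        print("%d trunks -> %.2f%% of calls blocked" % (trunks, 100 * erlang_b(load, trunks)))
    # Sizing for a 1% grade of service (the usual target in trunk engineering).
    print("trunks needed for 1%% blocking: %d" % circuits_needed(load, 0.01))
```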
Telecommunication primer
Telecommunication: Hierarchy of phone switches

Phones connect to CO switch via local loop.

CO switch connects to tandem switch via trunk lines.

Tandem switches connect to each other.
8
Telecommunication primer
Telecommunication: Transmission media allow a path for
user-to-network and network-to-network communication.

User-to-network communication, from home phone to CO,
typically occurs over copper wires in an analog format.

Dual-Tone Multi-Frequency (DTMF) tones are used to signal
the CO to request a communication channel.
9
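Added example, not from the textbook: a minimal DTMF encoder and decoder showing how a key press is signalled to the CO as one low-group (row) tone plus one high-group (column) tone, with the Goertzel algorithm picking the pair back out of the audio. The 8 kHz sample rate, 400-sample tone length and the 4:1 dominance ratio are assumptions.

```python
import math

SAMPLE_RATE = 8000                      # assumed 8 kHz PSTN voice sampling rate
LOW_FREQS = (697, 770, 852, 941)        # DTMF row (low-group) tones in Hz
HIGH_FREQS = (1209, 1336, 1477, 1633)   # DTMF column (high-group) tones in Hz
KEYPAD = ("123A", "456B", "789C", "*0#D")


def dtmf_tone(key, n_samples=400):
    """Synthesise a key press as the sum of its row tone and column tone."""
    for row, keys in enumerate(KEYPAD):
        if key in keys:
            f_low, f_high = LOW_FREQS[row], HIGH_FREQS[keys.index(key)]
            break
    else:
        raise ValueError("not a DTMF key: %r" % key)
    return [math.sin(2 * math.pi * f_low * i / SAMPLE_RATE)
            + math.sin(2 * math.pi * f_high * i / SAMPLE_RATE)
            for i in range(n_samples)]


def goertzel_power(samples, freq):
    """Signal energy at one frequency via the Goertzel recurrence, i.e. a
    single DFT bin without computing the whole transform."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s_prev, s_prev2 = x + coeff * s_prev - s_prev2, s_prev
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def decode_dtmf(samples, min_ratio=4.0):
    """Return the key whose row and column tones dominate the sample block,
    or None when no tone pair stands out (e.g. silence). A production
    decoder also checks absolute level, twist and tone duration."""
    low = {f: goertzel_power(samples, f) for f in LOW_FREQS}
    high = {f: goertzel_power(samples, f) for f in HIGH_FREQS}
    f_low, f_high = max(low, key=low.get), max(high, key=high.get)
    for group, winner in ((low, f_low), (high, f_high)):
        runner_up = max(p for f, p in group.items() if f != winner)
        if group[winner] <= 0 or group[winner] < min_ratio * runner_up:
            return None
    return KEYPAD[LOW_FREQS.index(f_low)][HIGH_FREQS.index(f_high)]
```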
Telecommunication primer
Telecommunication: Transmission media allow a path for
user-to-network and network-to-network communication.

Network-to-network communication, from switch to switch,
typically occurs over fiber in a digital format.

Analog signals are digitized via pulse-code modulation
(PCM), combined via time-division multiplexing (TDM) and
sent over the PSTN.
10
Telecommunication primer
Telecommunication: Transmission media allow a path for
user-to-network and network-to-network communication.

Over the PSTN, tandem switches carry the signal across the
network to the destination CO for delivery to the end node.
11
Telecommunication primer
Telecommunication: Signaling system is needed to build a
route among switches and to provide call control.

Before a call is sent over the PSTN, a dedicated path
(circuit) has to be set up.

Messages to set up a circuit, tear it down, provide busy
tones, etc. need to be passed back and forth (call control).

This signaling is accomplished via an out-of-band network
called the Common Channel Signaling (CCS) network.

SS7 is the current implementation of the CCS network.
12
Telecommunication primer
Telecommunication: Signaling system is needed to build a
route among switches and to provide call control.

SS7 is a packet switched shared network for signaling
(PSTN is a circuit switched dedicated network for
transmission of voice signals).
13
Telecommunication primer
Telecommunication: VoIP components include the following:

End nodes are VoIP-enabled telephones. They could be
like regular phones (hardphones) or be softphones.

Call processors – also known as softswitches – that set up
calls, translate phone numbers into IP addresses, do
signaling, authorize users, etc.

Media processors that broker transmissions between VoIP
and PSTN networks.

Signaling gateways that mediate between signaling on
VoIP networks and signaling on PSTN networks.
14
Telecommunication primer
Telecommunication: VoIP networks currently coexist with
PSTN networks.

Media processors and signaling gateways bridge the gap
between PSTN and VoIP networks.
15
Telecommunication primer
Telecommunication: Advantages of VoIP include:

Data networks can be reused for voice traffic
(convergence).

Enhanced features and functionality compared to PSTN.

Cheaper calls than PSTN networks. Cost doesn’t vary as
much by time-of-day or distance.

VoIP allows for location independence – calls follow you.

Allows for efficient use of bandwidth – silence doesn’t
consume any bandwidth.

However, quality for VoIP calls still has to catch up with
PSTN calls.
16
Telecommunication primer
Telecommunication: Comparison of VoIP vs PSTN:

PSTN                                   | VoIP
---------------------------------------|----------------------------------------------
Circuit switching technology           | Packet switching technology
Dedicated circuits for communication   | Shared bandwidth for communication
Fairly proprietary methods/hardware    | Open standards based protocols/hardware
Well-established and very reliable     | New technology with some reliability concerns
More expensive calls                   | Relatively cheaper calls
Cost depends on time and distance      | Costs not as dependent on time and distance
Needs separate voice network           | Can leverage existing data network
Low-moderate security concerns         | Moderate-high security concerns
Standardized features and functions    | Enhanced features and functions available
17
Management concerns
Concerns about telecommunications system security
typically include the following:

Maximizing the communication infrastructure availability
for employees and customers.

Ensuring the integrity of communications infrastructure.

Keeping up with existing and upcoming telecom scams,
toll frauds, social engineering attacks and implementing
mitigating controls.

Having an effective backup, recovery, business
resumption and a disaster recovery plan.
18
Risks and controls
Remote Access: Feature of a PBX that lets remote users place
long-distance calls through the company's PBX.

Also known as Direct Inward System Access (DISA).

Employees on the road call a toll-free number paid by
the company.

The PBX prompts for a passcode and gives a dial tone
to make a long-distance call at company’s expense.
19
Risks and controls
Remote access risks:

Phreakers war-dial, dumpster dive, or social engineer to
identify remote access numbers and crack the passcodes,
leading to toll fraud.
Controls:

Disable DISA if not required; otherwise, use strong passcodes.

Don’t make toll-free (800) numbers readily available.

Disable dial tones on DISA ports to foil war-dialers.

Limit places to which long distance calls can be made.

Analyze the logs to identify toll-fraud.
20
Risks and controls
Maintenance ports: Feature of PBX that allows support
personnel to administer various features remotely.

Also known as Remote Administration.

Support personnel and vendors call into the PBX and
can administer various PBX features.

The PBX prompts for a passcode before allowing
access.
21
Risks and controls
Maintenance port risks:

Phreakers war-dial, dumpster dive, or social engineer to
identify maintenance port numbers and crack the
passcodes, leading to toll fraud, silent monitoring, call
rerouting and denial of service.
Controls:

Disable maintenance ports if not required; otherwise, use strong
passcodes or stronger authentication means.

Enable intruder lockouts.

Disable dial tones on DISA ports to foil war-dialers.

Analyze the logs to identify intrusion attempts.
22
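Added example, not from the textbook, covering the "analyze the logs" controls on both the DISA slide and the maintenance-port slide: a small detector run over constructed PBX audit records in a hypothetical pipe-delimited layout, flagging successful DISA calls to non-approved destinations or during quiet hours, and sources whose failed maintenance-port logins reach an assumed intruder-lockout threshold. The record format, allow-list, quiet hours and threshold are all my assumptions, not any vendor's.

```python
from collections import defaultdict
from datetime import datetime

# Constructed PBX audit records in a hypothetical "timestamp|port|source|event|dialed" layout.
SAMPLE_LOG = """\
2007-03-01 09:12:04|DISA|6175550177|AUTH_OK|12125550199
2007-03-01 02:31:17|DISA|unknown|AUTH_OK|01187612345678
2007-03-01 14:05:11|EXT|x2041|CALL|16175550123
2007-03-02 03:10:02|MAINT|5555550111|AUTH_FAIL|
2007-03-02 03:10:09|MAINT|5555550111|AUTH_FAIL|
2007-03-02 03:10:15|MAINT|5555550111|AUTH_FAIL|
2007-03-02 10:45:00|MAINT|5555550122|AUTH_OK|
"""

ALLOWED_PREFIXES = ("1212", "1617", "1646")  # assumed approved long-distance destinations
QUIET_HOURS = range(0, 6)                    # assumed: no legitimate DISA use 00:00-05:59
LOCKOUT_THRESHOLD = 3                        # assumed intruder-lockout setting on the PBX

def parse(log_text):
    """Split each record into a dict, turning the timestamp into a datetime."""
    rows = []
    for line in log_text.splitlines():
        ts, port, src, event, dialed = line.split("|")
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "port": port, "src": src, "event": event, "dialed": dialed})
    return rows

def disa_toll_fraud_alerts(rows):
    """Successful DISA calls to non-approved destinations or during quiet hours."""
    alerts = []
    for r in rows:
        if r["port"] != "DISA" or r["event"] != "AUTH_OK":
            continue
        reasons = []
        if not r["dialed"].startswith(ALLOWED_PREFIXES):
            reasons.append("destination not on allow-list")
        if r["ts"].hour in QUIET_HOURS:
            reasons.append("call during quiet hours")
        if reasons:  # one alert per suspicious call, listing every reason that fired
            alerts.append((r["ts"].isoformat(), r["dialed"], reasons))
    return alerts

def maintenance_port_alerts(rows, threshold=LOCKOUT_THRESHOLD):
    """Sources whose failed maintenance-port logins reach the lockout threshold."""
    fails = defaultdict(int)
    for r in rows:
        if r["port"] == "MAINT" and r["event"] == "AUTH_FAIL":
            fails[r["src"]] += 1
    return {src: n for src, n in fails.items() if n >= threshold}
```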
Risks and controls
Silent monitoring: Feature of a PBX that allows a user to
listen in on others’ conversations.

Businesses often have a need to silently listen, record,
and/or store conversations among users.

Supervisors listen in on conversations to ensure
customer service in a call center/telemarketing type
environment.

Sometimes calls are recorded and/or stored for liability
or compliance reasons (e.g. air traffic controller).
23
Risks and controls
Silent monitoring risks:

Legal ramifications can arise if calls are monitored
without reviewing applicable law. Laws vary by state.

Unauthorized monitoring could occur if administrators
aren’t diligent.
Controls:

Obtain legal advice before enabling the feature.

Inform callers and employees about the monitoring/
recording practice. Obtain consent forms from the latter.

Periodically review the business need for users with the
privileges to monitor.
24
Risks and controls
Telecom scams: Several scams, usually aimed at toll fraud,
are prevalent in the telecom industry.

Shoulder surfing: attackers watch or film callers entering
their calling-card numbers.

Pager/beeper/fax-back scams trick people into calling
expensive toll numbers.

Operator deceit is a social engineering attempt in which an
outside caller fools a company employee into transferring
them to the operator, then asks the operator to place a
long-distance call on the employee’s behalf.

Employees can misuse the call-forwarding feature by
forwarding their extension to a home number and having
friends call the company’s toll-free number to reach them.
25
Risks and controls
Telecom scam risks:

Toll-fraud.
Controls:

Educate users about these scams and implement
technical controls where possible.

Restrict the destinations to which calls can be made.

Log long-distance activity and analyze logs for abuse.

Limit the call forwarding feature.
26
Risks and controls
Voicemail & conferencing systems: Allow for exchanging
messages and conducting conference calls.

Often sensitive information is exchanged via voicemails
and/or discussed on conference calls.

Security on these systems is often ignored. Passcodes
are almost never changed. Recurring conference calls
typically reuse the same passcodes.

Sometimes these systems allow for zero-out options
where the caller can reach an operator – leading to an
operator deceit scenario.

“Yes-Yes” scam with mailboxes can lead to third-party
billing abuse.
27
Risks and controls
Voicemail & conferencing systems risks:

Poor passcodes can lead to disclosure of sensitive information.

Toll-fraud.
Controls:

Ensure strong passcodes and passcode management.

Educate users and operators about scams.

Disable zero-out and third-party billing options.

Delete unused mailboxes.
28
Risks and controls
VoIP: Technology that involves transmission of digitized
voice packets over a shared packet-switched network.

VoIP transmissions are no different from data network
transmissions. Hence they suffer from the same security
issues (see Network security chapter).

VoIP devices are less proprietary in nature (than PSTN
devices) and communicate via standard TCP/IP
protocols. Hence they are more exposed to attack.

A compromise of the data network impacts both computer
and telephone traffic.

A compromise of a user’s computer could easily impact
voice traffic (softphones, web-based voicemail, etc.).
29
Risks and controls
VoIP risks:

Sniffing attacks could capture transmissions.

Calls could be hijacked.

DoS attack could disable voice communications.
Controls:

Encrypt all VoIP traffic to mitigate the sniffing risk.

Use Virtual LANs to logically segregate VoIP traffic from
the rest of the traffic.

Secure operating systems for PCs and VoIP devices.

Secure networks via firewalls and Intrusion Detection
Systems.
30
Assurance considerations
An audit to assess telecommunication security should
include the following:

Evaluate the physical security of telecommunications
equipment.

Assess the security of pass-through/zero-out features
available via the PBX, voicemail systems, and
conferencing systems.

Review end-user education programs that warn users of
the various telecommunication scams and social
engineering attacks.

Ensure that the DISA and maintenance ports are
secured against attacks.
31
Assurance considerations

Review the security of all servers that support VoIP
communications (operating system audit).

Review the security of the network that carries VoIP
traffic (network security audit).

Ensure that functional plans for backup and recovery,
business resumption, and disaster recovery are in place.
32
Recap
33