erase) or use customer data.
» Prevent unauthorized persons from gaining access to data media, e.g. backup disks or protocol printouts.
» Ensure that data media that are no longer needed are completely destroyed, and that documents are not stored or left in
generally accessible locations.
Misuse and hacking
The PBX is the equipment that interconnects and fully controls internal and external connections.
Because every PBX has some part of its system "exposed" to the outside world, its security must be looked after to prevent
intrusion by hackers and the resulting damage to the company. Intrusions occur when malicious people break into the PBX
through failures in the protection and configuration of its resources.
A PBX reachable on a valid (public) IP address on the internet can be easily located and attacked. The access paths with the
highest volume of intrusions are: the PBX's remote maintenance port (valid IP); VoIP trunking over the internet used for
communication between branches; terminals with facilities that use the internet and a valid IP; and other associated services.
Hackers and clandestine operators use programs that generate repeated calls to every PBX extension susceptible to intrusion.
As soon as they discover an unprotected extension that completes long-distance calls (DDD or DDI), or a valid IP on the
internet, the attack is carried out.
Learn how to prevent intrusions and protect your company's PBX:
» Create a security policy and pass it on to all users, emphasizing its importance.
» Use an outdial control mechanism, such as the PBX Account Code.
» Do not allow the DISA configuration to authorize calls without a password, and always try to associate the password with
the user's physical extension, which makes it easier to identify the origin of calls.
» Restrict remote access to Technical Operations and Maintenance to authorized persons only. Share with them the
responsibility of keeping system passwords confidential.
» Periodically check with the maintainer and/or manufacturer for software updates and security packages.
» Instruct the company's operators/attendants not to complete calls received externally to external numbers.
» Keep a backup of the PBX data, updated at the shortest practical interval and/or whenever any parameter in the equipment
changes.
» Determine destination restrictions by extensions, according to the user's profile (local, mobile, DDD and DDI).
» Restrict the use of trunk-to-trunk calls (calls that arrive on one external trunk and request authorization to place a call
on another external trunk).
» Allow collect calls to be accepted only on strategic extensions. If possible, block this type of call for voicemail-enabled
extensions, DISA, etc.
» Track the destinations of national and international calls, their average duration and the occurrence of collect calls,
comparing them with the historical profile of these calls.
» Restrict the external Follow Me facility to the extensions that really need it.
» Use private networks without internet access to register remote extensions or connect to VOIP.
» Keep the telephony network separate from the internet access network: separate them physically or with "VLANs".
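Two of the recommendations above (destination restrictions per extension profile, and tracking long-distance and collect
calls against the historical profile) can be checked automatically from the PBX call detail records (CDR). The script below
is an added example, not part of this guide or of any PBX vendor's software. The CDR line format, the simplified
Brazilian dial-plan classification (00 = DDI, 0 = DDD, nine digits starting with 9 = mobile, anything else = local), the
profile names and the 3x deviation factor are all assumptions made for the example; adapt them to your equipment's export
format and numbering plan. Extensions without an explicit profile get the most restrictive one (local), following the
least-privilege idea behind the guide's advice.

```python
"""CDR audit: per-extension destination policy plus deviation from a historical baseline.

Constructed example. CDR format, dial-plan rules, profiles and thresholds are assumptions,
not a real PBX export or vendor API.
"""
from collections import defaultdict
from dataclasses import dataclass

# Destination classes named in the guide: local, mobile, DDD (national long distance), DDI (international).
# Each profile is the set of classes an extension may dial.
PROFILES = {
    "local": {"local"},
    "mobile": {"local", "mobile"},
    "ddd": {"local", "mobile", "ddd"},
    "ddi": {"local", "mobile", "ddd", "ddi"},
}


@dataclass
class CallRecord:
    when: str
    extension: str
    dialed: str
    seconds: int
    collect: bool


def classify_destination(number: str) -> str:
    """Simplified classification (assumption for this example):
    00... -> DDI, 0... -> DDD, nine digits starting with 9 -> mobile, otherwise local."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if digits.startswith("00"):
        return "ddi"
    if digits.startswith("0"):
        return "ddd"
    if len(digits) == 9 and digits[0] == "9":
        return "mobile"
    return "local"


def parse_cdr(text: str) -> list:
    """Parse constructed 'timestamp;extension;dialed;seconds;collect' lines; '#' lines are comments."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, ext, dialed, secs, collect = line.split(";")
        records.append(CallRecord(when, ext, dialed, int(secs), collect == "1"))
    return records


def policy_violations(records, extension_profiles) -> list:
    """Return (extension, dialed, class) for calls outside the extension's profile.
    Unlisted extensions are treated as 'local' (least privilege)."""
    violations = []
    for r in records:
        allowed = PROFILES[extension_profiles.get(r.extension, "local")]
        cls = classify_destination(r.dialed)
        if cls not in allowed:
            violations.append((r.extension, r.dialed, cls))
    return violations


def summarize(records) -> dict:
    """Per-extension counters: long-distance (DDD/DDI) call count, total LD seconds, collect calls."""
    stats = defaultdict(lambda: {"ld_calls": 0, "ld_seconds": 0, "collect": 0})
    for r in records:
        s = stats[r.extension]
        if classify_destination(r.dialed) in ("ddd", "ddi"):
            s["ld_calls"] += 1
            s["ld_seconds"] += r.seconds
        if r.collect:
            s["collect"] += 1
    return dict(stats)


def baseline_deviations(records, baseline, factor=3.0) -> list:
    """Flag (extension, metric, value) where current LD volume or average LD duration exceeds
    `factor` times the historical baseline, or any collect call exceeds the baseline count.
    An extension missing from the baseline is compared against zero."""
    flags = []
    for ext, s in summarize(records).items():
        b = baseline.get(ext, {"ld_calls": 0, "avg_ld_seconds": 0, "collect": 0})
        if s["ld_calls"] > factor * b["ld_calls"]:
            flags.append((ext, "ld_calls", s["ld_calls"]))
        avg = s["ld_seconds"] / s["ld_calls"] if s["ld_calls"] else 0
        if b["avg_ld_seconds"] and avg > factor * b["avg_ld_seconds"]:
            flags.append((ext, "avg_ld_seconds", round(avg)))
        if s["collect"] > b["collect"]:
            flags.append((ext, "collect", s["collect"]))
    return flags


# Constructed sample CDR (not a real PBX export). Extension 410 has no profile and no baseline.
SAMPLE_CDR = """
# timestamp;extension;dialed;seconds;collect
2024-05-06 09:12:31;201;33221100;95;0
2024-05-06 09:40:02;201;02111987654321;40;0
2024-05-06 10:05:17;305;002115550123;60;0
2024-05-06 10:30:00;305;33224455;120;1
2024-05-06 22:15:44;410;001120255501234;1800;0
2024-05-06 22:31:02;410;001120255501234;1750;0
2024-05-06 22:47:19;410;001120255501234;1820;0
2024-05-06 23:05:55;410;01521912345678;300;0
"""
SAMPLE_PROFILES = {"201": "ddd", "305": "ddi"}
SAMPLE_BASELINE = {  # constructed historical profile per extension
    "201": {"ld_calls": 3, "avg_ld_seconds": 60, "collect": 0},
    "305": {"ld_calls": 1, "avg_ld_seconds": 90, "collect": 0},
}

if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for v in policy_violations(recs, SAMPLE_PROFILES):
        print("POLICY  ", v)
    for f in baseline_deviations(recs, SAMPLE_BASELINE):
        print("BASELINE", f)
```

Run against the sample, the policy check reports the four calls from extension 410 (three international, one national long
distance), and the baseline check flags 410 for long-distance volume and 305 for an unexpected collect call. In practice the
baseline would be derived from several weeks of the same CDR export rather than typed in.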