Many of the same controls listed for toll fraud will help reduce the exposure to destructive changes by hackers. Some basic prevention steps include:
-
Force changes of voicemail passwords. Most current voicemail manufacturers maintain a history of changes so that a user cannot change his password to one number and then quickly change it back to the same number he has used for the past ten years.
-
Force passwords to be at least eight digits.
-
Identify unused mailboxes (sometimes used by drug dealers as an untraceable mailbox for transactions).
-
Never allow dial tone to be accessible from voicemail.
-
Implement a class of service program that allows employees or on-premise contractors to have only the features they need. For example, the ability to modify someone else's telephone features is obviously powerful and dangerous if misused — a hacker who gains access to a phone with that level class of service could significantly disrupt operations. Review class of service annually.
Using Security Tools to Offer More Services
Although our discussion of security to this point has been from a defensive perspective, there are a few operational enhancements that come out of a good security system. Some of these include:
-
Use of voice verification to allow DISA. By enrolling employees who normally use calling cards for business (salespeople, traveling professionals, etc.) in a voice print authorization system, calling card costs can be significantly reduced. By use of an 800 number to call in to the PBX and allow DISA for an outgoing call (after verification), a traveler can obtain the same services at a cheaper rate. Although she would pay for the call two ways (into the PBX and out to another location), the cost of calling card calls is usually so high that the organization still reduces costs. In particular, the cost of calling card international calls and intraLATA calls are often well above 800 number rates. Exhibit 1 shows a payback analysis using fictitious but typical calling card and 800 number rates. Savings in calling cards alone can pay for the security device, since the payback shown in less than one year. Of course, the payback calculation shown in Exhibit 1 will vary considerably, depending on the number of calls via calling cards, the percentage of users who would be willing to go through the voice registration process, per-minute costs of long-distance and calling card usage, and cost of the verification equipment itself (e.g., Veritel's Voicecheck technology).
Exhibit 1: Analysis of Potential Savings Using Voice Verification in Place of Calling Cards
Access voicemail in areas of the world without touch-tone telephones. Using voice-activated-only voicemail (with appropriate speaker voice recognition) allows rotary users to go through menus within voicemail.
-
Access special/confidential services. For example, Parlance Corporation has a service called Employee Connector that allows an individual to list multiple phone, pager, cellular, etc. numbers. These numbers can be dialed by saying, for example, "Ms. Doe's vacation home" or "Mr. Smith's New York office." Having this information would be useful for executives and their administrative assistants but might be too sensitive for the general employee population. By front ending this service with a security device, it would be practical to use it. Executives would feel confident that only those with a need to know would have access.
No comments:
Post a Comment