Telecommunications Security Assessment Workplan

1
Telecommunications Security Assessment Workplan

• Matt Kaliyadan
• CS654

2
What is it?

• Technically includes LAN, WAN, Internet and voice
  according to Killmeyer text.
• Practically includes only the voice component-
  POTS (analog), and increasingly digital (VoIP).
• Also includes PBX, Centrex, mobile
  communications.
• Increasing grey area between data, voice, mobile
  definitions.

3
Why do it?

• Important and frequently overlooked.
• Billions lost each year due to exploited and
  unauthorized use of Telephone systems.
• Increasing potential for breeches on voice side
  to carry over to data networks (VoIP hybrids).
• Meet industry standards/government regulations.

4
Assessment Metrics

• Review and chargeback of telephone expense.
• Establish baseline, look for spikes in overall
  activity and on specific lines/extensions.
• Must be consistently done on a regular basis to
  correlate the data accurately.
• Implement carrier level analysis- CDR (call
  detail records).
• Fraud detection services (Sprint GUARD, MCI
  Detect, ATT NetProtect).
• Combine this internal and external data.

5
Assessment Metrics Contd

• Assessment should ensure written policy exists
  for employees to review.
• Built in management features of the PBX should be
  utilized- not setup once, let go.
• Adequate resources?
• Document existing configurations/change
  management.
• Audit of 3rd Party policies (if applicable).

6
Assessment Metrics Contd

• Physical security of MDFs and IDFs/controlled
  access to these locations.
• Environmental protection (controlled
  environment).
• Proper access control to logs/system
  reports/recorded calls.
• PBX password policy (have one and enforce it)
• Remote access control considerations.

7
Security Manager Uses

• Must include Telecommunications as a component of
  a secure system.
• Ensures overall company security policy is being
  enforced on the Telecommunications side.
• Identifies gaps in security coverage, so that
  appropriate changes can be made.

8
Hacker Uses

• Discovery or weak or no Telecommunications Plan
  leaves the door open for fraud, misuse,
  compromise of data security.
• Could help a hacker determine the type of system,
  system specific weaknesses, key equipment
  locations.

9
Where to go for more information

• Killmeyer text Appendix B-5 (Telecommunications
  workplan assessment template).
• Internet- surprisingly, not many examples.
  Googling the topic- 1st 3-4 entries turn up our
  text book.
• Best plan is to draw from existing security
  standards and apply those to Telecom.

10
Summary

• Vital part of overall security plan.
• Should be treated with similar regard as data
  security.
• Establish a baseline.
• Determine a formalized assessment plan and follow
  up schedule and implement. B-5.
• Questions?