Penetration Testing mailing list archives

Re: [PEN-TEST] PBX Security


From: David Alexander <dalexander () TRISKELE CO UK>
Date: Wed, 4 Oct 2000 17:03:21 +0100

Joe

I can't give you any specifics about that make or model, but here are some
general pointers:

1. Check for any form of listening device near/hooked into the system to
pass on data or phone numbers. I know it seems paranoid, but you are a bank
and want to be thorough I hope.
2. Read through the manuals to find out what maintenance and admin accounts
there are, and check that the password settings are not the defaults or
easily guessed.
3. Check on automatic call re-routing and mailbox settings. Can people break
into the admin settings and then re-route outgoing calls (phreaking)?
4. Talk to the admin and to the suppliers - is the system software patching
up to date?

Hope this helps

David Alexander
Project Manager & Information Security Consultant
Qualified BS7799 Lead Auditor
Triskele Ltd.

Office  01491 833280
Mobile 0780 308 3130


-----Original Message-----
From: Joe Traietta [mailto:JTraietta () ASAHIBANKNY COM]
Sent: 04 October 2000 15:07
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] PBX Security


I have been asked to perform a security review on the PBX system (NEC NEAX
2000 IVS) at my company.  I have virtually no PBX experience, so I was
hoping somebody could point me to a good resource, or pass along some
personal experience about reviewing / auditing a PBX system.

Thank you.

Joseph Traietta
Data Security Officer
Asahi Bank, New York Branch

