This topic describes ways to use system administration tools to
minimize the possibility of telecommunications toll fraud on your
system. It offers safeguards that make it harder for an unauthorized
user to penetrate the Message Networking system.
This topic provides information on the following areas related
to system security:
What is toll fraud?
Toll fraud is the unauthorized use of a company's telecommunications
service. It occurs when people misdirect their own telecommunications
charges to another person or business.
How toll fraud occurs
There are several ways that unauthorized users might attempt to
breach your system, including:
Unauthorized system use
To minimize the risk of unauthorized system use, follow the password
guidelines, including the password aging feature. Provide additional
protection for your system with Avaya's Access Security Gateway
(ASG) option.
Administrator passwords
The following aspects of password management affect the security
of your system:
- Default administrator password
- Password standards
- Password aging
Default Administrator password
When your system is installed, the sa login comes with a default
password. You are required to change this password immediately.
Use the procedures in Changing Passwords to make this change.
Password standards
Passwords must comply with certain minimum standards. These standards
are described in Guidelines for Passwords.
Password aging
Password aging ensures that administration passwords are changed
at reasonable intervals by causing passwords to expire after a set
period of time. Use password aging for administrative logins to
reduce the danger of unauthorized system access.
When password aging is in place, people who would rather only
remember one password are likely to change the password when required
and then change back to the familiar password immediately. The Minimum
Age Before Changes setting prevents a subscriber from immediately
changing back to the previous password.
The following settings allow you to define the limits associated
with password aging:
- Password Expiration
- Minimum Age Before Changes
- Expiration Warning
You can change these settings by starting at the Administration
main menu and selecting Password Administration. The items and their
operation are described in Setting Administrator Password Aging.
Access Security Gateway
The Access Security Gateway (ASG) feature is an optional authentication
interface you can use to secure the sa login on the Message Networking
system. Whenever a dial-up port user begins a session on the system
for purposes of administration or maintenance, the user must enter
a valid login ID. If the ASG interface is activated, the system
issues a numerical challenge. In order for the user to access the
Message Networking administration and maintenance features, the
user must enter the correct numerical response. By activating the
ASG feature, you can reduce the possibility of unauthorized remote
access to the system.
You administer ASG parameters to specify whether access to the
system requires ASG authentication. You can assign this protection
to all system administration maintenance ports or to a subset of
those ports. If the port or login being used is not protected by
ASG, the user can enter the system with the standard Message Networking
login and password.
The following procedure describes how the ASG interface works:
- At the beginning of a login session, the user is prompted to
enter a login ID.
- Upon receipt of the login ID, ASG generates a number based upon
the system ASG secret key number and presents this 7-digit number
as a challenge.
- The user must have a handheld device, called the ASG Key. The
ASG Key must be set with an ASG secret key number that matches
that of the user's ASG secret key number in the Message Networking
system.
- The user enters the PIN and challenge number into the ASG Key.
- The ASG Key generates and displays a unique, 7-digit numerical
response that corresponds to the challenge number.
- The user enters the response number at the response: prompt.
- If the response supplied by the user corresponds to the numerical
response expected by the Message Networking system, the authentication
is successful and the user is logged in to the system.
- If the response does not correspond, the user is not authenticated
and is denied access to the system. Also, the failed authentication
attempt is recorded in the system history log.
Note: The system administrator determines how many
login attempts are permitted. If the user is not authenticated
after that number of attempts, the system displays the message
INVALID LOGIN and terminates the session.
To administer ASG on Message Networking, see Administering the
Access Security Gateway (ASG).
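The challenge-response flow described above, as an added example (not Avaya's code and not the ASG algorithm). HMAC-SHA-256 stands in for the vendor's response calculation and the challenge is drawn at random; the class names, the attempt limit of 3, the secrets and the PIN are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumption: the page leaves this limit to the administrator

def new_challenge() -> str:
    """7-digit numeric challenge. Drawn at random here (assumption)."""
    return f"{secrets.randbelow(10**7):07d}"

def response_for(secret_key: bytes, challenge: str) -> str:
    """7-digit response. HMAC-SHA-256 is a stand-in, not the algorithm ASG uses."""
    digest = hmac.new(secret_key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**7:07d}"

class AsgKey:
    """Hypothetical model of the handheld ASG Key: a PIN guards the stored secret."""
    def __init__(self, secret_key: bytes, pin: str):
        self._secret, self._pin = secret_key, pin

    def respond(self, pin: str, challenge: str) -> str:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        return response_for(self._secret, challenge)

class ProtectedPort:
    """Hypothetical model of an ASG-protected port on the server side."""
    def __init__(self, secrets_by_login: dict):
        self._secrets = secrets_by_login
        self.history_log = []

    def login(self, login_id: str, answer) -> str:
        """`answer` is a callable: challenge -> digits typed at the response: prompt."""
        for attempt in range(1, MAX_ATTEMPTS + 1):
            challenge = new_challenge()
            # Unknown logins still get a challenge, checked against a throwaway key.
            key = self._secrets.get(login_id, secrets.token_bytes(16))
            expected = response_for(key, challenge)
            if hmac.compare_digest(answer(challenge).encode(), expected.encode()):
                return "LOGGED IN"
            self.history_log.append(f"ASG authentication failed: {login_id} (attempt {attempt})")
        return "INVALID LOGIN"

# Constructed secrets and PIN, for illustration only.
SA_SECRET = b"constructed-asg-secret"
good_key = AsgKey(SA_SECRET, pin="4821")
wrong_key = AsgKey(b"some-other-secret", pin="4821")

if __name__ == "__main__":
    port = ProtectedPort({"sa": SA_SECRET})
    print(port.login("sa", lambda c: good_key.respond("4821", c)))
    print(port.login("sa", lambda c: wrong_key.respond("4821", c)))
    print(port.history_log)
```

A key set with a different secret fails every attempt, each failure lands in the history log, and the session ends with INVALID LOGIN.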
Unauthorized use of AMIS Analog Networking Call Delivery
This section discusses how to minimize the risk that someone who
is already in your system makes unauthorized calls. In this
case, the unauthorized usage could come from an employee or from
someone who has breached your system security and gained access.
To minimize the security risk of AMIS Analog Networking, restrict
the number ranges that can be used to address messages. Be sure
to assign all the appropriate PBX outgoing call restrictions on
the voice ports.
Detecting voice mail fraud
The following table shows the monitoring techniques you can use
to help determine if your system is being used for fraudulent purposes.
Monitoring Techniques

| Monitoring Technique | Switch |
|---|---|
| Call Detail Recording | All |
| Traffic Measurements and Performance | All |
| Automatic Circuit Assurance | All |
| Busy Verification | All |
| Call Traffic Report | All |
Call Detail Recording
With Call Detail Recording (CDR) activated, you can find out details
about the calls made into your voice mail ports. This feature is
known as Station Message Detail Recording (SMDR) on some switches.
Review CDR reports for the following indications of possible voice
messaging abuse:
- Short holding times on any trunk group where multimedia messaging
is the originating remote machine or terminating remote machine
- Calls to international locations not normally used by your business
- Calls to suspicious destinations
- Numerous calls to the same number
- Undefined account codes
Note: For System 85, CDR only records the last extension
on the call. Therefore, internal toll abusers transfer unauthorized
calls to another extension before they disconnect. This ensures
that the CDR does not track the originating station. If the transfer
is to your multimedia messaging system, it could give a false
indication that your multimedia messaging system is the source
of the toll fraud.
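One way to run the CDR review above over exported records, as an added example that is not part of the original documentation. The record fields, the "011" international prefix, the thresholds and the account-code list are assumptions, and the sample records are constructed; the "suspicious destinations" indicator is left out because the page does not define it.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Call:
    trunk_group: int      # trunk group that carried the call
    dialed: str           # dialed digits; "011" prefix = international (assumed dial plan)
    seconds: int          # holding time
    account_code: str     # "" when none was entered
    via_messaging: bool   # messaging system originated or terminated the call

# Site policy values: assumptions for this example, tune to your own baseline.
SHORT_HOLD_SECONDS = 10          # same value as the ACA default short holding time
SHORT_HOLD_MIN_CALLS = 3         # short calls per trunk group before flagging
REPEAT_LIMIT = 3                 # calls to one number before flagging
USUAL_COUNTRY_CODES = ("44",)    # countries the business normally calls
VALID_ACCOUNT_CODES = {"", "1001", "1002"}

def review(calls):
    """Map each CDR indicator to the sorted trunk groups, numbers or codes that tripped it."""
    short = Counter(c.trunk_group for c in calls
                    if c.via_messaging and c.seconds < SHORT_HOLD_SECONDS)
    per_number = Counter(c.dialed for c in calls)
    intl = {c.dialed for c in calls
            if c.dialed.startswith("011")
            and not c.dialed[3:].startswith(USUAL_COUNTRY_CODES)}
    return {
        "short_hold_trunk_groups": sorted(t for t, n in short.items()
                                          if n >= SHORT_HOLD_MIN_CALLS),
        "unusual_international": sorted(intl),
        "repeated_numbers": sorted(d for d, n in per_number.items() if n >= REPEAT_LIMIT),
        "undefined_account_codes": sorted({c.account_code for c in calls
                                           if c.account_code not in VALID_ACCOUNT_CODES}),
    }

# Constructed CDR records (not real data).
SAMPLE = [
    Call(7, "0119995550100", 4, "", True),
    Call(7, "0119995550100", 6, "", True),
    Call(7, "0119995550100", 3, "9999", True),
    Call(7, "0114420555010", 240, "1001", False),
    Call(2, "3035550142", 95, "1002", False),
    Call(2, "3035550142", 8, "", True),
]

if __name__ == "__main__":
    for indicator, hits in review(SAMPLE).items():
        print(f"{indicator}: {hits}")
```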
For System 75:
- Use change system-parameters features to display the
Features-Related System Parameters screen.
- Administer the appropriate format to collect the most information.
The format depends on the capabilities of your CDR analyzing and
recording device.
- Use change trunk-group to display the Trunk Group screen.
- Enter y in the SMDR/CDR Reports field.
Call Traffic report
This report provides hourly port usage data and counts the number
of calls originated by each port. By tracking normal traffic patterns,
you can respond quickly if an unusually high volume of calls appears.
Such a high volume might indicate unauthorized use, especially if
it occurs after business hours or during weekends.
For System 75, traffic data reports are maintained for the last
hour and the peak hour. For System 85, traffic data is available
via Monitor I which can store the data and analyze it over specified
periods.
Trunk Group report
This report tracks call traffic on trunk groups at hourly intervals.
Since trunk traffic is fairly predictable, you can easily establish
over time what is normal usage for each trunk group. Use this report
to watch for abnormal traffic patterns, such as unusually high offhour
loading.
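The baseline comparison that the Call Traffic and Trunk Group report sections describe, as an added example that is not part of the original documentation. The business-hours window, the 3-sigma threshold and the hourly counts are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59, Monday to Friday
SIGMA = 3.0                    # assumption: how far above normal counts as unusual

def off_hours(weekday: int, hour: int) -> bool:
    """weekday: 0 = Monday ... 6 = Sunday."""
    return weekday >= 5 or hour not in BUSINESS_HOURS

def build_baseline(history):
    """history: (weekday, hour, calls) tuples -> {(is_weekend, hour): (mean, stdev)}."""
    buckets = {}
    for weekday, hour, calls in history:
        buckets.setdefault((weekday >= 5, hour), []).append(calls)
    return {slot: (mean(v), pstdev(v)) for slot, v in buckets.items()}

def unusual(baseline, observed):
    """Return (weekday, hour, calls, off_hours) for counts far above the baseline."""
    hits = []
    for weekday, hour, calls in observed:
        slot = (weekday >= 5, hour)
        if slot not in baseline:
            continue  # no history for this slot yet: nothing to compare against
        avg, dev = baseline[slot]
        # Floor the deviation at 1 call so quiet hours do not alarm on one extra call.
        if calls > avg + SIGMA * max(dev, 1.0):
            hits.append((weekday, hour, calls, off_hours(weekday, hour)))
    # Off-hours spikes first, then by size.
    return sorted(hits, key=lambda h: (not h[3], -h[2]))

# Constructed hourly call counts for one trunk group (not real data).
HISTORY = ([(d, 2, c) for d, c in zip(range(4), (1, 0, 2, 1))]
           + [(d, 10, c) for d, c in zip(range(4), (40, 44, 38, 42))]
           + [(5, 14, c) for c in (2, 3, 1, 2)])
TODAY = [(2, 2, 19), (2, 10, 45), (3, 10, 90), (5, 14, 30)]

if __name__ == "__main__":
    for weekday, hour, calls, after_hours in unusual(build_baseline(HISTORY), TODAY):
        print(f"weekday {weekday} {hour:02d}:00 calls={calls} off_hours={after_hours}")
```

Because these reports are not archived on the switch, the history fed to such a check has to come from printed or exported copies kept over time.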
SAT and Manager I reporting
Traffic reporting capabilities are built in to and are obtained
through the System Administrator Tool (SAT) and Manager I terminals.
These programs track and record the usage of hardware and software
features. The measurements include peg counts (that is, the number
of times ports are accessed) and call duration. Traffic measurements
are maintained constantly and are available on demand. However,
reports are not archived and should therefore be printed if you
want to monitor a history of traffic patterns.
For System 75:
- To record traffic measurements:
  - Enter change trunk-group to display the Trunk Group screen.
  - In the Measured field, enter both if you have a Basic Call
    Management System (BCMS) and a Call Management System (CMS),
    internal if you have only BCMS, or external if you have only CMS.
- To review the traffic measurements:
  - Enter list measurements followed by a measurement type (trunk-groups,
    call-rate, call-summary, or outage-trunk) and timeframe (yesterday-peak,
    today-peak, or arrestor).
- To review performance:
  - Enter list performance followed by a performance type (summary
    or trunk-group) and timeframe (yesterday or today).
ARS Measurement Selection
The ARS Measurement Selection can monitor up to 20 routing patterns
for traffic flow and usage.
For System 75:
- Use change ars meas-selection to choose the routing patterns
you want to track.
- Use list measurements route-pattern followed by the timeframe
(yesterday, today, or last-hour) to review the measurements.
Automatic Circuit Assurance
This monitoring technique detects a number of calls with short
holding times or a single call with a long holding time. Such calls
may indicate hacker activity. Long holding times on trunk-to-trunk
calls can be a warning sign. The Automatic Circuit Assurance (ACA)
feature allows you to set time limit thresholds defining what is
considered a short holding time and a long holding time. When a
violation occurs, a designated station is visually notified.
When an alarm occurs, determine if the call is still active. If
toll fraud is suspected (for example, if a long holding time alarm
occurs on a trunk-to-trunk call), you may want to use the busy verification
feature.
For System 75:
- Use change system-parameters features to display the Features-Related
System Parameters screen.
- Enter y in the Automatic Circuit Assurance (ACA) Enabled field.
- Enter local or primary in the ACA Referral Calls field. If primary
is selected, calls can be received from other switches.
- Use change trunk-group to display the Trunk Group screen.
- Enter y in the ACA Assignment field.
- Establish short and long holding times. The defaults are 10
seconds (short holding time) and one hour (long holding time).
- To review, use list measurements aca.
System 85:
- Use P285 W1 F5 and P286 W1 F1 to enable ACA system wide.
- Use P120 W1 to set ACA call limits and number of calls thresholds.
- Choose the appropriate option:
  - To send the alarms and/or reports to a designated maintenance
    facility, use P497 W3.
  - To send the alarms and/or reports to an attendant, use P286
    W1 F3.
Busy Verification
When toll fraud is suspected, you can interrupt the call on a
specified trunk group and monitor the call in progress. Callers
will hear a long tone to indicate the call is being monitored.
For System 75:
- Use change station to display the Station screen for the station
that will be assigned the Busy Verification button.
- In the Feature Button Assignment field, enter verify.
- To activate the feature, press the Verify button and then enter
the trunk access code and member number to be monitored.
For System 85:
- Administer a Busy Verification button on the attendant console.
- To activate the feature, press the button and enter the trunk
access code and the member number.
Traffic reports
The Message Networking system tracks traffic data over various
time periods. Reviewing these reports on a regular basis helps to
establish traffic trends. If increased activity or unusual usage
patterns occur, such as heavy call volume on ports assigned to outcalling,
they can be investigated immediately. You can also use the Administrator's
Log and Activity Log to monitor usage and investigate possible break-in
attempts. For more information on running and using reports, see
Reports.
Firewall protection
Because the Message Networking server will be implemented as an
email receiver, the customer site must have a firewall between the
Message Networking server and the Internet.
To properly secure FTP access into the Message Networking system,
access to the FTP port (21) outside of the firewall must be prohibited.
Virus detection
Message Networking does not perform any virus detection. Your
company should carefully evaluate the security risks of email and
file attachments and make provisions for virus detection software
that can sit between the Message Networking server and incoming
email. Your PC/LAN administrator should be able to advise on how
your LAN is already set up or could be set up to detect and prevent
the transmission of software viruses.
At a minimum, you should advise your subscribers that file attachments
should be detached (not launched) and scanned for viruses before
use.
Avaya's statement of direction
The telecommunications industry is faced with a significant and
growing problem of theft of customer services. To aid in combating
these crimes, Avaya intends to strengthen relationships with its
customers and its support of law enforcement officials in apprehending
and successfully prosecuting those responsible.
No telecommunications system can be entirely free from risk of
unauthorized use. However, diligent attention to system management
and to security can reduce that risk considerably. Often, a trade-off
is required between reduced risk and ease of use and flexibility.
Customers who use and administer their systems make this tradeoff
decision. They know best how to tailor the system to meet their
unique needs and are therefore in the best position to protect the
system from unauthorized use. Because the customer has ultimate
control over the configuration and use of Avaya services and products
it purchases, the customer properly bears responsibility for fraudulent
uses of those services and products.
To help customers use and manage their systems in light of the
tradeoff decisions they make and to ensure the greatest security
possible, Avaya commits to the following:
- Avaya products and services will offer the widest range of options
available in the industry to help customers secure their communications
systems in ways consistent with their telecommunications needs.
- Avaya is committed to develop and offer services that, for a
fee, reduce or eliminate customer liability for PBX toll fraud,
provided the customer implements prescribed security requirements
in its telecommunications systems.
- Avaya's product and service literature, marketing information
and contractual documents will address, wherever practical, the
security features of our offerings and their limitations, and
the responsibility our customers have for preventing fraudulent
use of their Avaya products and services.
- Avaya sales and service people will be the best informed in
the industry on how to help customers manage their systems securely.
In their continuing contacts with customers, they will provide
the latest information on how to do that most effectively.
- Avaya will train its sales, installation and maintenance, and
technical support people to focus customers on known toll fraud
risks; to describe mechanisms that reduce those risks; to discuss
tradeoffs between enhanced security and diminished ease of use
and flexibility; and to ensure that customers understand their
role in the decision making process and their corresponding financial
responsibility for fraudulent use of their telecommunications
system.
- Avaya will provide education programs for customers and Avaya
employees to keep them apprised of emerging technologies, trends,
and options in the area of telecommunications fraud.
- As new fraudulent schemes develop, we will promptly initiate
ways to impede those schemes, share our learning with our customers,
and work with law enforcement officials to identify and prosecute
fraudulent users whenever possible.
We are committed to meeting and exceeding our customers' expectations,
and to providing services and products that are easy to use and
are of high value. This fundamental principle drives our renewed
assault on the fraudulent use by third parties of our customers'
communications services and products.
Avaya security offerings
Avaya has developed a variety of offerings to assist in maximizing
the security of your system. These offerings include:
- Access Security Gateway (ASG)
- Security Audit Service of your installed systems
- Fraud Intervention Service
- Individualized Learning Program: Self-paced text that uses diagrams
of system administration screens to help customers design security
into their systems. The program also includes a videotape and
the Avaya Products Security Handbook.
- A call accounting package that calls you when preset types and
thresholds of calls are established
- A remote port security device that makes it difficult for computer
hackers to access the remote maintenance ports
- Software that can identify the exact digits passed through the
voice mail system
For more information about these services, see the Avaya Products
Security Handbook.
Avaya toll fraud crisis intervention
If you suspect you are being victimized by toll fraud or theft
of service and need technical support or assistance, call one of
the following numbers immediately.
Avaya Corporate Computer & Network Security: +1.800.821.8235
Avaya Technical Service Center Toll Fraud Intervention Hotline: +1.800.643.2353
Note: These services are available 24 hours a day, 365
days a year. Consultation charges may apply.
Avaya corporate security
Whether or not immediate support is required, please report all
toll fraud incidents perpetrated on Avaya services to Avaya Corporate
Security. In addition to recording the incident, Avaya Corporate
Security is available for consultation on product issues, investigation
support, law enforcement, and education programs.