AVOXI's recommended best practices for fraud control and security are as follows:
Step 1: Analyze and Define Which Computer Systems Require Protection
Create an inventory of all equipment and define the degree and nature of its vulnerabilities.
Estimate the economic impact if each piece of equipment is compromised, disconnected, or damaged.
Set priorities on the systems with the highest vulnerability and/or impact.
Structure a vulnerability-reduction plan.
Create emergency and contingency plans.
Check with your PBX/SIP Gateway vendor for possible vulnerabilities or risks.
Document the results of all the above.
Step 2: Establish Policies with Passwords
Require a minimum length of at least 16 characters, with special characters, upper- and lower-case letters, and numbers.
Define how often the password must be changed based on the importance of the information it safeguards.
Define a lockout policy for accounts (including SIP peers) after a given number of incorrect password attempts. AVOXI recommends locking out after 3 failed attempts.
Determine whether the passwords are administered by each end-user or by the information technology (IT) staff or both.
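The policy in Step 2 as executable checks, written as an added example (not AVOXI's own code or a PBX feature): a validator for the 16-character, four-class rule, a generator that produces compliant random SIP peer secrets from the CSPRNG, and a per-peer lockout tracker that locks after 3 consecutive failures. The 15-minute lockout duration and the peer names are assumptions; the page sets no unlock period.

```python
import re
import secrets
import string
import time
from collections import defaultdict

# Policy values from the page: 16+ characters, all four character classes,
# lockout after 3 failed attempts.
MIN_LENGTH = 16
MAX_FAILED_ATTEMPTS = 3
# Assumption: a locked peer stays locked for 15 minutes (the page sets no value).
LOCKOUT_SECONDS = 900

_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def policy_violations(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in _CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing {name} character")
    return problems


_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def generate_secret(length: int = 24) -> str:
    """Generate a random SIP peer secret that satisfies the policy.

    Draws from the CSPRNG in `secrets` and retries until every class is present,
    so the result never depends on a predictable pattern.
    """
    while True:
        candidate = "".join(secrets.choice(_ALPHABET) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


class LockoutTracker:
    """Count failed authentications per peer and lock a peer after
    MAX_FAILED_ATTEMPTS consecutive failures.

    A successful authentication resets the counter; a lock expires after
    LOCKOUT_SECONDS. The clock is injectable so the logic can be tested.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, peer: str) -> bool:
        until = self._locked_until.get(peer)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock expired: clear it and start counting afresh.
            del self._locked_until[peer]
            self._failures[peer] = 0
            return False
        return True

    def record(self, peer: str, success: bool) -> bool:
        """Record one authentication result; return True if the peer is locked."""
        if self.is_locked(peer):
            return True  # attempts during a lock are ignored, not counted
        if success:
            self._failures[peer] = 0
            return False
        self._failures[peer] += 1
        if self._failures[peer] >= MAX_FAILED_ATTEMPTS:
            self._locked_until[peer] = self._clock() + LOCKOUT_SECONDS
            return True
        return False


if __name__ == "__main__":
    print("violations for 'Short1!':", policy_violations("Short1!"))
    print("generated secret:", generate_secret())
    tracker = LockoutTracker()
    for attempt in range(1, 5):  # hypothetical peer "1001" failing repeatedly
        print(f"attempt {attempt}: locked={tracker.record('1001', success=False)}")
```

Feed `record()` from the PBX's authentication log (one call per REGISTER or INVITE challenge result) and refuse further challenges to a peer while `is_locked()` is true; the policy check belongs wherever peer secrets are provisioned.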
Step 3: Educate All Employees about Computer Responsibilities and Use
Inform the network administrator or IT staff about any irregular behavior, such as reduced speed of the data network or degradation of call quality.
Follow the policies and guidelines established in the security plan.
Inform employees about phishing and about the possible harm from disclosing passwords or other personal or business information.
Step 4: Establish Roles for Each IT Employee
Identify which equipment each IT employee is allowed to administer.
Maintain a logbook of each action taken on the equipment (upgrades, operating system upgrades, relocation, and other actions that cause significant changes to the original topology).
Store the user names and passwords of the network's main equipment in a secure password manager rather than in plain files.
Limit full administrative permissions to a maximum of two administrators.
Define the profiles and permissions for each IT staff member independently.
Set how many and which employees are authorized for handling telecommunications equipment (switches, routers, access points, firewalls).
Perform periodic audits of access and changes to the configuration of the equipment.
Step 5: Back Up All Your Configurations
Maintain updated database backups and well-documented data restoration procedures.
Print the current configuration of all network devices and store the copies in a safe place.
If possible, photograph the equipment and its connections and store the photographs in a safe place.
Use this information to restore the network and its components after unauthorized changes to or mishandling of equipment.
Step 6: Install Specialized Security Equipment/Software
In large environments, it is advisable to use physical firewalls. In small- to medium-sized businesses, it is possible to use software-based firewalls or to take advantage of the existing router(s) to implement firewall functions.
Implement at least one of the following services:
Proxy servers, where considered necessary, to define bandwidth policies and permissions for Internet use from inside the company network.
AAA (Authentication, Authorization, Accounting) servers: RADIUS (an open standard with free implementations) or TACACS+ (proprietary) can be used.
Syslog servers, in companies with a large number of devices, to centralize logs into a single monitoring point.
IPS or IDS security devices, to raise early alerts on unusual network behavior and possible threats.
Step 7: Use Security Features on Your Computers
Disable all unwanted services or protocols on routers, firewalls and other network devices that are not in use and could become a target of attack (for example H.323, SIP, CDP, unneeded TCP and UDP services, RTP, ICMP, FTP, VNC, TFTP).
Use IPsec-based VPNs (for example L2TP/IPsec) for remote access. Do not rely on PPTP: its MS-CHAPv2 authentication is known to be breakable.
Use SSH (Secure Shell) instead of Telnet.
Use NAT to hide the company's internal IP addresses.
Encrypt links with a recognized encryption scheme and keys of at least 128 bits, which in practice means AES; DES (56-bit keys) and 3DES do not meet that bar and should not be used for new deployments.
Avoid relying on DHCP (Dynamic Host Configuration Protocol) for telephony and infrastructure devices; where possible, assign IP addresses statically rather than automatically.
Step 8: Ensure Appropriate Setup and Monitoring for Your PABX, PBX or Switchboard
Restrict international dialing to authorized internal PBX extensions.
Designate an administrator to authorize extensions or users with special permissions (for example international calls); document the authorizations and store the records in a safe place.
Use PINs (authorization codes) for telephone services; this is highly recommended for extensions allowed to dial long-distance or internationally.
Do not place telephones or telephony equipment in unmonitored areas or within reach of people from outside the company.
Establish a plan to frequently monitor records such as CDRs, logs, and bills generated by your PBX and your provider, and scan them for unauthorized calls.
For international calls, maintain current documentation of the company's common destinations (country, number of remote offices, home offices, and suppliers) and periodically compare it against the PBX records. In case of major differences, take appropriate action and follow the procedures outlined in the security plan.
Restrict or remove unused features, such as DISA (Direct Inward System Access), that can be used by unauthorized users for fraudulent actions or for immoral/unethical usage.
Generate alarms when detecting national or international traffic during nonbusiness days and hours.
When detecting an irregular event or a variant in calling behavior, immediately inform your provider’s Fraud Control Team.
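The monitoring rules from Step 8 run over a handful of CDR lines, as an added example that is not AVOXI's code or any PBX's built-in reporting. It flags international calls from extensions not on the authorized list, international calls to countries outside the documented destinations, and any call placed outside business days and hours, and it totals international seconds per extension for comparison against the provider's bill. The CDR format (CSV of start time, source extension, E.164 destination, billed seconds), the sample rows, the country-code table, the authorized extensions, the documented destinations and the business-hours window are all constructed for this example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs (not real traffic): start time, source extension,
# dialed number in E.164 form, billed seconds.
SAMPLE_CDRS = """\
start,src_ext,dst,seconds
2024-03-12T10:15:00,1001,+14155550123,180
2024-03-12T11:02:10,1005,+442079460000,420
2024-03-12T14:30:05,1003,+525512345678,95
2024-03-12T23:41:17,1001,+2348012345678,610
2024-03-16T03:05:44,1007,+5355512345,1800
2024-03-13T09:12:00,1002,+14155550199,60
"""

HOME_COUNTRY = "1"
# Assumed documented destinations (Step 8: remote offices, suppliers, ...).
DOCUMENTED_DESTINATIONS = {"44": "UK remote office", "52": "Mexico supplier"}
# Assumed extensions that the administrator has authorized for international calls.
INTL_AUTHORIZED_EXTENSIONS = {"1001", "1005"}
BUSINESS_DAYS = {0, 1, 2, 3, 4}   # Monday..Friday
BUSINESS_HOURS = range(8, 18)     # 08:00-17:59 local time

# Partial country-code table, constructed for the sample numbers only.
COUNTRY_CODES = {"1": "NANP", "44": "United Kingdom", "52": "Mexico",
                 "53": "Cuba", "234": "Nigeria"}


def country_code(number: str) -> str:
    """Longest-prefix match of an E.164 number against COUNTRY_CODES.

    Country codes are 1 to 3 digits, so the 3-digit prefix is tried first.
    Returns '?' when no known code matches, which the rules treat as undocumented.
    """
    digits = number.lstrip("+")
    for width in (3, 2, 1):
        if digits[:width] in COUNTRY_CODES:
            return digits[:width]
    return "?"


def is_business_time(ts: datetime) -> bool:
    return ts.weekday() in BUSINESS_DAYS and ts.hour in BUSINESS_HOURS


def analyze_cdrs(text: str) -> list[dict]:
    """Run the fraud-control rules over CSV CDR text; one alert dict per rule hit."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(row["start"])
        ext = row["src_ext"]
        cc = country_code(row["dst"])
        international = cc != HOME_COUNTRY
        base = {"start": row["start"], "ext": ext, "dst": row["dst"]}
        if international and ext not in INTL_AUTHORIZED_EXTENSIONS:
            alerts.append({**base, "rule": "INTL_UNAUTHORIZED_EXT"})
        if international and cc not in DOCUMENTED_DESTINATIONS:
            alerts.append({**base, "rule": "INTL_UNDOCUMENTED_DEST",
                           "country": COUNTRY_CODES.get(cc, "unknown")})
        if not is_business_time(ts):
            alerts.append({**base, "rule": "OFF_HOURS"})
    return alerts


def international_seconds_by_ext(text: str) -> dict:
    """Total international seconds per extension, for comparison with the bill."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(text)):
        if country_code(row["dst"]) != HOME_COUNTRY:
            totals[row["src_ext"]] += int(row["seconds"])
    return dict(totals)


if __name__ == "__main__":
    for alert in analyze_cdrs(SAMPLE_CDRS):
        print(alert)
    print("international seconds per extension:",
          international_seconds_by_ext(SAMPLE_CDRS))
```

In production the CSV would be the PBX's CDR export (or the provider's call detail report) pulled on a schedule, and each alert would go to the team that escalates to the provider's Fraud Control Team. A full country-code table replaces the partial one, and the destination list is the documentation Step 8 asks you to keep current.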