Home
>
Lucent Technologies
>
Communications System
>
Lucent Technologies BCS Products Security Handbook Instructions Manual
Lucent Technologies BCS Products Security Handbook Instructions Manual
Have a look at the manual Lucent Technologies BCS Products Security Handbook Instructions Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 413 Lucent Technologies manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-45 Detecting Toll Fraud 3 NOTE: Whenever possible, TAC calls should be disallowed. See ‘‘Disable Direct Access to Trunks’’ on page 3-35. For DEFINITY G2.2: nDo not turn on overlapped sending (default is off in G2.2, on in earlier releases). To turn off overlapped sending, enter PROC103 WORD1 FIELD14. Overlapped sending bypasses digit checking. nTo force waiting for a TCM, the trunk group must be an intermachine trunk group (PROC103 WORD1 FIELD3=1 or 2) and ETN software must be activated. A TCM will not be sent over an access tie trunk group no matter how low the FRL is in F2. However, a low FRL may be used to limit the calling from the tie line, or to force a prompt for an authorization code. nMark each string and route with an FRL permission value using PROC314 WORD1 FIELD8, and PROC318 WORD1 FIELD4. nUse toll checking capabilities as shown: — For WCR, use PROC010 WORD3 FIELD22. — For toll-free tables, use PROC319 and PROC318 WORD1 FIELD6. nIf needed, define more detail in the numbering plan by using PROC314. Use wild card digits and variable string lengths with care. nSend a after troublesome call types ( +, +, etc.). Use PROC321 WORD1 FIELD16. NOTE: Use PROC314 to route and calls to an attendant. Change Override Restrictions on 3-way COR Check For G3V2 and later releases, the Restriction Override feature is used with the 3-way COR check on transfer and/or conference calls. The default is none. Detecting Toll Fraud After you have taken the appropriate security measures, use the monitoring techniques described in this section to routinely review system activity. Here are some signals of possible hacker activity: nEmployees cannot get outside trunks nCustomers have difficulty getting through to your 800 number nUsage is higher than normal nNights and weekends have heavy call volume #0011 000
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-46 Detecting Toll Fraud 3 nAttendants report frequent “no one there” or “sorry, wrong number” calls nBill shows calls were made to strange places NOTE: If you should suspect toll fraud in your system, you may call one of the numbers in the “Toll Fraud Contact List” in Appendix G in the back of this manual. Table 3-4 shows the reports and monitoring techniques that track system activity and help detect unauthorized use: Table 3-4. Reports and Monitoring Techniques Monitoring Technique Switch Page # Administration Security All3-47 Call Detail Recording (CDR) / Station Message Detail Recording (SMDR)All3-48 Traffic Measurements/Performance All3-49 Automatic Circuit Assurance All3-51 BCMS Measurements G1 and G33-52 CMS Measurements All3-52 Security Violations Measurement Report All3-56 Security Violation Notification Feature DEFINITY ECS and DEFINITY G33-53 Recent Change History Report DEFINITY ECS and DEFINITY G1 and G33-61 Service Observing All3-63 Malicious Call Trace System 85 R2V4, DEFINITY G2, G3r, G3V2 and later3-62 List Call Forwarding command DEFINITY G3V4 and later3-64
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-47 Detecting Toll Fraud 3 Administration Security Logins for INADS Port For DEFINITY G3V4 and later, which includes DEFINITY ECS, only Lucent Technologies logins can access the INADS port. If the customer wants INADS access, Lucent Technologies must administer customer login permission. This permission is administered on a login basis. Lucent Technologies is responsible for performing the necessary administration for one customer super-user login. If additional customer logins require access to the system via the INADS port, the customer superuser login may perform the necessary administration to grant those permissions. Forced Password Aging and Administrable Logins DEFINITY G3V3 and later releases, which includes DEFINITY ECS, provide two features for enhanced login/password security. The first, Forced Password Aging, is a feature that the superuser administering the logins may activate. The password for each login can be aged starting with the date the password was created or changed, and continuing for a specified number of days, from 1 to 99. A user is notified at login, seven days before the password expiration date, that his or her password is about to expire. When the password expires, the user is required to enter a new password into the system to complete the login process. Once a non-superuser has changed his/her password, the user must wait 24 hours to change the password again. When a login is added or removed, the Security Measurement reports will not be updated until the next hourly poll, or until a clear measurements security-violations command has been entered. The second feature, Administrable Logins, allows users to define their own logins/passwords and allows superusers to specify a set of commands for each login. The system will allow up to 11 customer logins, each of which can be customized. Each login must be 3 to 6 alphabetic/numeric characters, or a combination of both. A password must be 4 to 11 characters and contain at least one alphabetic and one numeric symbol. Passwords can also contain any of the following symbols: ! & * ? ; ’ ^ ( ) , . : - @ # $ % NOTE: The Monitor Security Violation Login tool is used to show the invalid login used and the date, time, and port that was used. New shipments of the DEFINITY G3V3 and later are shipped from the factory with no customer logins and/or passwords defined. One customer superuser password is administered during installation. The customer must administer additional logins/passwords as needed. The superuser login has full customer permissions and can customize any login he or she creates.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-48 Detecting Toll Fraud 3 On upgrades to the DEFINITY G3V3 or later, which includes DEFINITY ECS, customer logins and passwords are carried forward. Password aging is set to one day, and customers must customize their logins/passwords following upgrades. Login permissions for a specified login can be set by the superuser to block any object that can affect the health of the switch. Up to 40 administration or maintenance objects (commands) can be blocked for a specified login. When an object (administrative or maintenance command) is entered in the blocked object list on the Command Permissions Categories Restricted Object List form, the associated administrative or maintenance actions cannot be performed by the specified login. Commands for the DEFINITY G3V3 or later, which includes DEFINITY ECS, are grouped into three categories: common, administration, and maintenance. Each category has a group of subcategories, and each subcategory has a list of command objects that the commands act on. A superuser can set a user’s permissions to restrict or block access to any command in these categories. NOTE: DEFINITY G3V3 and later releases, which includes DEFINITY ECS, allow for unique logins to be assigned (for example, MARY83, B3V3RLY, etc.). This eliminates the need to use cust, rcust, browser, and bcms. The list login command shows the assigned logins, and the state of the login (for example, VOID, disabled, etc.). For information on administering Forced Password Aging and Administrable Logins for DEFINITY G3V3 and later, including DEFINITY ECS, see Appendix E. Call Detail Recording (CDR) / Station Message Detail Recording (SMDR) This feature creates records of calls that should be checked regularly. A series of short holding times may indicate repeated attempts to decode barrier codes or authorization codes on Remote Access. Call Records can be generated for Remote Access when CDR/SMDR is activated for the Remote Access trunk group. Authorization codes, if required, are recorded by CDR/SMDR; barrier codes are not. When you set the Suppress CDR for Ineffective Call Attempts field to no, calls that fail because the caller does not have adequate calling privileges print a condition code in the report to reflect the failed attempt. (See the CDR description in the DEFINITY ECS Release 5 Feature Description, 555-230-204.) Review the report for these condition codes, which might indicate hacker activity. Two optional products, Lucent Technologies Cost Allocator and Call Accounting System (CAS) Plus, enhance CDR/SMDR by allowing you to create customized reports. These reports can be used to isolate calls that may be suspicious.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-49 Detecting Toll Fraud 3 NOTE: Only the last extension on the call is reported. Unauthorized users who are aware of this procedure originate calls on one extension, then transfer to another extension before terminating the call. Internal toll abusers may transfer unauthorized calls to another extension before they disconnect so that CDR does not track the originating station. If the transfer is to your voice mail system, it could give a false indication that your voice mail system is the source of the toll fraud. Review CDR/SMDR records for the following symptoms of abuse: nShort holding times on one trunk group nPatterns of authorization code usage (same code used simultaneously or high activity) nCalls to international locations not normal for your business nCalls to suspicious destinations nHigh numbers of “ineffective call attempts” indicating attempts at entering invalid barrier codes or authorization codes nNumerous calls to the same number nUndefined account codes For DEFINITY G1 and System 75: nTo display the Features-Related System Parameters screen, use the change system-parameters feature (G1 and System 75 only) or the change-system parameters cdr feature (G3 only). nAdminister the appropriate format to collect the most information. The format depends on the capabilities of your CDR analyzing/recording device. nUse change trunk-group to display the Trunk Group screen. nEnter y in the SMDR/CDR Reports field. For DEFINITY G2: nUse PROC275 WORD1 FIELD14 to turn on CDR for incoming calls. nUse PROC101 WORD1 FIELD8 to specify the trunk groups. Account code entry can be required for CDR (see ‘‘ Require Account Codes’’ on page 3-42 for details). Traffic Measurements and Performance By tracking traffic measurements on the trunk groups, you can watch for unexplained increases in call volume, particularly during off-peak hours. Review the traffic measurements for the following symptoms of abuse: nUnusually high peg counts (number of times accessed) on trunk groups
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-50 Detecting Toll Fraud 3 nA series of short or long holding times that may indicate repeated attempts to enter the system and/or success in doing so nHigh volume on WCR patterns used for + and + calls nBusiest hour for trunk group being inconsistent with business hours nDrastic changes in switch occupancy profile compared to a typical 24-hour period Monitor I For DEFINITY G2 and System 85, the optional Monitor I tracks call volume and alerts you when the number of calls exceeds a predetermined threshold. Monitor I is a UNIX software package that collects measurements data from G2 and System 85 switches, stores the results, and produces various types of analysis reports. With Monitor I, you can set up thresholds for expected normal traffic flow on each of your trunk groups. The application will alert you when the traffic flow exceeds the expected values. The data collected includes quantity and duration of incoming and outgoing calls, processor utilization, and security violation measurements for Remote Access and administration port access. nUse the PROC400 series to turn on this report for the trunk groups. SAT, Manager I, and G3-MT Reporting Traffic reporting capabilities are built-in and are obtained through the System Administrator Tool (SAT), Manager I, and G3-MT terminals. The SAT is available only on System 75. These programs track and record the usage of hardware and software features. The measurements include peg counts (number of times accessed) and call seconds of usage. Traffic measurements are maintained constantly and are available on demand. However, reports are not archived and should therefore be printed to monitor a history of traffic patterns. For DEFINITY ECS, DEFINITY G1, G3, and System 75 R1V3 and later: nTo record traffic measurements: —Enter change trunk-group to display the Trunk Group screen. — In the Measured field, enter both if you have BCMS and CMS, internal if you have only BCMS, or external if you have only CMS. nTo review the traffic measurements, enter list measurements followed by one of the measurement types (trunk-groups, call-rate, call-summary, outage-trunk, or security-violations) and the timeframe (yesterday-peak, today-peak, or last-hour). nTo review performance, enter list performance followed by one of the performance types (summary or trunk-group) and the timeframe (yesterday or today). 0011
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-51 Detecting Toll Fraud 3 ARS Measurement Selection The ARS Measurement Selection feature can monitor up to 20 routing patterns (25 for DEFINITY ECS and DEFINITY G3) for traffic flow and usage. For DEFINITY ECS, DEFINITY G1, G3, and System 75: nEnter change ars meas-selection to choose the routing patterns you want to track. nEnter list measurements route-pattern followed by the timeframe (yesterday, today, or last-hour) to review the measurements. Automatic Circuit Assurance (ACA) This monitoring technique detects a pattern of short holding time calls or a single long holding time call which may indicate hacker activity. Long holding times on Trunk-to-Trunk calls can be a warning sign. The ACA feature allows you to establish time limit thresholds defining what is considered a short holding time and a long holding time. When a violation occurs, a designated station is notified. A display message accompanies the referral call. If the switch is equipped with a speech synthesis board, an audible message accompanies the call. When a notification occurs, determine if the call is still active. If toll fraud is suspected (for example, aca-short or aca-long is displayed on the designated phone), use the busy verification feature (see ‘‘ Busy Verification’’ on page 3-64) to monitor the call in progress. With Remote Access, when hacker activity is present, there is usually a burst of short holding times as the hacker attempts to break the barrier code or authorization code protection, or long holding time calls after the hacker is successful. An ACA alarm on a Remote Access trunk should be considered a potential threat and investigated immediately. If the call is answered by an automated attendant, a hacker may be attempting to gain access to the system facilities using TACs. For DEFINITY ECS, DEFINITY G1, G3, and System 75: nEnter change system-parameters feature to display the Features-Related System Parameters screen. nEnter y in the Automatic Circuit Assurance (ACA) Enabled field. nEnter local, primary, or remote in the ACA Referral Calls field. If primary is selected, calls can be received from other switches. Remote applies if the PBX being administered is a DCS node, perhaps unattended, that wants ACA referral calls to go to an extension or console at another DCS node. nComplete the following fields as well: ACA Referral Destination, ACA Short Holding Time Originating Extension, ACA Long Holding Time Originating Extension, and ACA Remote PBX Identification.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-52 Detecting Toll Fraud 3 nTo review and verify the entries, enter list aca-parameters. nEnter change trunk group to display the Trunk Group screen. nEnter y in the ACA Assignment field. nEstablish short and long holding times. The defaults are 10 seconds (short holding time) and one hour (long holding time). nTo review an audit trail of the ACA referral call activity, enter list measurements aca. For DEFINITY G2 and System 85: nUse PROC285 WORD1 FIELD5 and PROC286 WORD1 FIELD1 to enable ACA system-wide. nUse P120 W1 to set ACA call limits and number of calls thresholds. nChoose the appropriate option: — To send the alarms and/or reports to an attendant, use PROC286 WORD1 FIELD3. BCMS Measurements (DEFINITY ECS and DEFINITY G1 and G3 only) For DEFINITY ECS, DEFINITY G1 and G3, BCMS Measurements report traffic patterns for measured trunk groups. For DEFINITY ECS and DEFINITY G1 and G3: nUse change trunk-group to display the Trunk Group screen. nIn the Measured field, enter internal if you have only BCMS or both if you have BCMS and CMS. nUse change system-parameters feature to display the Features-Related System Parameters screen. nEnter half-hour in the BCMS Measurement Interval field. nTo review the measurements, use list bcms trunk. CMS Measurements This monitoring technique measures traffic patterns and times on calls and compares them to traffic counts and time limit thresholds. An exceptions log is maintained whenever the traffic counts or time limits exceed the preset thresholds. For DEFINITY ECS and DEFINITY G1 and G3: nUse change trunk-group to display the Trunk Group screen.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-53 Detecting Toll Fraud 3 nIn the Measured field, enter external if you have only CMS or both if you have BCMS and CMS. nTo generate reports, use cms reports. For DEFINITY G2: nUse PROC115 WORD1 FIELD5 to specify incoming or two-way measurements by CMS. nSet up time limits and count thresholds on CMS (Trunk Group Exceptions). Exceptions are reported to designated CMS terminals (User Permissions: Trunk Group Access). CMS keeps a log of exceptions (Real-Time Exception Log, Historical Report: Trunk Group Exceptions). Security Violation Notification Feature (DEFINITY ECS and DEFINITY G3 only) For DEFINITY ECS and DEFINITY G3, the Security Violation Notification Feature (SVN) provides the capability to immediately detect a possible breach of the System Management, Remote Access, or Authorization Code features; and to notify a designated destination upon detection. It is intended to detect Generic 3 Management Terminal (G3-MT) or Generic 3 Management Application (G3-MA) login failures through the INADS port, based on customer-administrable thresholds. Once an SVN threshold is reached, (for a System Management login, a Remote Access barrier code, and, for DEFINITY G3V3 and later, an Authorization code), the system initiates a referral call to an assigned referral destination. For systems earlier than DEFINITY G3V3, the referral destination must be an attendant console or station equipped with a display module. For DEFINITY G3V3 and later, the referral destination can be any station, if an announcement has been administered and recorded. Also for G3V3 and later releases, including DEFINITY ECS, the SVN Referral Call with Announcement option provides a recorded message identifying the type of violation accompanying the SVN referral call, such as login violation, remote access violation, or authorization code violation. Using call forwarding, call coverage, or call vector Time of Day routing, SVN calls with announcements can terminate to any point on or off the switch. The Security Violation Notification feature also provides an audit trail about each attempt to access the switch using an invalid login, remote access or (G3V3 and later) authorization code. The SVN time interval selected, in conjunction with the threshold, specifies when a referral call occurs. For example, if the barrier code threshold is set to 10 with a time interval of two minutes, a referral call occurs whenever 10 or more invalid barrier codes are entered within two minutes. The advantage of the SVN feature is that it notifies the user of the problem as it occurs so that there is an opportunity to interrupt unauthorized calls before charges are incurred, as well as a chance to apprehend the violator during the
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-54 Detecting Toll Fraud 3 attempted violation. The monitor security-violations command displays the login activity in real-time on either Remote Access or System Management ports. Information about invalid system management login attempts and remote access attempts (and, for G3V3 or later, including DEFINITY ECS), invalid authorization code attempts) is collected at two levels: nOn an immediate basis, when an invalid login attempt is made, for systems earlier than DEFINITY G3V3, the SVN feature can send a priority call to either an attendant console or a station equipped with a display module. For DEFINITY G3V3 and later, which includes the DEFINITY ECS, the SVN feature can send to any station if an announcement has been administered and recorded. When notified, the security administrator can request the Security Violations Status Report, which shows details of the last 16 security violations of each type for DEFINITY ECS and DEFINITY G3. nOn a historical basis, the number of security violations of each type is collected and reported in the Security Violations Summary Measurement Report. This report shows summary information since the last time the counters were reset. (See ‘‘ Security Violations Measurement Report’’ on page 3-56.) For DEFINITY ECS and DEFINITY G3: nEnter change system-parameters feature to display the Feature-Related System Parameters screen. (For DEFINITY G3V3 and later, including DEFINITY ECS, enter change system-parameters security to display the System-Parameters Security screen.) nTo monitor Remote Access, enter y in the SVN Remote Access Violation Notification Enabled? field. nTo monitor administration ports, on the same screen, enter y in the SVN Login Violation Notification Enabled field. nTo monitor authorization codes (G3V3 and later), enter y in the SVN Authorization Code Violation Notification Enabled field. nEnter any valid unassigned extension number in the Originating Extension field(s). nEnter the extension number of the person who will monitor violations in the Referral Destination field(s). For releases before DEFINITY G3V3, this destination must be a station equipped with a display module or an attendant console. In DEFINITY G3V3 and later, which includes DEFINITY ECS, if an announcement extension is administered, the referral destination does not require a display module. In G3V3 and later, including DEFINITY ECS) a violation occurs based on the number of invalid attempts and is not dependent on a forced disconnect. NOTE: If an announcement extension is administered, but no announcement is recorded, the referral call will not be made.