Home > Lucent Technologies > Communications System > Lucent Technologies BCS Products Security Handbook Instructions Manual

Lucent Technologies BCS Products Security Handbook Instructions Manual

    Download as PDF Print this page Share this page

    Have a look at the manual Lucent Technologies BCS Products Security Handbook Instructions Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 413 Lucent Technologies manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-45 Detecting Toll Fraud 
    3
    NOTE:
    Whenever possible, TAC calls should be disallowed. See ‘‘Disable 
    Direct Access to Trunks’’ on page 3-35.
    For DEFINITY G2.2:
    nDo not turn on overlapped sending (default is off in G2.2, on in earlier 
    releases). To turn off overlapped sending, enter PROC103 WORD1 
    FIELD14. Overlapped sending bypasses digit checking.
    nTo force waiting for a TCM, the trunk group must be an intermachine trunk 
    group (PROC103 WORD1 FIELD3=1 or 2) and ETN software must be 
    activated. A TCM will not be sent over an access tie trunk group no matter 
    how low the FRL is in F2. However, a low FRL may be used to limit the 
    calling from the tie line, or to force a prompt for an authorization code.
    nMark each string and route with an FRL permission value using PROC314 
    WORD1 FIELD8, and PROC318 WORD1 FIELD4.
    nUse toll checking capabilities as shown:
    — For WCR, use PROC010 WORD3 FIELD22.
    — For toll-free tables, use PROC319 and PROC318 WORD1 FIELD6.
    nIf needed, define more detail in the numbering plan by using PROC314. 
    Use wild card digits and variable string lengths with care.
    nSend a   after troublesome call types (  +,     +, etc.). Use 
    PROC321 WORD1 FIELD16.
    NOTE:
    Use PROC314 to route  and   calls to an attendant.
    Change Override Restrictions on 3-way 
    COR Check
    For G3V2 and later releases, the Restriction Override feature is used with the 
    3-way COR check on transfer and/or conference calls. The default is none.
    Detecting Toll Fraud
    After you have taken the appropriate security measures, use the monitoring 
    techniques described in this section to routinely review system activity. Here are 
    some signals of possible hacker activity:
    nEmployees cannot get outside trunks
    nCustomers have difficulty getting through to your 800 number
    nUsage is higher than normal
    nNights and weekends have heavy call volume
    #0011
    000 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-46 Detecting Toll Fraud 
    3
    nAttendants report frequent “no one there” or “sorry, wrong number” calls
    nBill shows calls were made to strange places
    NOTE:
    If you should suspect toll fraud in your system, you may call one of the 
    numbers in the “Toll Fraud Contact List” in Appendix G in the back of this 
    manual.
    Table 3-4
     shows the reports and monitoring techniques that track system activity 
    and help detect unauthorized use:
    Table 3-4. Reports and Monitoring Techniques
    Monitoring Technique Switch Page #
    Administration Security All3-47
    Call Detail Recording (CDR) / Station 
    Message Detail Recording (SMDR)All3-48
    Traffic Measurements/Performance All3-49
    Automatic Circuit Assurance All3-51
    BCMS Measurements G1 and G33-52
    CMS Measurements All3-52
    Security Violations Measurement Report All3-56
    Security Violation Notification Feature DEFINITY 
    ECS and 
    DEFINITY G33-53
    Recent Change History Report DEFINITY 
    ECS and 
    DEFINITY 
    G1 and G33-61
    Service Observing All3-63
    Malicious Call Trace System 85 
    R2V4, 
    DEFINITY 
    G2, G3r, 
    G3V2 and 
    later3-62
    List Call Forwarding command DEFINITY 
    G3V4 and 
    later3-64 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-47 Detecting Toll Fraud 
    3
    Administration Security
    Logins for INADS Port
    For DEFINITY G3V4 and later, which includes DEFINITY ECS, only Lucent 
    Technologies logins can access the INADS port. If the customer wants INADS 
    access, Lucent Technologies must administer customer login permission.
    This permission is administered on a login basis. Lucent Technologies is 
    responsible for performing the necessary administration for one customer 
    super-user login. If additional customer logins require access to the system via the 
    INADS port, the customer superuser login may perform the necessary 
    administration to grant those permissions.
    Forced Password Aging and Administrable 
    Logins
    DEFINITY G3V3 and later releases, which includes DEFINITY ECS, provide two 
    features for enhanced login/password security. The first, Forced Password Aging, 
    is a feature that the superuser administering the logins may activate. The 
    password for each login can be aged starting with the date the password was 
    created or changed, and continuing for a specified number of days, from 1 to 99. 
    A user is notified at login, seven days before the password expiration date, that 
    his or her password is about to expire. When the password expires, the user is 
    required to enter a new password into the system to complete the login process. 
    Once a non-superuser has changed his/her password, the user must wait 24 
    hours to change the password again.
    When a login is added or removed, the Security Measurement reports will not be 
    updated until the next hourly poll, or until a clear measurements 
    security-violations command has been entered.
    The second feature, Administrable Logins, allows users to define their own 
    logins/passwords and allows superusers to specify a set of commands for each 
    login. The system will allow up to 11 customer logins, each of which can be 
    customized. Each login must be 3 to 6 alphabetic/numeric characters, or a 
    combination of both. A password must be 4 to 11 characters and contain at least 
    one alphabetic and one numeric symbol. Passwords can also contain any of the 
    following symbols: ! & * ? ; ’ ^ ( ) , . : - @ # $ % 
    NOTE:
    The Monitor Security Violation Login tool is used to show the invalid login 
    used and the date, time, and port that was used.
    New shipments of the DEFINITY G3V3 and later are shipped from the factory with 
    no customer logins and/or passwords defined. One customer superuser password 
    is administered during installation. The customer must administer additional 
    logins/passwords as needed. The superuser login has full customer permissions 
    and can customize any login he or she creates. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-48 Detecting Toll Fraud 
    3
    On upgrades to the DEFINITY G3V3 or later, which includes DEFINITY ECS, 
    customer logins and passwords are carried forward. Password aging is set to one 
    day, and customers must customize their logins/passwords following upgrades.
    Login permissions for a specified login can be set by the superuser to block any 
    object that can affect the health of the switch. Up to 40 administration or 
    maintenance objects (commands) can be blocked for a specified login. When an 
    object (administrative or maintenance command) is entered in the blocked object 
    list on the Command Permissions Categories Restricted Object List form, the 
    associated administrative or maintenance actions cannot be performed by the 
    specified login.
    Commands for the DEFINITY G3V3 or later, which includes DEFINITY ECS, are 
    grouped into three categories: common, administration, and maintenance. Each 
    category has a group of subcategories, and each subcategory has a list of 
    command objects that the commands act on. A superuser can set a user’s 
    permissions to restrict or block access to any command in these categories.
    NOTE:
    DEFINITY G3V3 and later releases, which includes DEFINITY ECS, allow 
    for unique logins to be assigned (for example, MARY83, B3V3RLY, etc.). 
    This eliminates the need to use cust, rcust, browser, and bcms. The list 
    login command shows the assigned logins, and the state of the login (for 
    example, VOID, disabled, etc.).
    For information on administering Forced Password Aging and Administrable 
    Logins for DEFINITY G3V3 and later, including DEFINITY ECS, see Appendix E. 
    Call Detail Recording (CDR) / Station Message 
    Detail Recording (SMDR)
    This feature creates records of calls that should be checked regularly. A series of 
    short holding times may indicate repeated attempts to decode barrier codes or 
    authorization codes on Remote Access. Call Records can be generated for 
    Remote Access when CDR/SMDR is activated for the Remote Access trunk 
    group.
    Authorization codes, if required, are recorded by CDR/SMDR; barrier codes are 
    not. When you set the Suppress CDR for Ineffective Call Attempts field to no, 
    calls that fail because the caller does not have adequate calling privileges print a 
    condition code in the report to reflect the failed attempt. (See the CDR description 
    in the 
    DEFINITY ECS Release 5 Feature Description, 555-230-204.) Review the 
    report for these condition codes, which might indicate hacker activity.
    Two optional products, Lucent Technologies Cost Allocator and Call Accounting 
    System (CAS) Plus, enhance CDR/SMDR by allowing you to create customized 
    reports. These reports can be used to isolate calls that may be suspicious. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-49 Detecting Toll Fraud 
    3
    NOTE:
    Only the last extension on the call is reported. Unauthorized users who are 
    aware of this procedure originate calls on one extension, then transfer to 
    another extension before terminating the call. Internal toll abusers may 
    transfer unauthorized calls to another extension before they disconnect so 
    that CDR does not track the originating station. If the transfer is to your voice 
    mail system, it could give a false indication that your voice mail system is the 
    source of the toll fraud.
    Review CDR/SMDR records for the following symptoms of abuse:
    nShort holding times on one trunk group
    nPatterns of authorization code usage (same code used simultaneously or 
    high activity)
    nCalls to international locations not normal for your business
    nCalls to suspicious destinations
    nHigh numbers of “ineffective call attempts” indicating attempts at entering 
    invalid barrier codes or authorization codes
    nNumerous calls to the same number 
    nUndefined account codes
    For DEFINITY G1 and System 75:
    nTo display the Features-Related System Parameters screen, use the 
    change system-parameters feature (G1 and System 75 only) or the 
    change-system parameters cdr feature (G3 only).
    nAdminister the appropriate format to collect the most information. The 
    format depends on the capabilities of your CDR analyzing/recording 
    device.
    nUse change trunk-group to display the Trunk Group screen.
    nEnter y in the SMDR/CDR Reports field.
    For DEFINITY G2: 
    nUse PROC275 WORD1 FIELD14 to turn on CDR for incoming calls.
    nUse PROC101 WORD1 FIELD8 to specify the trunk groups. Account code 
    entry can be required for CDR (see ‘‘
    Require Account Codes’’ on page 
    3-42 for details).
    Traffic Measurements and Performance
    By tracking traffic measurements on the trunk groups, you can watch for 
    unexplained increases in call volume, particularly during off-peak hours. Review 
    the traffic measurements for the following symptoms of abuse:
    nUnusually high peg counts (number of times accessed) on trunk groups 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-50 Detecting Toll Fraud 
    3
    nA series of short or long holding times that may indicate repeated attempts 
    to enter the system and/or success in doing so
    nHigh volume on WCR patterns used for   + and       + calls
    nBusiest hour for trunk group being inconsistent with business hours
    nDrastic changes in switch occupancy profile compared to a typical 24-hour 
    period
    Monitor I
    For DEFINITY G2 and System 85, the optional Monitor I tracks call volume and 
    alerts you when the number of calls exceeds a predetermined threshold. Monitor I 
    is a UNIX software package that collects measurements data from G2 and 
    System 85 switches, stores the results, and produces various types of analysis 
    reports.
    With Monitor I, you can set up thresholds for expected normal traffic flow on each 
    of your trunk groups. The application will alert you when the traffic flow exceeds 
    the expected values. The data collected includes quantity and duration of 
    incoming and outgoing calls, processor utilization, and security violation 
    measurements for Remote Access and administration port access.
    nUse the PROC400 series to turn on this report for the trunk groups.
    SAT, Manager I, and G3-MT Reporting
    Traffic reporting capabilities are built-in and are obtained through the System 
    Administrator Tool (SAT), Manager I, and G3-MT terminals. The SAT is available 
    only on System 75. These programs track and record the usage of hardware and 
    software features. The measurements include peg counts (number of times 
    accessed) and call seconds of usage. Traffic measurements are maintained 
    constantly and are available on demand. However, reports are not archived and 
    should therefore be printed to monitor a history of traffic patterns.
    For DEFINITY ECS, DEFINITY G1, G3, and System 75 R1V3 and later:
    nTo record traffic measurements:
    —Enter change trunk-group to display the Trunk Group screen.
    — In the Measured field, enter both if you have BCMS and CMS, 
    internal if you have only BCMS, or external if you have only 
    CMS.
    nTo review the traffic measurements, enter list measurements followed by 
    one of the measurement types (trunk-groups, call-rate, call-summary, 
    outage-trunk, or security-violations) and the timeframe 
    (yesterday-peak, today-peak, or last-hour).
    nTo review performance, enter list performance followed by one of the 
    performance types (summary or trunk-group) and the timeframe 
    (yesterday or today).
    0011 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-51 Detecting Toll Fraud 
    3
    ARS Measurement Selection
    The ARS Measurement Selection feature can monitor up to 20 routing patterns 
    (25 for DEFINITY ECS and DEFINITY G3) for traffic flow and usage.
    For DEFINITY ECS, DEFINITY G1, G3, and System 75:
    nEnter change ars meas-selection to choose the routing patterns you want 
    to track.
    nEnter list measurements route-pattern followed by the timeframe 
    (yesterday, today, or last-hour) to review the measurements.
    Automatic Circuit Assurance (ACA)
    This monitoring technique detects a pattern of short holding time calls or a single 
    long holding time call which may indicate hacker activity. Long holding times on 
    Trunk-to-Trunk calls can be a warning sign. The ACA feature allows you to 
    establish time limit thresholds defining what is considered a short holding time and 
    a long holding time. When a violation occurs, a designated station is notified. A 
    display message accompanies the referral call. If the switch is equipped with a 
    speech synthesis board, an audible message accompanies the call.
    When a notification occurs, determine if the call is still active. If toll fraud is 
    suspected (for example, aca-short or aca-long is displayed on the designated 
    phone), use the busy verification feature (see ‘‘
    Busy Verification’’ on page 3-64) to 
    monitor the call in progress.
    With Remote Access, when hacker activity is present, there is usually a burst of 
    short holding times as the hacker attempts to break the barrier code or 
    authorization code protection, or long holding time calls after the hacker is 
    successful. An ACA alarm on a Remote Access trunk should be considered a 
    potential threat and investigated immediately. If the call is answered by an 
    automated attendant, a hacker may be attempting to gain access to the system 
    facilities using TACs.
    For DEFINITY ECS, DEFINITY G1, G3, and System 75:
    nEnter change system-parameters feature to display the 
    Features-Related System Parameters screen.
    nEnter y in the Automatic Circuit Assurance (ACA) Enabled field.
    nEnter local, primary, or remote in the ACA Referral Calls field. If 
    primary is selected, calls can be received from other switches. Remote 
    applies if the PBX being administered is a DCS node, perhaps unattended, 
    that wants ACA referral calls to go to an extension or console at another 
    DCS node.
    nComplete the following fields as well: ACA Referral Destination, ACA Short 
    Holding Time Originating Extension, ACA Long Holding Time Originating 
    Extension, and ACA Remote PBX Identification. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-52 Detecting Toll Fraud 
    3
    nTo review and verify the entries, enter list aca-parameters.
    nEnter change trunk group to display the Trunk Group screen.
    nEnter y in the ACA Assignment field.
    nEstablish short and long holding times. The defaults are 10 seconds (short 
    holding time) and one hour (long holding time).
    nTo review an audit trail of the ACA referral call activity, enter list 
    measurements aca.
    For DEFINITY G2 and System 85:
    nUse PROC285 WORD1 FIELD5 and PROC286 WORD1 FIELD1 to enable 
    ACA system-wide.
    nUse P120 W1 to set ACA call limits and number of calls thresholds.
    nChoose the appropriate option:
    — To send the alarms and/or reports to an attendant, use PROC286 
    WORD1 FIELD3.
    BCMS Measurements (DEFINITY ECS and
    DEFINITY G1 and G3 only)
    For DEFINITY ECS, DEFINITY G1 and G3, BCMS Measurements report traffic 
    patterns for measured trunk groups.
    For DEFINITY ECS and DEFINITY G1 and G3:
    nUse change trunk-group to display the Trunk Group screen.
    nIn the Measured field, enter internal if you have only BCMS or both if you 
    have BCMS and CMS.
    nUse change system-parameters feature to display the Features-Related 
    System Parameters screen.
    nEnter half-hour in the BCMS Measurement Interval field.
    nTo review the measurements, use list bcms trunk.
    CMS Measurements
    This monitoring technique measures traffic patterns and times on calls and 
    compares them to traffic counts and time limit thresholds. An exceptions log is 
    maintained whenever the traffic counts or time limits exceed the preset 
    thresholds.
    For DEFINITY ECS and DEFINITY G1 and G3:
    nUse change trunk-group to display the Trunk Group screen. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-53 Detecting Toll Fraud 
    3
    nIn the Measured field, enter external if you have only CMS or both if you 
    have BCMS and CMS.
    nTo generate reports, use cms reports.
    For DEFINITY G2:
    nUse PROC115 WORD1 FIELD5 to specify incoming or two-way 
    measurements by CMS.
    nSet up time limits and count thresholds on CMS (Trunk Group Exceptions). 
    Exceptions are reported to designated CMS terminals (User Permissions: 
    Trunk Group Access). CMS keeps a log of exceptions (Real-Time 
    Exception Log, Historical Report: Trunk Group Exceptions).
    Security Violation Notification Feature
    (DEFINITY ECS and DEFINITY G3 only)
    For DEFINITY ECS and DEFINITY G3, the Security Violation Notification Feature 
    (SVN) provides the capability to immediately detect a possible breach of the 
    System Management, Remote Access, or Authorization Code features; and to 
    notify a designated destination upon detection. It is intended to detect Generic 3 
    Management Terminal (G3-MT) or Generic 3 Management Application (G3-MA) 
    login failures through the INADS port, based on customer-administrable 
    thresholds. Once an SVN threshold is reached, (for a System Management login, 
    a Remote Access barrier code, and, for DEFINITY G3V3 and later, an 
    Authorization code), the system initiates a referral call to an assigned referral 
    destination. 
    For systems earlier than DEFINITY G3V3, the referral destination must be an 
    attendant console or station equipped with a display module. For DEFINITY G3V3 
    and later, the referral destination can be any station, if an announcement has 
    been administered and recorded. Also for G3V3 and later releases, including 
    DEFINITY ECS, the SVN Referral Call with Announcement option provides a 
    recorded message identifying the type of violation accompanying the SVN referral 
    call, such as login violation, remote access violation, or authorization code 
    violation. Using call forwarding, call coverage, or call vector Time of Day routing, 
    SVN calls with announcements can terminate to any point on or off the switch. 
    The Security Violation Notification feature also provides an audit trail about each 
    attempt to access the switch using an invalid login, remote access or (G3V3 and 
    later) authorization code.
    The SVN time interval selected, in conjunction with the threshold, specifies when 
    a referral call occurs. For example, if the barrier code threshold is set to 10 with a 
    time interval of two minutes, a referral call occurs whenever 10 or more invalid 
    barrier codes are entered within two minutes.
    The advantage of the SVN feature is that it notifies the user of the problem as it 
    occurs so that there is an opportunity to interrupt unauthorized calls before 
    charges are incurred, as well as a chance to apprehend the violator during the  
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-54 Detecting Toll Fraud 
    3
    attempted violation. The monitor security-violations command displays the 
    login activity in real-time on either Remote Access or System Management ports.
    Information about invalid system management login attempts and remote access 
    attempts (and, for G3V3 or later, including DEFINITY ECS), invalid authorization 
    code attempts) is collected at two levels:
    nOn an immediate basis, when an invalid login attempt is made, for systems 
    earlier than DEFINITY G3V3, the SVN feature can send a priority call to 
    either an attendant console or a station equipped with a display module. 
    For DEFINITY G3V3 and later, which includes the DEFINITY ECS, the 
    SVN feature can send to any station if an announcement has been 
    administered and recorded. When notified, the security administrator can 
    request the Security Violations Status Report, which shows details of the 
    last 16 security violations of each type for DEFINITY ECS and DEFINITY 
    G3.
    nOn a historical basis, the number of security violations of each type is 
    collected and reported in the Security Violations Summary Measurement 
    Report. This report shows summary information since the last time the 
    counters were reset. (See ‘‘
    Security Violations Measurement Report’’ on 
    page 3-56.)
    For DEFINITY ECS and DEFINITY G3:
    nEnter change system-parameters feature to display the Feature-Related 
    System Parameters screen. (For DEFINITY G3V3 and later, including 
    DEFINITY ECS, enter change system-parameters security to display the 
    System-Parameters Security screen.)
    nTo monitor Remote Access, enter y in the SVN Remote Access Violation 
    Notification Enabled? field.
    nTo monitor administration ports, on the same screen, enter y in the SVN 
    Login Violation Notification Enabled field.
    nTo monitor authorization codes (G3V3 and later), enter y in the SVN 
    Authorization Code Violation Notification Enabled field.
    nEnter any valid unassigned extension number in the Originating Extension 
    field(s).
    nEnter the extension number of the person who will monitor violations in the 
    Referral Destination field(s). For releases before DEFINITY G3V3, this 
    destination must be a station equipped with a display module or an 
    attendant console. In DEFINITY G3V3 and later, which includes DEFINITY 
    ECS, if an announcement extension is administered, the referral 
    destination does not require a display module. In G3V3 and later, including 
    DEFINITY ECS) a violation occurs based on the number of invalid attempts 
    and is not dependent on a forced disconnect.
    NOTE:
    If an announcement extension is administered, but no announcement 
    is recorded, the referral call will not be made. 
    						
    All Lucent Technologies manuals Comments (0)

    Related Manuals for Lucent Technologies BCS Products Security Handbook Instructions Manual