Lucent Technologies BCS Products Security Handbook
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-45 Detecting Toll Fraud 3

NOTE: Whenever possible, TAC calls should be disallowed. See ‘‘Disable Direct Access to Trunks’’ on page 3-35.

For DEFINITY G2.2:
• Do not turn on overlapped sending (default is off in G2.2, on in earlier releases). To turn off overlapped sending, enter PROC103 WORD1 FIELD14. Overlapped sending bypasses digit checking.
• To force waiting for a TCM, the trunk group must be an intermachine trunk group (PROC103 WORD1 FIELD3=1 or 2) and ETN software must be activated. A TCM will not be sent over an access tie trunk group no matter how low the FRL is in F2. However, a low FRL may be used to limit the calling from the tie line, or to force a prompt for an authorization code.
• Mark each string and route with an FRL permission value using PROC314 WORD1 FIELD8, and PROC318 WORD1 FIELD4.
• Use toll checking capabilities as shown:
  — For WCR, use PROC010 WORD3 FIELD22.
  — For toll-free tables, use PROC319 and PROC318 WORD1 FIELD6.
• If needed, define more detail in the numbering plan by using PROC314. Use wild card digits and variable string lengths with care.
• Send a after troublesome call types ( +, +, etc.). Use PROC321 WORD1 FIELD16.

NOTE: Use PROC314 to route and calls to an attendant.

Change Override Restrictions on 3-way COR Check

For G3V2 and later releases, the Restriction Override feature is used with the 3-way COR check on transfer and/or conference calls. The default is none.

Detecting Toll Fraud

After you have taken the appropriate security measures, use the monitoring techniques described in this section to routinely review system activity. Here are some signals of possible hacker activity:
• Employees cannot get outside trunks
• Customers have difficulty getting through to your 800 number
• Usage is higher than normal
• Nights and weekends have heavy call volume
• Attendants report frequent “no one there” or “sorry, wrong number” calls
• Bill shows calls were made to strange places

NOTE: If you should suspect toll fraud in your system, you may call one of the numbers in the “Toll Fraud Contact List” in Appendix G in the back of this manual.

Table 3-4 shows the reports and monitoring techniques that track system activity and help detect unauthorized use:

Table 3-4. Reports and Monitoring Techniques

Monitoring Technique | Switch | Page #
------------------------------------------------------------------------------------------------
Administration Security | All | 3-47
Call Detail Recording (CDR) / Station Message Detail Recording (SMDR) | All | 3-48
Traffic Measurements/Performance | All | 3-49
Automatic Circuit Assurance | All | 3-51
BCMS Measurements | G1 and G3 | 3-52
CMS Measurements | All | 3-52
Security Violations Measurement Report | All | 3-56
Security Violation Notification Feature | DEFINITY ECS and DEFINITY G3 | 3-53
Recent Change History Report | DEFINITY ECS and DEFINITY G1 and G3 | 3-61
Service Observing | All | 3-63
Malicious Call Trace | System 85 R2V4, DEFINITY G2, G3r, G3V2 and later | 3-62
List Call Forwarding command | DEFINITY G3V4 and later | 3-64
Administration Security

Logins for INADS Port

For DEFINITY G3V4 and later, which includes DEFINITY ECS, only Lucent Technologies logins can access the INADS port. If the customer wants INADS access, Lucent Technologies must administer customer login permission. This permission is administered on a login basis. Lucent Technologies is responsible for performing the necessary administration for one customer superuser login. If additional customer logins require access to the system via the INADS port, the customer superuser login may perform the necessary administration to grant those permissions.

Forced Password Aging and Administrable Logins

DEFINITY G3V3 and later releases, which include DEFINITY ECS, provide two features for enhanced login/password security.

The first, Forced Password Aging, is a feature that the superuser administering the logins may activate. The password for each login can be aged starting with the date the password was created or changed, and continuing for a specified number of days, from 1 to 99. A user is notified at login, seven days before the password expiration date, that his or her password is about to expire. When the password expires, the user is required to enter a new password into the system to complete the login process. Once a non-superuser has changed his/her password, the user must wait 24 hours to change the password again.

When a login is added or removed, the Security Measurement reports will not be updated until the next hourly poll, or until a clear measurements security-violations command has been entered.

The second feature, Administrable Logins, allows users to define their own logins/passwords and allows superusers to specify a set of commands for each login. The system will allow up to 11 customer logins, each of which can be customized.
Each login must be 3 to 6 alphabetic/numeric characters, or a combination of both. A password must be 4 to 11 characters and contain at least one alphabetic and one numeric symbol. Passwords can also contain any of the following symbols: ! & * ? ; ’ ^ ( ) , . : - @ # $ %

NOTE: The Monitor Security Violation Login tool is used to show the invalid login used and the date, time, and port that was used.

New shipments of the DEFINITY G3V3 and later are shipped from the factory with no customer logins and/or passwords defined. One customer superuser password is administered during installation. The customer must administer additional logins/passwords as needed. The superuser login has full customer permissions and can customize any login he or she creates.
On upgrades to the DEFINITY G3V3 or later, which includes DEFINITY ECS, customer logins and passwords are carried forward. Password aging is set to one day, and customers must customize their logins/passwords following upgrades.

Login permissions for a specified login can be set by the superuser to block any object that can affect the health of the switch. Up to 40 administration or maintenance objects (commands) can be blocked for a specified login. When an object (administrative or maintenance command) is entered in the blocked object list on the Command Permissions Categories Restricted Object List form, the associated administrative or maintenance actions cannot be performed by the specified login.

Commands for the DEFINITY G3V3 or later, which includes DEFINITY ECS, are grouped into three categories: common, administration, and maintenance. Each category has a group of subcategories, and each subcategory has a list of command objects that the commands act on. A superuser can set a user’s permissions to restrict or block access to any command in these categories.

NOTE: DEFINITY G3V3 and later releases, which include DEFINITY ECS, allow unique logins to be assigned (for example, MARY83, B3V3RLY, etc.). This eliminates the need to use cust, rcust, browser, and bcms. The list login command shows the assigned logins and the state of each login (for example, VOID, disabled, etc.).

For information on administering Forced Password Aging and Administrable Logins for DEFINITY G3V3 and later, including DEFINITY ECS, see Appendix E.

Call Detail Recording (CDR) / Station Message Detail Recording (SMDR)

This feature creates records of calls that should be checked regularly. A series of short holding times may indicate repeated attempts to decode barrier codes or authorization codes on Remote Access.
Call Records can be generated for Remote Access when CDR/SMDR is activated for the Remote Access trunk group. Authorization codes, if required, are recorded by CDR/SMDR; barrier codes are not. When you set the Suppress CDR for Ineffective Call Attempts field to no, calls that fail because the caller does not have adequate calling privileges print a condition code in the report to reflect the failed attempt. (See the CDR description in the DEFINITY ECS Release 5 Feature Description, 555-230-204.) Review the report for these condition codes, which might indicate hacker activity.

Two optional products, Lucent Technologies Cost Allocator and Call Accounting System (CAS) Plus, enhance CDR/SMDR by allowing you to create customized reports. These reports can be used to isolate calls that may be suspicious.
NOTE: Only the last extension on the call is reported. Unauthorized users who are aware of this procedure originate calls on one extension, then transfer to another extension before terminating the call. Internal toll abusers may transfer unauthorized calls to another extension before they disconnect so that CDR does not track the originating station. If the transfer is to your voice mail system, it could give a false indication that your voice mail system is the source of the toll fraud.

Review CDR/SMDR records for the following symptoms of abuse:
• Short holding times on one trunk group
• Patterns of authorization code usage (same code used simultaneously or high activity)
• Calls to international locations not normal for your business
• Calls to suspicious destinations
• High numbers of “ineffective call attempts” indicating attempts at entering invalid barrier codes or authorization codes
• Numerous calls to the same number
• Undefined account codes

For DEFINITY G1 and System 75:
• To display the Features-Related System Parameters screen, use change system-parameters feature (G1 and System 75 only) or change system-parameters cdr (G3 only).
• Administer the appropriate format to collect the most information. The format depends on the capabilities of your CDR analyzing/recording device.
• Use change trunk-group to display the Trunk Group screen.
• Enter y in the SMDR/CDR Reports field.

For DEFINITY G2:
• Use PROC275 WORD1 FIELD14 to turn on CDR for incoming calls.
• Use PROC101 WORD1 FIELD8 to specify the trunk groups.

Account code entry can be required for CDR (see ‘‘Require Account Codes’’ on page 3-42 for details).

Traffic Measurements and Performance

By tracking traffic measurements on the trunk groups, you can watch for unexplained increases in call volume, particularly during off-peak hours.
Review the traffic measurements for the following symptoms of abuse:
• Unusually high peg counts (number of times accessed) on trunk groups
• A series of short or long holding times that may indicate repeated attempts to enter the system and/or success in doing so
• High volume on WCR patterns used for + and + calls
• Busiest hour for trunk group being inconsistent with business hours
• Drastic changes in switch occupancy profile compared to a typical 24-hour period

Monitor I

For DEFINITY G2 and System 85, the optional Monitor I tracks call volume and alerts you when the number of calls exceeds a predetermined threshold. Monitor I is a UNIX software package that collects measurements data from G2 and System 85 switches, stores the results, and produces various types of analysis reports. With Monitor I, you can set up thresholds for expected normal traffic flow on each of your trunk groups. The application will alert you when the traffic flow exceeds the expected values. The data collected includes quantity and duration of incoming and outgoing calls, processor utilization, and security violation measurements for Remote Access and administration port access.
• Use the PROC400 series to turn on this report for the trunk groups.

SAT, Manager I, and G3-MT Reporting

Traffic reporting capabilities are built-in and are obtained through the System Administrator Tool (SAT), Manager I, and G3-MT terminals. The SAT is available only on System 75. These programs track and record the usage of hardware and software features. The measurements include peg counts (number of times accessed) and call seconds of usage. Traffic measurements are maintained constantly and are available on demand. However, reports are not archived and should therefore be printed to monitor a history of traffic patterns.

For DEFINITY ECS, DEFINITY G1, G3, and System 75 R1V3 and later:
• To record traffic measurements:
  — Enter change trunk-group to display the Trunk Group screen.
  — In the Measured field, enter both if you have BCMS and CMS, internal if you have only BCMS, or external if you have only CMS.
• To review the traffic measurements, enter list measurements followed by one of the measurement types (trunk-groups, call-rate, call-summary, outage-trunk, or security-violations) and the timeframe (yesterday-peak, today-peak, or last-hour).
• To review performance, enter list performance followed by one of the performance types (summary or trunk-group) and the timeframe (yesterday or today).
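The CDR/SMDR symptoms listed above (short holding times on a trunk group, one authorization code in use simultaneously, ineffective call attempts) and the off-hours volume the traffic measurements warn about can be checked offline against exported records. The following is an added example, not code from the handbook or from Lucent; it assumes a constructed, simplified record layout, a constructed condition code "E" for an ineffective call attempt, business hours of 08:00 to 17:59, and the ACA default holding-time limits of 10 seconds and one hour.

```python
# Added example, not Lucent code: an offline pass over CDR/SMDR records for the
# symptoms listed above (short holding times, one authorization code used
# simultaneously, ineffective call attempts, off-hours volume). The record
# layout and the records are constructed; real formats are in 555-230-204.
# Thresholds are assumptions; holding-time limits reuse the ACA defaults.
from collections import defaultdict
from datetime import datetime, timedelta

SHORT_HOLD = 10                 # seconds; ACA default short holding time
LONG_HOLD = 3600                # seconds; ACA default long holding time
BUSINESS_HOURS = range(8, 18)   # assumed 08:00-17:59 local
INEFFECTIVE = "E"               # constructed condition code: ineffective call attempt

# Constructed records: (start, trunk group, duration s, dialed, auth code, condition)
SAMPLE_CDR = [
    ("1997-12-03 02:14:05", "TG7", 4,    "9011441234567", "",     "E"),
    ("1997-12-03 02:14:31", "TG7", 3,    "9011441234567", "",     "E"),
    ("1997-12-03 02:15:02", "TG7", 6,    "9011441234567", "",     "E"),
    ("1997-12-03 02:15:40", "TG7", 5400, "9011441234567", "",     ""),
    ("1997-12-03 10:00:00", "TG1", 600,  "2125551212",    "4321", ""),
    ("1997-12-03 10:03:00", "TG1", 300,  "3125550100",    "4321", ""),
]

def parse(rec):
    start = datetime.strptime(rec[0], "%Y-%m-%d %H:%M:%S")
    return {"start": start, "end": start + timedelta(seconds=rec[2]), "tg": rec[1],
            "dur": rec[2], "dialed": rec[3], "auth": rec[4], "cond": rec[5]}

def per_trunk_group(records, pred):
    # Count the records per trunk group that satisfy pred.
    counts = defaultdict(int)
    for r in records:
        if pred(r):
            counts[r["tg"]] += 1
    return dict(counts)

def short_holding_bursts(records, min_calls=3):
    """Trunk groups with at least min_calls calls held under SHORT_HOLD seconds."""
    hits = per_trunk_group(records, lambda r: r["dur"] < SHORT_HOLD)
    return {tg: n for tg, n in hits.items() if n >= min_calls}

def long_holding_calls(records):
    """Single calls at or above LONG_HOLD (the ACA long holding time case)."""
    return [(r["tg"], r["dialed"], r["dur"]) for r in records if r["dur"] >= LONG_HOLD]

def simultaneous_auth_codes(records):
    """Authorization codes with two calls in progress at the same time."""
    by_code = defaultdict(list)
    for r in records:
        if r["auth"]:
            by_code[r["auth"]].append(r)
    flagged = set()
    for code, calls in by_code.items():
        calls.sort(key=lambda c: c["start"])   # sorted by start: overlap shows between neighbours
        if any(b["start"] < a["end"] for a, b in zip(calls, calls[1:])):
            flagged.add(code)
    return flagged

def off_hours_volume(records):
    """Calls per trunk group that started outside BUSINESS_HOURS."""
    return per_trunk_group(records, lambda r: r["start"].hour not in BUSINESS_HOURS)

def ineffective_attempts(records):
    """Ineffective call attempts per trunk group (the condition code is printed
    only when Suppress CDR for Ineffective Call Attempts is set to no)."""
    return per_trunk_group(records, lambda r: r["cond"] == INEFFECTIVE)

def review(raw):
    """Run every check over raw records; returns hits keyed by check name."""
    records = [parse(r) for r in raw]
    checks = (short_holding_bursts, long_holding_calls, simultaneous_auth_codes,
              off_hours_volume, ineffective_attempts)
    return {f.__name__: f(records) for f in checks}
```

On the constructed records, review(SAMPLE_CDR) flags trunk group TG7 for a burst of three short calls, three ineffective attempts and four off-hours calls plus one 90-minute call, and flags authorization code 4321 for overlapping use.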
ARS Measurement Selection

The ARS Measurement Selection feature can monitor up to 20 routing patterns (25 for DEFINITY ECS and DEFINITY G3) for traffic flow and usage.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:
• Enter change ars meas-selection to choose the routing patterns you want to track.
• Enter list measurements route-pattern followed by the timeframe (yesterday, today, or last-hour) to review the measurements.

Automatic Circuit Assurance (ACA)

This monitoring technique detects a pattern of short holding time calls or a single long holding time call which may indicate hacker activity. Long holding times on Trunk-to-Trunk calls can be a warning sign. The ACA feature allows you to establish time limit thresholds defining what is considered a short holding time and a long holding time. When a violation occurs, a designated station is notified. A display message accompanies the referral call. If the switch is equipped with a speech synthesis board, an audible message accompanies the call.

When a notification occurs, determine if the call is still active. If toll fraud is suspected (for example, aca-short or aca-long is displayed on the designated phone), use the busy verification feature (see ‘‘Busy Verification’’ on page 3-64) to monitor the call in progress.

With Remote Access, when hacker activity is present, there is usually a burst of short holding times as the hacker attempts to break the barrier code or authorization code protection, or long holding time calls after the hacker is successful. An ACA alarm on a Remote Access trunk should be considered a potential threat and investigated immediately. If the call is answered by an automated attendant, a hacker may be attempting to gain access to the system facilities using TACs.
For DEFINITY ECS, DEFINITY G1, G3, and System 75:
• Enter change system-parameters feature to display the Features-Related System Parameters screen.
• Enter y in the Automatic Circuit Assurance (ACA) Enabled field.
• Enter local, primary, or remote in the ACA Referral Calls field. If primary is selected, calls can be received from other switches. Remote applies if the PBX being administered is a DCS node, perhaps unattended, that wants ACA referral calls to go to an extension or console at another DCS node.
• Complete the following fields as well: ACA Referral Destination, ACA Short Holding Time Originating Extension, ACA Long Holding Time Originating Extension, and ACA Remote PBX Identification.
• To review and verify the entries, enter list aca-parameters.
• Enter change trunk-group to display the Trunk Group screen.
• Enter y in the ACA Assignment field.
• Establish short and long holding times. The defaults are 10 seconds (short holding time) and one hour (long holding time).
• To review an audit trail of the ACA referral call activity, enter list measurements aca.

For DEFINITY G2 and System 85:
• Use PROC285 WORD1 FIELD5 and PROC286 WORD1 FIELD1 to enable ACA system-wide.
• Use P120 W1 to set ACA call limits and number of calls thresholds.
• Choose the appropriate option:
  — To send the alarms and/or reports to an attendant, use PROC286 WORD1 FIELD3.

BCMS Measurements (DEFINITY ECS and DEFINITY G1 and G3 only)

For DEFINITY ECS, DEFINITY G1 and G3, BCMS Measurements report traffic patterns for measured trunk groups.

For DEFINITY ECS and DEFINITY G1 and G3:
• Use change trunk-group to display the Trunk Group screen.
• In the Measured field, enter internal if you have only BCMS or both if you have BCMS and CMS.
• Use change system-parameters feature to display the Features-Related System Parameters screen.
• Enter half-hour in the BCMS Measurement Interval field.
• To review the measurements, use list bcms trunk.

CMS Measurements

This monitoring technique measures traffic patterns and times on calls and compares them to traffic counts and time limit thresholds. An exceptions log is maintained whenever the traffic counts or time limits exceed the preset thresholds.

For DEFINITY ECS and DEFINITY G1 and G3:
• Use change trunk-group to display the Trunk Group screen.
• In the Measured field, enter external if you have only CMS or both if you have BCMS and CMS.
• To generate reports, use cms reports.

For DEFINITY G2:
• Use PROC115 WORD1 FIELD5 to specify incoming or two-way measurements by CMS.
• Set up time limits and count thresholds on CMS (Trunk Group Exceptions). Exceptions are reported to designated CMS terminals (User Permissions: Trunk Group Access). CMS keeps a log of exceptions (Real-Time Exception Log, Historical Report: Trunk Group Exceptions).

Security Violation Notification Feature (DEFINITY ECS and DEFINITY G3 only)

For DEFINITY ECS and DEFINITY G3, the Security Violation Notification Feature (SVN) provides the capability to immediately detect a possible breach of the System Management, Remote Access, or Authorization Code features, and to notify a designated destination upon detection. It is intended to detect Generic 3 Management Terminal (G3-MT) or Generic 3 Management Application (G3-MA) login failures through the INADS port, based on customer-administrable thresholds.

Once an SVN threshold is reached (for a System Management login, a Remote Access barrier code, and, for DEFINITY G3V3 and later, an Authorization code), the system initiates a referral call to an assigned referral destination. For systems earlier than DEFINITY G3V3, the referral destination must be an attendant console or station equipped with a display module. For DEFINITY G3V3 and later, the referral destination can be any station, if an announcement has been administered and recorded. Also for G3V3 and later releases, including DEFINITY ECS, the SVN Referral Call with Announcement option provides a recorded message identifying the type of violation accompanying the SVN referral call, such as login violation, remote access violation, or authorization code violation.
Using call forwarding, call coverage, or call vector Time of Day routing, SVN calls with announcements can terminate to any point on or off the switch.

The Security Violation Notification feature also provides an audit trail about each attempt to access the switch using an invalid login, remote access or (G3V3 and later) authorization code. The SVN time interval selected, in conjunction with the threshold, specifies when a referral call occurs. For example, if the barrier code threshold is set to 10 with a time interval of two minutes, a referral call occurs whenever 10 or more invalid barrier codes are entered within two minutes.

The advantage of the SVN feature is that it notifies the user of the problem as it occurs so that there is an opportunity to interrupt unauthorized calls before charges are incurred, as well as a chance to apprehend the violator during the attempted violation.

The monitor security-violations command displays the login activity in real time on either Remote Access or System Management ports.

Information about invalid system management login attempts and remote access attempts (and, for G3V3 or later, including DEFINITY ECS, invalid authorization code attempts) is collected at two levels:
• On an immediate basis, when an invalid login attempt is made, for systems earlier than DEFINITY G3V3, the SVN feature can send a priority call to either an attendant console or a station equipped with a display module. For DEFINITY G3V3 and later, which includes the DEFINITY ECS, the SVN feature can send to any station if an announcement has been administered and recorded. When notified, the security administrator can request the Security Violations Status Report, which shows details of the last 16 security violations of each type for DEFINITY ECS and DEFINITY G3.
• On a historical basis, the number of security violations of each type is collected and reported in the Security Violations Summary Measurement Report. This report shows summary information since the last time the counters were reset. (See ‘‘Security Violations Measurement Report’’ on page 3-56.)

For DEFINITY ECS and DEFINITY G3:
• Enter change system-parameters feature to display the Feature-Related System Parameters screen. (For DEFINITY G3V3 and later, including DEFINITY ECS, enter change system-parameters security to display the System-Parameters Security screen.)
• To monitor Remote Access, enter y in the SVN Remote Access Violation Notification Enabled? field.
• To monitor administration ports, on the same screen, enter y in the SVN Login Violation Notification Enabled field.
• To monitor authorization codes (G3V3 and later), enter y in the SVN Authorization Code Violation Notification Enabled field.
• Enter any valid unassigned extension number in the Originating Extension field(s).
• Enter the extension number of the person who will monitor violations in the Referral Destination field(s). For releases before DEFINITY G3V3, this destination must be a station equipped with a display module or an attendant console. In DEFINITY G3V3 and later, which includes DEFINITY ECS, if an announcement extension is administered, the referral destination does not require a display module. In G3V3 and later (including DEFINITY ECS), a violation occurs based on the number of invalid attempts and is not dependent on a forced disconnect.

NOTE: If an announcement extension is administered, but no announcement is recorded, the referral call will not be made.
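The threshold-within-interval rule, the status report of the last 16 violations per type, and the summary counters that run until cleared, as an added example that is not the handbook's or Lucent's code. The attempt log, the login rule (5 attempts in ten minutes) and the port names are assumptions; the barrier-code rule of 10 attempts within two minutes is the text's own example, and the announcement check models the NOTE above.

```python
# Added example, not Lucent code: a model of the SVN rule described above
# (a threshold of invalid attempts within a time interval triggers a referral
# call), with the two collection levels: the status report of the last 16
# violations per type and the summary counters since the last reset.
# The attempt log is constructed. The barrier-code rule (10 in two minutes)
# is the text's example; the login rule and port names are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

STATUS_DEPTH = 16   # the Security Violations Status Report keeps the last 16 per type

class SVN:
    def __init__(self, rules, announcement_recorded=True):
        # rules: violation type -> (threshold, interval seconds); absent type = not monitored
        self.rules = rules
        # G3V3 and later: the referral needs an administered and recorded announcement
        self.announcement_recorded = announcement_recorded
        self.window = defaultdict(deque)     # attempts still inside the interval, per type
        self.status = defaultdict(lambda: deque(maxlen=STATUS_DEPTH))   # audit trail
        self.summary = defaultdict(int)      # violations per type since the last reset
        self.referrals = []                  # referral calls placed: (time, type)

    def invalid_attempt(self, vtype, when, port):
        """Record one invalid login / barrier code / authorization code attempt.
        Returns the referral (time, type) if this attempt reached the threshold."""
        self.summary[vtype] += 1
        self.status[vtype].append((when, port))
        if vtype not in self.rules:
            return None
        threshold, interval = self.rules[vtype]
        win = self.window[vtype]
        win.append(when)
        while win and when - win[0] > timedelta(seconds=interval):
            win.popleft()                    # attempts older than the interval drop out
        if len(win) < threshold:
            return None
        win.clear()                          # assumption: counting restarts after a referral
        if not self.announcement_recorded:
            return None                      # violation counted, but no referral call made
        self.referrals.append((when, vtype))
        return (when, vtype)

    def status_report(self, vtype):
        """Last STATUS_DEPTH violations of one type, oldest first, as ISO timestamps."""
        return [(t.isoformat(), port) for t, port in self.status[vtype]]

    def clear_measurements(self):
        """Equivalent of 'clear measurements security-violations'."""
        self.summary.clear()

def demo(announcement_recorded=True):
    """Constructed log: 12 invalid barrier codes ten seconds apart, and three
    invalid logins spread over thirty minutes. Returns (svn, referrals)."""
    svn = SVN({"remote-access": (10, 120), "login": (5, 600)}, announcement_recorded)
    t0 = datetime(1997, 12, 3, 9, 0, 0)
    for i in range(12):
        svn.invalid_attempt("remote-access", t0 + timedelta(seconds=10 * i), "RA-TRUNK")
    for minutes in (10, 20, 30):
        svn.invalid_attempt("login", t0 + timedelta(minutes=minutes), "INADS")
    return svn, [(t.isoformat(), v) for t, v in svn.referrals]

if __name__ == "__main__":
    svn, referrals = demo()
    print("referral calls:", referrals)
    print("summary since reset:", dict(svn.summary))
```

The tenth invalid barrier code, 90 seconds into the burst, triggers the single referral call; the three logins never reach their threshold but still appear in the audit trail and summary.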