NET.4.1 PBX Systems

Description

Introduction

A telecommunications system—PBX for short—can internally connect the telephones of an institution and externally connect them to a public telephone network. Due to the increasing interconnection of IT and telecommunications, PBX systems can be built both as analog and IP-based systems. Hybrid systems are a combination of a classic telecommunications solution and a VoIP system. A hybrid system can simultaneously operate classic digital and analog telephony as well as VoIP.

In addition to voice telephony, further services can be used depending on the end devices connected. PBX systems can be used to transmit data, texts, graphics, and moving images. The information can be forwarded in analog or digital form over wired or wireless transmission media. Depending on the connection and data networks used, various telecommunications systems can be deployed within an institution.

Objective

This building block examines the threats and requirements specific to PBX systems and the corresponding parts of hybrid systems. The objective of the building block is to protect the information transmitted via PBX systems and to protect the system against unauthorized interference and manipulation.

Scope and Modeling

The building block NET.4.1 PBX Systems is to be applied to every PBX system.

This building block addresses threats and requirements specific to a PBX system and the corresponding parts of a hybrid system. Topics that go beyond the PBX system, such as threats and requirements for individual VoIP implementations and externally provided services, are addressed separately in the corresponding building blocks of the IT-Grundschutz Compendium.

The security aspects of VoIP components and voice transmission over VoIP are examined in more detail in building block NET.4.2 VoIP.

PBX systems SHOULD generally be taken into account when the building blocks ORP.4 Identity and Access Management, OPS.1.2.5 Remote Maintenance, CON.3 Data Backup Concept, and OPS.1.1.5 Logging are implemented.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for building block NET.4.1 PBX Systems.

Interception of PBX Systems

If telephone calls or data are transmitted unencrypted via a PBX system, there is fundamentally the risk that attackers can listen in or read information. For example, they could tap the telephone cables directly or eavesdrop on a PBX system acting as an intermediary between the call participants.

With many PBX systems, callers can leave messages for recipients who are not reachable by telephone at the time of the call. Some answering machines—especially those of VoIP systems—send this information as an audio file in an email. The content of this email could be directly intercepted and listened to by attackers.

Furthermore, calls could be listened to by activating blocked features that are, in some cases, not permitted in Germany. An example of this is the “silent monitor” feature. Such activation requires detailed system knowledge, but this is often not a major obstacle given the many freely available hints on the Internet.

Interception of Rooms via PBX Systems

Rooms can fundamentally also be intercepted via microphones in end devices. Two variants are distinguished:

In the first variant, end devices—if corresponding functions are implemented—can be caused to activate built-in microphones from the public network or via the LAN. A well-known example of this is the “baby watch function” of telephones or answering machines.

In the second variant, the “direct addressing” feature in combination with the “hands-free” option can be misused. The intercom function realized in this way can under certain circumstances also be used to intercept a room.

Toll Fraud

Toll fraud in connection with data or telecommunications services aims to transfer the costs of telephone calls or data transfers to third parties. A PBX system can be manipulated from the outside in various ways. On the one hand, attackers can attempt to misuse existing features for toll fraud. These features include, for example, call forwarding that can be reprogrammed remotely or dial-in options. On the other hand, permissions can be assigned in such a way that incoming “outside lines” occupy outgoing “outside lines.” In this way, callers can be automatically connected back to the “outside line” at the expense of the PBX operator when they dial a certain number.

Furthermore, not only outside attackers but also employees within an institution can engage in toll fraud. They may, for example, attempt to make calls at the expense of the institution or of other employees by using other people’s devices, reading out other users’ authorization codes (passwords), or changing personal permissions.

Misuse of Freely Accessible Telephone Connections

Institutions often operate telephones that are not assigned to any particular user. Some of these telephones—such as those in printer rooms—are only accessible to a limited number of persons. Others, however, are located in areas freely accessible to visitors, for example parking garages or areas in front of access control systems. If these telephones have an electronic telephone directory in which internal telephone numbers are stored, these numbers could inadvertently become publicly known.

Requirements

The following are the specific requirements of building block NET.4.1 PBX Systems. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. They SHOULD be filled insofar as this is sensible and appropriate.

Responsibilities               Roles
Primarily responsible          Specialist Responsibility
Additional responsibilities    IT Operations, Supervisors

Exactly one role SHOULD be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled with priority for this building block.

NET.4.1.A1 Requirements Analysis and Planning for PBX Systems (B) [IT Operations]

Before the procurement or expansion of a PBX system, a requirements analysis MUST be carried out. As part of this analysis, it MUST be specified what functions the PBX system should offer. In addition to the type of PBX system, the number of connections and interfaces required MUST also be defined. Possible expandability and fundamental security functions MUST also be considered in the planning. Furthermore, support and maintenance contracts for the PBX system MUST be taken into account as required. Based on the identified requirements, the deployment of the PBX system MUST then be planned and documented. The requirements identified and the planning MUST be coordinated with the responsible IT staff.

NET.4.1.A2 Selection of Telecommunications Service Providers (B) [IT Operations]

In order to be able to telephone with persons whose telephones are not connected to the institution’s own PBX system, a telecommunications service provider MUST be commissioned. The requirements for the PBX system, the security policy, and contractual and financial aspects MUST be taken into account in this process. All agreed services MUST be clearly recorded in writing.

NET.4.1.A3 DISCONTINUED (B)

This requirement has been discontinued.

NET.4.1.A4 DISCONTINUED (B)

This requirement has been discontinued.

NET.4.1.A5 Logging at PBX Systems (B)

Appropriate data MUST be collected at PBX systems and evaluated as required. The following MUST additionally be logged: all system-technical interventions that include program changes, as well as evaluation runs, data transmissions, and data accesses. All administration work on the PBX system MUST also be logged. The logged information SHOULD be regularly reviewed.
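The toll fraud and interception scenarios in the threat landscape (remotely reprogrammed call forwarding, incoming “outside lines” being connected back out to another “outside line,” activation of blocked features such as “silent monitor” or the “baby watch function”) and the regular review of logged administration work required here by NET.4.1.A5 can be tied together in a simple log review. The following Python script is an added example and is not part of the building block or of any vendor's software; the log line layout, the field names, the feature names, and the maintenance window are constructed assumptions chosen to illustrate the checks, not a real PBX log format. It reads constructed administration and call records, flags the events a reviewer would want to see, and returns a summary per rule so the result can be reported as A5 asks.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log. The "<timestamp> <record type> key=value ..." layout
# is an assumption made for this example, not a real PBX export format.
SAMPLE_LOG = """\
2024-03-04T02:13:07 ADMIN user=svc_maint src=remote action=set_feature feature=silent_monitor value=on target=ext2311
2024-03-04T02:14:20 ADMIN user=svc_maint src=remote action=set_forward ext=2311 dest=+4990012345
2024-03-04T09:05:11 ADMIN user=admin01 src=console action=set_forward ext=2140 dest=2141
2024-03-04T23:41:02 CALL trunk_in=T1 trunk_out=T2 called=+88299912345 duration=1810
2024-03-04T11:20:00 CALL trunk_in=T1 ext=2140 called=2140 duration=120
2024-03-04T02:15:33 ADMIN user=svc_maint src=remote action=set_feature feature=baby_watch value=on target=ext2311
2024-03-04T14:02:45 ADMIN user=admin01 src=console action=backup value=ok
"""

# Features the building block names as security-critical (silent monitor,
# baby watch, direct addressing); "disa" (remote dial-in) is an assumed name.
CRITICAL_FEATURES = {"silent_monitor", "baby_watch", "direct_addressing", "disa"}

# Assumed maintenance window: administration is expected between 08:00 and 18:00.
MAINTENANCE_WINDOW = (8, 18)

# Assumption: internal extensions are exactly four digits; anything else is external.
INTERNAL_EXT = re.compile(r"^\d{4}$")


@dataclass
class Finding:
    rule: str
    line: str


def parse(line):
    """Split one log line into (timestamp, record type, field dict)."""
    ts, kind, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), kind, fields


def review(log_text):
    """Apply the review rules to every line and return the list of findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, f = parse(line)
        if kind == "ADMIN":
            action = f.get("action")
            # Activation of a feature with known misuse potential (A8 / interception).
            if action == "set_feature" and f.get("feature") in CRITICAL_FEATURES and f.get("value") == "on":
                findings.append(Finding("critical_feature_enabled", line))
            # Call forwarding pointed at an external number (toll fraud scenario).
            if action == "set_forward" and not INTERNAL_EXT.match(f.get("dest", "")):
                findings.append(Finding("forward_to_external", line))
            # Any administration work outside the agreed window is worth a look (A5).
            if not MAINTENANCE_WINDOW[0] <= ts.hour < MAINTENANCE_WINDOW[1]:
                findings.append(Finding("admin_outside_window", line))
        elif kind == "CALL":
            # An incoming outside line connected straight back out to another
            # outside line: the trunk-to-trunk pattern described under Toll Fraud.
            if "trunk_in" in f and "trunk_out" in f:
                findings.append(Finding("trunk_to_trunk", line))
    return findings


def summarize(findings):
    """Count findings per rule for the periodic review report."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(f"{finding.rule:26s} {finding.line}")
    print(dict(summarize(review(SAMPLE_LOG))))
```

On the constructed sample the script reports seven findings: two critical features enabled, one forwarding to an external number, three administrative changes outside the maintenance window, and one trunk-to-trunk call. In practice the thresholds and the list of critical features would come from the institution's PBX security policy (A6) and the feature restrictions decided under A8, and the report would be the artifact presented at the regular review.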

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.

NET.4.1.A6 Creation of a Security Policy for PBX Systems (S) [IT Operations]

Based on the institution-wide security policy, a dedicated security policy for the PBX system SHOULD be created. This security policy for the PBX system SHOULD contain fundamental statements on confidentiality, availability, and integrity. It SHOULD be known to all persons involved in the procurement, setup, implementation, and operation of the PBX system and form the basis for their work. The central security-technical requirements for the PBX system and the security level to be achieved SHOULD be included in the institution-wide security policy.

NET.4.1.A7 Appropriate Placement of the PBX System (S)

The PBX system SHOULD be housed in an appropriate room. The interfaces on the PBX system—especially unused interfaces—SHOULD be appropriately protected.

NET.4.1.A8 Restriction and Blocking of Unnecessary or Security-Critical Features (S)

The range of available features SHOULD be restricted to the necessary minimum. Only the required features SHOULD be enabled. Features that are not needed or that are classified as critical due to their misuse potential SHOULD be disabled at the central system as far as possible. Additional protective measures SHOULD be taken for the confidential data stored and retrievable on end devices.

NET.4.1.A9 Training for the Secure Use of PBX Systems (S) [Supervisors]

Users of the PBX system SHOULD be instructed in the correct use of services and devices. All necessary documentation for operating the corresponding end devices SHOULD be made available to users of the PBX system. All anomalies and irregularities of the PBX system SHOULD be reported to the responsible persons.

NET.4.1.A10 Documentation and Revision of the PBX System Configuration (S) [IT Operations]

The PBX system configuration SHOULD be appropriately documented and kept up to date. The PBX system configuration SHOULD be reviewed at regular intervals. The result of the review SHOULD at minimum be presented to the Information Security Officer, the Specialist Responsibility, and other responsible employees.

NET.4.1.A11 Decommissioning of PBX Systems and Devices (S) [IT Operations]

The decommissioning of PBX systems and connected PBX devices SHOULD be addressed in the security policy. All data stored on PBX systems or end devices SHOULD be securely deleted before decommissioning.

NET.4.1.A12 Data Backup of Configuration Files (S)

The configuration and application data of the PBX system in use SHOULD be backed up upon initial setup and then regularly thereafter—in particular after changes. It SHOULD be regularly checked and documented whether the PBX system backups can actually be used as the basis for a system restore.

A data backup concept for PBX systems SHOULD be created and coordinated with the general concepts for data backup of servers and network components.

NET.4.1.A13 Procurement of PBX Systems (S)

When procuring PBX systems, the results of the requirements analysis and planning SHOULD be incorporated. When procuring a PBX system, it SHOULD be taken into account that the system SHOULD offer both digital and analog subscriber connections. Furthermore, existing communication systems and components SHOULD be taken into account during procurement.

NET.4.1.A14 Emergency Preparedness for PBX Systems (S)

An emergency plan for the PBX system SHOULD be created. This SHOULD be integrated into the institution’s emergency concept. Emergency exercises regarding PBX systems SHOULD be regularly conducted.

NET.4.1.A15 Emergency Calls in the Event of PBX System Failure (S)

It SHOULD be ensured that emergency calls can be made from the institution even in the event of PBX system failure. Emergency call options SHOULD be accessible from all rooms via sufficiently short routes.

NET.4.1.A16 Securing End Devices in Freely Accessible Rooms (S)

The range of functions of end devices to be placed in freely accessible rooms SHOULD be restricted. If this is not possible, the end device SHOULD be protected against unauthorized access in an appropriate manner.

NET.4.1.A17 Maintenance of PBX Systems (S)

Devices for the maintenance and configuration of the PBX system SHOULD be secured with passwords or PINs.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered when there are high protection needs. The specific determination is made within the framework of an individual risk analysis.

NET.4.1.A18 Enhanced Access Protection (H)

The PBX system SHOULD be housed in a separate and appropriately secured room. Access to the PBX system SHOULD only be possible for a restricted group of persons. External parties SHOULD ONLY receive access to the system under supervision.

NET.4.1.A19 Redundant Connection (H)

The connection of the PBX system SHOULD be designed redundantly. For IP-based PBX systems, an additional PSTN connection SHOULD be available.

Additional Information

Good to Know

The BSI has published “BSI-TL-02013 for organization-internal telecommunications systems with high protection needs” as part of its technical guidelines.