Other Security Hints. AT&T MERLIN LEGEND Release 3.1, MERLIN LEGEND Release 4.0


Customer Support Information

• The maximum length should be used for each barrier code, and the code should be changed periodically. Barrier codes, like passwords, should consist of a random, hard-to-guess sequence of digits. While MERLIN LEGEND Release 3.0 permits a barrier code of up to 11 digits, systems prior to Release 3.0 permit barrier codes of only four digits.

If Remote Access is used, an upgrade to MERLIN LEGEND Communications System Release 3.0 is encouraged to take advantage of the longer barrier code.

• Make sure that the Automated Attendant Selector Codes do not permit outside line selection.

Other Security Hints

Following are a number of measures and guidelines that can help you ensure the security of your communications system and voice messaging system.

Multiple layers of security are always recommended to keep your system secure.

Educating Users

Everyone in your company who uses the telephone system is responsible for system security. Users and attendants/operators need to be aware of how to recognize and react to potential hacker activity. Informed people are more likely to cooperate with security measures that often make the system less flexible and more difficult to use.

• Never program passwords or authorization codes onto Auto Dial buttons. Display telephones reveal the programmed numbers, and internal abusers can use the Auto Dial buttons to originate unauthorized calls.

• Discourage the practice of writing down barrier codes or passwords. If a barrier code or password needs to be written down, keep it in a secure place and never discard it while it is active.

• Operators or attendants should tell their system manager if they answer a series of calls where there is silence on the other end or the caller hangs up.

• Users who are assigned voice mailboxes should change their personal passwords frequently and should not choose obvious passwords.

• The system manager should advise users with special telephone privileges (such as Remote Access, Outcalling, and Remote Call Forwarding) of the potential risks and responsibilities.

• Be suspicious of any caller who claims to be with the telephone company and wants to check an outside line. Ask for a callback number, hang up, and confirm the caller's identity.

• Never distribute the office telephone directory to anyone outside the company; be careful when discarding it (shred the directory).

• Never accept collect telephone calls.

• Never discuss your telephone system's numbering plan with anyone outside the company.

A–16 System Programming

Educating Operators

Operators or attendants need to be especially aware of how to recognize and react to potential hacker activity. To defend against toll fraud, operators should follow the guidelines below:

• Establish procedures to counter social engineering. Social engineering is a con game that hackers frequently use to obtain information that may help them gain access to your communications system or voice messaging system.

• When callers ask for assistance in placing outside or long-distance calls, ask for a callback extension.

• Verify the source. Ask callers claiming to be maintenance or service personnel for a callback number. Never transfer to *10 without this verification. Never transfer to extension 900.

• Remove the headset and/or handset when the console is not in use.

Detecting Toll Fraud

To detect toll fraud, users and operators should look for the following:

• Lost voice mail messages, mailbox lockout, or altered greetings
• Inability to log into voice mail
• Inability to get an outside line
• Foreign language callers
• Frequent hang-ups
• Touch-tone sounds
• Caller or employee complaints that the lines are busy
• Increases in internal requests for assistance in making outbound calls (particularly international calls or requests for dial tone)
• Outsiders trying to obtain sensitive information
• Callers claiming to be the "phone" company
• Sudden increase in wrong numbers


Establishing a Policy

As a safeguard against toll fraud, follow these guidelines for your MERLIN LEGEND Communications System and voice messaging system:

• Change passwords frequently (at least quarterly). Changing passwords routinely on a specific date (such as the first of the month) helps users to remember to do so.

• Always use the longest-length password allowed.

• Establish well-controlled procedures for resetting passwords.

• Limit the number of invalid attempts to access a voice mailbox to five or fewer.

• Monitor access to the MERLIN LEGEND dial-up maintenance port. Change the access password regularly and issue it only to authorized personnel. Disconnect the maintenance port when not in use. (However, this eliminates AT&T's 24-hour maintenance surveillance capability and may result in additional maintenance costs.)

• Create a communications system management policy concerning employee turnover and include these suggestions:
  - Delete all unused voice mailboxes in the voice mail system.
  - If a terminated employee had Remote Access calling privileges and a personal authorization code, remove the authorization code immediately.
  - If barrier codes and/or authorization codes were shared by the terminated employee, change them immediately.

• Regularly back up your MERLIN LEGEND system files to ensure a timely recovery should it be required. Schedule regular, off-site backups.

• Keep the Remote Maintenance Device turned off when not in use by AT&T or your authorized dealer.

• Limit transfers to registered subscribers only.

• Use the Security Violations Notification options (Mailbox Lock or Warning Message) to alert you of any mailbox break-in attempts. Investigate all incidents.

• Review security policies and procedures and keep them up to date.


Choosing Passwords

Passwords should be the maximum length allowed by the system.

Passwords should be hard to guess and should not contain:

• All the same numbers (for example, 1111, 666666)
• Sequential characters (for example, 123456)
• Numbers that can be associated with you or your business, such as your name, birthday, business name, business address, telephone number, or social security number
• Words and commonly used names

Passwords should be changed regularly, at least on a quarterly basis. Recycling old passwords is not recommended. Never program passwords (or authorization codes or barrier codes) onto a speed dial button.
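The password rules above, together with the barrier code length limits given at the start of this section, can be enforced before a code is programmed into the system. The checker below is an added example written for this page, not AT&T code or a MERLIN LEGEND feature; the function names, the release-to-length mapping, the four-digit "shared run" heuristic for associated numbers, and the sample numbers are assumptions made here.

```python
import re
from typing import Sequence

# Barrier code limit by MERLIN LEGEND release, as stated in the manual:
# Release 3.0 and later accept up to 11 digits, earlier releases only 4.
def barrier_code_max_len(release: str) -> int:
    major, minor = (int(x) for x in release.split(".")[:2])
    return 11 if (major, minor) >= (3, 0) else 4

def is_sequential(digits: str) -> bool:
    """True for ascending or descending runs such as 123456 or 654321."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return len(digits) > 1 and steps in ({1}, {-1})

def shares_run(code: str, number: str, run: int = 4) -> bool:
    """True if any 'run' consecutive digits of the code appear in the number
    (assumed heuristic for 'numbers associated with you or your business')."""
    digits = re.sub(r"\D", "", number)
    return any(code[i:i + run] in digits for i in range(len(code) - run + 1))

def check_code(code: str, max_len: int, associated: Sequence[str] = (),
               history: Sequence[str] = ()) -> list[str]:
    """Return the policy violations for a voice-mail password or barrier code.

    associated: numbers tied to the user (phone, extension, birthday, ...).
    history:    previously used codes, which the manual says not to recycle.
    An empty list means the code satisfies the manual's rules.
    """
    if not re.fullmatch(r"\d+", code):
        return ["must consist of digits only"]
    problems = []
    if len(code) != max_len:
        problems.append(f"use the maximum length allowed ({max_len} digits)")
    if len(set(code)) == 1:
        problems.append("all the same digit (e.g. 1111)")
    if is_sequential(code):
        problems.append("sequential digits (e.g. 123456)")
    for number in associated:
        if shares_run(code, number):
            problems.append(f"contains digits of an associated number ({number})")
    if code in history:
        problems.append("recycles an old code")
    return problems

if __name__ == "__main__":
    # Constructed sample: an 11-digit Release 4.0 barrier code built from the
    # user's own (made-up) phone number and birthday, which the policy rejects.
    print(check_code("55501231970", barrier_code_max_len("4.0"),
                     associated=["555-0123", "06/15/1970"]))
```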

Physical Security

You should always limit access to the system console (or attendant console) and supporting documentation. The following are some recommendations:

• Keep the system console and supporting documentation in an office that is secured with a changeable combination lock. Provide the combination only to those individuals having a real need to enter the office.

• Keep telephone wiring closets and equipment rooms locked.

• Keep telephone logs and printed reports in locations that only authorized personnel can enter.

• Design distributed reports so they do not reveal password or trunk access code information.

• Keep the voice messaging system Remote Maintenance Device turned off.

Limiting Outcalling

When Outcalling is used to contact subscribers who are off-site, use the MERLIN LEGEND Communications System Allowed Lists and Disallowed Lists or Automatic Route Selection features to minimize toll fraud.

If the Outcalling feature will not be used, outward restrict all voice messaging system ports. If Outcalling will be used, ports not used for Outcalling should be Outward Restricted (for Merlin Mail Voice Messaging Systems, port 2 on a two-port system, port 4 on a four-port system, ports 5 and 6 on a six-port system).

Use Outward Restriction, Toll Restrictions, Allowed Lists, Disallowed Lists and Facility Restriction Levels, as appropriate, to minimize the possibility of toll fraud.
