NCSC Sounds Alarm Over Private Branch Exchange Attacks

Written by

The UK’s National Cyber Security Centre (NCSC) has warned smaller organizations that they could be exposed to attacks targeting their private branch exchange (PBX) phone systems.

A PBX is an internet-connected private telephone network used to manage and route incoming and outgoing calls. Most offer support for business-friendly functions like call forwarding, diverting, voicemail and conference calling.

However, incorrectly configured PBX systems could be exposed to remote attackers via their internet connection, the NCSC warned in a new blog post.

This could lead to “dial-through fraud” where cybercriminals route calls to expensive overseas numbers or set up lines that charge a premium rate. It could also enable remote attackers to compromise PBX systems and use them in denial-of-service (DoS) attacks against others, the NCSC claimed.

Read more on NCSC guidance: NCSC Launches Two New Tools for Small Businesses

The NCSC yesterday published new guidance on how to mitigate such risks, whether organizations use managed cloud-based or on-premises PBX.

Organizations should start by ensuring employees use strong passwords and protect administrator accounts with multi-factor authentication (MFA), said Amelia H from the NCSC’s Economy and Society Team.

It also pays to read the small print in contracts, she added.

“Your organisation – as the PBX owner – is responsible for the security and administration of your phone system. You should thoroughly examine any PBX contract (or consult with your legal/financial experts if necessary) before signing, to protect yourself from unintended financial consequences,” Amelia H continued.

“For example, you may decide that you need to limit the types of calls staff make, or restrict the ability to forward calls to an off-premises number. If you’re using a managed service, then attacks as a result of misconfiguration are the responsibility of the provider, something to keep in mind if you’re pressured into taking out insurance to defend against attacks that should be covered by your managed service provider.”

What’s hot on Infosecurity Magazine?