Voice Communication Channels and the CISSP

By Lawrence C. Miller, Peter H. Gregory

The Certified Information Systems Security Professional (CISSP) exam requires knowledge of secure design principles and the implementation of various communication technologies, including voice. PBX (Private Branch Exchange) switches, POTS (Plain Old Telephone Service) lines, and VoIP (Voice over Internet Protocol) systems are among the most overlooked and costly parts of a corporate telecommunications infrastructure.

Many employees don’t think twice about using a company telephone system for extended personal use, including long-distance calls. Personal use of company-supplied mobile phones and pagers is another area of widespread abuse. Perhaps the simplest and most effective countermeasure against internal abuse is to publish and enforce a corporate telephone-use policy. Regular auditing of telephone records (the call detail records, or CDRs, that a PBX or carrier produces for every call) is also effective for deterring and detecting abuse.

Unless basic security measures are taken, such as strong passwords on administrative accounts and voicemail boxes and timely security patches, attacks on PBX, POTS, and VoIP devices are more likely to succeed, resulting in toll fraud (an attacker routing long-distance or premium-rate calls through the victim's system at the victim's expense) and other headaches.
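The record auditing recommended above, and the toll-fraud outcome just described, are easier to act on with a concrete check. The following is an added example (not code from the authors or from any PBX vendor) that runs a few toll-fraud heuristics over an exported CDR file: premium-rate calls, after-hours international calls, and extensions whose toll minutes exceed a threshold. The CDR rows, the column names, the business hours, the dialing prefixes and the minute threshold are all constructed or assumed for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample call detail records (CDRs) for one day; the column names
# are an assumption, since every PBX exports a different format.
SAMPLE_CDR = """\
start,extension,dialed,duration_sec,trunk
2024-03-04 09:12:00,2101,15551234567,120,PRI-1
2024-03-04 02:45:00,2110,01144207946000,1800,PRI-1
2024-03-04 13:05:00,2110,19005551212,300,PRI-1
2024-03-04 22:30:00,2233,011350123456,2400,PRI-2
2024-03-04 23:10:00,2233,011350123457,2500,PRI-2
2024-03-04 10:00:00,2101,15559876543,60,PRI-1
"""

# Policy thresholds; all assumed for the example, adjust to the organization's policy.
BUSINESS_HOURS = (8, 18)        # calls starting 08:00-17:59 local count as in-hours
INTL_PREFIXES = ("011",)        # North American international dialing prefix
PREMIUM_PREFIXES = ("1900",)    # North American premium-rate (1-900) numbers
TOLL_MINUTES_LIMIT = 60         # per-extension toll minutes allowed in the export period


def classify(dialed):
    """Bucket a dialed number by cost class using its dialing prefix."""
    if dialed.startswith(PREMIUM_PREFIXES):
        return "premium"
    if dialed.startswith(INTL_PREFIXES):
        return "international"
    return "domestic"


def audit_cdr(cdr_text):
    """Return (extension, reason, detail) findings for calls worth a second look."""
    findings = []
    toll_minutes = defaultdict(float)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        kind = classify(row["dialed"])
        minutes = int(row["duration_sec"]) / 60
        after_hours = not (BUSINESS_HOURS[0] <= start.hour < BUSINESS_HOURS[1])
        if kind == "premium":
            findings.append((row["extension"], "premium-rate call", row["dialed"]))
        if kind == "international" and after_hours:
            findings.append((row["extension"], "after-hours international call", row["dialed"]))
        if kind != "domestic":
            toll_minutes[row["extension"]] += minutes
    # Volume check: a compromised extension or voicemail box typically racks up
    # toll minutes far beyond what one employee's personal calls would.
    for ext, mins in toll_minutes.items():
        if mins > TOLL_MINUTES_LIMIT:
            findings.append((ext, "toll minutes over limit", f"{mins:.0f} min"))
    return findings


if __name__ == "__main__":
    for ext, reason, detail in audit_cdr(SAMPLE_CDR):
        print(f"ext {ext}: {reason} ({detail})")
```

Run against a real export, the prefix lists need to match the local dialing plan, and the volume check is more useful per day or per weekend than per file; the point is that each rule maps to a clause of the telephone-use policy, so a finding is something the policy already lets you act on.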

A growing problem is that of forged caller ID. Several methods are available for hiding or falsifying the caller ID presented on a call, in some cases in a way that is deliberately misleading or used to perpetrate fraud. These methods include

  • Using a calling card: Placing a call through a long-distance calling card often masks its true origin.
  • Using caller ID spoofing services: A number of commercial services will place a call on the user's behalf and present any caller ID the user specifies.
  • Blocking caller ID: Many wireline and wireless telephone services can block caller ID, either on a per-call basis (by dialing a prefix before the number) or for all calls.
  • Reconfiguring your telephone switch: A PBX connected to the telephone network over a trunk (an ISDN PRI or a SIP trunk, for example) usually supplies the calling party number itself, from whatever is configured in the switch, and many carriers pass it through without checking it.
  • Using VoIP: SIP softphone software on a PC or smartphone lets the user set the calling number (the From header) to any value; whether the false value reaches the called party depends on whether the VoIP provider screens it.
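The last two methods work only because the trunk provider accepts whatever calling number the switch or softphone presents. The following is an added example (not code from the authors or from any carrier or PBX product) of the screening a SIP trunk provider can apply at its border: parse the INVITE, pull the caller ID from the From and P-Asserted-Identity headers, compare it with the numbers provisioned to the customer's trunk, and replace any unauthorized value with the trunk's pilot number. The INVITE, the allowed-number set and the pilot number are constructed for the example.

```python
import re

# Constructed SIP INVITE, as a PBX or softphone on a customer SIP trunk might
# send it; not captured traffic. The customer has set the From header and
# P-Asserted-Identity to a toll-free number that is not theirs.
SPOOFED_INVITE = (
    "INVITE sip:+15555550100@carrier.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"Bank Fraud Dept\" <sip:+18005550199@carrier.example>;tag=1928301774\r\n"
    "To: <sip:+15555550100@carrier.example>\r\n"
    "P-Asserted-Identity: <sip:+18005550199@carrier.example>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Numbers provisioned to this trunk (assumed data): the customer's DID range.
TRUNK_ALLOWED_CALLER_IDS = {"+15555551000", "+15555551001"}
TRUNK_PILOT_NUMBER = "+15555551000"   # substituted when the presented ID is not allowed

IDENTITY_HEADERS = ("From", "P-Asserted-Identity")


def header(msg, name):
    """Return the value of the first header called `name`, or None."""
    m = re.search(r"^" + re.escape(name) + r":[ \t]*(.*?)\r?$", msg, re.M | re.I)
    return m.group(1) if m else None


def uri_user(header_value):
    """Extract the user part (the phone number) from a SIP URI inside a header value."""
    m = re.search(r"sip:([^@>;]+)@", header_value)
    return m.group(1) if m else None


def set_header_user(msg, name, new_user):
    """Rewrite the user part of the SIP URI in header `name`, keeping everything else."""
    pattern = re.compile(r"^(" + re.escape(name) + r":[ \t]*.*?)sip:[^@>;]+@", re.M | re.I)
    return pattern.sub(lambda m: m.group(1) + f"sip:{new_user}@", msg, count=1)


def screen_caller_id(msg, allowed):
    """Return (presented, rejected): caller IDs found per header, and those not on the allow list."""
    presented = {}
    for name in IDENTITY_HEADERS:
        value = header(msg, name)
        if value is not None:
            presented[name] = uri_user(value)
    rejected = {n: u for n, u in presented.items() if u not in allowed}
    return presented, rejected


def enforce_caller_id(msg, allowed, pilot):
    """Accept the INVITE as-is, or replace every unauthorized caller ID with the trunk pilot number."""
    _, rejected = screen_caller_id(msg, allowed)
    if not rejected:
        return "accept", msg
    fixed = msg
    for name in rejected:
        fixed = set_header_user(fixed, name, pilot)
    return "rewritten", fixed


if __name__ == "__main__":
    decision, out = enforce_caller_id(SPOOFED_INVITE, TRUNK_ALLOWED_CALLER_IDS, TRUNK_PILOT_NUMBER)
    print(decision)
    print(header(out, "From"))
    print(header(out, "P-Asserted-Identity"))
```

The check is tied to the authenticated trunk, not to anything in the message, because everything in the message is under the customer's control. The display name is left alone here; on the PSTN the name is normally looked up from the number by the terminating carrier rather than transmitted with the call, so screening the number is what matters.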

The use of caller ID spoofing as part of a scheme to commit fraud is in its infancy and may grow over time.