Security Recommendations

Escaux fully relies on Information Technology to conduct its business activities. Incidents affecting the availability of the related IT equipment and solutions, or affecting the availability, integrity or confidentiality of the data managed by that IT, therefore have a direct effect on its customers. In this context, this document sets forth a non-exhaustive list of Security Recommendations that Escaux's Customers should take into account to decrease the risk of fraud, theft, etc. affecting its services.

General recommendations

  • It is recommended that Customer ensures that all employees, consultants, subcontractors, agents and other representatives are informed of those recommendations, so that they are able to comply with them.
  • The Customer will take all reasonable measures to prevent the Customer's equipment, and the Customer's employees, consultants, subcontractors, agents and other representatives, from causing damage, whether physical or logical, to Escaux assets (including hardware, software, data and brand image). This includes data losses, data corruptions and service interruptions due to:
    • Wrong configurations, errors, misconduct, operating errors and voluntary data alterations made by the Customer or a Customer's employee, consultant, subcontractor, agent or other representative.
    • Spreading of viruses, Trojans, backdoors, or any other type of malicious code, by the Customer or the Customer's employees, consultants, subcontractors, agents or other representatives, or by their equipment (such as workstations, servers and networking equipment).

Network Segregation Recommendation

It is recommended that the Customer implements segregation between the voice and data networks. The technical rules to be implemented by the Customer for this purpose can be requested from Escaux. No service on the SOP(s) or any other Escaux equipment should be directly exposed to the public Internet.

Special care should be taken that the network access of a doorphone is not abused by a malicious third party to gain access to the internal network.

Logical Access Recommendation

Recommendations in this chapter apply only when Customer or Customer's employees, consultants, subcontractors, agents and other representatives must access Escaux systems, applications or data.
  • Any information hosted on Escaux systems, unless otherwise explicitly stated, must be considered as confidential.
  • In case the Customer's employees, consultants, subcontractors, agents and other representatives receive a password or a PIN code, they must memorize the passwords and PIN codes given by Escaux. Any hard copies of these passwords and/or codes must be kept in a secure place (safe). Under no circumstances may these passwords and/or codes be written visibly on devices.
    • Those passwords must be strong passwords. The following guidelines increase the strength of a password:
      • having a length of at least 8 characters;
      • including at least 1 lowercase letter, 1 uppercase letter and 1 digit;
      • differing in at least 2 characters from any common word, name or brand;
      • different from the login.
    • Those PIN codes must be non-trivial. The following rules define a strong PIN code:
      • maximum 2 occurrences of the same digit;
      • different from the login/extension;
      • no logical sequence such as 1234, 4321, etc.
    • Those passwords/PIN codes must be changed regularly, and immediately if there is any risk that they are no longer secure (e.g. when a Customer's employee, consultant, subcontractor, agent or other representative who knows the credential leaves the company).
  • The Customer's employees, consultants, subcontractors, agents and other representatives will use the access rights provided to them by Escaux only for the purpose of fulfilling their duties.
  • In case the Escaux solution is connected to a Customer application (e.g. LDAP), the Customer will grant Escaux the minimal rights needed, so as to avoid any risk to the confidentiality, integrity or availability of the Customer application/data. These rights will be granted on a need-to-know, need-to-have basis. Escaux may never be held liable for any service disruption, fraud, theft, etc. caused by the use of these access rights.
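The password and PIN guidelines above can be checked mechanically before a credential is issued. The following validator is an added example, not Escaux's own code; the word list and the case-insensitive login comparison are assumptions, and "differing in at least 2 characters" is interpreted as an edit distance of at least 2.

```python
import re
from typing import List

# Constructed stand-in for the "common word, name or brand" list; a real deployment would load a dictionary.
COMMON_WORDS = ["password", "escaux", "welcome", "telephone", "admin"]


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the 'differs in at least 2 characters' rule."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def password_issues(password: str, login: str) -> List[str]:
    """Return the guideline violations of a password; an empty list means it passes."""
    issues = []
    if len(password) < 8:
        issues.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        issues.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        issues.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        issues.append("no digit")
    if password.lower() == login.lower():  # case-insensitive comparison is an assumption
        issues.append("identical to the login")
    for word in COMMON_WORDS:
        if _edit_distance(password.lower(), word) < 2:
            issues.append(f"differs from common word '{word}' by fewer than 2 characters")
    return issues


def pin_issues(pin: str, extension: str) -> List[str]:
    """Return the guideline violations of a PIN code; an empty list means it passes."""
    if not pin.isdigit():
        return ["PIN code must contain digits only"]
    issues = []
    if max(pin.count(d) for d in set(pin)) > 2:
        issues.append("a digit occurs more than twice")
    if pin == extension:
        issues.append("identical to the login/extension")
    steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
    if len(pin) > 1 and steps in ({1}, {-1}):  # 1234 / 4321 style sequences
        issues.append("ascending or descending digit sequence")
    return issues
```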

Physical Access Recommendation

The Customer must put in place a physical security procedure in line with security best practices to prevent the Customer's employees, consultants, subcontractors, agents and other representatives from gaining access to Escaux's assets.

Fraud management

What is Fraud management

Telecommunication fraud is the theft of telecommunication services, or the use of telecommunication services to commit other forms of fraud. Victims include consumers, businesses and communication service providers.

Although telecommunication fraud encompasses a variety of illegal activities, the following are some examples:
  • PBX hacking
  • International Revenue Share Fraud
  • Identity fraud, etc.

Motives behind committing Fraud

  • To make money
  • To save money
  • To make free calls
  • To cause trouble
  • To gain 'kudos'

Escaux's policy on Fraud

Policy

If the fraud has arisen due to activities on Customer Premises Equipment for which Escaux has no operational responsibility, then it is Escaux policy to invoice the customer for that traffic. Escaux has complied with its contractual responsibility of delivering the calls sent to its network by the customer equipment, and has incurred costs for that delivery. Therefore it is the customer's responsibility to pay Escaux for the services used.

Statement

Escaux and Escaux's customers can be subject to fraud whereby third parties pass traffic over the network without authorization.

Protection of customer equipment against fraudulent activity is the responsibility of the customer. We strongly urge our customers to take steps to protect their equipment against fraud and to speak with their suppliers about the most appropriate means to do so.

Where suspected fraud is detected, Escaux will endeavor to contact the customer as soon as possible. Escaux has no control of or responsibility for protecting customer equipment against fraud. Escaux will not be liable for any loss resulting from any fraudulent use of customer equipment. This Fraud Monitoring Statement is intended to be a statement of intention by Escaux and is not intended to create any legally binding obligations upon Escaux or Escaux's employees.

Prevent Fraud

Customers are advised of the following actions which they can implement to prevent misuse in future:
  • Remove or de-activate all unnecessary system functionality, including remote access ports. If remote access ports are used, consider using strong authentication such as smartcards/tokens
  • Restrict any destinations that should not normally be dialed, e.g. premium rate, international or satellite phone operators
  • Review call logging/reporting material regularly and analyze it for increases in call volumes or suspicious destinations
  • Voicemail and DISA passwords should be changed on a regular basis, avoiding factory defaults and obvious combinations such as 1234 or the extension number
  • If DISA is not used, it should be disabled completely
  • Restrict access to equipment (e.g. comms room, master terminals)
  • Only give the appropriate and minimum level of system access required to carry out a task
  • Ensure all security features (passwords, PINs etc.) are changed following installation, upgrade and fault/maintenance work (including resetting default passwords)
  • All internal information such as directories, call logging reports and audit logs should be treated as confidential material and be securely destroyed when no longer required
  • Avoid using tones to prompt for password/PIN entry (these prompts are used by 'hacking' programs)
  • Develop processes to cover employee entry procedures, passcards, new employee vetting, people leaving and people changing jobs (revoking access to systems, mailboxes, buildings etc.)
  • System security and configuration settings should be reviewed regularly. Any vulnerabilities or irregularities should be followed up
  • Be vigilant against bogus callers (e.g. posing as a company employee) asking to be connected to switchboard operators in order to obtain an outgoing line
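The "review call logging material regularly" and "restrict destinations" points above can be combined into a simple periodic check. The script below is an added example, not an Escaux tool: the CSV call-detail layout, the sample records and the destination prefixes (Belgian numbering with 0032 as the home country, 090 as premium rate, 00870/00881 as satellite) are all assumptions.

```python
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed call-detail records (timestamp, calling extension, dialed number, seconds).
# The CSV layout is an assumption, not a real Escaux export format.
SAMPLE_CDR = """\
2024-03-02T02:10:05,201,0032471234567,65
2024-03-02T02:11:40,201,0012125550100,310
2024-03-02T02:13:02,201,0012125550101,295
2024-03-02T02:15:21,201,0087012345678,410
2024-03-02T09:05:00,105,0032221234567,120
2024-03-02T09:30:12,105,0905123456,30
"""

HOME_PREFIX = "0032"  # assumption: Belgian numbering plan, own-country calls count as "normal"


def classify(number: str) -> str:
    """Risk class of a dialed number; the prefixes are illustrative assumptions."""
    if number.startswith("090"):
        return "premium rate"
    if number.startswith(("00870", "00881")):
        return "satellite operator"
    if number.startswith("00") and not number.startswith(HOME_PREFIX):
        return "international"
    return "normal"


def review_cdr(cdr_text: str, baseline_calls: int = 3) -> Dict[str, List[str]]:
    """Flag calls to restricted destination classes and extensions whose call volume
    exceeds the baseline; findings are keyed by extension."""
    findings: Dict[str, List[str]] = defaultdict(list)
    volume: Counter = Counter()
    for line in cdr_text.splitlines():
        ts, ext, number, _seconds = line.split(",")
        volume[ext] += 1
        label = classify(number)
        if label != "normal":
            findings[ext].append(f"{ts}: call to {number} ({label})")
    for ext, count in volume.items():
        if count > baseline_calls:
            findings[ext].append(f"{count} calls exceed the baseline of {baseline_calls}")
    return dict(findings)


if __name__ == "__main__":
    for ext, items in review_cdr(SAMPLE_CDR).items():
        print(ext, *items, sep="\n  ")
```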

Abuse of Services

All the services running on the Escaux platform have been implemented according to the Customer's specifications. When a service is reachable from an external number, the risk associated with the service increases and must be evaluated by the Customer itself. In case the service is abused, the responsibility lies exclusively with the Customer. Therefore we recommend that the Customer put in place a validation mechanism for all new services. The Customer must also evaluate the risk of internal abuse, as Escaux may never be held liable for abuse of services requested by the Customer. Typical examples of services available from external numbers are listed below:

  • Set an extension's status to "forward"
    • Impact
      • Financial: a user could set a forward to an expensive international or premium destination.
    • Recommended mitigation factors
      • Authentication via a PIN code
      • The PIN code must be compliant with the requirements defined in the Logical Access chapter
      • Optional: after three unsuccessful attempts the service becomes unavailable (this can be requested by the Customer)
      • Forwarding to expensive international or premium destinations is not possible
  • Voice mail
    • Impact
      • Confidentiality
      • Financial
    • Recommended mitigation factors
      • Authentication via a PIN code
      • The PIN code must be compliant with the requirements defined in the Logical Access chapter
      • Optional: after three unsuccessful attempts the service becomes unavailable (this can be requested by the Customer)
  • Conference bridge
    • Impact
      • Usage of the service
      • Confidentiality
    • Recommended mitigation factors
      • The PIN code protection can be changed regularly by Level 1
  • Conference phone bridge
    • Impact
      • Intrusion into an ongoing conference call
      • Confidentiality
    • Recommended mitigation factors
      • Level 1 can change the PIN code protection regularly
      • Integration with a calendar that manages the conference bridge
  • Any phone
    • Impact
      • Financial
    • Recommended mitigation factors
      • Place all phones in the minimal required context, i.e. one that does not contain expensive international and premium destinations.

In order to limit the risk of abuse or attack, we recommend that the Customer limit external calls to a limited number of destinations and a limited number of people.
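The mitigations listed for the externally reachable "set forward" service (PIN authentication, lockout after three unsuccessful attempts, no forward to international or premium destinations) fit together into one authorization check. The model below is an added example, not Escaux's implementation; the in-memory PIN store, the return strings and the destination prefixes (Belgian numbering, 0032 as home country, 090 as premium rate) are assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict

MAX_ATTEMPTS = 3      # "after three unsuccessful attempts the service becomes unavailable"
HOME_PREFIX = "0032"  # assumption: Belgian numbering plan


def forward_destination_allowed(number: str) -> bool:
    """Reject expensive international and premium destinations (prefixes are assumptions)."""
    if not number.isdigit():
        return False
    if number.startswith("090"):          # premium rate
        return False
    return not (number.startswith("00") and not number.startswith(HOME_PREFIX))


@dataclass
class ForwardService:
    """Constructed model of the externally reachable 'set extension to forward' service."""
    pins: Dict[str, str]  # extension -> PIN; a real system would store a hash, not the PIN
    failures: Dict[str, int] = field(default_factory=dict)
    forwards: Dict[str, str] = field(default_factory=dict)

    def set_forward(self, extension: str, pin: str, destination: str) -> str:
        if self.failures.get(extension, 0) >= MAX_ATTEMPTS:
            return "locked"  # even a correct PIN is refused until the lockout is lifted
        expected = self.pins.get(extension)
        if expected is None or not hmac.compare_digest(expected.encode(), pin.encode()):
            self.failures[extension] = self.failures.get(extension, 0) + 1
            return "denied"
        self.failures[extension] = 0  # a successful authentication resets the counter
        if not forward_destination_allowed(destination):
            return "destination not allowed"
        self.forwards[extension] = destination
        return "forward set"
```

Lifting the lockout (by Level 1, after verifying the user) is deliberately outside the service itself, which matches the document's "service is unavailable" wording.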

Security Incident Management Process

In case of a security incident, the normal incident management procedure will be applied. In the context of risk mitigation, Escaux recommends keeping the management connection between the SMP and the SOP open at all times, as mentioned in the SLA document. However, Escaux reserves the right, without incurring any liability towards the Customer or any other person if it exercises such right, to temporarily suspend the Customer's logical accesses in case those accesses represent a direct major security risk for the service. In such a case, Escaux will notify the Customer as soon as possible of the suspension and the related reasons. The Customer will act together with Escaux to resolve any security issue or complaint about the operated service(s) (for instance claims for abuse, spamming, harassment, illegal or unethical content).
Copyright © Escaux SA