Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.

Mathias Thurman

As a security manager, I expect my company to be hit by malware infestations, data theft, denial-of-service attacks and attempts at unauthorized access. I deal with them all as they arise, and they do keep things interesting.

But some incidents get attention not just from me, but also from management. Those tend to be incidents that result in the direct loss of either money or extremely sensitive data. Naturally, those are the types of incidents that I most want to prevent, interesting or not. And things quickly go from interesting to frustrating when you get hit with the same type of security event resulting in dollar loss several times in one year.

Last week, a financial analyst who processes payments for the IT department told me she had received an alert from our telecommunications provider that several thousand dollars in charges for phone calls to Costa Rica, Bolivia and Colombia had been racked up in less than a day. Since we don't typically do business in any of those countries or place several thousand dollars' worth of international calls in less than 12 hours, some sort of breach seemed likely.

But how? Just a few months ago, our phone system had been compromised, and my team had spent weeks working with our in-house telco department on finalizing and deploying a secure configuration to our IP telephony gateways. I had complete confidence in our gateways' security. So what had happened?

When I talked to our telco manager about the latest batch of long-distance charges, he had a dawning suspicion of what might have happened. And a little bit of digging proved his suspicion to be correct.

A contractor had been working on a new videoconferencing infrastructure, including a server residing in our DMZ for handling video calls to and from remote locations. People from our company had provided oversight. The architecture review board had held several sessions with the vendor to ensure that it was following a secure policy and configuration. The vendor's compliance had been verified several times during the deployment. Nonetheless, a review of the current configuration of the videoconferencing server (VCS) showed that the consultant had made a configuration change, opening up Port 5060, Session Initiation Protocol and other control ports to the Internet, with no authentication required.

We Will Not Accept the Charges

We had the consultant immediately close off the vulnerability to prevent any new unauthorized calls. Then we began sniffing the network connection to the VCS and looking at its connection state table. And what do you know: We discovered hundreds of connection attempts from servers in places that included Costa Rica, Bolivia and Colombia.

1  2  Next Page