Physical security, social engineering, and general, Preventive measures – Lucent Technologies MERLIN LEGEND 6 User Manual

MERLIN LEGEND Communications System Release 6.0
System Manager’s Guide

555-660-118

Issue 1

February 1998

Customer Support Information

Page A-11

Toll Fraud Prevention

A

Physical Security, Social Engineering, and
General Security Measures

1

Criminals called

hackers may attempt to gain unauthorized access to your

communications system and voice messaging system in order to use the system
features. Hackers often attempt to trick employees into providing them with
access to a network facility (line/trunk) or a network operator. This is referred to as
social engineering. Hackers may pose as telephone company employees and
employees of Lucent Technologies or your authorized dealer. Hackers will go
through a company’s trash to find directories, dialing instructions, and other
information that will enable them to break into the system. The more
knowledgeable they appear to be about the employee names, departments,
telephone numbers, and the internal procedures of your company, the more likely
it is that they will be able to trick an employee into helping them.

Preventive Measures

1

Take the following preventive measures to limit the risk of unauthorized access by
hackers:

■

Provide good physical security for the room containing your
telecommunications equipment and the room with administrative tools,
records, and system manager information. These areas should be locked
when not attended.

■

Provide a secure trash disposal for all sensitive information, including
telephone directories, call accounting records, or anything that may supply
information about your communications system. This trash should be
shredded.

■

Educate employees that hackers may try to trick them into providing them
with dial tone or dialing a number for them. All reports of trouble, requests
for moving extensions, or any other administrative details associated with
the MERLIN LEGEND Communications System should be handled by one
person (the system manager) or within a specified department. Anyone
claiming to be a telephone company representative should be referred to
this person or department.

■

No one outside of Lucent Technologies needs to use the MERLIN
LEGEND Communications System to test facilities (lines/trunks). If a caller
identifies him- or herself as a Lucent Technologies employee, the system
manager should ask for a telephone number where the caller can be
reached. The system manager should be able to recognize the number as
a Lucent Technologies telephone number.

Before connecting the caller to

the administrative port of the MERLIN LEGEND Communications System,
the system manager should feel comfortable that a good reason to do so
exists. In any event, it is not advisable to give anyone access to network
facilities or operators, or to dial a number at the request of the caller.