Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go.

Cybersecurity knowledge All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Yes, it is another wonderful day that we're going to be chatting about some great stuff related to the CISSP, and so, yes, it's going to be on domain 4.3.1 and we're going to be getting into various aspects around voice security as it relates to ISC Squared's manual. And, again, if you're studying for the CISSP exam, you need to utilize the ISC Squared CISSP information. Well, it's a Certified Information Systems Security Professional Study Guide. Now, that's what all of the content that I provide comes out of that study guide. The ultimate point is just to provide you the details you need to help you pass the CISSP the first time, and that's the goal of the podcast. So I know that's why you are here.

If you are going to check out some various CISSP aspects, go to CISSP Cyber Training and you can get access to all of my content. I have a lot of free stuff out there. It's available to you, but I also have access to you get immediately. If you sign up for my email list, you get 360 email, or I should say CISSP questions that are sent to you over a period of basically a few weeks at a time. You get some more questions to give you some time to study. So if you're looking for free CISSP questions, go to CISSP Cyber Training and you can gain access to 360 free CISSP questions immediately. All you got to do is just give me your email address and life is good. And if you do that, then we also can get you access to other things that are coming your way as far as products, and you'll get access to when things are coming out and so forth. So, again, got to put the plug out there. Go to CISSP Cyber Training.

But before we do, we're going to have one article that I saw in the news today that I thought was really riveting and earth-shaking. Well, probably not earth-shaking, but it was actually kind of interesting. Okay, this is out of Wired Magazine and there's an issue with a Subaru vehicle driving. Now these are all connected to Starlink and because of this, they found some bugs in their web portal that allowed individuals within the company to have access to a lot of considerably sensitive information, as well as having access to do what they need to do with the car. So some of these security flaws were found about a year ago, and these were based in the 2023 Subaru Impreza and what this could do is it would actually be able to unlock the car, honk its horn, start the ignition and track it in its real-time location.

Now, short of just freaking people out and unlocking and honking cars, I mean, obviously, if you want to unlock it, people could go and steal information or steal stuff out of it. Starting the car okay, so what? But I mean all those I say so what? It's all freaky bad right, that's all stuff that we don't want to have happen.

One of the things that I saw that would be very interesting and coming from a red team perspective, is, if I'm looking to track my mark, I'm tracking the individual that may be highly sensitive to me. Having that access of where that vehicle's at and where it's gone and also timestamps around, that would be extremely concerning, and where it's gone and also timestamps around, that would be extremely concerning. So those would be aspects that I think would be important for bad guys and girls to know. Or someone just trying to chase somebody, I mean, that's kind of how that plays out. So they had precise locations and timestamps, revealing information, such as visits to specific addresses and routine destinations. So, if you're trying to figure out where somebody goes, that's a good way to find it.

These vulnerabilities potentially affected around a million or so Subaru vehicles equipped with the Starlink digital feature across the US, canada and Japan, so it's a pretty substantial amount of people that would be potentially affected by this. Now, if you were able to gain access to these systems, you could, and, again, it's not so simple as just hey, I go ahead and I log into the web portal and I have access to it. There's obviously some things that need to be done, and they haven't really gone into all the gory details around that. The bottom line, though, is that they issued a patch in November, and a distributor had addressed the problem with these security flaws that they found. So, again, that's an important part. They did address it. They obviously got it out there before we let everybody know too much about it, but, at the end of the day, this is all down to this, and we talk about this IoT, or cyber capability that's built into vehicles, and, because of this situation, there's all kinds of data that's flowing from the devices we have connected to the internet, and phones, cars, combines you name it a planter in your field they all are sending data to the internet, and so all of these things can be very sensitive depending upon who would potentially gain access to them. So the article talks a little bit about as well. These are very similar vulnerabilities that were discovered both in acura, genesis, honda, hyundai, infiniti, kia and toyota.

So, again, as you can see, it's a pretty big issue, and I come back to the fact that most of these vehicles. When I taught this in the local college here in wichita, kansas, one of the things I brought up to them is that all these vehicles have hundreds, if not millions, of lines, hundreds of thousands, if not millions of lines, hundreds of thousands, if not millions, of lines of code built into them so that they can provide the information needed to one the consumer, and also to the manufacturers around how the product's working and so forth. And all of that data is flowing everywhere and unless you have a good data security model around the protection of it, it's going to just basically proliferate. Now, that being said, you could have a very good, strong data security model around it, and the data still gets out. It's not a perfect science and unfortunately that would be great if it was, but it's not. So one of the key factors and takeaways on all this is that if you are a security professional, you're in a good field. Second thing is always consider any device you have is connected to the internet and therefore you need to understand do you want your data tracked? Do you care? Second is is if there's personal data that is concerning, are you doing what you need to do to minimize or mitigate that risk to you and your family and potentially your company as well? So, bottom line this is again from wired magazine these security flaws that are tied to the subaru. They've addressed them, but you can expect to see more of that in the near future.

Okay, in this training we are going to be getting into domain 4 and implementing secure communication channels. This is again 4.3.1, according to design, and this is going to be specifically focused on voice, specifically focused on voice. So again, as you guys know, the ISC squared, cissp, is a long, full of information training, right, there's all kinds of stuff in there. So, but we're going to focus specifically on the voice part of this aspect of the domain four. And there's within domain four, there's a lot other areas secure communication channels. There is multimedia communication or multimedia security as well. So again, you can go to CISSP Cyber Training and get access to all of that, and all this content is available to you to help you study for the exam. So let's roll right into what we're going to talk about.

Okay, so today we're going to be getting into PSTN, which is your public switch telephone networks, voice over IP, vishing and freaking PBX, fraud and abuse, and then practical considerations and potentially real world implications. Yeah, that didn't say that really well. Implications yes, the big $10 word, my wife says when I talk, I put words together. So, yes, you probably all are listening to me going. Yeah, she ain't wrong. So, again, we're going to get into these aspects Now. Public switch telephone network.

If you are old like me and some of you, I know, have listened to this podcast that, listen to me, are a little bit on this more seasoned side, such as myself you will know what a public switch telephone network is, a PSTN, and PSTNs are still around in the globe or around the globe today. Here in the United States, they are there, but they're small, but they're still around in the globe or around the globe. Today, here in the United States, they are there, but they're small, but they're still around. If you go into other countries, they're much more prevalent. And what is a PSTN?

If you were asking, that's the old physical data or landline that had a phone connected to a line to your wall. You pick it up, you push buttons and then you can talk to somebody. I remember I was so old that and I was talking to my grandparents when they were little about this we had a phone that was in their house. Now they lived on a farm, small little farm in Iowa, and they had a phone that came in their house and in that there was part of a switching network and these folks you'd get on the phone, you'd dial, first of all you'd dial zero and it would actually get you to an operator. Now that would give you somebody at the switchboard that would then connect your call to somebody else's call and that they I remember vaguely a little of that, but mainly it was you would actually dial in the number and then someone in the switching center would move it around. I don't remember how, but I do know that they listened quite frequently to phone calls and conversations. So if you were trying to get all of the gory details or the gossip around the local community, just talk to the person who's listening in on all the phone calls. So yes, that was a very interesting time.

But, as you can see, that has changed dramatically from where we are today. It's gone from the PST ends and moved its way on up to now we have cell phones and we have everything else but the PSTN. It serves as the foundation of traditional communications, again offering voice and limited data services, again that you got a standard copper line and you have limited data on what you can send through it. I remember the old days of having this set up where you would have your computer and a modem would then connect into your PSTN and it would hear the beep boop, beep boop, beep boop and it would do its communication thing. And that has passed on to where we are today, where pretty much many people have fiber inside their houses here in the United States.

I know that's different in some places, but I have DSL line which you guys are probably going oh travesty, different in some places. But I have dsl line which you guys are probably going oh travesty, a dsl down at a little house that we have a verbo um here in a small little lake not too far from us, and the dsl does pretty well, but that again, that's that is pretty interesting and how. This is a very remote location and I still have dsl line with 40 megs of data transfers, so I think it's pretty, pretty cool. So what is it? It's pretty, pretty cool. So what is it? It's basically a circuit switch network that is used for voice communication, right, and it's based on a very old analog technology, which is what first came out from and was brought forward, and this is, I think it's Alexander Bell brought.

This Was it Alexander Bell.

One of those guys one of those old dead guys brought this forward and it helped it with digital signaling. Now, if you go to the Morse code or the tap tap, tap, tap, tap, that was under the same kind of concept as the overall old school way of doing communications. It moved on and they had some key components that you may be asked about, and so this is something you need to understand and the reason you might be going this is old technology. It's not something that people really do deal with a whole lot now. It is like I mentioned earlier. It is in various aspects around the globe. You may run into this in certain places. So having an understanding around what these switching networks are is an important part of the overall role and we talked about with the CISSP. Again, you have to be about an inch deep and a mile wide in your knowledge around technology, and this is one of those little inch deep areas, probably more like about a quarter inch, but you got to have a little bit of basic knowledge around it. So those components are central offices. These serve as your switching centers for connecting calls. Like I mentioned earlier, the lady that's in the room connecting the two lines together would be a central office. Now in today's world that's all automated right. They have a relatively. They have all new systems in there that do that for you. They don't have a lady that is smoking on a bunch of cigars and cigarettes just plugging in lines here and there. Now the switches will route calls between local exchanges and your long-distance carriers and international gateways.

Now I remember the days that if I was going to call a long-distance carrier or call somebody long-distance, I had to put in a special number and I knew that my rates to call long-distance would go up from what it would cost me, and so very rarely would you ever call on long distance unless you absolutely had to. When it came to international, that was even more expensive and we limited those substantially. Folks would just completely limit communicating through internet channels just because of the cost. That being said, in today's world I hop on Zoom, I hop on whatever I want to do and I can talk to somebody, facetiming them on my phone any place around the globe at any point in time. We've had communications with my daughter's family in Uganda and we've chatted with some folks. When I was working with my multinational spoke with people all over the globe at any time of the day, both from a phone standpoint, just listening audio as well as video and all that. So we all see and we understand that the communication barriers of the past have pretty much been destroyed and broken to the point where we still can communicate. And for me to be able to communicate to my daughter's family in a very small village outside of Kampala, uganda, I mean that is amazing to where we have moved, to the fact that I was afraid to even make a long distance phone call because it costs too much and all the stuff that we did talking to for the most part, other than their data rates, is relatively inexpensive, if not free.

So transmission media, this would be copper lines. You'd have local loops that are set up within these lines and then you'd have fiber optics for your backbone connectivity and then again, that wasn't always fiber optics. They built this out in a hub and spoke kind of thought process and they would use fiber optics to connect the main places and then they would spoke out with the overall copper lines out to those areas. You have signaling systems. These are early systems that were done for in-band signaling, and then you have current systems, which is the signaling system, which is the SS7, which is for out-of-band signaling. Now we'll get into some SS7 vulnerabilities that come into that, but bottom line is this is how the communication is done over these copper lines.

Now there's some security concerns, obviously, with SS7 signaling protocols that are there and these vulnerabilities will allow attackers to intercept calls, attract user location, eavesdrop on conversations and et cetera. It still can happen, and when I was working as a red team, I would have my JAG and I would talk around. How do we intercept phone calls? And in today's world everything is done digitally. So you can just assume that there is a local law enforcement not probably local, but a federal law enforcement that is listening to all of your conversations in one form, shape or another. Now they may be sitting off in a digital box somewhere and a robot is listening to them, but at the end of the day those conversations are not private. So that was what we'll get into VoIP at another point in this section.

But when it comes to these types of vulnerabilities, they are wide open. Anybody can listen to these conversations. And so what ended up happening? Like again talking as an old guy, if you were in a room and say I had a phone call coming in, it all comes into one line. But if anybody picked up the receiver on that phone you could hear the conversation that's going on. It wasn't just limited from point A to point B, it was point A to a house, which is actually any node. Any receiver in that house would be point B. So if I'm talking to my girlfriend as a teenager and my mom and dad decide to pick up the phone very quietly, then they could actually listen to my conversation with a girlfriend. That obviously has changed substantially from those days. But eavesdropping was a big risk.

With these types of systems, physical access risk to central offices or communication lines is a security concern as well. So if your country or part of your world depends upon these physical lines, that box becomes a very critical part or critical node in the security of your overall communication infrastructure. So therefore you need to make sure that one and if you didn't notice before, many of these systems, these physical boxes were, I should say, central offices were very nondescript buildings. What does that mean? That you wouldn't know that they were a central office? I have one in my local town and I know it's a central office just because I have friends that work there and they also will park an AT&T vehicle out in the parking lot. But, that being said, you would not know it's a central office to a communication hub here in the local area. Why? Well, because if you do something like run a truck into it and you take it out, you now lose communications for a very large subset of people.

I know that on the East Coast there's a couple key places from where data is going in and out of the United States on the East Coast and these you wouldn't know it. But there's basically a manhole that has all of this traffic going through it in very specific places that if a bad guy or girl decided to do something with it, they could basically shut down communications along parts of the East Coast. So you don't want people to know where these physical locations are at. So therefore, if you talk to somebody and they say, well, hey, we have this physical place just down the street and you're like what it's? Because of that specific reason, there's eavesdropping risk, which we kind of talked about, especially in these older analog systems. And again, anytime it goes analog, it's open for eavesdropping. So be careful what you say. As we said in the military, loose lips, sink ships. So that's one of the aspects where they said that in World War II that people would talk. What happens? Ships sink. So you want to avoid any sort of thing saying things over an analog line. So if you don't know, you might want to double check.

Okay, challenges there's limited adaptability to modern data needs compared to the IP-based systems. Which is voice over IP, and it doesn't give you a whole lot of compatibility. You've got to have this one analog phone. There's potential for total fraud and spoofing attacks as well. That can come from all of this. Okay, so then, what is voice over IP? We talked about it just earlier. What is VoIP? So VoIP is a voice calls that are over Internet-based networks versus the traditional PSTN network, and you'll get this now with Google Voice.

Pretty much all of your communications now, especially what I'm communicating with people over Zoom, is over VoIP, and it's designed to be much more flexible, much more useful and, in many cases in most, most, most, most cases it is much more secure. There is some key components to VoIP. You have your session initiation protocol, which is your SIP, and this maintains and establishes and terminates the sessions that are going on between the two parties. You have your real-time protocol, which manages the real-time delivery of these audio and video packets that are going back and forth, and your codecs. These you'll hear you've heard about codecs and they will compress and decompress audio streams based on an encryption schema. So that's what does all of your audio streams that are going between your various communication paths, your gateways and your gatekeepers, and these will handle communications between VoIP and PSTN networks. So when you convert from VoIP into the standard analog, these gateways will convert that for you.

So again, it's a very flexible system and it's relatively new. I mean I say that it's been around for about 20 years probably. But its adoption from corporations to home it's gone extremely fast compared to the old PSTN networks. So advantages it's very cost effective, it's scalable, it integrates with modern IT systems and it's very useful, like I mentioned, with the part earlier around me talking to Uganda. That's it right. It's amazing. It's like magic. It really is. Now. The world is a much smaller place In the past when I grew up no-transcript in the past versus what it is today. So it's also support for unified communications, including video conferencing and instant messaging, again makes it really cool very quickly.

Now, what are some of the security risks associated with VoIP. So you have eavesdropping, right. There's vulnerability with voice streams if it is unencrypted and there is VoIP communications that are unencrypted. They're getting more and more of, they're getting less and less popular and you're seeing less of them, but it is a possibility. You could run into that Man-in-the in the middle attacks or MITM you guys have seen this I'm sure that acronym in other places. This is where you intercept and manipulate calls or the specific metadata that is tied to this VoIP communication Caller ID. And spoofing. This is again misleading the recipient by forging their caller ID this has I don't see much of it now, but it was a big factor in the past. You could then impersonate somebody else if you're trying to spoof their specific caller ID.

Spit, which is spam over internet telephony yeah, see, that's a big $10 word. I can't say over the telephone, right? Spam over internet telephone, let's just stick with that. These are unsolicited bulk calls. Oh my gosh, I'm so sick of spam. We get it all the bloody time and it's annoying. I don't know if you all see it. It's just crazy. I mean, one of the actually really cool invention was one of the companies that I work with with Coke Industries, when I was with them, they invested in a company that actually helps with the overall. Telling your phone, hey, this is spam. So that's pretty cool. I think it's. I do appreciate that immensely. But I will tell you I'm so sick of spam, so sick of it, and I know I'm ranting a bit there, but you all are feeling my pain. You're feeling my pain.

Infrastructure concerns, again. Exploitation of SIP protocols and their vulnerabilities can occur, as well as denial of service, targeting the specific SIP servers or gateways. Again, if you target those and you hit them with a denial of service and you are pumping so much goo at the servers, then the VoIP issue could be a problem where you can't get communications out. Again, it's an IP based data and it is going in and out of your organization. So if you fill up the hole with a bunch of garbage, then even your voice can't get out. Now, in today's capabilities around scrubbing technologies and other DDoS mitigation capabilities, that is pretty limited, but it still does happen. And if you shut, what can never be more frustrating is that when your VoIP gets shut down, how do you deal with it? So, that being said, you also we talk about disaster recovery and incident response place to mitigate this issue and have backups to deal with your DDoS or DDoS activities, which would be you'd enroll people to cell phones and so forth. So mitigations, again, use encrypted protocols like SRTP, which is secure, rtp, sip authentication and session border controllers, which is SBCs, and then network segmentation for your VoIP traffic.

You may want a specific situation where you have a dedicated circuit specifically for voice traffic. It isn't going over your standard outbound traffic of your company. It actually goes over a dedicated circuit. So I've dealt with that, especially in critical locations where communication is vital. We would have backups. You'd have a circuit specifically for your voice over IP. You would also have sat phones if you needed them as well, as everybody had their cell phones. But in some cases where, depending on the manufacturing facility you were at, you couldn't have cell phones readily accessed, you'd have to have a specific communications channel, walkie talkies or sat phones with you. That would allow you to communicate. That wouldn't be an explosive hazard. So again, you need to really kind of consider that as a security professional, what do you want to do with your organization?

And as we talk about yeah, okay, this is the part that I love about CISSP Cyber Trainings Podcast is we're getting into details that, I'm sorry experienced professionals will give you. This is awesome stuff that you will not get out of a textbook, and so I recommend that as you're studying for the CISSP. That's awesome, that is great and I'm super proud of you, but don't stop learning, because there's so much more that just digs deeper into this, versus just having the CISSP certification. Great, great first step. Got to have it, but think about the future as well.

Okay, so vishing and freaking. So this is like not me running around naked, that's streaking, this is freaking. So freaking is social engineering, obviously to abuse the telecommunication system for malicious purposes. So vishing is voice phishing, and they use this to basically deceive individuals who are to divulge sensitive information such as credentials, personal data and so forth. Had various aspects of dealing with vishing with people, and people will try all kinds of stuff, especially if they think they can get money. It's all about the money, baby. So these methods are spoofed caller IDs to impersonate legitimate organizations obviously banks, governments.

I get it all the time on your phone. I'm with Google Business Center, you owe taxes. Wait, those two don't go together, but you know what I mean. You owe taxes and I'm with Google Business Center. I'm with this, I'm with that, and they're all trying to get you to go. There's a problem, you have to fix it and then you initiate this problem. Oh, I got to fix it and now they got you.

So again, these are automated robocalls and pre-recorded messages. Urgency is the key. You got to do it now, or you are going to jail those kind of things to get you to do immediate action. They target individuals and they target businesses. No one is safe, no one. So you need to teach everybody, including your teenage children, who roll their eyes at you and go oh, my gosh, dad, you really.

I'll give you a real quick, funny story. So my kids, or two of my daughters, are going to be joining the military and so I retired right as a lieutenant colonel, done all kinds of fun stuff. I was enlisted officer, did super secret fan things, flew airplanes, do all that great stuff. And the fun thing about that is is like so I've got like gobs of experience. No, don't have it all by any stretch of the imagination, but I've been doing it a few times.

So when my kids come back to me, this is just, sorry, a little tangent, but this is for you all that may have older children is that they go hey, this guy's got this great idea and this girl's got this great idea, and about the military and these so forth. And I go to them I say, yeah, well, yeah, dad, you're just dad, you don't know what you're talking about. So you know what and you can use that as well as in your security world. And how is that so? Well, remember this statement a prophet in his hometown has no honor. So you, as a security professional in your own town, in your own business, but comes with these awesome ideas and they talk to the right people. They are like I don't know whoever, some big person who knows how to think, I don't know Socrates or somebody like that. They are like those folks because they know something. They're not within the organization, so they are automatically elevated to a higher level. Same thing with my kids. So as a security professional I know it's a little bit of a tangent as a security professional, one thing to think about is you can only go so far. So bringing in expert people to help elevate your goal and what you're trying to accomplish can be extremely valuable to you, and this is why third-party audits are a good thing, or third-party assessments are a good thing because this third party can come in and tell you where you have issues and you can get some things done. So kind of consider that as you're moving forward.

Countermeasures around vishing is color ID verification and education on phishing tactics, teaching your people, implementation of anti-spoofing techniques such as like stir and shaken, and then awareness programs for your employees and end users. Again, educate, educate, educate is the key factor with this. Now with freaking, what is freaking freaking is phone freaking and this is where it's exploiting the telecommunication system to mute, manipulate or abuse them from free calls or unauthorized access. So that's the ultimate point of phone phreaking. Now it isn't as big of a deal now as it used to be in the past and there were some folks that were really good at it and also went to jail for it. But the early methods included tone generation devices such as blue boxes, and to bypass the billing piece and I talked about earlier, you had to go if you want to make an international call, you would type in certain code and it would go to billing these tone generators. But to kind of take a step back in the past, when you would actually push a button, you would hear go beep, boop, boop, boop, boop, and that tone is what sent off a. What told you the number? Well, they would do tone generations to actually bypass that capability and it would look like a local call but it was actually an international call. So there's been a lot of cases around this and, like I said mentioned earlier, folks went to prison because of it.

So the evolution has turned into targeting VoIP systems and mobile networks for fraud, hacking PBX systems for long distance call abuse, if that's still a factor and something that they run into. But again, pbx is still out there and so you're going to want it could be a factor, depending on which company you go work for Countermeasures. This is regular monitoring for call logs and anomalies. Strong authentication, obviously for administrative access to PBX and VoIP systems. Those are some of the key credentials within your company, so you need to make sure that you have them under very strong control. Patching and securing out data telecommunications infrastructure again another important part you need to kind of think about and start getting rid of the old and bringing in the new. Problem is it costs lots of money. It just does PBX fraud and abuse the PBX we kind of mentioned and alluded to it earlier. This is the private branch exchange and these are prime targets for abuse, again due to their complexity and connectivity issues.

So PBX is an internal phone system used by a business. Now, in the past we used to have a system that was down in the bowels of your company and it was all kinds of lines coming into it and it was the main line where all the phone lines would come into and these were kind of there would be a trunk that would come in and that would all go out. You could abuse this by exploiting vulnerabilities in the system and also here's the other thing making unauthorized calls, charging it back to the company, and this is a big deal. Or you could plug in a way to listen to phone calls if you had access to the PBX within your organization. So some of the types of fraud that tied to this was toll fraud, which we mentioned again, international premium rate calls, attackers uploading poorly secured external lines or VoIP gateways. Again, a lot of times the VoIP in the past was also a bolt-on that they made specifically to these PBX lines. That would then kind of convert the analog to digital and if you had access to that you could have access to the VoIP and as well to the PBX systems.

Call forwarding exploits is another issue. Voicemail hacking. Oh, I saw this up until recently where you would have voicemails and some very senior leaders would actually have these certain pins that they would gain access to their voicemails. Well, if that pin was well known, you could actually then call into that number, use the PIN and get access to whatever was on the conversation on the calls. Call forwarding exploits these attackers would configure PBX systems to forward calls to unauthorized numbers and then denial of service, obviously flooding PBX with calls to disrupt communications.

Now, this isn't the kind that you'd be sending packets to it, you're just actually sending phone calls to it. Same concept as sending packets, but now it's just a phone call, which would then deny the service of the pbx system. So again, pbx is analog think of it that way and it can operate. It's very similar to your voip systems. So, indicators of compromise something to consider is unexpected spikes in phone bills or unusual calling patterns, irregular phone calls or call logs. Now, we used to have call logs you could actually pull up. If you have access to that, look at those. That would be something to kind of maybe give you an indication something's going on, especially during non-business hours. You'll notice this is that a lot of the bad things happen during non-business hours. Why? Well, because in many cases the folks that are manipulating it work a job someplace else and so then when they have free time they go and come after your phone systems. So it may happen at non-business hours. Now the best way to do it is to hide it during business hours when nobody's even seeing it, because it just all blends in with all the other noise that's going on within your company. Frequent complaints of legitimate callers unable to reach the organization you know. But now that could potentially be a denial of service on your pbx systems.

Some strategies you can do to get around that access controls again. Strong passwords for pbx. Limited administrative access to trusted ip ranges. Important part call restrictions. Disable international calling if possible. Maybe you don't need to do it. Maybe you're a small business in wichita, kansas and you don't call internationally because you didn't disable that. You don't need to do it. Maybe you're a small business in Wichita, kansas, and you don't call internationally because you didn't disable that. You don't necessarily have to have it. Block high-risk area codes, potentially to areas that you know. Maybe you only communicate with the UK. So then you would block all international area codes outside of the UK because that's the only people you talk to. So it's very similar to everything else we do in security is you limit the blast radius of what you're trying to accomplish, deploy real-time fraud detection tools. You can also harden your PBX system by then migrating away from it or connecting it directly into VoIP systems as well. And then, lastly, which we run into all the time, is disabling unused features or extensions. They get you every time. Extensions that get you every time. So here's some practical considerations when you're dealing with the overall PBX and VoIP system, voice systems and everything else.

Integration into legacy PSTN systems with VoIP does introduce new attack services. You need to be prepared to that and I highly recommend you move away from PSTN into the VoIP systems. The human element is a key factor and social engineering is a big thing for your folks. So you need to make sure that you teach and train your folks on what to expect, develop an incident response plan specifically for your telecommunications abuse scenarios, and that really means you need to understand. Again back to what we've talked about time and time again in this podcast, as well as in the training that I have on CISSP Cyber Training is the fact that you understand the network within your organization and therefore you can put in place an instant response plan designated specifically for you. That would be as if you are using PTS lines and they are then no longer useful because your building blew up and now you have to communicate. How are you going to do that? Also, have plans for engaging law enforcement for any sort of significant fraud cases. They will not come out for the little fraud, but they will come out for the big frog not frog, but fraud that they will come out for. That Regulatory compliance, adherence to laws such as GDPR again for data protection and vishing cases that comes down to is data privacy is a big factor and you better have a plan to deal with it. There are understand telecommunications specific standards, like the FCC, and what are those within your organization that affect you. So, again, that's a lot of information to you, but that's just focused specifically on voice. So it's a huge factor, something for you to consider as you're studying for your CISSP.

Again, studying for the CISSP is a never-ending process. It is the hospital you never get out of. The one great thing about CISSP cyber training and getting your CISSP is the fact that the money that you can get this certification, you are now included in a group of people that can start commanding a higher income and a higher salary. But with that higher income and higher salary comes higher knowledge. You need to know more information to be able to utilize that to help protect companies. It's not just checkmark done. I've got my certification, I'm out of here Now you can do that. But understanding the overall concepts of everything is what's going to make you a very good security professional who can command the kind of money that you may be wishing or desiring and you may not. That's fine too, but it is available to you if you choose. Okay, that is all I have for you today.

Head on over to cisspcybertrainingcom.

Get access to my free questions.

Sign up. You get free stuff. I mean it, it's awesome and you'll get access to 360 free questions immediately Well, not immediately, you'll get them spaced out over a period of about six months, but those will come to you and it's awesome. About every 15 days you're going to get another batch of CISSP questions and they're going to come to you in a way that makes sense, so that you understand what's coming to you. Also, go on out to CISSP Cyber Training. You'll get access If you sign up. As far as purchasing the products, you get all of my CISSP questions, not just the 360. I've got well over a thousand some questions in there now. But you also the best key part around. All this isn't just the questions, it's the content that follows on and answers the questions that we're talking about. It's all of that content is available to you at CISSP Cyber Training Head over there. You got nothing to lose. Go sign up, easy peasy, lemon squeezy. All right, have a wonderful, wonderful day and we will catch you all on the flip side, see ya.