New NCSC Guidance Aimed at Securing PBX Systems From Cyber Threats

Written by: Shipra Sanganeria, Cybersecurity & Tech Writer

Fact-checked by: Justyn Newman, Head Content Manager

The National Cyber Security Centre (NCSC) of the UK issued guidance to protect Private Branch Exchange (PBX) systems against potential cyber threats. The increasing integration of traditional PBX with the internet has made the system vulnerable to cyberattacks.

PBX is an internet-connected private telephone network, used to route and manage incoming and outgoing calls. The system comprises business-friendly support services, like call forwarding, diverting, voicemail, and conference calling.

According to the advisory, if the PBX systems are not configured correctly, they can expose an organization to various types of fraudulent activities and cyberattacks.

Some of the ways in which a PBX system can be weaponized include committing ‘dial-through fraud’, where cybercriminals route calls to premium overseas numbers or set up scam lines that charge a premium rate. When compromised, the system allows a threat actor to carry out denial-of-service (DoS) attacks against any enterprise, NCSC says.

To help organizations fortify their cyber defenses, the NCSC released new risk mitigation measures in a recently published advisory.

Regardless of the type of PBX system used, whether internally managed or cloud-based, organizations can boost their system security. Employees can be trained to use stronger passwords and protect administrative accounts by setting up multi-factor authentication (MFA).

Additionally, organizations, as PBX owners, are advised to thoroughly review their contracts with PBX providers to mitigate financial risks arising from cyber threats.

“For example, you may decide that you need to limit the types of calls staff make, or restrict the ability to forward calls to an off-premise number. If you’re using a managed service, then attacks as a result of misconfiguration are the responsibility of the provider, something to keep in mind if you’re pressured into taking out insurance to defend against attacks that should be covered by your managed service provider,” the advisory outlined.

In conclusion, NCSC advised that in case of any suspected PBX compromise, enterprises should immediately contact their PBX providers and financial institutions. They should also report the incident to relevant authorities like Action Fraud (UK) or local law enforcement agencies.
