Ensure default voicemail and maintenance passwords are changed and introduce a policy to prevent easily guessable passwords being used. Make sure that the policy demands regular password changes and take steps to ensure the policy is enforced.

Installing a call logging solution, to provide notification of suspicious activity on your PBX, is a useful measure and one that can often give valuable early warning of an attack. In addition, review existing PBX control functions that might be at risk or which could allow errors to occur.

Be aware that many voice systems now have an IP address and are therefore connected to your data network. You therefore must assess what provisions you have to segment both networks. Security exposures can also result from the way multiple PBX platforms are connected across a corporate network or from interconnectivity with existing applications.


Research and investigate operating system weaknesses, including analytical findings, manufacturer recommendations, prioritisation and mitigation or closure needs - and implement a regular schedule of reviewing server service packs, patches, hot-fixes and anti-virus software.

Finally, formalise and instigate a regular testing plan that includes prioritisation of the elements and components to be assessed, and supplement this by conducting a series of probing exercises to confirm the effectiveness of the security controls used.