Happy New Year!
Many people are coming back from leave this week after a couple of weeks of holiday time, and in fact, they may still be in holiday mode! This can be a time of slightly later starts, slightly earlier finishes and casual attire. They may also be lining up for new security access cards and resetting forgotten passwords. It’s a timely reminder that security should never be taken for granted and that one of the many things that may contribute to a Happy New Year is to review your security policies right now.
Last year we experienced a few fraudulent incidents among our services. All of them could have been avoided by following a very simple set of rules which we would like to share with you.
- Never send passwords over email, even if your email is encrypted the recipient may have an unencrypted email system and the password can be intercepted. Use SMS instead.
- Never send both a username and password over the same communication channel, even by SMS. Just send the password, which will make it much harder to find out what it is for, even if intercepted.
- Turn on two-factor authentication for your SASBOSS login. You can do it through the ‘my profile’ menu. Even if your password is compromised it won’t be exploited as you need a password and a mobile phone to login to SASBOSS.
- Clean up your SASBOSS login list. Make sure that there are no obsolete or duplicate accounts, the contact details are relevant, and that the roles are still reflecting the login roles.
- Make sure your logins belong to the correct Contact Groups in SASBOSS. This will ensure you get relevant notifications on time.
- Turn on SASBOSS Call Charge Monitoring policy to Suspend if exceeded. Turn on our fraud protection. You can limit your financial risk per customer in case if the endpoint is compromised. To find out more refer to chapter 10.8 of the SASBOSS Guide.
- Never expose a SIP phone web interface to the Internet. Make sure your firewalls are configured properly to block access to the phone web interface and there is no port forwarding set for a SIP phone web interface in case your phone is on the private network. There are security scanners that constantly scan the internet for exposed SIP phones which are exploited as soon as they are found.
- Consider blocking international calls for phones located in public places. Usually, there is no need to make international calls from publicly available phones such as a hotel reception phone. Make sure the international calls are blocked for those phones so that they cannot be used for fraudulent activity.
- Use SASBOSS generated passwords. SASBOSS can generate very strong passwords for users to login with. Although you can override them, it is a good idea to keep the complex passwords generated by SASBOSS.
- Make sure your laptop requires a password to unlock the screen. Never leave your device unattended and unlocked. Setup a timeout to lock the screen, enforce a password or pin to unlock the device. It only takes a minute to create an additional super-admin user in SASBOSS if someone gets access to your pre-opened SASBOSS session.
Be safe in the New Year!
Stan Chizhevskiy, Technical Director