Firewalls provide no protection against war dialling, a security issue that most IT managers imagine has been superseded by newer transmission technologies, and so poses no threat to their networks, according to Internet security testing specialist NTA Monitor's latest survey.

Precautions against wardialling, the scanning of telephone lines to find insecure modems that allow a back door route onto a corporate network, are being neglected, reckon NTA Monitor, whose new survey highlights the issue and outlines preventative measures.

The survey found that that, on average, modems are found in 0.75 percent of a corporate organisation's telephone number range, meaning that a company with 10,000 employees will typically contain 75 modems.

"This should cause major concern, as it only takes one insecure modem to permit a hacker to gain access to an organisation's systems," said NTA Monitor's technical director Roy Hills. "Imagine the situation for a company with 5,000 extensions over 20 sites - how can they ever be sure that no rogue modems are attached to any of those lines without testing them?"

Hackers exploiting war dialling automate the polling of a company's switchboard range for insecure modem connections.

"War dialling originally emerged as an issue in the early 1980s when organisations relied on modems to exchange data between systems. We believe it has largely been forgotten about, when in reality it is a technique that hackers are revisiting as a reaction to increased security in corporate networks. They are looking to bypass firewall restrictions and logging or using protocols such as IPX to access systems not directly accessible over IP," added Hills.

The survey conducted by NTA Monitor between August and September 2003 to ascertain awareness of war dialling as an issue amongst IT and security managers (96 percent of whom were UK-based) indicated that the issue had been widely overlooked. Some 22 per cent of those questioned had no knowledge of the issue.

Twenty-four per cent of respondents reported that there were unauthorised modems attached to systems at their sites with as many as 20 rogue modems reported to be present at an individual site. Over a third (34 per cent) said they had found unauthorised modems in the past but 68 per cent of organisations said they had no controls in place to detect modem scanning attempts on their systems.

This means they have no way of knowing if they've been the target of an attack or if they have any insecure modems attached to systems at their site. A "very worrying" 80 percent of organisations surveyed had never had a third-party war dialling test run against their systems.

Recommendations
NTA Monitor has recommended that organisations use a PBX firewall, PBX log or some other such control to track attempts to hack into systems using war dialling. It also advised management to raise awareness of war dialling among staff, both by educating them of the risks of attaching modems to the network and by tying modem security policies into staff contracts. The survey organisation has developed a set of tips for protecting sites from war dialling attacks:

Unauthorised
1. Ensure that the security policy covers modems and that this is tied into staff contracts and disciplinary procedures. 2. Educate staff about war dialling and the associated risks to make them more aware of the problems and be more vigilant in their modem use. 3. Limit direct dial analogue lines where possible. You should have calls routed via extension numbers only. 4. Check telephone bills for any gross anomalies, such as premium rate numbers, excessively high international call rates, overly long call times and out of hours calls, all of which could indicate that your system is being compromised. 5. Get regular third party scans to detect rogue modems and check that authorised modems are correctly configured in line with the policy. 6. Ensure you have tools in place to detect modem scanning attempts on your systems. These include RAS Server/OS Logging and Alerting, PBX Firewall or PBX log auditing and alerting and specialist war dial detection software.

Authorised
7. Review the need to have dial-in servers periodically, as your systems and business evolve. 8. Apply standard account management practice: ensure users only have access rights for the services they need to use, regularly review user accounts for relevance to their role and remove ex-employee accounts. 9. Disable all default accounts. Where it is not possible to change the username, ensure the password is changed. 10. Remove the modem banner. This allows the modem or system to be fingerprinted, enabling an attacker to find and run exploits or default account guesses based on the specific modem or version of software in use. 11. Enforce strong authentication on those modems that are required such as call-back or secureID. 12. Where access privileges and data access are sensitive, consider 'safe-dial' modems. These require the same type of modem at both ends for a connection to be established. A cryptographic handshake is needed to establish a connection, excluding the majority of hacking attempts.