Telecommunications Services Division Security
Security at the Telecommunications Services Division is a very
important and broad-reaching topic. Among the issues are:
Resources for information security professionals and business continuity planners.
Network Security
TSD has its own department for protecting the network against
unauthorized and illegal intrusion. There are daily attempts to
gain access to the network for malicious or criminal purposes. Much
of this activity is known as "hacking". Organizations that have
their own network(s) that connect with the TEX-AN network are
susceptible to the same network security threats and problems to
which DIR is susceptible.
Therefore, we strongly urge organizations whose networks hold
valuable and important data to protect them with firewall systems. Next
to not being connected to the network at all, firewalls offer the
best opportunity for organizations to keep hackers out.
Authorization Codes
There has been considerable abuse of the State's long distance
voice services. Many organizations have authorization codes that
allow selected individuals to make long distance calls that are
charged to the organization and that qualify for state discount
rates. The largest problem is that authorization codes are not
protected, or are unwittingly distributed. This allows unauthorized
individuals to make "free" calls. Or, it allows otherwise
authorized employees to make personal calls using systems intended
for official use only. All TEX-AN 2000 and Capitol Complex
Telephone System (CCTS) facilities and services are For Official
Business Only. Organizations must control use of authorization
codes and control who has access to those codes. Another very good
way of taking care of this problem is to use calling cards.
Protection Against Computer Viruses
Computer viruses are a plague of modern times. These
software/code devices are a threat to all TEX-AN users, from large
agencies to the smallest one-person offices. It is up to all
users of computers connected to TEX-AN systems to:
- Know generally what viruses are and how viruses do damage
- Know how to protect your systems
- Know how to tell if you've been attacked--know the "symptoms"
- Know how to clean and restore systems after being attacked
- Know how to report a virus attack
- Know how to keep from infecting other users
Receiving Unsolicited Fax Advertising
It is against the law for businesses to send unsolicited FAXes
to government offices. If you receive even a few of these unwanted
advertisements, then your FAX facilities are being tied up and are
not available for official business--besides the paper that is
wasted. So, if you receive such FAXes, please first contact the
company that is sending them. If that doesn't work please call
512-463-2070.
Email Issues
Most TEX-AN users who have computers use e-mail. Besides being
one of the most important tools, it is also a source of virus
intrusion, unauthorized solicitation, and abuse.
Viruses From Email
Users must realize that they can send and receive viruses by
e-mail message, whether knowingly or not. It is important for users
to be suspicious of all e-mail from unknown users. Also, users must
use caution with e-mail that contains attachments.
NEVER open attachments that are computer programs.
NEVER open attachments from suspicious or unknown
senders.
Those programs could contain viruses that could destroy your
computer hardware, software, and those of all of your coworkers.
Users often receive and want to share attachments that contain
programs such as pictures and movies. In nearly all cases, users
are liable for the damage they cause by opening suspicious
attachments or by sending unauthorized e-mail.
Unauthorized e-mail Solicitation
Receiving unsolicited advertising e-mail can be annoying and
very time-consuming. Unsolicited e-mail (which is
often referred to as SPAM) may contain viruses. Like unsolicited
FAXes, SPAM is against the law. If you receive enough that
significant resources are being wasted, report these to your system
administrator and/or to the TEX-AN Network Operations Help
Desk.
Email Abuse
Use of e-mail directly affects the TEX-AN Network and other TEX-AN
users. E-mail, usually, is for official use only. Sending or
receiving personal e-mail, like telephone calls, is usually on a
strictly limited basis--usually officially tolerated. However,
TEX-AN users should understand that sending large numbers of e-mails
or e-mail with very large attachments can unnecessarily flood the
network. Flooding the network with unnecessary data slows it down
for everyone else to use. Often, the office that is most affected
is the one sending and receiving the offending e-mail. Like abuse
of web browsers, users can inadvertently load the network.
Attaching very large files, like personal pictures, music or movie
clips, may hurt your fellow TEX-AN users. Even e-mails of
authorized, official business could be unnecessarily large. System
administrators monitor how many e-mails get stored. Even though
TEX-AN Network Administrators are there to protect the network from
wasteful or abusive use of e-mail, it's up to individual users to
help each other and everyone.
Passwords
Passwords are another feature common to TEX-AN users statewide.
Passwords are used to log in to computers, access networks,
protect e-mail, safeguard files, access the Internet, and to
authorize and verify use of services and support. The two problems
with passwords are, first, forgetting them and, second, letting
unauthorized persons get them.
Forgetting Passwords
If you forget any of your passwords, time is wasted getting new
ones or restoring old ones. You could lose files and
data--temporarily, or worse, permanently! Forgetting passwords only
happens when you need what it is that the passwords protect. So,
forgetting passwords always seems to happen at the wrong time. But,
passwords are vital. They protect you and the TEX-AN network. Your
organization, by using the TEX-AN network, has a legal obligation
to protect all systems that process official State
information.
Protecting Passwords
Don't intentionally or unintentionally give away any of your
passwords. For example, you should share your computer and network
passwords with your system administrator. But, you wouldn't share
your business account passwords with that person. Passwords, when
used, should not contain any information that is available
publicly, like your name, address, birthday, social security
number, etc. You should change your password on a regular basis.
The more sensitive and valuable the information, the more attention
should be given to making and protecting passwords.
Remembering & Keeping Passwords
The first and most important rule is: don't make or set passwords
if you don't have to. The fewer passwords you have, the easier they
are to remember. To help you remember, if possible, choose passwords
that mean something to you. If you have multiple passwords or need
to protect very sensitive information, the only place to keep a
written copy would be under lock and key--or in a safe.
Definition of Toll Fraud
This deals with Toll Fraud on State of Texas government
telecommunications networks including TEX-AN and Capitol Complex
Telephone System. Toll Fraud consists of specific criminal acts of
fraud limited in scope as described below. It does not include
simple unauthorized use of telecommunications systems.
The Department of Information Resources (DIR) believes that it
is important to notify our TEX-AN customers of:
- Provisions in the TEX-AN contracts for toll fraud protection
and/or notification,
- Customer responsibilities and options available to secure and
protect voice equipment and long distance access against toll
fraud; and
- Customer liability for any charges that may be incurred as a
result of toll fraud.
As approved at the Telecommunications Planning and Oversight
Council meeting on July 9, 2002.
Toll fraud occurs when a hacker
dials into an agency's PBX, key system or other managed telephone
equipment and then probes the system for a weakness that will
provide an outside telephone line. For the purposes of this policy,
the point of demarcation between the long distance network and the
PBX is the customers' equipment; i.e., router, switch, or other
customer premises equipment.
Agency Liability
Liability for toll fraud is solely the responsibility of the
owner/operator of the PBX, key system, or managed telephone
equipment through which the fraud has occurred. As the financial
burden of toll fraud lies with each state agency that owns or
operates its own equipment, the state agency-owner may want to
explore toll fraud protection services that insure against any toll
fraud losses. For example, the current TEX-AN long distance
providers offer some toll fraud protection services through their
contracts. If the state agency is a customer of the Capitol Complex
Telephone System (CCTS), and has no other offices in Austin or
anywhere in Texas, then DIR is the owner/operator of the
telecommunications equipment.
Reporting Toll Fraud
Agency customers whose premises equipment has been used as an
instrument for fraudulent use must first contact the Office of the
State Auditor to report the problem, in accordance with Section
321.022, Texas Government Code. Agencies may also decide to follow
legal procedures against the perpetrators or seek relief from the
long distance carrier directly, but the TEX-AN network carriers are
under no obligation, as a matter of regulation, to waive the
payment of a bill that is the result of toll fraud on an agency's
system, or to prevent and/or detect toll fraud when it is
initiated from an agency-owned or managed system. Protection
provided by the carriers to customers is either performed directly
as a service through contract or performed indirectly as a matter
of the carriers' self-protection, which also may benefit a
customer.
More information about Toll Fraud.