Why Direct Dial-In past IVRs and Triage Desks may be a security issue.
February 3rd, 2010
The following information was gleaned from a “Black Hat” security briefing on the web, and I composed these notes to put the vulnerability into the context of our typical call center client. - Ron.
Most companies have dozens, hundreds, or more phone numbers provisioned by the phone company for use with their telephone services. Unfortunately, most companies do not manage these numbers as a corporate asset. There is an important reason to actively manage a short, “defined purpose” (e.g. ‘support’, ‘advertising tracking’, etc.) set of numbers, and to publish only the necessary few numbers for use by the calling customer.
Scam artists can rent and use the same inexpensive SIP trunk, Voice over IP, and “Asterisk software-as-PBX” technology that we use to lower phone costs and improve call center metrics. If they can get your customers to think -their- 800 or local telephone ‘scam’ number is really -yours-, then this is what happens.
1. The scammer leaves a “please call me back” voicemail or email (“This is YourBank. Please call our fraud department at 800-xxx-yyyy.”). “RoboCall” technology is a potential delivery method to spread the scam quickly to as many people as possible.
2. The caller calls the number and is connected to YourBank Fraud =ROUTED THROUGH= the SCAMMER systems. Every word of a conversation can be recorded, or a scammer IVR can be inserted in front of the bank IVR to ask for credit card and other information.
3. The caller is unaware they are being monitored, because the number they dialed connected them with an authentic bank call center - which has customer records and can verify their authenticity. Both caller and call center are (by now) familiar with the need and methods to verify identity over the phone.
4. Thanks to “cloud” computing, where all of the components to execute this scam are available as a utility service, the skimming of information can take place anywhere in the world. A scammer anywhere in the world can remotely set up the necessary systems at any service provider and skim calls without ever leaving their desktop computer!
Like webpage fraud, this kind of scam can run until it is discovered and shut down, but a company’s “telephone identity” is often not managed as carefully as its web domain name. Since direct dial to individual desks is so common, and since most companies have large inventories of phone numbers that they do not manage - most customer service people cannot answer this question:
“I dialed 800-xxx-yyyy. Is that a valid YourBank number I should have called to reach -your- desk?”
Since most call centers have over-enthusiastically embraced tools to create impossibly complex “skill” and “load balancing” routing, and almost NO tools to predict where individual calls actually go, it is rare to find -anyone- who can assure management and customers that a short published list of phone numbers AND ONLY THOSE NUMBERS terminate in authorized customer facing call centers.
Finally, companies that actively drive customers to self service by -failing- to prominently publish voice service phone numbers may be -more- vulnerable, as the means of entering the voice services process are not prominently displayed and customers have no published number to compare a suspicious one against.
Summary: Make sure that you inventory EVERY phone number that your company owns. The purpose and termination point of every number should be clearly stated, and this information should be kept current and accurate. The list of numbers which may be dialed by customers should be accessible and well known to customer facing employees, and the list of numbers published for dial-in use should be as few as possible.
Although everyone likes to be greeted on the phone by a live voice, one published number that becomes identified with a company’s brand coupled with a simple and well-planned IVR may be in your customer’s best interest.
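An added example (my own code, not from the briefing or the original post) of the inventory check the summary above calls for: every number a customer is told to dial is looked up in the company’s own inventory and must terminate in an authorized call center, and every owned number must have a stated purpose. The inventory rows, the published list, the termination names and the authorized set are constructed sample data.

```python
import re
from typing import NamedTuple

class NumberRecord(NamedTuple):
    number: str       # normalized 11-digit form, e.g. "18005550100"
    purpose: str      # "support", "advertising tracking", or "" if never defined
    termination: str  # where the call actually lands, e.g. "support-center-1"

def normalize(raw: str) -> str:
    """Reduce common North American formats to 11 digits beginning with 1 so that
    '800-555-0100', '(800) 555-0100' and '+1 800 555 0100' compare equal."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) != 11 or not digits.startswith("1"):
        raise ValueError(f"not a 10/11-digit North American number: {raw!r}")
    return digits

def audit(inventory, published, authorized_terminations):
    """Compare the numbers the company owns (inventory) with the numbers it tells
    customers to dial (published). Returns a sorted list of numbers per finding."""
    inv = {}
    for raw, purpose, termination in inventory:
        rec = NumberRecord(normalize(raw), purpose.strip(), termination.strip())
        inv[rec.number] = rec
    owned = set(inv)
    pub = {normalize(raw) for raw in published}
    return {
        # Advertised to customers, but nobody owns it: staff cannot vouch for it.
        "published_not_in_inventory": sorted(pub - owned),
        # Advertised, but calls land somewhere other than an authorized call center.
        "published_unauthorized_termination": sorted(
            n for n in pub & owned if inv[n].termination not in authorized_terminations),
        # Owned but with no stated purpose: document it or retire it.
        "inventory_without_purpose": sorted(n for n, r in inv.items() if not r.purpose),
    }

# Constructed sample data; the numbers use the fictional 555-01xx range.
INVENTORY = [
    ("800-555-0100", "support", "support-center-1"),
    ("(800) 555-0101", "advertising tracking", "support-center-1"),
    ("800-555-0102", "", "desk-4412"),                  # direct dial to one desk, purpose never recorded
    ("+1 800 555 0103", "support", "third-party-ivr"),  # lands outside the authorized centers
]
PUBLISHED = ["800-555-0100", "800-555-0103", "800-555-0199"]  # 0199 is on the web site, not in inventory
AUTHORIZED = {"support-center-1"}

if __name__ == "__main__":
    for finding, numbers in audit(INVENTORY, PUBLISHED, AUTHORIZED).items():
        print(f"{finding}: {numbers or 'none'}")
```

Feeding the script a real number inventory export means a customer service agent can answer “is 800-xxx-yyyy one of ours?” from the same list management audits against.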
Let’s Play Twenty (Two) Questions
June 13th, 2009
With all of the changes in office technology, I have been pondering new ways to screen qualified agents for desktop support. As we all know, “techies” speak a language all their own. The genuine article, however, doesn’t need the multiple-choice crutch. They should be able to ace these essay tests WITHOUT google-ing the answer!
I would consider anyone who thoroughly and correctly answered 60% to be qualified, and an 80% score would be an ace. A wizard would get them all. Remember, NO GOOGLE-ING THE ANSWER ONLINE! (Everybody has to look up something, but a qualified support tech doesn’t need to look up everything!)
Good answers to these questions indicate a good well-rounded generalist background, and I would expect that individual to pick up the particulars of this or that technology rather quickly.
Two words of caution:
A. Technical knowledge does not imply design sense or knowledge of your particular business. A “techie” may produce a web site that is technically brilliant, but lacks aesthetic appeal, or relevance to business needs and processes.
B. This quiz is intended to identify well-rounded generalists. The quiz for Enterprise (Fortune 500) network gurus is quite a bit tougher!
- What is a firewall? What does a small business do with one? What is a gateway?
- What is port forwarding, or pinholes? Why might a small business need one?
- What is a subnet? What are the most common private subnet address ranges?
- Why is it important that related but separate offices have separate subnets?
- Other than a USB adapter, what is another way of communicating with legacy (old style serial and parallel) devices? What are the advantages over USB?
- What is Vista User Account Control? How do you turn it off and leave it off?
- What is an Exchange server? What are its advantages over POP servers?
- What is an SMTP server?
- What does the Windows CMD program do?
- What is a Linux-Apache-MySQL-PHP server? What does each of these words mean?
- What is the difference between JavaScript and VBScript?
- What are VNC, RDP, terminal servers, or Citrix servers?
- What is the difference between a “cloud” backup and an image backup?
- What is a security certificate? Where are they used?
- What is a VPN tunnel?
- What is an SSID? What are WPA and WEP?
- What do IDE or SATA refer to?
- What is a fixed versus dynamic IP? What are the advantages of each?
- What is a DNS server? What happens if the DNS server goes down?
- What is an RJ45? What are 802.11b and 802.11g? A crossover cable?
- What is the difference between virus, spyware, and spam software?
- What is a modal window? What does ALT-TAB in Windows do?
If you find someone who can answer the majority of these questions, they are definitely “in the game.”
Cut Your Computer Systems Downtime in Half!
June 13th, 2009
Why does computer maintenance take so much time? Why are computer systems down for so long when they fail?
Computer systems inevitably fail, but you can minimize the costs, and reduce workstation down time to hours instead of days if you fully apply these strategic principles in your computer support operation.
There are four main causes of a systems failure: “domino” effects, moving parts (hard drives), data corruption, and configuration management issues. Electronics failures occasionally happen, but these are typically quick failures of defective components, or heat and power problems.
The “Domino” Effect
The “Domino” effect can be seen even in the smallest of businesses, as the trend over the last twenty years has been to load up the main office computer with word and number crunching programs, email, and web browsers, followed by an endless list of other small and operation critical applications. When the system fails, -all- of these systems go out at once, and the repair must often rebuild and test all of these dependent components.
When a personal computer was three or four thousand dollars, this “old school” approach was a necessary evil. However, today, computer systems can be had for around three hundred dollars! Today, it is possible to compartmentalize critical applications on a small and inexpensive dedicated computer, and contain the “domino” effect.
Rule #1: Don’t load up a system with all of your critical applications. Compartmentalize. Isolate systems so that a hardware failure does not take down everything at once.
Moving Parts (Hard Drives)
Google has extensive hard drive reliability data from their huge server farms. Their data suggests that after a couple of years of use, the risk of hard drive failure increases dramatically. In my own experience, I would attribute about 40% of system failures to the hard drive.
The good news is: this new class of small and inexpensive computers typically has no moving parts! The hard drive has been replaced by flash technology. Computer systems like security gate controllers, industrial process controllers, cash registers, and the computers inside CNC machines originally had no hard drives. Plus, they were “compartmentalized” systems – isolated from any domino effect. These last generation embedded systems would often run for years without failure. Only the occasional electronics failure would shut them down.
Rule #2: Selectively replace hard drives with storage components that have no moving parts. Per thousand gigabytes, hard drive storage is still more affordable, but on small compartmentalized systems fifty to one hundred dollars of non-disk storage is often all that is needed – and the smallest capacity hard drives are more expensive than that.
A hard drive failure can corrupt the data it contains, but about half the data corruption incidents I have seen have other causes.
Data Corruption
Data corruption is typically a side effect of web browsing and email, software updates, frequent hard reboots of the computer system, and well-meaning “geek squad” boo boos.
Once again, the compartmentalization strategy helps. Systems dedicated to tasks like time clock data collection, logging building access for a key card system, or computer-controlled video security should NEVER, EVER be used for email and web browsing.
These systems should have software updates TURNED OFF and should only be updated when configuration management demands it.
Reboots of these systems should be infrequent, and I would prescribe turning off any preventative reboot programs that restart the system once a day or week – unless the nature of the system demands it.
RULE #3: No automated software updates, reboots or Internet access from compartmentalized systems that run other business-critical applications.
Configuration Management
Most “geek squads” can replace a hard drive or a printer – but they have no idea about configuration management because they don’t get to see the big picture. Configuration Management means having a plan or template as to how systems are configured. After a failure – systems are put back -exactly- in accordance with the plan.
Configuration Management is such a huge issue that it deserves its own discussion, and I have other articles on this web site that touch on this subject.
RULE #4: Practice good Configuration Management.
Summary
These are all business class support issues. If your home laptop fails, chances are good the neighbor’s kid can reload your word processor and Quickbooks. You can even afford to leave it with him for a couple of days while he sorts it out. Keeping business systems downtime contained to hours instead of days is an entirely different matter.
If you are responsible for desktop maintenance at your organization, these four principles can slash your costs and minimize your system downtime.