Access Controls for the Social Security
Administrations Telephone Switch at the Western Program Service
Center - A-09-96-91001 - 9/24/97
This report presents the results of our review of access controls
for the Social Security Administrations (SSA) telephone switch
(Private Branch Exchange (PBX)) at the Western Program Service Center
(WNPSC) in Richmond, California. The purpose was to determine the
adequacy of access controls for ensuring that the telephone system
is properly used. SSAs Administrative Instructions Manual System
instructs local offices to establish administrative controls and
regional offices to review long-distance calling practices to prevent
employee misuse. However, at WNPSC there is no ongoing monitoring
of employee long-distance telephone use nor are the security software
capabilities of PBX fully implemented. Instances of improperly placed
international calls were noted by SSA staff during the audit field
work. Also, the PBX password is neither changed frequently nor expanded
to additional characters, increasing the risk of unauthorized remote
access and calls made through PBX by outside individuals.
There are three primary reasons why PBX is vulnerable to telephone
misuse. First, telephone call detail reports have not been designated
by SSA as a system of records under the Privacy Act of 1974, preventing
the Agency from linking individual employees with telephone calls.
As a result, management cannot use telephone exception reports to
monitor long-distance telephone practices of employees. Second, there
is no staff permanently assigned the responsibility for monitoring
employee long-distance telephone use. Third, there is an absence
of procedural guidance to ensure that PBX security capabilities are
fully utilized. We recommend, in part, that SSA: establish a system
of records under the Privacy Act that authorizes SSA to collect call
detail report data by individual employees;assign staff responsibility
for monitoring employees long-distance telephone practices;
and fully utilize PBX security capabilities to include call blocking,
exception reporting, frequent changing of passwords, and use of the
maximum number of digits possible for the password. We also recommend
that SSA assess the need to initiate access controls at other PBX
Except for the establishment of a system of records under the Privacy
Act, SSA agreed with the recommendations.
At WNPSC, all telephone instruments are interconnected and linked
with the public network by means of telephone switching equipment
called a PBX. In 1986, SSA purchased a PBX from Northern Telecom
along with a software security package and maintenance agreement.
The PBX equipment provides access to services on a nationwide network
operated for the Government under the FTS 2000 contract. Basic network
services include domestic and international long-distance telephone
calling. SSA reported that, as of July 1993, there were about 1,500
SSA offices that operated their telephones through SSA-owned telephone
SSAs Administrative Instructions Manual System provides overall
guidance on procedures to control employee telephone usage. Generally,
field offices are to ensure that calls are appropriately placed and
regional offices are charged with reviewing and analyzing long-distance
calling practices. The application of PBX software security is provided
for in the purchase agreements with commercial vendors, with technical
guidance from SSAs Office of Telecommunications.
Regulations were issued by the Office of Management and Budget (OMB)
on April 20, 1987, establishing procedures for Federal
agencies to implement call detail programs in compliance with the
Privacy Act. The purpose of these programs is to provide agencies
with the means of monitoring employee telephone practices to ensure
that long-distance services are properly used. The Privacy Act requires
that the records only be used for authorized purposes and are protected
from improper access. SSA developed a plan in July 1993 which provided
for the use of call detail reports to verify the accuracy of long-distance
telephone charges to the Agency. However, the Agency deferred action
for establishing a system of records under the Privacy Act which
would authorize it to link telephone calls with individual employees.
The regulations for managing call detail programs provide a model
disclosure statement which agencies can use to establish a system
of records under the Privacy Act. The statement must include such
information as the routine use of and provisions for accessing, safeguarding,
retaining, and disposing of the records. Such a system of records
is needed whenever records are used to link telephone calls with
individual employees, a necessary procedure if an agency is to identify
potential misuse of long-distance service by employees.
Our audit was conducted in accordance with generally accepted government
auditing standards. Our objective was to assess the adequacy of access
controls to ensure that telephone lines at WNPSC are properly used.
To accomplish our objective, we:
1. held discussions with SSA Headquarters
and WNPSC staff; 2. made a physical inspection of the PBX
site; and 3. reviewed technical and vendor publications related
equipment and articles on telephone fraud.
The audit was conducted
at WNPSC in Richmond, California, and at the regional office
in San Francisco, California, from July to November 1996.
RESULTS OF AUDIT
SSA needs to improve access controls for its telephone system at
WNPSC both as a means of ensuring that employees properly use Government
telephones and preventing improper telephone access by third parties.
There was neither ongoing monitoring of long-distance telephone practices
nor was the Agency making full use of available security software
for PBX. Reviews of telephone bills at WNPSC by SSA staff disclosed
instances of long-distance telephone misuse by employees. Also, software
security measures could be improved both for preventing and identifying
improper employee practices and for preventing improper remote access
by outside individuals.
Monitoring Telephone Usage
SSA was not reviewing telephone usage at WNPSC when we started this
audit. Subsequently, SSA staff started manually reviewing selected
invoices and found several irregularities that required further examination
to determine if employee abuse of the telephone system had occurred.
For example, international calls were made to two foreign countries.
There were 21 calls to the Philippines totaling $744.05 from August
9 to September 13, 1996, and 24 calls to Mexico totaling
$107.98 from July 1 to August 27, 1996. These calls were improper
because international calls are not part of normal business conducted
from those telephone lines. Another example involved an employee
who charged SSA for membership in a telephone service called "Psychic
Encounters." These types of telephone misuse can be minimized
by making use of a PBX software control feature called "call
Call blocking allows SSA to customize each users telephone
access to match job needs. An example is to block a user from calling
internationally if the individual has no job-related duties requiring
international telephone calls. After detecting the above incidents,
SSA staff increased the use of call blocking for all "900" number,
collect, and calling card calls. At the time of our field work, call
blocking of international calls was pending because international
business is done on some telephone lines.
Exception reports are a software feature which provide an effective
and efficient means for SSA to monitor employee long-distance telephone
practices. An exception report lists telephone calls meeting specific
criteria, such as length of calls, international calls, and "900" calls.
Such reports can be automated to identify trends which indicate potentially
improper telephone practices by individual employees. However, the
Privacy Act requires that SSA establish call detail reports as a
system of records in order to use information linking telephone calls
with individual employees.
Protection against Unauthorized Electronic Access to PBX
At the time of our field work, the PBX password had not been changed
in about 5 years. The password is used by authorized SSA employees
for making changes to the PBX configuration, such as adding or removing
individual telephone instruments or service features like voice mail,
long-distance access, and call blocking. The password can also be
used by the vendor to access PBX while physically outside WNPSC for
performing maintenance and repair from a remote location.
The Communications Fraud Control Association (CFCA), a clearinghouse
for information on the fraudulent use of telephone services, recommends
that passwords be changed frequently. Unauthorized access by SSA
employees could lead to such improper changes to the system as the
removal of call blocking features or the addition of unauthorized
long-distance access lines. Furthermore, an outside individual who
successfully accesses PBX from a remote location by dialing into
the remote maintenance modem can use PBX for making calls anywhere
in the world.
Although no instances of unauthorized remote access were identified
at WNPSC, CFCA literature has examples of compromised PBXs that were
used to incur significant improper costs for long-distance telephone
calls. Philadelphia Newspapers, Incorporated, lost $150,000 in 1
month; a Midwestern chemical company lost $700,000 in 3 weeks; and
an Ohio manufacturer lost $300,000 over a weekend.
PBX software used at WNPSC allowed SSA to use a maximum number of
four digits for the password. Northern Telecoms security manual
states that a hacker can crack a four-digit password within 7 seconds.
Longer strings of password digits should be used and the password
changed frequently to increase the difficulty of compromising the
password and having someone gain improper access to the PBX.
SSA needs to improve controls over the long-distance telephone practices
of employees and access to its PBX at WNPSC. In addition, the lack
of established control procedures indicates that similar control
weaknesses may exist at other SSA offices. We recommend that SSA:
establish call detail reports as a system of records under the
Privacy Act and OMB regulations;
assign staff responsibility for ongoing long-distance telephone
use call blocking to prevent and exception reports to identify
improper telephone calls;
change PBX passwords frequently and request software revisions
to increase the maximum number of password digits used;
improve procedural guidance to ensure that SSA components fully
utilize available PBX security software; and
assess the risk of telephone misuse at other PBX locations and,
if necessary, initiate appropriate access controls.
SSA agreed with our conclusion that controls over the use of SSA
telephone systems need to be improved. Corrective actions to implement
our recommendations have been initiated at WNPSC. Also, SSA plans
to assess the need for improved controls for its offices nationwide
and develop guidance to ensure that PBX security software is fully
utilized and other needed controls are in place.
SSA, however, did not agree with the recommendation to establish
a system of records under the Privacy Act for call detail reports.
The Agency stated that current controls either in place or being
implemented will substantially reduce incidents of telephone abuse.
SSA further stated that the Office of the Inspector General (OIG)
report provided no evidence that implementing the recommended system
of records would be cost-effective. SSAs written comments in
their entirety are included at Appendix A.
The corrective actions taken at WNPSC should reduce the risk of
unauthorized access and use of PBX. SSA also agreed to assess the
need for and implement, as required, improved controls for its telephone
systems nationwide. Without establishing call detail reports as a
system of records under the Privacy Act, however, SSA lacks the authority
to monitor and, when necessary, take actions against individual employees
who place improper personal calls on the Agencys telephone
We acknowledge that there are administrative costs related to implementing
the protections required under the Privacy Act for a system of records.
Also, we have no basis for estimating the benefits related to such
a system because there is no SSA data on the costs associated with
improper telephone use. Nonetheless, the benefit of establishing
such a system should include the deterrent value resulting from SSAs
capability and authority to detect improper telephone practices and
to pursue administrative and criminal actions against individual
employees who misuse the telephone system. The U.S. Department of
Agriculture, another large and decentralized Federal agency, established
a system of records for call detail records, stating as one objective, ".
. . deterring or detecting possible misuses of long distance services.
. ." (Departmental Regulation 3040-2, dated August 31, 1995).