Home Page
Case Study: Risk Assessment of an Enterprise Call Accounting Solution
Part 1: Background of the Analyzed System
Abstract
This paper describes a customer case study of a threat analysis for a next generation call accounting solution. Campton College, a private medical school, needed to replace an aging call accounting system, which frequently lost call records and lacked the capability to provide unified campus-wide telephony billing features. Campton wanted to create an integrated Web based call accounting system that would service student dorms and administrative departments. The institution contracted with TACS, a call accounting solution provider, to replace the old software and provide a modern, Web-based solution that would be cheaper to own and easier to use. Faced with a steep bill for information security, Campton contracted with Software Associates in order to find a way to reduce liability at the lowest possible cost. By using the PTA risk assessment tool, Software Associates was able to demonstrate to Campton how to reduce risk from 250% to 50% at less than half the original InfoSec budget proposed by the vendor.The TACS managed call accounting service in a nutshell
TACS offers small to mid-sized clients
a managed service for call accounting that includes basic billing functionality
and is capable of collecting and processing call detail records from variety
of sources. The user interface is Web-based and caters to four different
types of users: PBX technicians, administrators, phone users and organization
managers.
Technicians - TACS technicians are responsible for installing the
CDR (call detail records) buffer devices connected to the PBXs for accumulating
the calls. A technician defines the parameters of the protocols used by
the buffer, data collection schedule, format of call records and performs
initial testing of data collection in order to validate that the calls are
collected and parsed successfully by TACS data back-end data processing
systems.
Administrators - Customer administrators handle ongoing management
of the telephone switch resources and subscribers as follows:
- Allocate phone-extensions and other telephony resources, such as cellular phones etc.
- Set the pricing programs that calculates and attaches a price tag to each call
- Define phone users and system users
- Associate users with telephony resources and pricing programs
- Manage system access permissions
Subscribers (phone users) - Subscribers
can view and print the detailed listings of their private calls and their
monthly bills.
Managers - User department Managers can produce reports that summarize
calls traffic and the usage of telephony resources in the organization.
They also monitor the billing and payments of phone users.
System Architecture
The TACS system ASP architecture is based
on Microsoft Windows Server 2003 that runs several .Net applications responsible
for the call accounting processing, and a suite of web applications that
interact with users via browsers (IE 5.5 and higher). The system’s database
is managed by a stand alone MS SQL 2000 machine connected to the application
server via LAN.
Database
The TACS MS SQL Server 2000 stores all types of system data, including call
records, pricing programs, users, organizational structure and system configuration.
The CDR tables can handle several million records per month and are indexed
by a multiple fields to support rich reporting.
The SQL Server scheduler mechanism is used to schedule and dispatch the
data collection activities.
Processing
The processing of CDRs has 3 stages:
- Data Collection – collecting the calls from the CDR buffers. The output
is blocks of raw CDR data.
- Parsing and reformatting - the output is structured call records in a
uniform format invariant to origin of the calls.
- Load to database - call record are associated with the corresponding end
point device, subscriber id and telecom provider and then inserted to the
database.
The implementation is based on a several Windows services that use worker
components to implement the required functionality. For example, the data
collection service operates several different ‘collector’ components to
collect the call records from different data sources via the appropriate
protocols. Campton College operates 3 PBXs from different vendors: Avaya,
Siemens and a small Cisco VoIP switch. The operating parameters of the components
are kept in the database.
The data is transferred between the 3 processing stages via MSMQ private
queues that serve as non-volatile buffers for data in process.
The service processes and some of the worker components were developed using
.NET technology. Other worker components are legacy Win32 components wrapped
with .NET Interop layer.
Web applications
The Web Applications are implemented in ASP.NET combined with Microsoft
reporting engine. Some of the applications are capable of directly viewing
and editing data tables in the database via ASP.NET server side controls.
In the TACS system, all Web applications share the same infrastructure for
user login and secure access to the database.
Pricing, database maintenance and data exchange
The pricing, database maintenance and data exchange tasks are implemented with a Windows service that uses worker components to perform the actual tasks, similar to the call records processing architecture. The tasks are executed in a periodical manner according to the system’s schedule.
Download the Threat Analysis
of the Enterprise Call Accounting Solution
The PTA threat analysis
and risk assessment project of the Enterprise Call Accounting and
Billing Solution
is packed in a WinZip archive
CallAccountingCaseStudy.zip.
The archive contains the sample threat model database (a file with thm extension)
and a few document files relevant to the project (doc and pdf). After downloading
the archive, please extract the files to a dedicated folder according to
your convenience and than invoke PTA* and open the thm database using the
File / Open PTA Project dialog.
*Note: to view the sample threat model you should have
the
PTA
Risk Assessment Tool installed on your computer.
***
Next (part 2): Conducting
the Security Risk Assessment
Home Page