Protecting corporate and enterprise networks against an increasing insider threat. Reflux - Cha0s Inc. MVS Dev. --- 7/01 -------------------------------------- Introduction This is my first paper in a very long time, hopefully it will be as accurate as possible and will highlight some of the areas of risk in today's corporate network environment. The aim of this text is to provide a basic understanding of how important it is to maintain security within the corporate network, and to offer some theory and technique that the Hacker (The insider) may use or may be using to penetrate vital systems within YOUR organization.. ----------------------------- [ Table of Contents ] ----------------------------- 1 The eye of the storm 2 An Insider Threat 3 Determining what is @ Stake 4 Strategy and precaution for High Security Netwoks 5 High-Tech deception and Industrial Espionage /. The eye of the storm. More and more companies are feeling the effects of hackers, and according to recent FBI studies, 60 - 80% of all corporate hacking is done by employees of the victim. Insiders of the company itself, those who have physical access to the network. When designing network security, many systems administrators Only see it necessary to secure their networks from the outside, by means of Firewall or Proxy Server. This type of protection does offer a good amount of security from outside attacks, but doesn't offer any protection from hackers openly hacking from the inside of the network. //. An insider threat It is disturbing how many companies systems are vulnerable to Known security flaws, those of which have been known about for sometimes years and could be easily patched, Companies have lost millions of dollars in revenue because they Were hacked and their data was destroyed, systems left wide open just waiting for a hacker to compromise. The first thing a Hacker is going to do is target the Network Servers looking for vulnerabilities in protocols such as DNS, FTP, SMTP etc. looking For misconfigurations and often unpatched holes, for example Lotus Domino SMTP will allow Users to relay mail blindly without proper authorization, allowing Employee's to forge company email if not configured properly, Small bugs like this can be exploited and used to cause havoc, downtime and lost profits. Many companies are lacking in their ability to keep their Network Operating systems up to date, installing the latest service Packs and hotfix's is critical. This is a huge problem for many companies. A good example of a wide scale problem recently hitting is the "Code Red" Virus, it now has taken down over 250,000 IIS4/5 Web servers, via a simple but known buffer overflow that a patch has been available to correct for over a month. critical. Potential systems that are likely to be probed are systems in departments Such as Human Resources, Payroll, Accounting, etc.. where it may be possible to obtain financial information, employee data or other valuable information. ///. Determining what is @ Stake The best way to protect the security of your network is to analyze it with the Mindset of a Hacker. The first thing I suggest is breaking your company network Into private segments by means of VPN, or other encrypted network protocol, separating the departments from one another to prevent data intended for one department from being routed to another. The layout and separation of the network is a big concern because any employee on the company Network can run a packet sniffer and obtain insecure information From the Payroll Department, Accounting, or Human Resources and this is a major threat to company and employee security. Separating the network through basic bridging and switching is not good enough. Hackers will use advanced tactics to gather information, such as arp cache poisoning to obtain information from remote areas of the network. When designing a corporate network topology, take into consideration what roles that the part of the network will play, Will this department be dealing with critical business or financial data? Different departments might require different levels of security, if you have a Department that collects and processes nothing but credit card information, separate them on a secure encrypted segment, away from the department that handles Customer Service. This will prevent private data from being stolen by not so Trustworthy employee's. ////. Strategy and Precaution for High Security networks. If the COMPLETE security of your environment is essential, your best bet would be to segment out your network with quality switches, making sure all necessary security features are set and then setup a secure PPTP VPN. This will ensure a private encrypted workgroup that will be free from most types of sniffing attacks. Packet Sniffing is a major concern, its being done and probably on your own company network. Defeating packet sniffing by insiders can be a difficult task, there are a few programs available, "AntiSniff" by l0pht for example is a good sniffer detector that will sweep the network In search of interfaces that are running in (Promiscuous) mode, but this tool and many of which only work properly on flat, non-switched networks. If you are an IT Admin, use caution when telnetting into network servers, always assume that somebody is watching you. If your network is Unix oriented use SSH to ensure an encrypted terminal session. If you need to gain access to a router to make some configuration changes, attach a console and make changes at the router. Telnetting across the network will expose your passwords in plain text. In High Security network environments, you may consider the installation of an Intrusion Detection system. An Intrusion detection system will allow you to centerally monitor the network, pinpointing and logging all unusual activity, even offering webbased administration and forwarding of logs to secure remote loghosts for increased security. Operating System security is a large part of the puzzle, but improper configuration of network hardware can leave you open to many potentially lethal problems. Enabling the security features of your network hardware is highly recomended. Many higher quality switches offer a feature called MAC Binding, which will bind IP MAC info and prevent change once set. This will prevent cache poisoning that could cause frames from one segment to be leaked and sniffed by an insider on another. /////. High-Tech deception and Industrial Espionage Industrial espionage is becoming more and more real, this next chapter will express some of the possibilities that an insider may use to damage company operations, customer relations or company personnel by means of Theft, Data manipulation, impersonation or deception. Here is one Scenario, you work with your good buddy Billy, Billy narked You off for playing Counterstrike while on the clock!@(&, bad... It's the weekend and the supervisor on duty receives an email from the CEO (of course this email is a Forgery you have manually sent from the company's misconfigured SMTP server) Explaining how monitors at the corporate office have detected your good buddy viewing kiddy porn and has violated company policy. Billy will need to be terminated immediately and Escorted out of the building. Since it's the weekend and the CEO may not be at the office, the chance Is that you are going to have your good buddy fired on the spot. And Walked out of the building... oops. This is a reality I call corporate espionage.. and this is just a small Idea of how someone can alter the perception of corporate Management, via deception and social engineering for Personal and possibly financial gain. Here is another scenario, You are scanning your company domain open windows Fileshares on the network. You come across several that have the C: shared but Locked with a password. moron. You, the insider, then use your Netbios brute Force tekneeks to break the password to the fileshare and gain Full access to the lusers workstation, after browsing around the files, You notice that the system you just broke into belongs to a company Supervisor and contains reporting data that includes time-clock data, Crystal reports Employee statistical data or other critical work-flow Data. Clickety Click, you just worked 30 hours of overtime and are now The best employee in the company. :) //////. Conclustion This messy, unorganized, misspelled piece of chopped up text is just a personal rambling, an effort to point out what needs to be done to keep corporate networks Secure from an internal standpoint, if you have any comments or suggestions about this paper please contact me. I can be contacted at: Reflux@cha0s.com 2001. Cha0s Inc.