Thursday, December 23, 2010

“Insecure Perceptions”

Originally published in the SDBJ March 30, 2002



Sadly, our country had to experience the events of September 11, 2001 (9/11) in order to take seriously all the threats to our country’s security. Our former complacency may have been rooted in the vast oceans separating us from nations associated with terrorism, as well as the fact that no other attack of this magnitude had been executed successfully in the U.S. before 9/11. Whatever the reason, the perception that we are immune to attack has been replaced by pragmatic action to prevent the next attack.

We have begun the process of fencing in our water reservoirs, installing the National Guard in our airports, and increasing restrictions on foreign visitors. Money spent on these activities is perceived as an investment in current and future security rather than an unnecessary waste of resources. Indeed, what is spent on bolstering our country’s security is perceived as a means to protect our way of life.

Must similar catastrophic events take place before organizations take network security just as seriously? Perhaps. One only needs a few minutes researching the Internet to identify attacks (“hacks”) on organizations that have compromised company and customer data. Despite this evidence, most small to mid-size organizations still perceive money spent on network security as a cost, rather than a means to protect company data, competitive advantage, and customer privacy over the long term.

Those involved with computer systems are aware of the risk and understand what needs to be done to protect informational assets. These people include IT Administrators, MIS Directors, CIOs and other “Network Guys” who build, maintain, and support an organization’s systems. Short of an event like 9/11, what can be done to get an organization’s decision makers to invest in network security?

No amount of 9/11 events can change a decision maker’s mindset when it comes to implementing strong network security in order to protect information assets. An organization’s decision maker perceives security as either an expense or investment. Indeed, the reasons why decision makers perceive security differently warrant further analysis outside the scope of this article.

To clarify, the three major actors in network security are as follows:

- Network Guys – those who build, maintain and support systems

- Insiders (good or bad) – those with authorized access to systems who may or may not be able to penetrate systems

- Outsiders (good or bad) – those without authorized access to systems who penetrate systems

Organizations can turn to Outsiders for independent assistance in identifying the network security risks at their organization. These Outsiders include boutique security firms, “white-hat” hackers, systems auditors, and rogue contractors. These Outsiders exploit commonly known vulnerabilities, exposing the organization’s network security weaknesses to the IT Administrator. These exposures form components of a business case for strong network security in organizations. The appeal of using an Outsider to exploit weaknesses lies in their ability to recommend solutions with little influence from a software or hardware vendor.

The result is like witnessing a disaster inside an organization without dealing with the associated disastrous consequences. After careful review of the business case, many decision makers view spending money on network security as an investment with a positive Return On Investment (“ROI”), instead of as an expense.

Given this, what can be done?

5-Minute Case Study

If you are reading this in your office, you probably have a network jack somewhere near your computer. This network jack connects you to your organization’s information resources. Imagine how many unmonitored network jacks exist in your company. Is this a risk? Yes.

Footprinting/Scanning

Our team of “Outsiders” was recently engaged to help an IT Administrator build a business case for strong network security. We began by connecting a laptop PC to a network jack. Once connected, we obtained a network address (IP address) from the organization’s server and reviewed the network subnet information assigned to our computer. The subnet information was then used to guide a port scanner in scanning the entire subnet for computers.

Enumeration

The nature of the network’s broadcast protocols allowed us to quickly identify every computer on the subnet. The scan identified open ports, user accounts, file and printer shares, network interfaces, and security alerts. While company networks facilitate the sharing of files and services, the nature of this sharing presents a risk.

Gaining Access

We then selected the computer with the most user accounts. Using native operating system tools, we established a [null] session with this computer and proceeded to use another freely available tool to extract the userIDs and their associated network access permissions. Knowledge of userIDs alone does not make a computer vulnerable. However, most organizations fail to force their employees to change their passwords periodically or select strong passwords. Even today, many users select passwords that are easy to remember (e.g., user’s name, user’s girlfriend’s name, user’s pet’s name), and, therefore, easy for someone else to guess.

We then sorted the userIDs according to privilege and focused on userIDs with administrative privileges. Of the five userIDs with administrative privileges, one userID had a password equal to the userID. From this discovery, we mapped a logical drive to the computer and proceeded to locate the computer’s “sam” file stored in a commonly known location. [The sam file contains the computer’s userIDs and passwords in encrypted form.] Using another tool from the Internet (l0phtcrack), we decrypted 78 percent of the passwords in 30 minutes.

This exercise provided us with administrative access to the computer, which happened to be the organization’s primary user account server. This was accomplished within 5 minutes of plugging into the network. Admittedly, the security guards at the front entrance provide some protection against someone walking in and doing this without your permission; however, this does not address those with daily physical access (i.e., people with badges) to network jacks. These people include disgruntled employees, curious employees, contractors, consultants, and auditors who have plugged their PCs into your network.
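The enumeration step of the case study leaves a footprint a defender can look for: a burst of anonymous (null-session) network logons from one source address against many hosts. The following Python script is an added example for this post, not a tool used by the authors. It parses a simplified, assumed one-line-per-event rendering of Windows Security event 4624 (successful logon, type 3 = network) and flags any source that reached several distinct hosts anonymously inside a short window. The log lines, host names and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The layout is an assumed, simplified rendering of
# Windows Security event 4624 (successful logon) exported one event per line;
# a real export carries many more fields. Host names and addresses are made up.
SAMPLE_EVENTS = """\
2010-12-23T09:01:12 EventID=4624 LogonType=3 Account=ANONYMOUS LOGON Domain=NT AUTHORITY Src=10.0.5.77 Target=PDC01
2010-12-23T09:01:13 EventID=4624 LogonType=3 Account=ANONYMOUS LOGON Domain=NT AUTHORITY Src=10.0.5.77 Target=FS02
2010-12-23T09:01:15 EventID=4624 LogonType=3 Account=ANONYMOUS LOGON Domain=NT AUTHORITY Src=10.0.5.77 Target=WKS-ACCT4
2010-12-23T09:01:16 EventID=4624 LogonType=3 Account=ANONYMOUS LOGON Domain=NT AUTHORITY Src=10.0.5.77 Target=WKS-HR2
2010-12-23T09:03:40 EventID=4624 LogonType=3 Account=jsmith Domain=CORP Src=10.0.5.31 Target=FS02
2010-12-23T09:05:02 EventID=4624 LogonType=3 Account=ANONYMOUS LOGON Domain=NT AUTHORITY Src=10.0.5.31 Target=PRN01
2010-12-23T09:06:44 EventID=4624 LogonType=2 Account=administrator Domain=PDC01 Src=- Target=PDC01
2010-12-23T13:20:00 EventID=4624 LogonType=3 Account=ANONYMOUS LOGON Domain=NT AUTHORITY Src=10.0.5.77 Target=FS02
"""

# Account and Domain values may contain spaces ("ANONYMOUS LOGON", "NT AUTHORITY"),
# so they are matched lazily up to the next known field label.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<account>.+?) Domain=(?P<domain>.+?) "
    r"Src=(?P<src>\S+) Target=(?P<target>\S+)$"
)


def parse_event(line):
    """Parse one exported event line into a dict, or return None if it does not fit the layout."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_anonymous_network_logon(ev):
    """True for a successful network logon (type 3) made by the anonymous (null-session) identity."""
    return (
        ev["eid"] == "4624"
        and ev["ltype"] == "3"
        and ev["account"].upper() == "ANONYMOUS LOGON"
    )


def find_enumeration_sweeps(lines, window=timedelta(minutes=5), min_targets=3):
    """Return {source_ip: sorted target hosts} for every source that logged on anonymously
    to at least min_targets distinct hosts within any window-sized span of time.

    A single anonymous logon is ordinary on many networks; the same source touching
    several hosts within minutes is the signature of a subnet-wide enumeration."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and is_anonymous_network_logon(ev):
            by_src[ev["src"]].append((ev["ts"], ev["target"]))

    findings = {}
    for src, events in by_src.items():
        events.sort()  # chronological; tuples sort by timestamp first
        for i, (t0, _) in enumerate(events):
            # Distinct hosts reached within `window` of this event
            in_window = {tgt for t, tgt in events[i:] if t - t0 <= window}
            if len(in_window) >= min_targets:
                findings[src] = sorted(in_window)
                break
    return findings


if __name__ == "__main__":
    for src, targets in find_enumeration_sweeps(SAMPLE_EVENTS.splitlines()).items():
        print(f"possible null-session enumeration from {src}: {', '.join(targets)}")
```

On the constructed sample the script flags 10.0.5.77, which reached four hosts anonymously in four seconds, and ignores 10.0.5.31, whose single anonymous logon to a print server is the kind of event that occurs in normal operation. The window and host-count thresholds are the tuning knobs; on a real network they should be set after observing how much anonymous traffic legitimate services generate.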

So What?

So, what is wrong with someone else knowing your password? Indeed, password sharing has been prevalent since the birth of mainframes. Today, however, most organizations store sensitive financial, payroll, operations, inventory, customer, and marketing data in computers running operating systems that are not securely configured or monitored for security violations and fraudulent activity. Unfortunately, the user’s network password is often the only protection an organization has over the applications where sensitive transactions take place. Most small to mid-size organizations continue to perceive computer security as an expense, rather than an investment with a sizable ROI.

Due to insufficient resources, most organizations lack strong internal controls to thwart exploitation of simple, commonly known vulnerabilities. Large organizations usually dedicate entire departments to the enforcement of network security. Some of these organizations come equipped with Security Officers who focus their time on safeguarding the organization’s information assets. Far too often, however, small to mid-size organizations fail to dedicate resources to security and suffer painful consequences, including the destruction of data.

In the case study above, we were in a position to execute violent acts against the organization’s network in less than 30 minutes with no prior knowledge of the organization’s network. These acts could have included compromising sensitive data, deleting and/or modifying audit logs, and creating “back doors” for future access. Our ability to exploit an organization’s primary account server quickly allowed the IT Administrator to demonstrate to the organization’s CFO that strong network security should be implemented immediately.

How?

Many IT Administrators lose sleep over what could happen if determined individuals with regular access to the network were to compromise information resources. IT Administrators understand the multitude of vulnerabilities discovered daily.

Our “Outsiders” use native operating system and freely available Internet tools to quickly identify vulnerabilities in company networks. Vulnerability identification can be used to:

- Build the business case for implementing strong network security

- Reduce the risk of visitors, disgruntled or curious employees, competitors, or contractors compromising sensitive data

- Raise security awareness within the organization

- Protect company and customer data from commonly known network vulnerabilities

Why?

The door may be wide open for determined Insiders desiring to obtain sensitive company data. Commonly known vulnerabilities, combined with default computer configurations, are what make it easy for Insiders to violate company security. Most companies do not have the resources to securely configure computers, leaving them exposed to the abuse of people inside an organization who are curious, who are acting in malice, or who are committed to espionage.

When was the last time you assessed the security of your network?
