[iwar] [fc:The.Enemy.Inside.the.Gates:.Preventing.and.Detecting.Insider.Attacks]

From: Fred Cohen (fc@all.net)
Date: 2002-02-16 07:57:16



The Enemy Inside the Gates: Preventing and Detecting Insider Attacks

By Nathan Einwechter, Security Focus, 2/15/02
http://www.net-security.org/cgi-bin/news.cgi?url=http://www.securityfocus.com/infocus/1546

Introduction

It’s nine in the evening in your office building. Most people have gone
home long ago, many of the office lights are off, and the janitors are
quietly making their rounds. From a single, solitary cubicle comes the
familiar blue glow of a computer screen along with the rhythmic
tippy-tap of a keyboard. This could be the sound of a dedicated employee
working late into the night. But it’s not. Quite the opposite: it is a
trusted worker stealing valuable proprietary information off the company’s
network.

This scenario is becoming more and more common. In today’s information
security climate, most of the resources are focused on firewalls and
other methods of perimeter protection. The security strategy is aimed at
keeping attackers from ever entering a specific network. But what
happens when the attacker is already on the network? What happens when
the enemy is already inside the gates?

Inside Attacks

An insider attack, sometimes referred to as an inside job, is defined as
a crime perpetrated by, or with the help of, a person working for or
trusted by the victim. An insider (the person assisting with, or
committing the crime) can be further defined as an officer of a
corporation or others who have access to private information about the
corporation's operations. Insider attacks are becoming more common and
more damaging. According to the annual CSI/FBI survey, 59% of companies
surveyed said they have had one or more attacks reported internally.
Almost 8% of those companies reported 60 or more internal incidents.
(The survey is available on request at
http://www.gocsi.com/forms/fbi/pdf.html.)

Insider attacks are particularly insidious and difficult to protect
against. Not only do the attackers have immediate access to the network,
but they require such access in order to serve their function.
Furthermore, as they already have user accounts and corporate e-mail
addresses, they likely have access to company data. As such, they
probably know which data is of particular value to the organization.

Preventing Insider Attacks

The nature of inside attacks makes them difficult to prevent: how
does the organization provide individuals with the access to the
information that is required to adequately do their job, while
protecting the crucial information resources of the company? Allowing
employees sufficient access to required data and programs, and only
those required resources, is the single biggest problem in protecting
against insider attacks. The second major concern with insider attacks
is that they are often facilitated by accident: the attacker stumbles
onto otherwise unauthorized information due to incorrect
permissions or account rights, or unnecessary access to database systems.
The prevention of insider attacks includes proper allocation of account
rights, the use of internal firewalls, proper user training, and
physical security measures.

Account Rights

The first issue is that of account rights. Improper or inappropriate
account rights are often the first step in unauthorized data access.
Preventing this sounds simple, but is quite difficult. It involves
accurately assessing which users really need access to which resources.
Setting account rights is somewhat of an art. It is much like walking a
tightrope. Give a person too much access, and they may gain access to
data and other resources that are not required for their job. Make
access rights too restrictive, and they may be unable to do their
job.

Because they misunderstand an employee’s job requirements, security
personnel often set that employee’s access rights improperly. To avoid
this, a few simple steps are suggested. The first of these steps is to
sit down with each department head within the organization. These
meetings can be used to determine exactly how much access the
department’s employees require. Once the rights required have been
determined, they must be implemented. The structure and allocation of
account privileges should be formalized, possibly in the organization’s
security policy. A memo should be sent out notifying employees of their
access privileges and the procedures by which these privileges should be
changed. They should receive a form by which they can formally request
changes in access rights. This form should simply request the employee’s
name, department, the access requested, and an explanation of why the
access is needed. This allows for flexibility within the system as a
whole, while maintaining a degree of centralized control over access
rights.

Minimal Direct Access to Database(s)

Although this should be covered in the general access rights, a point
should be made in regard to databases. The large database systems found
within most corporations today contain much sensitive information, from
payroll to client account lists and so on. These database systems are
often easy targets for insider attackers. They are also a particularly
dangerous point of attack for organizations: if an attacker obtains
confidential client information, the organization may be confronted with
liability issues as well as the potential for a nasty public relations
imbroglio.

Due largely to this factor, security administrators should strongly
restrict the amount of database access that is given to users. Database
access should be restricted to the maximum required for the employee to
do his or her job effectively. Many corporations have large numbers of
staff involved with the entry of information into databases. The data
entry software, and the way it enters or revises information within the
database should be closely examined. When examining this software, and
the way it works, test it to make sure that it will only allow the user
to do exactly what you want them to be doing, and nothing else. It
should not have the ability to read or write to any other tables,
columns, or fields other than those specifically required to complete
the job the staff member is required to do.

Internal Firewalls

Firewalls are generally considered to be a perimeter defence and, as
such, are deployed on the perimeter of networks. When dealing with
insider attacks, however, these same firewalls can be deployed within
the internal network to protect more sensitive computers, servers, and
network segments from attacks from within the network. The basic idea of
using an internal firewall is to allow only those who need to access the
data protected behind the firewall in, and keep out those who don’t
require it. Further, the firewall should be set up to allow only specific
types of access in to the protected computers. For example, if
accounting only needs Web access to the server, the security
administrator shouldn’t allow anyone in the accounting IP space to use
anything but port 80 across the firewall. This simply provides an extra
layer of internal security for important servers and other machines that
don’t need to be accessed by everyone. Even if the server does need to
be accessed by everyone, the types of traffic allowed to it can be
restricted.

Another use of the firewall is to log any attempted attacks. This can
then be used to identify any employees who may be trying to attack that
specific server, or network segment. This will be discussed in greater
detail in the detection section below.
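The two uses of the internal firewall described above (a tight allow rule for one subnet and one port, plus logging of everything else) come together in log review. The following added example, which is not from the article, reads dropped-packet lines in the iptables LOG format and flags internal hosts that keep probing the protected server on ports the policy never permitted. The addresses, the FW-DROP log prefix, and the sample lines are all constructed for the example.

```python
"""Review dropped-packet lines from an internal firewall that fronts a protected
server and flag internal hosts that keep hitting it on ports the policy does not
permit. Added example (not from the article). Log lines are constructed in the
iptables LOG format with an assumed 'FW-DROP:' prefix; addresses are assumed."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

PROTECTED_SERVER = ip_address("10.0.5.10")    # assumed server behind the firewall
ACCOUNTING_NET = ip_network("10.0.20.0/24")   # assumed: only this subnet, only port 80
PORT_THRESHOLD = 3                            # distinct denied ports before we escalate

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

SAMPLE_LOG = [  # constructed sample lines
    "Feb 15 21:03:11 fw1 kernel: FW-DROP: IN=eth1 OUT=eth2 SRC=10.0.30.7 DST=10.0.5.10 PROTO=TCP SPT=40122 DPT=22 SYN",
    "Feb 15 21:03:12 fw1 kernel: FW-DROP: IN=eth1 OUT=eth2 SRC=10.0.30.7 DST=10.0.5.10 PROTO=TCP SPT=40123 DPT=23 SYN",
    "Feb 15 21:03:12 fw1 kernel: FW-DROP: IN=eth1 OUT=eth2 SRC=10.0.30.7 DST=10.0.5.10 PROTO=TCP SPT=40124 DPT=445 SYN",
    "Feb 15 21:03:13 fw1 kernel: FW-DROP: IN=eth1 OUT=eth2 SRC=10.0.30.7 DST=10.0.5.10 PROTO=TCP SPT=40125 DPT=1433 SYN",
    "Feb 15 21:03:13 fw1 kernel: FW-DROP: IN=eth1 OUT=eth2 SRC=10.0.30.7 DST=10.0.5.10 PROTO=TCP SPT=40126 DPT=22 SYN",
    "Feb 15 21:07:40 fw1 kernel: FW-DROP: IN=eth1 OUT=eth2 SRC=10.0.20.15 DST=10.0.5.10 PROTO=TCP SPT=51000 DPT=22 SYN",
    "Feb 15 21:09:02 fw1 kernel: FW-DROP: IN=eth1 OUT=eth2 SRC=10.0.30.7 DST=10.0.9.9 PROTO=TCP SPT=40130 DPT=22 SYN",
    "Feb 15 21:10:00 fw1 sshd[412]: Accepted publickey for admin from 10.0.1.2",
]

def parse_drop(line):
    """Return (src, dst, dport) for an FW-DROP line, or None for anything else."""
    if "FW-DROP:" not in line:
        return None
    f = dict(FIELD.findall(line))
    if "SRC" not in f or "DST" not in f:
        return None
    return ip_address(f["SRC"]), ip_address(f["DST"]), int(f.get("DPT", 0))

def review(lines, threshold=PORT_THRESHOLD):
    """Group denied attempts against the protected server by source address.
    Returns {src: {"ports": [...], "attempts": n, "allowed_subnet": bool}}
    for every source whose distinct-port count reaches the threshold."""
    ports, attempts = defaultdict(set), defaultdict(int)
    for line in lines:
        rec = parse_drop(line)
        if rec is None or rec[1] != PROTECTED_SERVER:
            continue                      # other destinations are out of scope here
        src, _, dport = rec
        ports[src].add(dport)
        attempts[src] += 1
    return {
        str(src): {"ports": sorted(p), "attempts": attempts[src],
                   "allowed_subnet": src in ACCOUNTING_NET}
        for src, p in ports.items() if len(p) >= threshold
    }

if __name__ == "__main__":
    for src, info in review(SAMPLE_LOG).items():
        print(f"{src}: {info['attempts']} denied attempts on ports {info['ports']} "
              f"(in accounting subnet: {info['allowed_subnet']})")
```

The `allowed_subnet` flag is there because a hit from the accounting range on a port other than 80 is a different conversation (a misconfigured client, or an accounting user probing) than a hit from a subnet that should never reach the server at all.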

Training

Employee training is another major key to preventing insider attacks. It
should go without saying that employees should be taught about basic
security practices, such as password and physical security procedures,
as well as how to identify any social engineering attempts, which may or
may not come from inside attackers. They should also be trained how to
correctly respond to these attempts. (For more on social engineering
attacks, please see the SecurityFocus series Social Engineering
Fundamentals.)

Employees can help to prevent insider attacks. Physical access to
workstations is a particularly important component of this.
Organizations should train employees to lock or logout of their
workstation any time they leave it, for any amount of time. This will
prevent a fellow employee with fewer access rights from strolling up to
the computer and using the owner’s access to obtain data otherwise
restricted to that user. The second of these basic security practices is
that of a secure password. Teach the employees to pick passwords that
are not easily guessed. Make it policy for users not to use their name,
pet’s name, spouse’s name, birth date, or anything else easily guessed.
Suggest that they use passwords with numbers, letters, and other
characters. (For more information on secure password practices, please
see the SecurityFocus article The Simplest Security: A Guide to Better
Password Practices.)

As explained earlier, employees should be able to identify possible
social engineering attempts, as well as know how to deal with these
situations as they arise. As a basic policy, users should be trained
that passwords are never to be given out to anyone, for any reason. Tell
employees that under no circumstances should anyone require a user’s
password or account data. Inform employees to notify IT staff
immediately of any requests by anyone for their password, or any other
technical information about the network. This addresses just one common
method of social engineering, and how to protect against it.

Physical Security

Physical security is often overlooked, but becomes extremely important
in the prevention of insider attacks. This is mainly due to the ease of
physical access an employee has to other workstations, and machines.
After all, they do work in the building.

Just like the other preventative measures, there are a few techniques
that are used to increase physical security within a company. As was
stated in the previous section, be sure that all employees lock or log
out of their workstations before leaving them unattended for any
period of time. Not only should their workstations be locked or logged
out, but so should offices when they’re not being occupied.
Unfortunately this is not always an option when the employee is in a
cubicle. However, under no circumstances should an employee be unable to
lock the workstation or log out. These two practices must be followed no
matter how long or short the leave from the computer may be. Short trips
to the bathroom, to grab a drink, or to chat in the staff lounge are
included in that. One minute is all an insider needs to jump onto a
workstation and use that user’s privileges to gain unauthorized access to
data.

The second method of physical security deals with securing the server
rooms. The server room(s) should be locked and monitored. Under ideal
circumstances a key card system, along with a personal PIN, should be
employed. This allows the monitoring of who accesses the room, when, and
for how long, which ties in to detection below.

The last aspect of physical security to be touched on here is that of
the networking cables themselves. Someone working in the building,
either on the same floor, or above/below the floor can easily tap into
an Ethernet line and sniff the network. This is an issue that many
security specialists have been struggling with for quite some time now.
There are a few techniques that can minimize the possibility of a user
tapping into the system with a network sniffer. The first is the use of
encryption across the network. By encrypting all sensitive traffic, any
data the person tapping the line can view will be gibberish, or
non-sensitive information. The problem with this solution, however, is
that the use of encryption increases the amount of bandwidth required.
Another solution, more recently developed, is that of the promiscuous
mode detection software. Software such as AntiSniff can detect any
systems on a network that are operating in promiscuous mode. The
presence of such a system is usually a sign of a packet sniffer being
utilized to view traffic going across the network.

Detecting Insider Attacks

While the preceding prevention methods should preclude insider attacks,
there is no guarantee that such attacks will not still occur. As such,
security administrators must also be able to monitor their networks in
order to detect successful intrusions. Much like the prevention process,
the detection process consists of numerous components, such as the use
of an internal IDS, a firewall logging system, and physical access
logging.

Internal IDS/Firewall

The first tool for detecting insider attacks is an internal intrusion
detection system (IDS). The Internal IDS works in much the same way as a
perimeter IDS system does: by detecting, logging, and reporting attacks
against systems.

An internal IDS system can consist of host- or network-based IDS
systems, depending on the organization’s requirements and network setup.
At a minimum, the internal IDS system should be able to detect attacks
against major servers and data holds. Ideally, however, the IDS will be
able to detect attacks against any system across the network as a whole.
The use of an internal Distributed Intrusion Detection System is being
explored more and more by corporations to detect insider attacks, as
well as trace the origin of the attacks within the company. The
Distributed Intrusion Detection Systems should, ideally, gather
information from more than just the standard IDS systems deployed
earlier. It should, instead, retrieve attack information from firewalls,
routers, switches, and any other attack logging devices, as well as the
standard IDS systems. By retrieving attack information from multiple
pieces of software and hardware, the attack analyst is able to better
understand any attempted internal attacks and identify their source.

File/Network Integrity Checking

A second tool that can be used to detect insider attacks is file and
network integrity-checking software. This software is designed to
constantly check multiple servers or computers for any changes in the
base file installation. This includes the installation of backdoored
versions of standard programs (such as ps and ls in Linux/Unix operating
systems). By monitoring these files for changes, the security
administrator can determine if someone has successfully breached the
system. The most well-known and recommended piece of software to
accomplish this is called Tripwire for Servers, by TripWire.

Another product offered by TripWire is called TripWire for Routers and
Switches. This piece of software monitors changes in router and switch
configurations, and alerts the administrator to any changes. It also
gives the administrator the ability to have the system automatically
“fix” a router to ensure as little down time as possible is incurred.
This provides protection against insiders modifying router
configurations to re-route information through controlled boxes, and
thus being able to view all network traffic.
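The file-integrity idea in the section above is small enough to show end to end. The following is an added example, not Tripwire's code or anything from the article: it baselines SHA-256 digests for a directory, scans again later, and reports what changed, was added, or disappeared. The demo directory, its file names and contents are constructed in a temp dir to stand in for a system binary directory.

```python
"""Minimal file-integrity check in the spirit of the tool described above: take a
baseline of SHA-256 digests for a directory, scan again later, and report what
changed. Added example, not Tripwire's code. The demo builds a throwaway
directory in a temp dir to stand in for a system binary directory."""
import hashlib
import json
import os
import tempfile

def digest(path):
    """SHA-256 of one file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each regular file under root (relative path) to its digest."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = digest(full)
    return snap

def save_baseline(snap, path):
    # In practice the baseline belongs on read-only media or on a host the
    # insider cannot write to; a baseline the attacker can edit proves nothing.
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)

def compare(baseline, current):
    """Classify differences between the stored baseline and a fresh scan."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Baseline a fake bin directory, then replace one file, add one, delete one."""
    root = tempfile.mkdtemp()
    for name in ("ls", "ps", "cat"):                     # constructed stand-ins
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"original " + name.encode())
    baseline_path = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(snapshot(root), baseline_path)
    with open(os.path.join(root, "ls"), "wb") as fh:    # simulate a replaced binary
        fh.write(b"replaced ls")
    with open(os.path.join(root, "extra"), "wb") as fh: # simulate a dropped-in file
        fh.write(b"new")
    os.remove(os.path.join(root, "cat"))                # simulate a deleted file
    return compare(load_baseline(baseline_path), snapshot(root))

if __name__ == "__main__":
    print(demo())
```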

Physical Access Detection

Since employees are permitted to be in the building, and around other
workstations etc., internal physical detection methods must be put in
place. The electronic detection methods may as well not exist if
physical security is not in place. Physical access detection can consist
of many things, including a camera system to monitor the activities of
employees in areas that contain sensitive servers, or even a key card
system. The key card system is the ideal one. By utilizing a key card
system, linked to a central security monitoring system, the security
personnel can keep track of who goes where, and for how long they’re
there. It can also allow an extra amount of security, and convenience,
above using a simple lock and key for each door. The door to an office
can lock automatically upon an employee leaving the room, and the
employee simply has to swipe his/her card, and enter their PIN to get
back in. It also allows for access control over who goes into what areas,
etc.
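The "who goes where, and for how long" record from the key card system is only useful if someone turns it into alerts. The following added example, not from the article, pairs entry and exit events for a server-room door, computes dwell time, and flags after-hours entries, stays beyond a threshold, entries with no exit, and exits with no recorded entry (a sign of someone tailgating in). The event lines, the business-hours window and the threshold are all constructed or assumed.

```python
"""Review key-card events for a server room: pair entries with exits, compute
dwell time, and flag after-hours entries, over-long stays, entries with no exit
and exits with no entry. Added example, not from the article; the event lines,
working-hours window and stay threshold are constructed/assumed."""
from datetime import datetime, timedelta

EVENTS = [  # constructed: "timestamp door direction badge"
    "2002-02-15T09:02:10 server-room IN  E1043",
    "2002-02-15T09:14:55 server-room OUT E1043",
    "2002-02-15T21:05:00 server-room IN  E2210",
    "2002-02-15T23:40:30 server-room OUT E2210",
    "2002-02-15T14:00:00 server-room IN  E3001",
    "2002-02-15T16:30:00 server-room OUT E4410",
]
WORK_START, WORK_END = 8, 18      # assumed business hours (24h clock)
MAX_STAY = timedelta(hours=1)     # assumed threshold for a normal visit

def parse(lines):
    """Turn raw lines into (timestamp, door, direction, badge), oldest first."""
    out = []
    for line in lines:
        ts, door, direction, badge = line.split()
        out.append((datetime.fromisoformat(ts), door, direction, badge))
    return sorted(out)

def sessions(events):
    """Pair each IN with the next OUT for the same badge and door.
    Yields (badge, door, entered, left); a missing side is None."""
    open_visits, done = {}, []
    for ts, door, direction, badge in events:
        key = (badge, door)
        if direction == "IN":
            open_visits[key] = ts
        elif key in open_visits:
            done.append((badge, door, open_visits.pop(key), ts))
        else:
            done.append((badge, door, None, ts))      # OUT with no matching IN
    for (badge, door), ts in open_visits.items():
        done.append((badge, door, ts, None))          # still inside at end of log
    return done

def findings(lines):
    """Turn sessions into (badge, reason) alerts a guard or analyst can review."""
    result = []
    for badge, door, entered, left in sessions(parse(lines)):
        if entered is None:                           # possible tailgating on the way in
            result.append((badge, "exit without recorded entry"))
            continue
        if not WORK_START <= entered.hour < WORK_END:
            result.append((badge, "after-hours entry"))
        if left is None:
            result.append((badge, "no exit recorded"))
        elif left - entered > MAX_STAY:
            result.append((badge, "stay exceeds threshold"))
    return sorted(result)

if __name__ == "__main__":
    for badge, reason in findings(EVENTS):
        print(f"{badge}: {reason}")
```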

Conclusion

Insider attacks can come from a number of avenues, whether it is social
engineering between employees, incorrect access rights, or simple
physical access methods. All of these concerns, however, can be
addressed using a few simple techniques to prevent the chance of
attacks, as well as to detect any attempted attacks. It is only through
the marriage of all of these techniques that a successful defence
against insider attacks is truly possible. One single technique, in and
of itself, may assist in the overall goal, but cannot fully accomplish
the task. These are also only a few of the many techniques available to
combat the problem of insider attacks. The only way to continue to keep
a network secure from attackers inside and out is to continue reading
up on, and learning, the various defence methods and techniques
available out there, as well as keeping up to date on the security
issues that affect your network the most.


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:03 PST