From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Reply-To: iwar@yahoogroups.com
Date: Sat, 16 Feb 2002 07:57:16 -0800 (PST)
Message-Id: <200202161557.g1GFvGp21176@red.all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Subject: [iwar] [fc:The.Enemy.Inside.the.Gates:.Preventing.and.Detecting.Insider.Attacks]

The Enemy Inside the Gates: Preventing and Detecting Insider Attacks
By Nathan Einwechter, SecurityFocus, 2/15/02
http://www.net-security.org/cgi-bin/news.cgi?url=http://www.securityfocus.com/infocus/1546

Introduction

It's nine in the evening in your office building. Most people have gone home long ago, many of the office lights are off, and the janitors are quietly making their rounds. From a single, solitary cubicle comes the familiar blue glow of a computer screen along with the rhythmic tippy-tap of a keyboard. This could be the sound of a dedicated employee working late into the night. But it's not. Quite the opposite: it is a trusted worker stealing valuable proprietary information off the company's network.

This scenario is becoming more and more common. In today's information security climate, most resources are focused on firewalls and other methods of perimeter protection. The security strategy is aimed at keeping attackers from ever entering a specific network. But what happens when the attacker is already on the network? What happens when the enemy is already inside the gates?

Inside Attacks

An insider attack, sometimes referred to as an inside job, is a crime perpetrated by, or with the help of, a person working for or trusted by the victim. An insider (the person assisting with or committing the crime) can be further defined as an officer of a corporation or anyone else who has access to private information about the corporation's operations.

Insider attacks are becoming more common and more damaging. According to the annual CSI/FBI survey, 59% of companies surveyed said they had had one or more attacks reported internally. Almost 8% of those companies reported 60 or more internal incidents. (The survey is available on request at http://www.gocsi.com/forms/fbi/pdf.html.)

Insider attacks are particularly insidious and difficult to protect against.
Not only do the attackers have immediate access to the network, they require such access in order to do their jobs. Furthermore, because they already have user accounts and corporate e-mail addresses, they likely have access to company data, and so they probably know which data is of particular value to the organization.

Preventing Insider Attacks

The nature of the inside attack makes it difficult to prevent: how does the organization give individuals the access to information they need to do their jobs adequately, while protecting the company's crucial information resources? Allowing employees sufficient access to the data and programs they require, and only those resources, is the single biggest problem in protecting against insider attacks. The second major concern is that insider attacks are often facilitated by accident: the attacker stumbles onto otherwise unauthorized information because of incorrect permissions or account rights, or unnecessary access to database systems.

The prevention of insider attacks includes proper allocation of account rights, the use of internal firewalls, proper user training, and physical security measures.

Account Rights

The first issue is that of account rights. Improper or inappropriate account rights are often the first step in unauthorized data access. Preventing this sounds simple, but is quite difficult: it involves accurately assessing which users really need access to which resources. Setting account rights is something of an art, much like walking a tightrope. Give a person too much access and they may reach data and other resources that are not required for their job; make access rights too restrictive and they may be unable to do their job at all. Because they misunderstand an employee's job requirements, security personnel often set that employee's access rights improperly. To avoid this, a few simple steps are suggested.
The first step is to sit down with each department head within the organization. These meetings can be used to determine exactly how much access the department's employees require. Once the required rights have been determined, they must be implemented. The structure and allocation of account privileges should be formalized, possibly in the organization's security policy. A memo should be sent out notifying employees of their access privileges and the procedure by which these privileges can be changed. Employees should receive a form with which they can formally request changes in access rights. The form should simply ask for the employee's name, department, the access requested, and an explanation of why the access is needed. This allows flexibility in the system as a whole while maintaining a degree of centralized control over access rights.

Minimal Direct Access to Database(s)

Although this should be covered by the general access rights, a point should be made about databases. The large database systems found within most corporations today contain a great deal of sensitive information, from payroll to client account lists. These database systems are often easy targets for insider attackers. They are also a particularly dangerous point of attack for organizations: if an attacker obtains confidential client information, the organization may face liability as well as a nasty public relations problem. Largely for this reason, security administrators should strongly restrict the database access given to users. Database access should be limited to the minimum required for the employee to do his or her job effectively.

Many corporations have large numbers of staff involved in entering information into databases. The data entry software, and the way it enters or revises information within the database, should be closely examined.
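One way to carry out that examination is to probe what the data-entry account can actually do, rather than what the front end is supposed to let it do. The Python below is an added example and not code from the article: it uses SQLite's authorizer hook as a stand-in for the DBMS privilege system so the probe runs offline, with a constructed schema, a constructed privilege policy and constructed probe statements. Against a real server you would connect as the data-entry account (with privileges granted by the DBA) and run the same probes; every probe the policy says should fail but which succeeds is a finding.

```python
"""Probe the effective privileges of a data-entry database account.

Added example: SQLite's authorizer hook stands in for the DBMS privilege system
so the probe runs offline. Against PostgreSQL, Oracle, etc. you would connect as
the data-entry account and run the same probe statements.
"""
import sqlite3

# Constructed schema standing in for a corporate database.
SCHEMA = """
CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, phone TEXT, credit_limit INTEGER);
CREATE TABLE payroll (employee TEXT, salary INTEGER);
INSERT INTO clients VALUES (1, 'Acme Ltd', '555-0100', 50000);
INSERT INTO payroll VALUES ('J. Smith', 61000);
"""

# Intended privileges of the data-entry role (assumption for this example):
# table -> set of (action, column); column is None for row-level actions.
DATA_ENTRY_POLICY = {
    "clients": {("read", "name"), ("read", "phone"), ("insert", None), ("update", "phone")},
}

# What the policy says each probe should produce. A mismatch is a finding.
EXPECTED = {
    "insert client": "allowed",
    "update client phone": "allowed",
    "read client contacts": "allowed",
    "read credit limits": "denied",
    "read payroll": "denied",
    "delete clients": "denied",
}

PROBES = [
    ("insert client", "INSERT INTO clients (name, phone) VALUES ('Beta Inc', '555-0199')"),
    ("update client phone", "UPDATE clients SET phone = '555-0101' WHERE name = 'Acme Ltd'"),
    ("read client contacts", "SELECT name, phone FROM clients"),
    ("read credit limits", "SELECT name, credit_limit FROM clients"),
    ("read payroll", "SELECT employee, salary FROM payroll"),
    ("delete clients", "DELETE FROM clients"),
]


def _decide(policy, table, action, column):
    allowed = policy.get(table, set())
    if action == "read" and column == "":
        # SQLite reports a table referenced without reading a column as an empty column name.
        ok = any(a == "read" for a, _ in allowed)
    else:
        ok = (action, column) in allowed
    return sqlite3.SQLITE_OK if ok else sqlite3.SQLITE_DENY


def make_authorizer(policy):
    """Authorizer callback enforcing `policy` when each statement is compiled."""
    def authorize(action, arg1, arg2, _dbname, _trigger):
        if action == sqlite3.SQLITE_READ:
            return _decide(policy, arg1, "read", arg2)
        if action == sqlite3.SQLITE_INSERT:
            return _decide(policy, arg1, "insert", None)
        if action == sqlite3.SQLITE_UPDATE:
            return _decide(policy, arg1, "update", arg2)
        if action == sqlite3.SQLITE_DELETE:
            return _decide(policy, arg1, "delete", None)
        return sqlite3.SQLITE_OK  # SELECT/TRANSACTION/FUNCTION bookkeeping actions
    return authorize


def open_as_data_entry(policy=DATA_ENTRY_POLICY):
    """Create the database as the DBA would, then drop to the data-entry role."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.set_authorizer(make_authorizer(policy))
    return conn


def probe_privileges(conn, probes=PROBES):
    """Run each probe and roll it back; return {label: 'allowed' | 'denied'}."""
    results = {}
    for label, sql in probes:
        try:
            conn.execute(sql).fetchall()
            results[label] = "allowed"
        except sqlite3.Error:
            results[label] = "denied"
        conn.rollback()
    return results


def unexpected_privileges(results, expected=EXPECTED):
    """Labels the account could perform although the policy says it should not."""
    return sorted(l for l, r in results.items() if r == "allowed" and expected.get(l) == "denied")


if __name__ == "__main__":
    res = probe_privileges(open_as_data_entry())
    for label, outcome in res.items():
        print(f"{label:22s} {outcome}")
    print("excess privileges:", unexpected_privileges(res) or "none")
```

The probes are deliberately written as raw SQL rather than through the data-entry application, because the question is what the account can do if the application is bypassed or has a bug.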
When examining this software and the way it works, test it to make sure that it will only allow the user to do exactly what you want them to be doing, and nothing else. It should not be able to read or write any tables, columns, or fields other than those specifically required for the staff member's job. Check this at the database account as well as in the application: a data entry account whose own privileges would let it read other tables is only one application bug away from exposing them, however well the front end behaves.

Internal Firewalls

Firewalls are generally considered a perimeter defence and, as such, are deployed on the perimeter of networks. When dealing with insider attacks, however, these same firewalls can be deployed within the internal network to protect more sensitive computers, servers, and network segments from attacks from within. The basic idea of an internal firewall is to let in only those who need the data protected behind it, and keep out those who don't. Further, the firewall should be set up to allow only specific types of access to the protected computers. For example, if accounting only needs Web access to a server, the security administrator shouldn't allow anyone in the accounting IP space to use anything but TCP port 80 across the firewall. This simply provides an extra layer of internal security for important servers and other machines that don't need to be accessed by everyone. Even if a server does need to be accessed by everyone, the types of traffic allowed to it can be restricted.

Another use of the firewall is to log attempted attacks. The logs can then be used to identify employees who may be trying to attack that specific server or network segment. This is discussed in more detail in the detection section below.

Training

Employee training is another major key to preventing insider attacks.
It should go without saying that employees should be taught basic security practices, such as password and physical security procedures, as well as how to identify social engineering attempts, which may or may not come from insiders. They should also be trained how to respond correctly to these attempts. (For more on social engineering attacks, please see the SecurityFocus series Social Engineering Fundamentals.)

Employees can help to prevent insider attacks. Physical access to workstations is a particularly important component of this. Organizations should train employees to lock or log out of their workstations any time they leave them, for any amount of time. This prevents a fellow employee with fewer access rights from strolling up to the computer and using the owner's access to obtain data otherwise restricted to that user.

The second of these basic security practices is that of a secure password. Teach employees to pick passwords that are not easily guessed. Make it policy that users do not use their name, pet's name, spouse's name, birth date, or anything else easily guessed. Suggest that they use passwords with numbers, letters, and other characters. (For more information on secure password practices, please see the SecurityFocus article The Simplest Security: A Guide to Better Password Practices.)

As explained earlier, employees should be able to identify possible social engineering attempts and know how to deal with them as they arise. As a basic policy, users should be trained never to give out their passwords to anyone, for any reason. Tell employees that under no circumstances should anyone require a user's password or account data. Instruct employees to notify IT staff immediately of any request for their password or for any other technical information about the network. This is just one common method of social engineering, and one way to protect against it.
Physical Security

Physical security is often overlooked, but is extremely important in the prevention of insider attacks, mainly because of the ease of physical access an employee has to other workstations and machines. After all, they do work in the building. As with the other preventative measures, there are a few techniques for increasing physical security within a company.

As stated in the previous section, be sure that all employees lock or log out of their workstations before leaving them unattended for any period of time. Not only should workstations be locked or logged out, so should offices when they are not occupied. Unfortunately this is not always an option when the employee is in a cubicle; however, under no circumstances should an employee be unable to lock the workstation or log out. These two practices must be followed no matter how long or short the absence from the computer may be. Short trips to the bathroom, to grab a drink, or to chat in the staff lounge are included. One minute is all an insider needs to jump onto a workstation and use that user's privileges to gain unauthorized access to data.

The second method of physical security deals with securing the server rooms. The server room(s) should be locked and monitored. Ideally a key card system, together with a personal PIN, should be employed. This allows monitoring of who accesses the room, when, and for how long, which ties in to detection below.

The last aspect of physical security touched on here is that of the network cables themselves. Someone working in the building, on the same floor or the floor above or below, can easily tap into an Ethernet line and sniff the network. This is an issue that many security specialists have been struggling with for some time. There are a few techniques that can minimize the possibility of a user tapping into the system with a network sniffer.
The first is the use of encryption across the network. By encrypting all sensitive traffic, anything the person tapping the line can view will be gibberish, or non-sensitive information. The cost of this solution is the processing and protocol overhead that encryption adds. Another solution, more recently developed, is promiscuous-mode detection software. Software such as AntiSniff can often detect systems on a network whose interfaces are operating in promiscuous mode. The presence of such a system is usually a sign of a packet sniffer being used to view traffic crossing the network. (Detection of this kind is heuristic: it relies on the sniffing host responding in a way a normal host would not, so a purely passive tap on the cable will not be found this way.)

Detecting Insider Attacks

While the preceding prevention methods should greatly reduce the chance of insider attacks, there is no guarantee that such attacks will not still occur. As such, security administrators must also be able to monitor their networks in order to detect successful intrusions. Much like the prevention process, the detection process consists of numerous components, such as an internal IDS, a firewall logging system, and physical access logging.

Internal IDS/Firewall

The first tool for detecting insider attacks is an internal intrusion detection system (IDS). The internal IDS works in much the same way as a perimeter IDS does: by detecting, logging, and reporting attacks against systems. An internal IDS can consist of host- or network-based sensors, depending on the organization's requirements and network layout. At a minimum, the internal IDS should be able to detect attacks against major servers and data stores. Ideally, however, the IDS will be able to detect attacks against any system across the network as a whole. The use of an internal distributed intrusion detection system is being explored more and more by corporations to detect insider attacks, as well as to trace the origin of attacks within the company.
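To make "log attempted attacks and identify the employee" concrete, the Python below is an added example, not code from the article or from any product. It parses netfilter-style drop records from an internal firewall in front of a protected segment (the sample lines are constructed for this example), groups them by source address, flags sources whose denied traffic looks like probing rather than a misconfigured client, and joins the result to an asset inventory. The log format, the thresholds and the address-to-owner inventory are assumptions; in practice the inventory lookup must use the DHCP lease that was current at the time of the log entry.

```python
"""Correlate internal-firewall drop logs by source to spot insiders probing protected servers."""
import re
from collections import defaultdict

# Constructed sample: netfilter LOG lines from an internal firewall in front of the
# accounting servers, where only TCP/80 is permitted from the 10.20.0.0/16 user space.
SAMPLE_LOG = """\
Feb 16 21:01:03 intfw kernel: ACCT-DROP IN=eth1 OUT=eth2 SRC=10.20.4.17 DST=10.1.0.5 PROTO=TCP SPT=40211 DPT=22 SYN
Feb 16 21:01:04 intfw kernel: ACCT-DROP IN=eth1 OUT=eth2 SRC=10.20.4.17 DST=10.1.0.5 PROTO=TCP SPT=40212 DPT=23 SYN
Feb 16 21:01:04 intfw kernel: ACCT-DROP IN=eth1 OUT=eth2 SRC=10.20.4.17 DST=10.1.0.5 PROTO=TCP SPT=40213 DPT=445 SYN
Feb 16 21:01:05 intfw kernel: ACCT-DROP IN=eth1 OUT=eth2 SRC=10.20.4.17 DST=10.1.0.5 PROTO=TCP SPT=40214 DPT=1433 SYN
Feb 16 21:01:05 intfw kernel: ACCT-DROP IN=eth1 OUT=eth2 SRC=10.20.4.17 DST=10.1.0.5 PROTO=TCP SPT=40215 DPT=3389 SYN
Feb 16 21:01:06 intfw kernel: ACCT-DROP IN=eth1 OUT=eth2 SRC=10.20.4.17 DST=10.1.0.6 PROTO=TCP SPT=40216 DPT=1433 SYN
Feb 16 21:07:41 intfw kernel: ACCT-DROP IN=eth1 OUT=eth2 SRC=10.20.9.30 DST=10.1.0.5 PROTO=TCP SPT=51990 DPT=443 SYN
Feb 16 21:09:12 intfw kernel: ACCT-DROP IN=eth1 OUT=eth2 SRC=10.20.9.30 DST=10.1.0.5 PROTO=UDP SPT=137 DPT=137
"""

# Constructed inventory; a real lookup uses the DHCP lease valid at the log timestamp.
ASSET_INVENTORY = {
    "10.20.4.17": "ACCT-WS-17 (R. Doe, accounts payable)",
    "10.20.9.30": "ACCT-WS-30 (shared scanning station)",
}

KV_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_drop(line):
    """Extract the fields we correlate on; return None for lines that are not drop records."""
    if "DROP" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {"ts": line[:15], "src": fields["SRC"], "dst": fields["DST"],
            "proto": fields.get("PROTO", "?"), "dport": fields.get("DPT", "-")}


def summarise_by_source(lines):
    """Per source host: number of drops, distinct proto/port pairs, distinct targets, first/last seen."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "targets": set(),
                                   "first": None, "last": None})
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        s["hits"] += 1
        s["ports"].add(f'{rec["proto"]}/{rec["dport"]}')
        s["targets"].add(rec["dst"])
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
    return dict(per_src)


def flag_sources(summary, scan_ports=5, repeat_hits=10):
    """Return {src: reason} for sources whose denied traffic looks like probing.

    Thresholds are assumptions to tune per network: a few drops to one port is usually a
    misconfigured client; many distinct ports in a short window is a scan.
    """
    flagged = {}
    for src, s in summary.items():
        if len(s["ports"]) >= scan_ports:
            flagged[src] = (f"port scan: {len(s['ports'])} distinct ports against "
                            f"{len(s['targets'])} host(s) between {s['first']} and {s['last']}")
        elif s["hits"] >= repeat_hits:
            flagged[src] = f"{s['hits']} repeated denied connections"
    return flagged


def attribute(flagged, inventory=ASSET_INVENTORY):
    """Join flagged sources to the asset record; unknown addresses stay visible, not dropped."""
    return {src: (inventory.get(src, "unknown host: check DHCP leases"), reason)
            for src, reason in flagged.items()}


if __name__ == "__main__":
    report = attribute(flag_sources(summarise_by_source(SAMPLE_LOG.splitlines())))
    for src, (owner, reason) in report.items():
        print(f"{src:15s} {owner}\n{'':15s} {reason}")
```

The same parser can be pointed at router ACL logs or switch port-security events by extending the key/value regex, which is the aggregation across devices that the distributed IDS discussion below calls for.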
A distributed intrusion detection system should, ideally, gather information from more than just the standard IDS sensors. It should also retrieve attack information from firewalls, routers, switches, and any other devices that log attacks. By collecting attack information from multiple pieces of software and hardware, the analyst is better able to understand any attempted internal attack and identify its source.

File/Network Integrity Checking

A second tool that can be used to detect insider attacks is file and network integrity checking software. This software is designed to check multiple servers or computers continually for any changes to the base file installation, including the replacement of standard programs (such as ps and ls on Linux/Unix systems) with backdoored versions. By monitoring these files for changes, the security administrator can determine whether someone has successfully breached the system. The best-known and most widely recommended software for this is Tripwire for Servers, by Tripwire, Inc. Another product offered by Tripwire is Tripwire for Routers and Switches. This software monitors changes in router and switch configurations and alerts the administrator to any change. It also gives the administrator the ability to have the system automatically "fix" a router so that as little downtime as possible is incurred. This protects against insiders modifying router configurations to re-route traffic through machines they control, and thus being able to view all network traffic.

Physical Access Detection

Since employees are permitted to be in the building and around other workstations, internal physical detection methods must be put in place. The electronic detection methods may as well not exist if physical security is not in place.
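Returning to the file integrity checking described above: the Python below is an added example of the technique and is not Tripwire's code. It records size, mode, owner and SHA-256 of every regular file under a root, seals the baseline with an HMAC so that an insider with write access to the monitored host cannot simply regenerate the database after swapping a binary, and reports modified, added and removed files. The directory tree, file contents and key are constructed for the demonstration; a real key is generated once and kept off the monitored host.

```python
"""Tripwire-style file integrity checking: baseline protected binaries, then detect changes."""
import hashlib
import hmac
import json
import os
import stat
import tempfile


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record size, permission bits, owner and SHA-256 of each regular file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and device nodes need their own handling in a full tool
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
                             "uid": st.st_uid, "sha256": _digest(path)}
    return baseline


def seal(baseline, key):
    """Serialise the baseline with an HMAC-SHA256 tag computed under an off-box key."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "hmac": tag}, sort_keys=True)


def unseal(blob, key):
    """Verify the tag before trusting the database; a forged or re-baselined file is rejected."""
    doc = json.loads(blob)
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline database has been tampered with")
    return doc["baseline"]


def verify(root, baseline):
    """Compare the current tree with `baseline`; return sorted modified/added/removed paths."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: an insider swaps bin/ps for a backdoored copy and drops a hidden file."""
    key = b"example-key-kept-off-the-monitored-host"  # assumption: real key generated and stored off-box
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, body in (("ps", b"#!/bin/sh\nexec /usr/bin/real-ps \"$@\"\n"), ("ls", b"ELF..ls..")):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(body)
        sealed = seal(build_baseline(root), key)   # taken while the system is known clean

        # Insider activity after the baseline was taken.
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/real-ps \"$@\" | grep -v backdoor\n")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"rootkit config")
        report = verify(root, unseal(sealed, key))

        # An attacker who edits the stored database without the key fails the seal check.
        forged = sealed.replace('"sha256"', '"sha256x"', 1)
        try:
            unseal(forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return report, tamper_detected


if __name__ == "__main__":
    rep, tampered = demo()
    print("modified:", rep["modified"], "added:", rep["added"], "removed:", rep["removed"])
    print("forged database rejected:", tampered)
```

Run the verify step from a schedule on a separate monitoring host, reading the sealed baseline from read-only media or a central server; an integrity checker whose database and key live on the box it monitors only detects attackers who forget to update it.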
Physical access detection can consist of many things, including a camera system to monitor the activities of employees in areas that contain sensitive servers, or a key card system. The key card system is the ideal one. With a key card system linked to a central security monitoring system, security personnel can keep track of who goes where, and for how long. It also adds security and convenience over a simple lock and key for each door: the door to an office can lock automatically when an employee leaves the room, and the employee simply swipes his or her card and enters a PIN to get back in. It also provides access control over who goes into which areas.

Conclusion

Insider attacks can come from a number of avenues, whether social engineering between employees, incorrect access rights, or simple physical access. All of these concerns, however, can be addressed using a few simple techniques to reduce the chance of attack, as well as to detect any attempted attacks. It is only through the marriage of all of these techniques that a successful defence against insider attacks is truly possible. One technique, in and of itself, may assist in the overall goal, but cannot accomplish the task on its own. These are also only a few of the many techniques available to combat the problem of insider attacks. The only way to keep a network secure from attackers inside and out is to continue reading up on and learning the various defence methods and techniques available, as well as keeping up to date on the security issues that affect your network the most.
This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:03 PST