Inside job

14/10/2003 12:11:54

A University of Texas student steals 55,000 Social Security numbers from the school's administrative databases. A UBS PaineWebber system administrator activates a logic bomb in the company's network, causing $US3 million in damage. A disgruntled Australian IT employee commandeers his company's sewage management software to dump millions of litres of raw sewage into local parks and rivers.

These real-life examples from the past three years show how devastating damage from malicious insider cyberattacks can be. And the threat is growing. Although companies are reluctant to report having been attacked from the inside, 64 per cent of enterprises that responded to a 2002 survey conducted by the Computer Security Institute and the FBI reported experiencing at least one internal incident, up from 59 per cent in 2001. From malicious DoS (denial of service) attacks to the theft of HR, financial or medical records, there are many ways insiders can cause financial and physical damage and create legal liabilities for their employers.

"Insider attacks are where most of the money's lost, where most of the vulnerabilities are," says Frank Huerta, vice president of intrusion-detection product delivery at Symantec. Huerta also notes that many of the increasing number of workers who have been laid off during the past two years have retained passwords to sensitive systems. Increased connectivity among enterprises has also given insiders greater access to the internal networks of partners, customers, and vendors.

"It's almost becoming a myth that there is an internal network," says Christopher William Klaus, CTO of Internet Security Systems. As e-business proliferates, "your firewalls become more and more porous", he adds.

In addition to keeping passwords after termination of their employment, malicious insiders often gain access to internal systems while on the payroll through social engineering -- essentially sweet-talking IT personnel for passwords to restricted systems. "If you can get the passwords, you've got the keys to the kingdom," Symantec's Huerta says.

Insiders can also attack without passwords, ISS' Klaus says. For example, an insider can hack credit card data directly through a database using a tool such as Nmap, which scans the network to find default accounts. "You can go on the Internet and download scripts and exploits to break in," Klaus explains. "Anybody on the inside of your company can download this stuff."

To guard against insider attacks, experts generally recommend a layered approach, meaning that enterprises should use multiple technologies in tandem and should combine these technologies with tough security policies. Here's a rundown of some of the key technologies and policies enterprises can use to guard against inside attacks.

Identity management

One key layer of protective technology is identity management: software that efficiently tracks, provisions, and de-provisions accounts and passwords across the enterprise. Many vulnerabilities stem from companies giving users, especially contractors, broader access than they really need to do their jobs -- access to the whole sales database versus a single region, for example -- or forgetting to de-provision accounts when a user is terminated.

"We typically find that about 40 per cent of the valid users in the enterprise are people who no longer work there," says Jeff Drake, director of security strategy at IBM/Tivoli. "Companies are very good at getting you out of the payroll system when you leave, but they're very poor at removing accesses to apps that you were granted."

Identity management systems -- from companies such as IBM Tivoli, Netegrity, Oblix, Novell and Sun Microsystems -- aim to solve this problem by providing a single mechanism for managing and provisioning account access and for linking that access to HR and payroll. These systems typically provide audit, logging, and policy enforcement to help prevent contractors from getting root access to sensitive systems.
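The reconciliation that Drake and the identity-management vendors describe (linking application accounts to HR so that leavers and expired contractors are de-provisioned, and so that contractors do not hold root) comes down to a join between the HR roster and the account inventory. The following is an added example, not code from the article or from any of the named products; the roster, accounts, dates and the `contract_end` convention for contractors are constructed sample data.

```python
# Added example (not from the article or any vendor product): reconcile application
# accounts against the HR roster so that accounts belonging to departed staff, expired
# contractors, or people HR has never heard of are flagged for de-provisioning.
# All names, dates and applications below are constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str                              # "active" or "terminated"
    contract_end: Optional[date] = None      # set only for contractors (assumed convention)


@dataclass(frozen=True)
class AppAccount:
    user_id: str
    app: str
    privilege: str                           # "user" or "root"


AS_OF = date(2003, 10, 14)                   # date of the audit run (constructed)

# Constructed HR roster: two staff, two contractors.
HR_ROSTER = {
    "alice": HrRecord("alice", "active"),
    "bob":   HrRecord("bob", "terminated"),
    "carol": HrRecord("carol", "active", contract_end=date(2003, 9, 30)),
    "dave":  HrRecord("dave", "active", contract_end=date(2004, 3, 31)),
}

# Constructed account inventory pulled from the applications themselves.
APP_ACCOUNTS = [
    AppAccount("alice", "sales-db", "user"),
    AppAccount("bob", "sales-db", "user"),
    AppAccount("bob", "payroll", "user"),
    AppAccount("carol", "sales-db", "user"),
    AppAccount("dave", "finance", "root"),
    AppAccount("eve", "payroll", "user"),    # no HR record at all
]


def find_accounts_to_deprovision(accounts, roster, today):
    """Return (account, reason) pairs for accounts that HR no longer justifies."""
    findings = []
    for acct in accounts:
        rec = roster.get(acct.user_id)
        if rec is None:
            findings.append((acct, "no HR record"))
        elif rec.status != "active":
            findings.append((acct, "terminated in HR"))
        elif rec.contract_end is not None and rec.contract_end < today:
            findings.append((acct, "contract expired"))
    return findings


def find_contractor_root(accounts, roster):
    """Policy check: contractors (records with a contract end date) holding root."""
    return [a for a in accounts
            if a.privilege == "root"
            and a.user_id in roster
            and roster[a.user_id].contract_end is not None]


def stale_account_ratio(accounts, roster, today):
    """Share of distinct account holders that the HR link says should not exist."""
    flagged = {a.user_id for a, _ in find_accounts_to_deprovision(accounts, roster, today)}
    holders = {a.user_id for a in accounts}
    return len(flagged) / len(holders)


if __name__ == "__main__":
    for acct, reason in find_accounts_to_deprovision(APP_ACCOUNTS, HR_ROSTER, AS_OF):
        print(f"DEPROVISION {acct.user_id}@{acct.app}: {reason}")
    for acct in find_contractor_root(APP_ACCOUNTS, HR_ROSTER):
        print(f"POLICY contractor {acct.user_id} holds root on {acct.app}")
    print(f"stale holders: {stale_account_ratio(APP_ACCOUNTS, HR_ROSTER, AS_OF):.0%}")
```

The point of keying on the HR record rather than on the account's own attributes is the one Drake makes: payroll already knows who has left, so the account inventory only needs to be compared against it on a schedule, and the ratio reported at the end is the number the article quotes as typically running around 40 per cent.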

Intrusion detection and security-event management

To identify insiders who may be exploring internal systems as a prelude to an attack, IDS (intrusion detection system) software provides passive scanning of network activity. These host- or network-based systems listen on the wire for suspect traffic and then use pattern recognition and various algorithms to find what looks like illegitimate activity. When such activity is detected, IDS software alerts security personnel or automatically shuts off access to the resource being probed.

Many vendors, including ISS, Symantec, Cisco and a host of smaller companies, offer IDS systems. Some, such as Symantec, also offer so-called "honey pot" or decoy systems, designed to catch malicious attackers by luring them into a painstakingly prepared replica of the system they may be trying to penetrate (for example, finance or payroll) but with false data -- essentially catching them in the act.

In the past, IDS systems triggered too many false alarms, which often caused IT personnel to simply shut them off. To address this problem, many vendors are developing so-called security-event management platforms -- software that takes data inputs from a multitude of security devices on the network and correlates them in real time or after the fact to identify potential threats. According to Deepak Taneja, CTO of Netegrity, the systems work similarly to the credit-card companies' antifraud algorithms by looking for atypical behaviour.

"Say Jennifer gets hold of my password and tries to access that application (by dialling) in from home on a VPN," Taneja says. "But that's not how I always do it -- from my desktop during business hours." This information might then be passed to the provisioning system to shut down the account Jennifer has hijacked. "Just knowing that those systems are in place is a good deterrent," Taneja adds.

Many of the security event management vendors -- including most major IDS vendors as well as smaller companies such as Guardent, Network Intelligence, Arcsight and E-security -- incorporate vulnerability information about specific systems to prioritise protection for those systems that are the most vulnerable to attacks. "If the dead bolt is locked," ISS' Klaus says, "it doesn't matter if they wiggled a key in the door".

Firewalls and VPNs

Hackers have been known to deride vulnerable enterprises as "crunchy on the outside, chewy on the inside", meaning that once they get past the firewall they can do anything they want. Partly in response to insider threats, enterprises are beefing up their internal use of firewalls and VPNs to provide more protection to key systems and data.

"Make your network as crunchy as possible; don't just have a hard line across your perimeter," advises Sweta Duseja, product marketing manager at Check Point. She sees enterprises deploying peer-to-peer VPNs even on their internal network and taking a more "concentric" approach to deploying firewalls. This can mean putting firewalls into gateways at key points in the network and directly in front of key applications.

Insider security policies

No amount of layered technology will stop insider attacks if an enterprise doesn't have good security policies and procedures in place. "You can put in as many firewalls and VPNs as you like," Duseja says. "The issue is still: have you configured your security rules and policies?" She cites access to Web-based protocols such as Microsoft's CIFS (Common Internet File System) as a major policy issue. "They are one of the most vulnerable protocols that hacker employees get hold of and know how to use."

Joel McFarland, manager of security appliances at Cisco, thinks enterprises are generally too trusting of employees and wishes they would put more teeth in their policies to deter inside attacks.

"More often than not, customers are willing to passively police their internal threats," McFarland says, adding that enterprises will refuse to revoke privileges or shut off systems even when a threat has been detected, for fear of causing disruption to legitimate activity. He would like to see this change. "It's the collaboration between your IDS and identity service that allows you to police and enforce insider threat mitigation," he explains.

On an even more basic level, there are many straightforward policies that can help guard against insider attacks, according to Symantec's Huerta (see also top tips box). Have you had your IT employees' and contractors' backgrounds checked? Has your internal security plan been reviewed by a reputable third party? Are you limiting access to just those who need it? If an employee is caught looking at unauthorised material after hours, what are the consequences? "Are they just meandering around the network because they can?" Huerta asks. "You have to have policies."

Tales from the security trenches

Companies share their best practices for avoiding internal threats

"I'd tell you, but then I'd have to kill you." Enterprises are notorious for refusing to talk about security measures they're taking. But IT executives at two companies were willing to shed light on some of the ways they guard against internal threats. Here are some of their insights into best practices to control internal threats.

British Telecommunications PLC

Twelve years ago, a reporter from one of Britain's national newspapers took a temp job at British Telecom, obtained a password for a secure account, and used it to steal -- then threatened to publish -- some of the company's most closely guarded information. "We have telephone numbers for people like the queen and the prime minister," explains Alec Cartwright, a lead designer at BT Exact, British Telecom's internal IT organisation.

In the wake of that incident, the company developed internal procedures to protect against future inside threats, and has implemented those procedures using a range of technologies including IDS and firewalls. Today one key focus is protecting the company's 1200 Web-based applications, and making sure BT's 120,000 employees have access to them only on a need-to-know basis.

To that end, British Telecom uses Netegrity's SiteMinder as a central administration point "to tightly control what (users) can do, or what they attempt to do", says Cartwright, who heads the SiteMinder implementation team. The software is linked to the company's PeopleSoft HR system, he explains, "so as people leave the company, their access to systems is revoked". The system also enforces password requirements and facilitates resets on a regular basis. It serves as an authentication system for internally developed applications, and it provides audit trails to show who is trying to access restricted information.

Cartwright says the system has caught insiders who attempted to log on to other employees' accounts using invalid passwords, cycling through as many as 100 accounts one by one until they get locked out of each account. "It's looking for patterns like that, and they do happen," he explains. "People will cycle round a set of accounts... it's really quite a sophisticated attack."
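Two of the detections described in this article rest on the same raw material, a stream of authentication events: Taneja's example of a login that departs from a user's usual source and hours, and the account-cycling pattern Cartwright says BT's audit trail catches (one actor failing against many accounts in turn until each locks). The block below is an added example, not code from the article, Netegrity or BT; it parses constructed log lines in an assumed `key=value` format and applies both rules, with the baseline window, the ten-minute cycling window and the ten-account threshold all chosen here as illustrative values.

```python
# Added example (not from the article or any vendor product): two correlation rules of
# the kind a security-event manager applies to authentication events.
#   Rule 1 flags a successful login from a source type or hour the user never showed
#          in the baseline period (Taneja's "that's not how I always do it").
#   Rule 2 flags one source address failing against many distinct accounts inside a
#          short window (the account cycling Cartwright describes).
# All log lines, names, addresses and thresholds below are constructed sample data.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<date> <time> user=<id> src=desktop|vpn ip=<addr> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) user=(?P<user>\S+) "
    r"src=(?P<src>desktop|vpn) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$")


def parse(lines):
    """Parse auth log lines into dicts, oldest first; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return sorted(events, key=lambda e: e["ts"])


# Constructed baseline week: Taneja logs in from his desktop during business hours.
BASELINE_LOG = [
    "2003-10-06 08:55:10 user=taneja src=desktop ip=10.0.5.21 result=ok",
    "2003-10-07 09:02:33 user=taneja src=desktop ip=10.0.5.21 result=ok",
    "2003-10-08 17:40:05 user=taneja src=desktop ip=10.0.5.21 result=ok",
    "2003-10-09 13:15:47 user=taneja src=desktop ip=10.0.5.21 result=ok",
]

# Constructed events to evaluate: a late-night VPN login with Taneja's credentials, a
# normal login by another user, and one address cycling through twelve accounts.
NEW_LOG = [
    "2003-10-13 23:41:02 user=taneja src=vpn ip=203.0.113.9 result=ok",
    "2003-10-13 09:10:00 user=alice src=desktop ip=10.0.5.30 result=ok",
] + [
    f"2003-10-13 22:00:{i:02d} user=acct{i:03d} src=desktop ip=10.0.7.77 result=fail"
    for i in range(12)
]


def build_baseline(events):
    """Per user: the source types and the hours at which logins succeeded."""
    profile = defaultdict(lambda: {"src": set(), "hours": set()})
    for e in events:
        if e["result"] == "ok":
            profile[e["user"]]["src"].add(e["src"])
            profile[e["user"]]["hours"].add(e["ts"].hour)
    return profile


def atypical_logins(events, profile):
    """Rule 1: successful logins outside the user's baseline source types or hour range."""
    alerts = []
    for e in events:
        p = profile.get(e["user"])
        if e["result"] != "ok" or p is None:
            continue        # users with no baseline are a provisioning question, not this rule
        reasons = []
        if e["src"] not in p["src"]:
            reasons.append(f"new source type {e['src']}")
        if not (min(p["hours"]) <= e["ts"].hour <= max(p["hours"])):
            reasons.append(f"hour {e['ts'].hour:02d} outside baseline")
        if reasons:
            alerts.append((e["user"], e["ip"], "; ".join(reasons)))
    return alerts


def account_cycling(events, window=timedelta(minutes=10), min_accounts=10):
    """Rule 2: one address failing against >= min_accounts distinct accounts within window."""
    recent = defaultdict(deque)     # ip -> deque of (ts, user) for recent failures
    alerts = {}                     # ip -> highest distinct-account count seen
    for e in events:
        if e["result"] != "fail":
            continue
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_accounts:
            alerts[e["ip"]] = max(alerts.get(e["ip"], 0), len(distinct))
    return alerts


def run():
    """Build the baseline, evaluate the new events, return (rule-1 alerts, rule-2 alerts)."""
    profile = build_baseline(parse(BASELINE_LOG))
    events = parse(NEW_LOG)
    return atypical_logins(events, profile), account_cycling(events)


if __name__ == "__main__":
    atypical, cycling = run()
    for user, ip, why in atypical:
        print(f"ATYPICAL {user} from {ip}: {why}")
    for ip, n in cycling.items():
        print(f"CYCLING {ip}: {n} distinct accounts failed within the window")
```

Both rules produce output that a provisioning system can act on, which is the hand-off Taneja describes: rule 1 names the account to suspend, rule 2 names the address to cut off. Rule 2 is deliberately keyed on distinct accounts per source rather than failures per account, because per-account lockout is exactly what the cycling pattern is built to stay under.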

Palm

How do you draw the line between legitimate employee tinkering in the line of duty and dangerous insider snooping? In an environment such as Palm, thick with developers trying to flex their coding muscles, the best defence is a good offence, explains Palm's Director of Global IT Services Matt Archibald.

"Employees like to fiddle around with tools that will scan the network," Archibald says. "Some of it is just people playing around, other times it could be a contractor who's doing work and they don't want to go through the right processes to gain access to a system, so they break into it."

To keep ahead of such situations, Archibald utilises a grab bag of tools, including Symantec's Manhunt IDS product -- "I'm a huge proponent of Manhunt," he says -- and penetration scanner utilities such as Network Associates' Cybercop Scanner and public domain tools Nessus and Nmap. "It's not just putting up defensive measures, it's being as offensive as you can be," Archibald says.

Specifically, he recommends constantly analysing the network and performing unscheduled network penetration studies, using different tools each time. "Never tell anybody when you're going to do them," Archibald says, otherwise people "who want to have holes in their systems will turn off the open holes for the duration of the study".

Archibald also recommends testing for vulnerabilities in OS and application configurations by doing deltas against the previous configuration or a policy baseline. Check for directory permissions, Archibald advises, plus changes to default security policies, or changes to how accounts are set and how files are shared. "Are there any back doors set, or is there anything in the configuration itself that allows an authorised user to gain access to privileged information, or change configuration settings on the system?"
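Archibald's configuration delta is a mechanical comparison: a snapshot of the host's directory permissions, accounts, shares and security policy is diffed against the previous snapshot or a policy baseline, and the differences are ranked so that the ones he lists (back doors, permission changes, altered sharing and account settings) surface first. The block below is an added example, not code from the article or from Palm; the snapshot layout, the sample values and the severity heuristics are all assumptions made for the illustration.

```python
# Added example (not from the article or Palm's tooling): diff a host's current
# configuration snapshot against a policy baseline and rank the changes.
# The nested-dict snapshot layout, the sample values and the severity rules are
# constructed for this illustration; a real collector would populate the dicts
# from the OS and application settings Archibald lists.

# Constructed policy baseline for one host.
BASELINE = {
    "dir_perms": {"/etc": "755", "/etc/shadow": "600", "/var/log": "755"},
    "accounts": {"root": {"uid": 0, "shell": "/bin/bash"},
                 "www": {"uid": 80, "shell": "/sbin/nologin"}},
    "shares": {"public": {"path": "/srv/public", "writable": False}},
    "policy": {"password_min_len": 8, "lockout_threshold": 5},
}

# Constructed current snapshot of the same host, with several quiet changes.
CURRENT = {
    "dir_perms": {"/etc": "755", "/etc/shadow": "644", "/var/log": "755"},
    "accounts": {"root": {"uid": 0, "shell": "/bin/bash"},
                 "www": {"uid": 80, "shell": "/bin/bash"},
                 "backup2": {"uid": 0, "shell": "/bin/bash"}},     # second uid-0 account
    "shares": {"public": {"path": "/srv/public", "writable": True},
               "hr$": {"path": "/srv/hr", "writable": True}},
    "policy": {"password_min_len": 8, "lockout_threshold": 0},
}


def delta(baseline, current, path=()):
    """Recursively compare nested dicts; yield (path, kind, old, new) for each difference."""
    for key in sorted(set(baseline) | set(current)):
        here = path + (key,)
        if key not in current:
            yield (here, "removed", baseline[key], None)
        elif key not in baseline:
            yield (here, "added", None, current[key])
        elif isinstance(baseline[key], dict) and isinstance(current[key], dict):
            yield from delta(baseline[key], current[key], here)
        elif baseline[key] != current[key]:
            yield (here, "changed", baseline[key], current[key])


def severity(change):
    """Rank a change so the reviewer sees likely back doors first (heuristics are assumptions)."""
    path, kind, old, new = change
    if path[0] == "accounts" and kind == "added" and isinstance(new, dict) and new.get("uid") == 0:
        return "critical"       # an extra uid-0 account is a textbook back door
    if path == ("policy", "lockout_threshold") and new == 0:
        return "critical"       # lockout disabled: account cycling is no longer stopped
    if path[0] == "dir_perms" or path[-1] in ("shell", "writable"):
        return "high"           # permission, login-shell or share-writability changes
    if path[0] == "shares" and kind == "added":
        return "high"           # a new share exposes data that was not shared before
    return "medium"


def audit(baseline, current):
    """Return (severity, path, kind, old, new) for every difference."""
    return [(severity(c),) + c for c in delta(baseline, current)]


if __name__ == "__main__":
    order = {"critical": 0, "high": 1, "medium": 2}
    for sev, path, kind, old, new in sorted(audit(BASELINE, CURRENT),
                                            key=lambda f: (order[f[0]], f[1])):
        print(f"{sev:8} {kind:8} {' > '.join(path)}: {old!r} -> {new!r}")
```

Running the same `audit` against two successive snapshots rather than against the policy baseline answers Archibald's other question, what changed since last time, which is the comparison that catches a setting that was correct at baseline and quietly altered later.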
