• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 715
  • Last Modified:

Prevents hacking from internal users

I need your opinions in this particular scenario
In my corporate there are several and adequate controls to prevent an intruder from Accessing the Corporate LAN. But as per recent security audit review, there is question about what  if an internal user turned to be a hacker. Now every security Administrator may be facing the same issue. I think we can discuss and brainstorm this through the thread. I need to disscuss these
1. What all a user can do with L2 Secuirty - like intercepting packets in switch
2. How can he make use of the vulnerabilities in the  user applications like Adobe, Word and server side exploits ( throgh open ports in client machines)
3. How can user  attack Server  Applications like AD, Exchange etc
4. If there is is file system encryption like MS EFS, can the hacker able to steal data

  • 4
  • 3
  • 2
  • +2
4 Solutions
Does your network have VLANs set up for different user groups/devices?  If not then that would definitely help out a lot.  Just set it up to where all of your users and NAS/SAN are on specific VLANs that are appropriate for them.  Then they won't be able to access the other devices because they will be completely cut off from them.
anishpeterAuthor Commented:
I have the mentioned VLANS and Access List/Firewall rules all in place. Eventhough inside attacks is possible. More thoughts?
Level of trust provides the level of access.
Your question suggest that a person has the level of access so it is not really hacking.
Application compromises will grant user access to system level administrative access limiting the person to the system they are on.
Web based compromised, sql compromise could grant domain level admin rights if the credentials with which sql runs is administrative.
The suggestion of vlan,firewall deal with limiting the scope/vector of attack.  
In an inside type issue, you have to catch the person in the act.
Auditing of file access/resources might be what is needed but is not a preventative mechanism.  It is a look back info if something occurs.
Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

anishpeterAuthor Commented:
Hi Arnold,
Thanks for the response
I completely agree the action of a trusted user is not hacking but a threat. But it is happening
I ahve to address this,
first of all can you answer the other 2 issues
1.What all a user can do with L2 Secuirty - like intercepting packets in switch
4. If there is is file system encryption like MS EFS, can the hacker able to steal data
QlemoBatchelor and DeveloperCommented:
ad 1)
To intercept packets on a switch, you need admin access to the switch, and set up a monitoring port which replicates traffic of a specific other port.
Besides that, only ARP table attacks (flooding the switch's MAC tables, so it falls back to broadcasting all traffic) might occur, and the switch firmware should not allow that, as it is a well-known threat. Contemporary switches will go into silent mode then, switching off all ports for some time - or at least emptying their tables, which will only allow a few packets to be broadcasted (for e.g. two seconds).

ad 2)
Exploits running on a client are an issue. If you open a prepared Excel sheet, anything can happen. I don't get you question here, as malware can try to do anything if you allow it to run in a trusted network. Of course all client software needs to be patched to the most recent (security) stage, and that applies in particular to very popular client applications like Word, Excel, PowerPoint, PDF, and Web Browsers - anything that can have active content.

ad 4)
Just copying the files will not help the thief. They will need to gain access to the corresponding user profile, and extract the certificate used for EFS. Or have admin privs on the corresponding machine, which opens all dams anyway ...
As to one, access to router/switch management port would/should be restricted to admin systems.
A user who gains admin rights on a domain can do different things to gain access to efs data using by setting up a script which will run by the user copying the data as well as clearing the encryption.
Auditing settings would/could provide some realtime notifications if configured.
Eventlog to snmptrap (evntwin)
An analogy would be that you allow a person to enter your house, and then you are looking for a way to prevent access to a cabinet in the bathroom.
Your strongest protection is at the front door.

You could use vlans such that a user has to be sufficiently trusted to have access to higher level resources.  The issue deals with the size of your firm and whether these costs must be covered as a requirement by the nature f the firm. I.e. medical, legal, financial requirements.
If this is a small firm and you are suspecting that an employee might be stealing customers' data, it might not be feasible/cost effective to implement vlans, etc. in the environment.
anishpeterAuthor Commented:
Thanks Arnold and Qlemo.  
You are right. Protection is at front door.  I have it also. I have almost 25 user vlans and 2 layer of firewalls. Here problem is that the mischievies users is inside the house.  and can reach the peers in his same vlan and can access mail, AD and ERP servers in designated ports.
Now I am confused about what is inside threat now. If a user has linux VM, meterpreter to exploit client side vulnerability of another system, what will I call it? is this i have to really worry?  which layer i will  address this issue - Network level or system or applicaions. pl comment
QlemoBatchelor and DeveloperCommented:
You will "address this issue" at every possible layer - all kind of attacks are feasible. Obviously capturing ethernet traffic with encrypted content (SSL, internal IPSec connections, other encrypted communication) is useless without further investigation and hacking on a higher level. Reading email passwords for SMTP/POP3 is easy that way.

Still, capturing traffic at L2 (network) isn't easy, as the switch will only forward broadcast traffic to every port. In every other case only source and target devices see the traffic. If the attacker manages to "mirror" traffic to a server, however, they can get at something useful for them. Of course you would not allow them to e.g. install network capturing software on a server ...
What level of access to their local resources to these users have?
Are they able to install applications/drivers?
Maintaining updates on the system will limit the attack vector.
i.e. usera is your "explorer" on workstationA. userB is running on workstationB.
Does each system employ a software firewall blocking access? (sacrificing resources for software firewall)
auditing on each workstation for access network/etc/ will generate events from workstationB that access is being attempted by userA or anonymous from workstationA.

windows 2008 and newer have eventlog publishing/subscribing/forwarding features.
This way events on local system will be pushed to a central system that you can then monitor. Splunk (splunk.,com) is a tool you can use. using eventlog to SNMPTRAP with a preconfigured set of events that are sent to a server (linux) that has snmptrapd which processes the received events and generates email, sms, etc. alerts.
Using a monitoring system that looks for unexpected events i.e. workstationB reports that access is being attempted from workstationA.
That would be not be normal.
Events from firewalls, routers, switches that access attempts are being made from specific locations that are failing and are unauthorized.
Attempt to install any application including user based (chrome, etc.) will trigger an alert.

The short of it, if a user has elevated rights on the local system, group of systems, or network.  Their "exploration" could go further than someone who has no  such rights.
Are users able to bring in external storage to connect to the system? USB, CD/DVD?
This might be how a user can use software from the external storage to run commands.
DarinTCHSenior CyberSecurity EngineerCommented:
control your systems also

lock down users to operating system X
unless they can show a vaild need
then if they have to use linux
control where they can go

use the FW - setup zones - limit the 'pool' that the user plays in

sounds like you might know where the weaknesses already are...
lock em down

scan their machines for apps that are not approved
try NEXPOSE or other vulberabilty scanners or a Enterprise AV

they will find ' hacker' software

I support thousands of users
Windows plays togehter in nice small 'pools" vLans --whatever

other systems Linux, Unix, MAC are controlled much more tightly

then monitor everything and tell everyone you are monitoring

finally you may need to make an example out of 1 or 2 to shake others to their senses
anishpeterAuthor Commented:
Very healthy discussions
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

  • 4
  • 3
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now