We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Course Of The Month
9 days, 7 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Prevents hacking from internal users
Posted on 2012-12-28
Hello
I need your opinions in this particular scenario
In my corporate there are several and adequate controls to prevent an intruder from Accessing the Corporate LAN. But as per recent security audit review, there is question about what if an internal user turned to be a hacker. Now every security Administrator may be facing the same issue. I think we can discuss and brainstorm this through the thread. I need to disscuss these
1. What all a user can do with L2 Secuirty - like intercepting packets in switch
2. How can he make use of the vulnerabilities in the user applications like Adobe, Word and server side exploits ( throgh open ports in client machines)
3. How can user attack Server Applications like AD, Exchange etc
4. If there is is file system encryption like MS EFS, can the hacker able to steal data
Thanks,
Anish
I need your opinions in this particular scenario
In my corporate there are several and adequate controls to prevent an intruder from Accessing the Corporate LAN. But as per recent security audit review, there is question about what if an internal user turned to be a hacker. Now every security Administrator may be facing the same issue. I think we can discuss and brainstorm this through the thread. I need to disscuss these
1. What all a user can do with L2 Secuirty - like intercepting packets in switch
2. How can he make use of the vulnerabilities in the user applications like Adobe, Word and server side exploits ( throgh open ports in client machines)
3. How can user attack Server Applications like AD, Exchange etc
4. If there is is file system encryption like MS EFS, can the hacker able to steal data
Thanks,
Anish
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
4
-
3
2- +2
12 Comments
Does your network have VLANs set up for different user groups/devices? If not then that would definitely help out a lot. Just set it up to where all of your users and NAS/SAN are on specific VLANs that are appropriate for them. Then they won't be able to access the other devices because they will be completely cut off from them.
I have the mentioned VLANS and Access List/Firewall rules all in place. Eventhough inside attacks is possible. More thoughts?
Active today
Level of trust provides the level of access.
Your question suggest that a person has the level of access so it is not really hacking.
Application compromises will grant user access to system level administrative access limiting the person to the system they are on.
Web based compromised, sql compromise could grant domain level admin rights if the credentials with which sql runs is administrative.
The suggestion of vlan,firewall deal with limiting the scope/vector of attack.
In an inside type issue, you have to catch the person in the act.
Auditing of file access/resources might be what is needed but is not a preventative mechanism. It is a look back info if something occurs.
Your question suggest that a person has the level of access so it is not really hacking.
Application compromises will grant user access to system level administrative access limiting the person to the system they are on.
Web based compromised, sql compromise could grant domain level admin rights if the credentials with which sql runs is administrative.
The suggestion of vlan,firewall deal with limiting the scope/vector of attack.
In an inside type issue, you have to catch the person in the act.
Auditing of file access/resources might be what is needed but is not a preventative mechanism. It is a look back info if something occurs.
Hi Arnold,
Thanks for the response
I completely agree the action of a trusted user is not hacking but a threat. But it is happening
I ahve to address this,
first of all can you answer the other 2 issues
1.What all a user can do with L2 Secuirty - like intercepting packets in switch
4. If there is is file system encryption like MS EFS, can the hacker able to steal data
Thanks for the response
I completely agree the action of a trusted user is not hacking but a threat. But it is happening
I ahve to address this,
first of all can you answer the other 2 issues
1.What all a user can do with L2 Secuirty - like intercepting packets in switch
4. If there is is file system encryption like MS EFS, can the hacker able to steal data
Active today
ad 1)
To intercept packets on a switch, you need admin access to the switch, and set up a monitoring port which replicates traffic of a specific other port.
Besides that, only ARP table attacks (flooding the switch's MAC tables, so it falls back to broadcasting all traffic) might occur, and the switch firmware should not allow that, as it is a well-known threat. Contemporary switches will go into silent mode then, switching off all ports for some time - or at least emptying their tables, which will only allow a few packets to be broadcasted (for e.g. two seconds).
ad 2)
Exploits running on a client are an issue. If you open a prepared Excel sheet, anything can happen. I don't get you question here, as malware can try to do anything if you allow it to run in a trusted network. Of course all client software needs to be patched to the most recent (security) stage, and that applies in particular to very popular client applications like Word, Excel, PowerPoint, PDF, and Web Browsers - anything that can have active content.
ad 4)
Just copying the files will not help the thief. They will need to gain access to the corresponding user profile, and extract the certificate used for EFS. Or have admin privs on the corresponding machine, which opens all dams anyway ...
To intercept packets on a switch, you need admin access to the switch, and set up a monitoring port which replicates traffic of a specific other port.
Besides that, only ARP table attacks (flooding the switch's MAC tables, so it falls back to broadcasting all traffic) might occur, and the switch firmware should not allow that, as it is a well-known threat. Contemporary switches will go into silent mode then, switching off all ports for some time - or at least emptying their tables, which will only allow a few packets to be broadcasted (for e.g. two seconds).
ad 2)
Exploits running on a client are an issue. If you open a prepared Excel sheet, anything can happen. I don't get you question here, as malware can try to do anything if you allow it to run in a trusted network. Of course all client software needs to be patched to the most recent (security) stage, and that applies in particular to very popular client applications like Word, Excel, PowerPoint, PDF, and Web Browsers - anything that can have active content.
ad 4)
Just copying the files will not help the thief. They will need to gain access to the corresponding user profile, and extract the certificate used for EFS. Or have admin privs on the corresponding machine, which opens all dams anyway ...
Active today
As to one, access to router/switch management port would/should be restricted to admin systems.
A user who gains admin rights on a domain can do different things to gain access to efs data using by setting up a script which will run by the user copying the data as well as clearing the encryption.
Auditing settings would/could provide some realtime notifications if configured.
Eventlog to snmptrap (evntwin)
An analogy would be that you allow a person to enter your house, and then you are looking for a way to prevent access to a cabinet in the bathroom.
Your strongest protection is at the front door.
You could use vlans such that a user has to be sufficiently trusted to have access to higher level resources. The issue deals with the size of your firm and whether these costs must be covered as a requirement by the nature f the firm. I.e. medical, legal, financial requirements.
If this is a small firm and you are suspecting that an employee might be stealing customers' data, it might not be feasible/cost effective to implement vlans, etc. in the environment.
A user who gains admin rights on a domain can do different things to gain access to efs data using by setting up a script which will run by the user copying the data as well as clearing the encryption.
Auditing settings would/could provide some realtime notifications if configured.
Eventlog to snmptrap (evntwin)
An analogy would be that you allow a person to enter your house, and then you are looking for a way to prevent access to a cabinet in the bathroom.
Your strongest protection is at the front door.
You could use vlans such that a user has to be sufficiently trusted to have access to higher level resources. The issue deals with the size of your firm and whether these costs must be covered as a requirement by the nature f the firm. I.e. medical, legal, financial requirements.
If this is a small firm and you are suspecting that an employee might be stealing customers' data, it might not be feasible/cost effective to implement vlans, etc. in the environment.
Thanks Arnold and Qlemo.
You are right. Protection is at front door. I have it also. I have almost 25 user vlans and 2 layer of firewalls. Here problem is that the mischievies users is inside the house. and can reach the peers in his same vlan and can access mail, AD and ERP servers in designated ports.
Now I am confused about what is inside threat now. If a user has linux VM, meterpreter to exploit client side vulnerability of another system, what will I call it? is this i have to really worry? which layer i will address this issue - Network level or system or applicaions. pl comment
You are right. Protection is at front door. I have it also. I have almost 25 user vlans and 2 layer of firewalls. Here problem is that the mischievies users is inside the house. and can reach the peers in his same vlan and can access mail, AD and ERP servers in designated ports.
Now I am confused about what is inside threat now. If a user has linux VM, meterpreter to exploit client side vulnerability of another system, what will I call it? is this i have to really worry? which layer i will address this issue - Network level or system or applicaions. pl comment
Active today
You will "address this issue" at every possible layer - all kind of attacks are feasible. Obviously capturing ethernet traffic with encrypted content (SSL, internal IPSec connections, other encrypted communication) is useless without further investigation and hacking on a higher level. Reading email passwords for SMTP/POP3 is easy that way.
Still, capturing traffic at L2 (network) isn't easy, as the switch will only forward broadcast traffic to every port. In every other case only source and target devices see the traffic. If the attacker manages to "mirror" traffic to a server, however, they can get at something useful for them. Of course you would not allow them to e.g. install network capturing software on a server ...
Still, capturing traffic at L2 (network) isn't easy, as the switch will only forward broadcast traffic to every port. In every other case only source and target devices see the traffic. If the attacker manages to "mirror" traffic to a server, however, they can get at something useful for them. Of course you would not allow them to e.g. install network capturing software on a server ...
Active today
What level of access to their local resources to these users have?
Are they able to install applications/drivers?
Maintaining updates on the system will limit the attack vector.
i.e. usera is your "explorer" on workstationA. userB is running on workstationB.
Does each system employ a software firewall blocking access? (sacrificing resources for software firewall)
auditing on each workstation for access network/etc/ will generate events from workstationB that access is being attempted by userA or anonymous from workstationA.
windows 2008 and newer have eventlog publishing/subscribing/for
http://technet.microsoft.com/en-us/library/cc748890.aspx
This way events on local system will be pushed to a central system that you can then monitor. Splunk (splunk.,com) is a tool you can use. using eventlog to SNMPTRAP with a preconfigured set of events that are sent to a server (linux) that has snmptrapd which processes the received events and generates email, sms, etc. alerts.
Using a monitoring system that looks for unexpected events i.e. workstationB reports that access is being attempted from workstationA.
That would be not be normal.
Events from firewalls, routers, switches that access attempts are being made from specific locations that are failing and are unauthorized.
Attempt to install any application including user based (chrome, etc.) will trigger an alert.
The short of it, if a user has elevated rights on the local system, group of systems, or network. Their "exploration" could go further than someone who has no such rights.
Are users able to bring in external storage to connect to the system? USB, CD/DVD?
This might be how a user can use software from the external storage to run commands.
Are they able to install applications/drivers?
Maintaining updates on the system will limit the attack vector.
i.e. usera is your "explorer" on workstationA. userB is running on workstationB.
Does each system employ a software firewall blocking access? (sacrificing resources for software firewall)
auditing on each workstation for access network/etc/ will generate events from workstationB that access is being attempted by userA or anonymous from workstationA.
windows 2008 and newer have eventlog publishing/subscribing/for
http://technet.microsoft.com/en-us/library/cc748890.aspx
This way events on local system will be pushed to a central system that you can then monitor. Splunk (splunk.,com) is a tool you can use. using eventlog to SNMPTRAP with a preconfigured set of events that are sent to a server (linux) that has snmptrapd which processes the received events and generates email, sms, etc. alerts.
Using a monitoring system that looks for unexpected events i.e. workstationB reports that access is being attempted from workstationA.
That would be not be normal.
Events from firewalls, routers, switches that access attempts are being made from specific locations that are failing and are unauthorized.
Attempt to install any application including user based (chrome, etc.) will trigger an alert.
The short of it, if a user has elevated rights on the local system, group of systems, or network. Their "exploration" could go further than someone who has no such rights.
Are users able to bring in external storage to connect to the system? USB, CD/DVD?
This might be how a user can use software from the external storage to run commands.
control your systems also
lock down users to operating system X
unless they can show a vaild need
then if they have to use linux
control where they can go
use the FW - setup zones - limit the 'pool' that the user plays in
sounds like you might know where the weaknesses already are...
lock em down
scan their machines for apps that are not approved
try NEXPOSE or other vulberabilty scanners or a Enterprise AV
they will find ' hacker' software
I support thousands of users
Windows plays togehter in nice small 'pools" vLans --whatever
other systems Linux, Unix, MAC are controlled much more tightly
then monitor everything and tell everyone you are monitoring
finally you may need to make an example out of 1 or 2 to shake others to their senses
lock down users to operating system X
unless they can show a vaild need
then if they have to use linux
control where they can go
use the FW - setup zones - limit the 'pool' that the user plays in
sounds like you might know where the weaknesses already are...
lock em down
scan their machines for apps that are not approved
try NEXPOSE or other vulberabilty scanners or a Enterprise AV
they will find ' hacker' software
I support thousands of users
Windows plays togehter in nice small 'pools" vLans --whatever
other systems Linux, Unix, MAC are controlled much more tightly
then monitor everything and tell everyone you are monitoring
finally you may need to make an example out of 1 or 2 to shake others to their senses
Featured Post
Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Email attacks are the most common methods for initiating ransomware and phishing scams. Attackers want you to open an infected attachment or click a malicious link, and unwittingly download malware to your machine. Here are 7 ways you can stay safe.
Here's a look at newsworthy articles and community happenings during the last month.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers.
According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month9 days, 7 hours left to enroll
623 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.