Solved

Preventing hacking by internal users

Posted on 2012-12-28
Last Modified: 2013-11-29
Hello
I need your opinions in this particular scenario
In my corporate network there are several adequate controls to prevent an intruder from accessing the corporate LAN. But as per a recent security audit review, there is a question about what if an internal user turned out to be a hacker. Now every security administrator may be facing the same issue. I think we can discuss and brainstorm this through the thread. I need to discuss these:
1. What all a user can do with L2 security - like intercepting packets in a switch
2. How can he make use of the vulnerabilities in user applications like Adobe, Word and server-side exploits (through open ports in client machines)
3. How can a user attack server applications like AD, Exchange etc.
4. If there is file system encryption like MS EFS, can the hacker still steal data?

Thanks,
Anish
Question by:anishpeter
12 Comments
 
LVL 1

Expert Comment

by:jdwheeler1981
ID: 38729178
Does your network have VLANs set up for different user groups/devices?  If not, then that would definitely help out a lot.  Just set it up so that all of your users and NAS/SAN are on specific VLANs that are appropriate for them.  Then they won't be able to access the other devices because they will be completely cut off from them.
 
LVL 1

Author Comment

by:anishpeter
ID: 38729330
I have the mentioned VLANs and access list/firewall rules all in place. Even so, inside attacks are possible. More thoughts?
 
LVL 76

Assisted Solution

by:arnold
arnold earned 367 total points
ID: 38729397
Level of trust provides the level of access.
Your question suggests that a person has the level of access, so it is not really hacking.
Application compromises will grant the user system-level administrative access, limiting the person to the system they are on.
Web-based compromises, SQL compromises could grant domain-level admin rights if the credentials with which SQL runs are administrative.
The suggestion of VLANs, firewalls deals with limiting the scope/vector of attack.
In an inside-type issue, you have to catch the person in the act.
Auditing of file access/resources might be what is needed but is not a preventative mechanism.  It is look-back info if something occurs.
 
LVL 1

Author Comment

by:anishpeter
ID: 38730626
Hi Arnold,
Thanks for the response
I completely agree the action of a trusted user is not hacking but a threat. But it is happening.
I have to address this.
First of all, can you answer the other 2 issues:
1. What all a user can do with L2 security - like intercepting packets in a switch
4. If there is file system encryption like MS EFS, can the hacker still steal data?
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 133 total points
ID: 38730650
ad 1)
To intercept packets on a switch, you need admin access to the switch, and set up a monitoring port which replicates traffic of a specific other port.
Besides that, only ARP table attacks (flooding the switch's MAC tables, so it falls back to broadcasting all traffic) might occur, and the switch firmware should not allow that, as it is a well-known threat. Contemporary switches will go into silent mode then, switching off all ports for some time - or at least emptying their tables, which will only allow a few packets to be broadcasted (for e.g. two seconds).

ad 2)
Exploits running on a client are an issue. If you open a prepared Excel sheet, anything can happen. I don't get your question here, as malware can try to do anything if you allow it to run in a trusted network. Of course all client software needs to be patched to the most recent (security) stage, and that applies in particular to very popular client applications like Word, Excel, PowerPoint, PDF, and Web Browsers - anything that can have active content.

ad 4)
Just copying the files will not help the thief. They will need to gain access to the corresponding user profile, and extract the certificate used for EFS. Or have admin privs on the corresponding machine, which opens all dams anyway ...
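Qlemo's point about the CAM table above (unknown destinations get flooded to every port, so an attacker who fills the table hears other hosts' unicast, while a port that learns too many MACs gets shut) is easy to misjudge in the abstract, so here is a toy learning switch that models both behaviours. This is an added example, not code from the thread: the port names, MAC addresses and table size are constructed and far smaller than real hardware, and the attack loop stands in for a tool like macof. The real-switch counterpart of the `max_macs_per_port` setting is port security (on Cisco IOS, `switchport port-security maximum 1` with `switchport port-security violation shutdown`), which is what puts the offending port into err-disabled state.

```python
"""Toy learning switch: CAM-table exhaustion (flooding fallback) versus
per-port MAC limits (port security).  Added example; port names, MACs
and sizes are constructed."""
from collections import OrderedDict


class Switch:
    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity            # entries the CAM can hold
        self.max_macs_per_port = max_macs_per_port  # None = port security off
        self.cam = OrderedDict()                    # mac -> port, oldest first
        self.err_disabled = set()                   # ports shut by port security
        self.flooded = 0                            # frames sent to all ports

    def _learn(self, mac, port):
        if mac in self.cam:                         # refresh an existing entry
            self.cam.move_to_end(mac)
            self.cam[mac] = port
            return
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:   # security violation
                self.err_disabled.add(port)
                for m in [m for m, p in self.cam.items() if p == port]:
                    del self.cam[m]
                return
        if len(self.cam) >= self.cam_capacity:      # table full: evict oldest
            self.cam.popitem(last=False)
        self.cam[mac] = port

    def forward(self, in_port, src, dst):
        """Deliver one frame; return the set of egress ports it reaches."""
        if in_port in self.err_disabled:
            return set()
        self._learn(src, in_port)
        if in_port in self.err_disabled:            # learning tripped security
            return set()
        out = self.cam.get(dst)
        if out is None:                             # unknown/broadcast: flood
            self.flooded += 1
            return {p for p in self.ports
                    if p != in_port and p not in self.err_disabled}
        return {out}


def run_attack(port_security_limit=None, flood_frames=2000):
    """Two victims on Gi0/1 and Gi0/2, attacker on Gi0/3 (think macof)."""
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/3"], cam_capacity=1024,
                max_macs_per_port=port_security_limit)
    host_a, host_b = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"   # constructed
    sw.forward("Gi0/1", host_a, host_b)     # first frame floods, switch learns A
    sw.forward("Gi0/2", host_b, host_a)     # now both MACs are in the CAM
    before = sw.forward("Gi0/1", host_a, host_b)   # unicast to Gi0/2 only
    for i in range(flood_frames):           # bogus source MACs fill the CAM
        fake = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xff, (i >> 8) & 0xff, i & 0xff)
        sw.forward("Gi0/3", fake, "ff:ff:ff:ff:ff:ff")
    after = sw.forward("Gi0/1", host_a, host_b)    # where does A->B go now?
    return {"before": before, "after": after,
            "attacker_port_disabled": "Gi0/3" in sw.err_disabled,
            "flooded_frames": sw.flooded}


if __name__ == "__main__":
    print("no port security  :", run_attack())
    print("max 1 MAC per port:", run_attack(port_security_limit=1))
```

Without a limit, the 2000 bogus entries push the two real hosts out of the table and the next A-to-B frame is delivered to Gi0/3 as well, which is the attacker's goal. With `max_macs_per_port=1` the second bogus MAC on Gi0/3 err-disables that port and A-to-B stays unicast.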
 
LVL 76

Assisted Solution

by:arnold
arnold earned 367 total points
ID: 38730935
As to one, access to the router/switch management port would/should be restricted to admin systems.
A user who gains admin rights on a domain can do different things to gain access to EFS data, e.g. by setting up a script which will run as the user, copying the data as well as clearing the encryption.
Auditing settings would/could provide some real-time notifications if configured.
Eventlog to SNMP trap (evntwin)
An analogy would be that you allow a person to enter your house, and then you are looking for a way to prevent access to a cabinet in the bathroom.
Your strongest protection is at the front door.

You could use VLANs such that a user has to be sufficiently trusted to have access to higher-level resources.  The issue deals with the size of your firm and whether these costs must be covered as a requirement by the nature of the firm, i.e. medical, legal, financial requirements.
If this is a small firm and you are suspecting that an employee might be stealing customers' data, it might not be feasible/cost effective to implement VLANs, etc. in the environment.
 
LVL 1

Author Comment

by:anishpeter
ID: 38731145
Thanks Arnold and Qlemo.  
You are right. Protection is at the front door.  I have it also. I have almost 25 user VLANs and 2 layers of firewalls. Here the problem is that the mischievous user is inside the house, and can reach the peers in his same VLAN and can access mail, AD and ERP servers on designated ports.
Now I am confused about what the inside threat is now. If a user has a Linux VM, meterpreter to exploit a client-side vulnerability of another system, what will I call it? Is this something I really have to worry about?  At which layer will I address this issue - network level or system or applications? Please comment.
 
LVL 68

Expert Comment

by:Qlemo
ID: 38731434
You will "address this issue" at every possible layer - all kinds of attacks are feasible. Obviously capturing ethernet traffic with encrypted content (SSL, internal IPSec connections, other encrypted communication) is useless without further investigation and hacking on a higher level. Reading email passwords for SMTP/POP3 is easy that way.

Still, capturing traffic at L2 (network) isn't easy, as the switch will only forward broadcast traffic to every port. In every other case only the source and target devices see the traffic. If the attacker manages to "mirror" traffic to a server, however, they can get at something useful for them. Of course you would not allow them to e.g. install network capturing software on a server ...
 
LVL 76

Accepted Solution

by:arnold
arnold earned 367 total points
ID: 38731459
What level of access to their local resources do these users have?
Are they able to install applications/drivers?
Maintaining updates on the system will limit the attack vector.
i.e. userA is your "explorer" on workstationA. userB is running on workstationB.
Does each system employ a software firewall blocking access? (sacrificing resources for a software firewall)
Auditing on each workstation for network access/etc. will generate events from workstationB that access is being attempted by userA or anonymous from workstationA.

Windows 2008 and newer have eventlog publishing/subscribing/forwarding features.
http://technet.microsoft.com/en-us/library/cc748890.aspx
This way events on the local system will be pushed to a central system that you can then monitor. Splunk (splunk.com) is a tool you can use. Using eventlog to SNMP trap with a preconfigured set of events that are sent to a server (Linux) that has snmptrapd, which processes the received events and generates email, SMS, etc. alerts.
Using a monitoring system that looks for unexpected events, i.e. workstationB reports that access is being attempted from workstationA.
That would not be normal.
Events from firewalls, routers, switches that access attempts are being made from specific locations that are failing and are unauthorized.
An attempt to install any application, including user-based (Chrome, etc.), will trigger an alert.

The short of it: if a user has elevated rights on the local system, group of systems, or network, their "exploration" could go further than someone who has no such rights.
Are users able to bring in external storage to connect to the system? USB, CD/DVD?
This might be how a user can use software from the external storage to run commands.
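The detection arnold sketches in the post above ("workstationB reports that access is being attempted from workstationA" is not normal, while users talking to the DC or a mail server is) is the kind of rule a central event collector should run. Here it is as an added example, not code from the thread or from any of the tools named: a small detector over a handful of constructed, already-forwarded Windows Security events, one JSON object per line as a collector or Splunk pipeline might hand them over. Event IDs 4624/4625 (logon success/failure), logon types 3 (network) and 10 (RemoteInteractive) and the field names are the real Windows ones; the hostnames, subnets, users and timestamps are invented, and the asset inventory (`WORKSTATION_PREFIX`, `ADMIN_HOSTS`, `SERVERS`) is an assumption standing in for whatever AD, DHCP or a CMDB would supply.

```python
"""Added example: flag workstation-to-workstation network logons and
failed-logon bursts in forwarded Windows Security events.  All hosts,
addresses, users and timestamps below are constructed."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WORKSTATION_PREFIX = "10.20."             # user VLANs (constructed inventory)
ADMIN_HOSTS = {"10.10.0.50"}              # jump hosts allowed to reach workstations
SERVERS = {"DC01", "EXCH01", "ERP01"}     # servers users legitimately log on to

# Constructed forwarded events, one JSON object per line.
SAMPLE_EVENTS = """\
{"time":"2012-12-28T09:00:01","Computer":"WKS-B","EventID":4624,"LogonType":3,"TargetUserName":"helpdesk","IpAddress":"10.10.0.50"}
{"time":"2012-12-28T09:02:10","Computer":"WKS-B","EventID":4625,"LogonType":3,"TargetUserName":"Administrator","IpAddress":"10.20.1.15"}
{"time":"2012-12-28T09:02:11","Computer":"WKS-B","EventID":4625,"LogonType":3,"TargetUserName":"Administrator","IpAddress":"10.20.1.15"}
{"time":"2012-12-28T09:02:12","Computer":"WKS-B","EventID":4625,"LogonType":3,"TargetUserName":"Administrator","IpAddress":"10.20.1.15"}
{"time":"2012-12-28T09:02:13","Computer":"WKS-B","EventID":4625,"LogonType":3,"TargetUserName":"Administrator","IpAddress":"10.20.1.15"}
{"time":"2012-12-28T09:03:40","Computer":"WKS-B","EventID":4624,"LogonType":3,"TargetUserName":"userB","IpAddress":"10.20.1.15"}
{"time":"2012-12-28T09:04:00","Computer":"DC01","EventID":4624,"LogonType":3,"TargetUserName":"userA","IpAddress":"10.20.1.15"}
{"time":"2012-12-28T09:05:00","Computer":"WKS-A","EventID":4624,"LogonType":2,"TargetUserName":"userA","IpAddress":"-"}
"""


def parse_events(text):
    """Parse JSON-lines events; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return events


def detect(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Return a de-duplicated list of alerts for the given events."""
    alerts, seen = [], set()
    failures = defaultdict(deque)          # source IP -> recent 4625 timestamps

    def alert(rule, ev, **extra):
        key = (rule, ev["IpAddress"], ev["Computer"], ev.get("TargetUserName"))
        if key in seen:                    # report each (rule, src, dst, user) once
            return
        seen.add(key)
        alerts.append({"rule": rule, "time": ev["time"].isoformat(),
                       "src": ev["IpAddress"], "dst": ev["Computer"],
                       "user": ev.get("TargetUserName"), **extra})

    for ev in sorted(events, key=lambda e: e["time"]):
        eid, src, dst = ev["EventID"], ev["IpAddress"], ev["Computer"]
        network_logon = ev.get("LogonType") in (3, 10)   # network / RDP
        # Rule 1: a workstation being logged on to over the network from
        # another workstation (not an admin jump host) is not normal.
        if (eid in (4624, 4625) and network_logon and dst not in SERVERS
                and src.startswith(WORKSTATION_PREFIX) and src not in ADMIN_HOSTS):
            alert("workstation-to-workstation logon" if eid == 4624
                  else "workstation-to-workstation logon attempt", ev)
        # Rule 2: repeated failures from one source inside a sliding window.
        if eid == 4625:
            q = failures[src]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:
                q.popleft()
            if len(q) >= fail_threshold:
                alert("failed-logon burst", ev, count=len(q))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(a)
```

On the sample data the helpdesk logon from the jump host and userA's logon to DC01 stay quiet; the three alerts all point at 10.20.1.15 (the "workstationA" of arnold's scenario) trying Administrator against WKS-B and then getting in as userB. The same rules apply unchanged to events pushed by Windows event forwarding or an eventlog-to-SNMP-trap setup; only the parsing front end differs.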
 
LVL 12

Expert Comment

by:DarinTCH
ID: 38733910
control your systems also

lock down users to operating system X
unless they can show a valid need
then if they have to use linux
control where they can go

use the FW - set up zones - limit the 'pool' that the user plays in

sounds like you might know where the weaknesses already are...
lock em down

scan their machines for apps that are not approved
try NEXPOSE or other vulnerability scanners or an Enterprise AV

they will find 'hacker' software

I support thousands of users
Windows plays together in nice small 'pools', VLANs - whatever

other systems Linux, Unix, Mac are controlled much more tightly

then monitor everything and tell everyone you are monitoring

finally you may need to make an example out of 1 or 2 to shake others to their senses
 
LVL 1

Author Closing Comment

by:anishpeter
ID: 38735743
Very healthy discussions