

Preventing hacking by internal users

Posted on 2012-12-28
Medium Priority
Last Modified: 2013-11-29
I need your opinions on this particular scenario.
In my corporation there are several adequate controls to prevent an intruder from accessing the corporate LAN. But as per a recent security audit review, there is a question about what happens if an internal user turns out to be a hacker. Every security administrator may be facing the same issue. I think we can discuss and brainstorm this through the thread. I need to discuss these:
1. What can a user do with L2 security, like intercepting packets in a switch?
2. How can he make use of vulnerabilities in user applications like Adobe, Word, and server-side exploits (through open ports on client machines)?
3. How can a user attack server applications like AD, Exchange, etc.?
4. If there is file system encryption like MS EFS, can the hacker steal data?

Question by:anishpeter

Expert Comment

ID: 38729178
Does your network have VLANs set up for different user groups/devices?  If not then that would definitely help out a lot.  Just set it up to where all of your users and NAS/SAN are on specific VLANs that are appropriate for them.  Then they won't be able to access the other devices because they will be completely cut off from them.

Author Comment

ID: 38729330
I have the mentioned VLANs and access list/firewall rules all in place. Even so, inside attacks are possible. More thoughts?
LVL 80

Assisted Solution

arnold earned 1468 total points
ID: 38729397
Level of trust provides the level of access.
Your question suggests that a person has the level of access, so it is not really hacking.
Application compromises will grant the user system-level administrative access, limiting the person to the system they are on.
Web-based compromises or SQL compromises could grant domain-level admin rights if the credentials with which SQL runs are administrative.
The suggestions of VLANs and firewalls deal with limiting the scope/vector of attack.
In an inside-type issue, you have to catch the person in the act.
Auditing of file access/resources might be what is needed, but it is not a preventative mechanism. It is look-back info if something occurs.


Author Comment

ID: 38730626
Hi Arnold,
Thanks for the response.
I completely agree the action of a trusted user is not hacking but a threat. But it is happening.
I have to address this.
First of all, can you answer the other 2 issues?
1. What can a user do with L2 security, like intercepting packets in a switch?
4. If there is file system encryption like MS EFS, can the hacker steal data?
LVL 71

Assisted Solution

Qlemo earned 532 total points
ID: 38730650
ad 1)
To intercept packets on a switch, you need admin access to the switch, and set up a monitoring port which replicates traffic of a specific other port.
Besides that, only ARP table attacks (flooding the switch's MAC tables, so it falls back to broadcasting all traffic) might occur, and the switch firmware should not allow that, as it is a well-known threat. Contemporary switches will go into silent mode then, switching off all ports for some time - or at least emptying their tables, which will only allow a few packets to be broadcasted (for e.g. two seconds).

ad 2)
Exploits running on a client are an issue. If you open a prepared Excel sheet, anything can happen. I don't get your question here, as malware can try to do anything if you allow it to run in a trusted network. Of course all client software needs to be patched to the most recent (security) stage, and that applies in particular to very popular client applications like Word, Excel, PowerPoint, PDF, and web browsers - anything that can have active content.

ad 4)
Just copying the files will not help the thief. They will need to gain access to the corresponding user profile, and extract the certificate used for EFS. Or have admin privs on the corresponding machine, which opens all dams anyway ...
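Qlemo's point about MAC-table flooding is the part of the L2 discussion a defender can actually watch for: a legitimate access port carries frames from one or two source MACs, while a flooding host sends frames from hundreds of fabricated ones in a short window. The following Python is an added example written for this thread, not code from the original post or from any switch vendor; it models the check a port-security "maximum addresses" setting performs, applied offline to a constructed list of observed frames. The frame records, port names and the threshold of 8 MACs per 2-second window are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One observed frame: ingress time (seconds), switch port, source MAC."""
    ts: float
    port: str
    src_mac: str


def distinct_sources_per_port(frames, window_s=2.0):
    """Return {port: peak number of distinct source MACs seen in any window_s window}.

    A normal access port stays at one or two; a MAC-flooding host pushes this
    into the hundreds, which is what exhausts the switch's forwarding table.
    """
    recent = defaultdict(deque)   # port -> (ts, mac) pairs inside the current window
    peak = defaultdict(int)
    for f in sorted(frames, key=lambda fr: fr.ts):
        q = recent[f.port]
        q.append((f.ts, f.src_mac))
        while q and f.ts - q[0][0] > window_s:   # drop frames older than the window
            q.popleft()
        peak[f.port] = max(peak[f.port], len({mac for _, mac in q}))
    return dict(peak)


def flooding_ports(frames, max_macs=8, window_s=2.0):
    """Ports whose distinct-source count exceeds max_macs, like a port-security violation."""
    counts = distinct_sources_per_port(frames, window_s)
    return sorted(port for port, n in counts.items() if n > max_macs)


# Constructed sample traffic (assumption): two ordinary user ports and one port
# that emits 40 frames with 40 different fabricated source MACs within 0.4 s.
SAMPLE_FRAMES = [
    Frame(0.0, "Gi0/1", "00:11:22:33:44:01"),
    Frame(0.5, "Gi0/1", "00:11:22:33:44:02"),   # e.g. a VoIP phone behind the PC
    Frame(1.0, "Gi0/1", "00:11:22:33:44:01"),
    Frame(3.0, "Gi0/1", "00:11:22:33:44:02"),
    Frame(0.2, "Gi0/2", "00:11:22:33:44:10"),
    Frame(2.2, "Gi0/2", "00:11:22:33:44:10"),
] + [
    Frame(10.0 + i * 0.01, "Gi0/7", f"02:00:00:00:00:{i:02x}") for i in range(40)
]


if __name__ == "__main__":
    for port, n in sorted(distinct_sources_per_port(SAMPLE_FRAMES).items()):
        print(f"{port}: peak {n} distinct source MACs")
    print("flooding suspected on:", flooding_ports(SAMPLE_FRAMES))
```

On a real switch the same threshold is enforced in hardware by port security, which shuts or rate-limits the port, as Qlemo describes; the offline version is useful for reviewing packet captures or sFlow records after the fact, and the threshold should be set from what a port legitimately carries (a PC plus a phone, or a whole VM host).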
LVL 80

Assisted Solution

arnold earned 1468 total points
ID: 38730935
As to one, access to the router/switch management port would/should be restricted to admin systems.
A user who gains admin rights on a domain can do different things to gain access to EFS data, such as setting up a script which will be run by the user, copying the data as well as clearing the encryption.
Auditing settings would/could provide some real-time notifications if configured.
Event log to SNMP trap (evntwin).
An analogy would be that you allow a person to enter your house, and then you are looking for a way to prevent access to a cabinet in the bathroom.
Your strongest protection is at the front door.

You could use VLANs such that a user has to be sufficiently trusted to have access to higher-level resources. The issue deals with the size of your firm and whether these costs must be covered as a requirement by the nature of the firm, i.e. medical, legal, financial requirements.
If this is a small firm and you are suspecting that an employee might be stealing customers' data, it might not be feasible/cost-effective to implement VLANs, etc. in the environment.

Author Comment

ID: 38731145
Thanks Arnold and Qlemo.
You are right. Protection is at the front door. I have it also. I have almost 25 user VLANs and 2 layers of firewalls. Here the problem is that the mischievous user is inside the house, and can reach the peers in his same VLAN and can access mail, AD and ERP servers on designated ports.
Now I am confused about what the inside threat is. If a user has a Linux VM and meterpreter to exploit a client-side vulnerability of another system, what will I call it? Is this something I have to really worry about? At which layer will I address this issue - network level, or system, or applications? Please comment.
LVL 71

Expert Comment

ID: 38731434
You will "address this issue" at every possible layer - all kind of attacks are feasible. Obviously capturing ethernet traffic with encrypted content (SSL, internal IPSec connections, other encrypted communication) is useless without further investigation and hacking on a higher level. Reading email passwords for SMTP/POP3 is easy that way.

Still, capturing traffic at L2 (network) isn't easy, as the switch will only forward broadcast traffic to every port. In every other case only source and target devices see the traffic. If the attacker manages to "mirror" traffic to a server, however, they can get at something useful for them. Of course you would not allow them to e.g. install network capturing software on a server ...
LVL 80

Accepted Solution

arnold earned 1468 total points
ID: 38731459
What level of access to their local resources do these users have?
Are they able to install applications/drivers?
Maintaining updates on the system will limit the attack vector.
I.e. userA is your "explorer" on workstationA. userB is running on workstationB.
Does each system employ a software firewall blocking access? (sacrificing resources for a software firewall)
Auditing on each workstation for network access etc. will generate events from workstationB that access is being attempted by userA or anonymous from workstationA.

Windows 2008 and newer have event log publishing/subscribing/forwarding features.
This way events on the local system will be pushed to a central system that you can then monitor. Splunk (splunk.com) is a tool you can use. Using event log to SNMP trap with a preconfigured set of events that are sent to a server (Linux) that has snmptrapd, which processes the received events and generates email, SMS, etc. alerts.
Using a monitoring system that looks for unexpected events, i.e. workstationB reports that access is being attempted from workstationA.
That would not be normal.
Events from firewalls, routers, switches that access attempts are being made from specific locations that are failing and are unauthorized.
An attempt to install any application, including user-based (Chrome, etc.), will trigger an alert.

The short of it: if a user has elevated rights on the local system, group of systems, or network, their "exploration" could go further than someone who has no such rights.
Are users able to bring in external storage to connect to the system? USB, CD/DVD?
This might be how a user can use software from the external storage to run commands.
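Arnold's accepted answer describes the detection side in words: forward workstation audit events to a central system, then alert when workstationB reports access attempts from workstationA, when failed logons pile up, or when a user tries to install software. The Python below is an added example for this thread, not the author's code and not any Splunk or Windows Event Forwarding feature; it runs the three rules over a constructed, simplified event feed. The line format, the host names, the "WORKSTATION" naming convention used to tell workstations from servers, and the installer-path heuristic are all assumptions; the event IDs (4624 successful logon, 4625 failed logon, 4688 process creation, logon type 3 = network) are the standard Windows Security audit IDs.

```python
import re
from collections import Counter

# Constructed sample feed (assumption): one forwarded Security event per line in a
# simplified key=value layout, not the real Windows event XML. Field names mirror
# the Windows audit fields so the rules read naturally.
SAMPLE_EVENTS = """\
2012-12-28T09:01:02 host=WORKSTATIONB id=4624 user=usera logon_type=3 src=10.10.5.11 src_host=WORKSTATIONA
2012-12-28T09:01:03 host=FILESRV01 id=4624 user=usera logon_type=3 src=10.10.5.11 src_host=WORKSTATIONA
2012-12-28T09:02:10 host=WORKSTATIONB id=4625 user=Administrator logon_type=3 src=10.10.5.11 src_host=WORKSTATIONA
2012-12-28T09:02:11 host=WORKSTATIONB id=4625 user=Administrator logon_type=3 src=10.10.5.11 src_host=WORKSTATIONA
2012-12-28T09:02:12 host=WORKSTATIONB id=4625 user=backup logon_type=3 src=10.10.5.11 src_host=WORKSTATIONA
2012-12-28T09:03:00 host=WORKSTATIONC id=4624 user=userc logon_type=2 src=127.0.0.1 src_host=WORKSTATIONC
2012-12-28T09:04:00 host=WORKSTATIONB id=4688 user=userb process=C:\\Users\\userb\\Downloads\\ChromeSetup.exe
"""

WORKSTATION_PREFIX = "WORKSTATION"   # assumption: naming convention marks workstations;
                                     # in practice take the role from AD OU or inventory


def parse_events(text):
    """Turn the key=value lines into dicts; the timestamp is kept under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(re.findall(r"(\w+)=(\S+)", rest))
        fields["ts"] = ts
        events.append(fields)
    return events


def is_workstation(host):
    return host.upper().startswith(WORKSTATION_PREFIX)


def peer_logons(events):
    """Network logons (type 3) where both ends are workstations: arnold's
    'workstationB reports access from workstationA', which is not normal."""
    return [
        (e["host"], e["src_host"], e["user"], e["id"])
        for e in events
        if e.get("id") in ("4624", "4625") and e.get("logon_type") == "3"
        and is_workstation(e["host"]) and is_workstation(e.get("src_host", ""))
        and e["host"] != e["src_host"]
    ]


def failed_logon_bursts(events, threshold=3):
    """(source, target, count) for source/target pairs with >= threshold 4625 events."""
    counts = Counter((e["src_host"], e["host"]) for e in events if e.get("id") == "4625")
    return sorted((src, dst, n) for (src, dst), n in counts.items() if n >= threshold)


# Assumption: an installer launched from a user profile is worth an alert.
INSTALLER_RE = re.compile(r"\\Users\\.*(Setup|Install)[^\\]*\.(exe|msi)$", re.I)


def user_install_attempts(events):
    """Process-creation events whose image looks like a user-launched installer."""
    return [
        (e["host"], e["user"], e["process"])
        for e in events
        if e.get("id") == "4688" and INSTALLER_RE.search(e.get("process", ""))
    ]


def run_detections(text):
    """Apply all three rules and return the alerts grouped by rule name."""
    events = parse_events(text)
    return {
        "peer_logon": peer_logons(events),
        "failed_burst": failed_logon_bursts(events),
        "user_install": user_install_attempts(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS).items():
        for hit in hits:
            print(f"ALERT {rule}: {hit}")
```

In a real deployment the feed would come from the Windows event forwarding subscription or the SIEM Arnold mentions, and the server-to-workstation logon from FILESRV01 is deliberately left out of the peer rule, since users reaching a file server is the expected pattern; only lateral workstation-to-workstation traffic is flagged.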
LVL 12

Expert Comment

ID: 38733910
Control your systems also.

Lock down users to operating system X
unless they can show a valid need;
then if they have to use Linux,
control where they can go.

Use the FW - set up zones - limit the 'pool' that the user plays in.

Sounds like you might know where the weaknesses already are...
Lock 'em down.

Scan their machines for apps that are not approved.
Try NEXPOSE or other vulnerability scanners or an enterprise AV.

They will find 'hacker' software.

I support thousands of users.
Windows plays together in nice small 'pools', VLANs, whatever.

Other systems, Linux, Unix, Mac, are controlled much more tightly.

Then monitor everything and tell everyone you are monitoring.

Finally, you may need to make an example out of 1 or 2 to shake others to their senses.

Author Closing Comment

ID: 38735743
Very healthy discussions
